System Administration Guide

BlackBerry Enterprise Server for
Microsoft Exchange
Version 4.1.3
System Administration Guide

BlackBerry Enterprise Server Version 4.1.3 for Microsoft Exchange System Administration Guide
Last modified: 31 January 2007
Part number: 10923308 Version 2
At the time of publication, this documentation is based on BlackBerry Enterprise Server Version 4.1.3 for Microsoft Exchange.
Send us your comments on product documentation: https://www.blackberry.com/DocsFeedback.
©2007 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the
exclusive properties of Research In Motion Limited. RIM, Research In Motion, BlackBerry, “Always On, Always Connected” and the “envelope in
motion” symbol are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Apache Tomcat is a trademark of Apache Software Foundation. Corel and
WordPerfect are trademarks of Corel Corporation. IBM and Sametime are trademarks of IBM Corporation. Java and JavaScript are trademarks
of Sun Microsystems, Inc. Kerberos is a trademark of Massachusetts Institute of Technology. Microsoft, Excel, Internet Explorer,
Outlook,PowerPoint, SQL Server, and Windows are trademarks of Microsoft Corporation. Novell and GroupWise are trademarks of Novell Inc.
PGP is a trademark of PGP Corporation. RSA and SecurID are trademarks of RSA Security Inc. All other brands, product names, company
names, trademarks and service marks are the properties of their respective owners.
The BlackBerry device and/or associated software are protected by copyright, international treaties, and various patents, including one or more
of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are
registered or pending in various countries around the world. Visit www.rim.com/patents for a list of RIM [as hereinafter defined] patents.
This document is provided “as is” and Research In Motion Limited and its affiliated companies (“RIM”) assume no responsibility for any
typographical, technical, or other inaccuracies in this document. In order to protect RIM proprietary and confidential information and/or trade
secrets, this document may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change
information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or
other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR
COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR
CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO
THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES
REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS,
OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC,
COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA,
DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS.
This document might contain references to third-party sources of information, hardware or software, products or services and/or third-party
web sites (collectively the “Third-Party Information”). RIM does not control, and is not responsible for, any Third-Party Information, including,
without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any
other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the
Third-Party Information or the third-party in any way. Installation and use of Third-Party Information with RIM's products and services may
require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any
dealings with Third-Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely
between you and the third-party. You are solely responsible for determining whether such third-party licenses are required and are responsible
for acquiring any such licenses relating to Third-Party Information. To the extent that such intellectual property licenses may be required, RIM
expressly recommends that you do not install or use Third-Party Information until all such applicable licenses have been acquired by you or on
your behalf. Your use of Third-Party Information shall be governed by and subject to you agreeing to the terms of the Third-Party Information
licenses. Any Third-Party Information that is provided with RIM's products and services is provided “as is”. RIM makes no representation,
warranty or guarantee whatsoever in relation to the Third-Party Information and RIM assumes no liability whatsoever in relation to the Third-
Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages.
Research In Motion Limited Research In Motion UK Limited

295 Phillip Street Centrum House, 36 Station Road
Waterloo, ON N2L 3W8 Egham, Surrey TW20 9LF
Canada United Kingdom
Published in Canada
Contents
1 Mapping roles in your organization to BlackBerry roles ..............................................................................13
Administrative roles.........................................................................................................................................13
Adding database users to administrative roles ...........................................................................................14
Add a database user to an administrative role ....................................................................................14
Set how the BlackBerry Manager authenticates with the database server............................................14
Use database authentication credentials.............................................................................................15
Managing administrative roles ......................................................................................................................15
Manage an administrative role...............................................................................................................15
2 Setting up the BlackBerry environment ..........................................................................................................17

Protecting BlackBerry device data in transit............................................................................................... 17
Set an encryption algorithm ...................................................................................................................18
Extending protection of BlackBerry device data in transit........................................................................18
Protect data using the PGP Support Package .....................................................................................18
Protect data using the S/MIME Support Package ..............................................................................19
Replacing global scrambling of PIN-to-PIN messages with organization-specific scrambling .........19
Configuring a BlackBerry component to use a proxy server ....................................................................20
Access web servers using a .pac file .....................................................................................................20
Access web servers through a proxy server.......................................................................................... 21
Configure BlackBerry components to authenticate with a proxy server on behalf of BlackBerry
devices....................................................................................................................................................... 22
Associating a BlackBerry component with multiple BlackBerry Enterprise Servers ............................ 23
Assign a BlackBerry MDS Connection Service to multiple BlackBerry Enterprise Servers.......... 23
Assign a BlackBerry Collaboration Service to multiple BlackBerry Enterprise Servers................ 23
Assign BlackBerry MDS Services to multiple BlackBerry Enterprise Servers................................. 23
Configuring address lookup support in a hosted environment ............................................................... 24
Customize the address lookup function............................................................................................... 24
Use LDAP for address lookup ................................................................................................................ 25
Create a custom field for LDAP address lookup ................................................................................. 25
3 Setting up user accounts on the BlackBerry Enterprise Server ................................................................. 27

Adding user accounts..................................................................................................................................... 27
Add a user account.................................................................................................................................. 27
Managing user groups ................................................................................................................................... 27
Create a group ......................................................................................................................................... 28
Assign a user to a group ......................................................................................................................... 28
Customizing organizer data synchronization ............................................................................................. 28
Configure organizer data synchronization for all user accounts .....................................................29
Configure organizer data synchronization for a specific user account...........................................29
Set the organizer data synchronization type for all user accounts .................................................30
Set the organizer data synchronization type for a specific user account.......................................30
Set how organizer data conflicts are resolved for all user accounts ...............................................30
Set how organizer data conflicts are resolved for a specific user account......................................31
4 Controlling the BlackBerry environment .......................................................................................................33

Controlling which BlackBerry devices can connect to the BlackBerry Enterprise Server ................... 33
Enable the Enterprise Service Policy .................................................................................................... 33
Permit a user account to override the Enterprise Service Policy ..................................................... 34
Controlling BlackBerry device and BlackBerry Desktop Software behavior.......................................... 34
Change the default behavior ................................................................................................................. 35
Revert to the default behavior............................................................................................................... 35
Controlling custom applications using IT policy rules ..............................................................................36
Create an IT policy ..........................................................................................................................................36
Create an IT policy based on an existing IT policy .............................................................................36
Assign an IT policy to a user account or group ......................................................................................... 37
Managing IT policies ...................................................................................................................................... 37
Change an IT policy rule setting in an IT policy.................................................................................. 37
Create an IT policy rule for a custom application............................................................................... 38
Change or delete IT policy rules for custom applications ................................................................. 38
Delete an IT policy...................................................................................................................................39
Import an IT policy...................................................................................................................................39
Resend an IT policy to a BlackBerry device manually........................................................................39
Resend an IT policy to a BlackBerry device automatically................................................................40
5 Making additional BlackBerry Device Software and applications available to users.............................41

Software configurations..................................................................................................................................41
Adding software to a network drive ............................................................................................................. 42
Choose a network drive .......................................................................................................................... 42
Add the software and tools to the network drive ............................................................................... 42
Making applications available to users ....................................................................................................... 43
Create the software index ...................................................................................................................... 43
Re-index the software applications...................................................................................................... 43
Share the network drive .........................................................................................................................44
Creating software configurations.................................................................................................................44
Create a software configuration ...........................................................................................................44
Define an application control policy ....................................................................................................45
Assign a software configuration to a user account or group............................................................45
Sending applications to BlackBerry devices over the wireless network ................................................46
Send an application to a BlackBerry device ........................................................................................46
6 Implementing BlackBerry devices...................................................................................................................47

Loading users’ messages onto BlackBerry devices.................................................................................... 47
Change how a user’s messages are loaded onto a BlackBerry device ............................................ 47
Prevent a user’s messages from loading onto a BlackBerry device.................................................48
Option 1: Implementing BlackBerry devices using the BlackBerry Manager ........................................48
Assign a BlackBerry device to a user account.....................................................................................48
Option 2: Implementing BlackBerry devices over the wireless network................................................48
Send organizer data to BlackBerry devices through the BlackBerry Router..................................49
Wireless enterprise activation passwords............................................................................................50
Option 3: Implementing BlackBerry devices using the BlackBerry Desktop Manager ........................51
Implement a BlackBerry device using the BlackBerry Desktop Manager .......................................51
Protecting lost or stolen BlackBerry devices ...............................................................................................51
Protect a lost BlackBerry device............................................................................................................ 52
Protect a stolen BlackBerry device ....................................................................................................... 52
Issuing existing BlackBerry devices to new users...................................................................................... 52
Prepare a BlackBerry device for redistribution................................................................................... 52
Redistribute the BlackBerry device to a user ...................................................................................... 53
7 Making BlackBerry MDS Studio Applications available to users ..............................................................55

Permitting BlackBerry MDS Services to authenticate with the BlackBerry Manager
and web services .............................................................................................................................................55
Establish server authentication between the BlackBerry MDS Services and the
BlackBerry Manager................................................................................................................................55
Establish client authentication between the BlackBerry MDS Services and web services..........56
Configuring which BlackBerry MDS Studio Applications users can install on BlackBerry devices ...56
Permit BlackBerry MDS Studio Applications that use HTTPS to access web services ................. 57
Permit users to install unsigned BlackBerry MDS Studio Applications on BlackBerry devices .. 57
Manage a trusted certificate ................................................................................................................. 57
Preparing BlackBerry devices to install BlackBerry MDS Studio Applications .....................................58
Define and manage a BlackBerry MDS Services device policy to control BlackBerry MDS Studio
Applications on BlackBerry devices......................................................................................................58
Assign a BlackBerry MDS Services device policy to a user account or group................................59
Sending BlackBerry MDS Studio Applications to BlackBerry devices....................................................59
Install a BlackBerry MDS Studio Application on a BlackBerry device.............................................60
Upgrade a BlackBerry MDS Studio Application on a BlackBerry device .........................................61
Removing BlackBerry MDS Studio Applications from the repository and BlackBerry devices...........62
Remove a BlackBerry MDS Studio Application from the repository................................................62
Remove a BlackBerry MDS Studio Application from a BlackBerry device......................................63
Monitoring BlackBerry MDS Services messages........................................................................................64
Set up monitoring of BlackBerry MDS Studio Application messages .............................................64
View BlackBerry MDS Studio Application messages .........................................................................65
Remove all monitored messages from the BlackBerry MDS Services server .................................65
Filter communication from a web services host..................................................................................65
Set how the BlackBerry MDS Services and the BlackBerry MDS Connection Service connect ........ 66
8 Customizing BlackBerry messaging................................................................................................................67

Managing message redirection .................................................................................................................... 67
Create a global filter ............................................................................................................................... 67
Manage a global filter.............................................................................................................................68
Create a user filter.................................................................................................................................. 69
Manage a user filter ................................................................................................................................ 70
Managing message redirection to a user account ............................................................................. 70
Forward incoming messages to a BlackBerry device when no filter rules apply........................... 70
Do not deliver incoming messages to a BlackBerry device when no filter rules apply ................. 71
Forward messages in inbox subfolders to a BlackBerry device ......................................................... 71
Turn off synchronization for messages sent from a BlackBerry device............................................ 71
Turn off message redirection to a BlackBerry device......................................................................... 72
Managing wireless message reconciliation................................................................................................ 72
Turn off wireless message reconciliation............................................................................................. 72
Reconcile permanently-deleted messages.......................................................................................... 73
Enforcing secure messaging using classifications .................................................................................... 73
Using signatures and disclaimers in messages ......................................................................................... 75
Create a signature for a user account .................................................................................................. 75
Create a prepended disclaimer for a user account ............................................................................ 75
Create an appended disclaimer for a user account ........................................................................... 76
Create a prepended disclaimer for all user accounts on a BlackBerry Enterprise Server ............ 76
Create an appended disclaimer for all user accounts on a BlackBerry Enterprise Server ........... 76
Create a prepended disclaimer for a group of users.......................................................................... 77
Create an appended disclaimer for a group of users......................................................................... 77
Set conflict rules for prepended disclaimers....................................................................................... 77
Set conflict rules for appended disclaimers ........................................................................................ 77
Monitoring messages that users send from their BlackBerry devices.................................................... 78
Blind carbon copy a recipient on all messages................................................................................... 78
Managing the message queue...................................................................................................................... 78
Purge pending messages from the messaging queue ....................................................................... 78
Managing the wireless backup and restore of organizer data ................................................................79
Delete a user’s organizer data from the BlackBerry Enterprise Server ...........................................79
Turn off wireless backup.........................................................................................................................79
Setting address book fields for synchronization and lookups .................................................................79
Map an address book field in the desktop email application to an address book field on all Black-
Berry devices ............................................................................................................................................80
Map an address book field in the desktop email application to an address book field on a specific
BlackBerry device ....................................................................................................................................80
Map a user-defined address book field to an address book field on all BlackBerry devices .......80
Map a user-defined address book field to an address book field on a specific
BlackBerry device .....................................................................................................................................81
Sending messages to users ............................................................................................................................81
When a user replies to the message, the reply is sent to the service account that you used to in-
stall the BlackBerry Enterprise Server (for example, BESAdmin).Send a message to
selected users............................................................................................................................................81
Send a message to all users....................................................................................................................81
Managing instant messaging........................................................................................................................ 82
Configure the connection to the instant messaging server.............................................................. 82
Change the transport protocol that the BlackBerry Enterprise Server uses to connect to the in-
stant messaging server........................................................................................................................... 82
Control an instant messaging session.................................................................................................. 83
9 Customizing attachment support ....................................................................................................................85

Configuring how the BlackBerry Enterprise Server connects to the BlackBerry Attachment Service ...
85
Connect the BlackBerry Enterprise Server to the BlackBerry Attachment Service.......................85
Connect the BlackBerry Attachment Service to the BlackBerry Enterprise Server.......................86
Controlling how the BlackBerry Attachment Service converts attachments ........................................86
Customize how the BlackBerry Attachment Service converts attachments .................................. 87
Configuring support for attachment file formats ...................................................................................... 87
Remove support for an attachment file format...................................................................................88
Add support for additional attachment file format extensions ........................................................88
Controlling attachment file sizes to minimize conversion resource requirements...............................88
Set the maximum file size for an attachment .....................................................................................89
Set the maximum dimensions for images............................................................................................89
Controlling attachment file sizes to minimize upload resource requirements......................................90
Change attachment upload file size maximums..................................................................................91
Prevent attachment uploads...................................................................................................................91
10 Customizing wireless access to enterprise applications ............................................................................93

Central push servers.......................................................................................................................................93
Set the central push server ....................................................................................................................93
Customize how BlackBerry devices authenticate with web servers........................................................94
Configure how BlackBerry devices authenticate with web servers .................................................94
Configure the BlackBerry MDS Connection Service to authenticate with servers
that use NTLM..........................................................................................................................................94
Configure the BlackBerry MDS Connection Service to authenticate with servers that use Ker-
beros ..........................................................................................................................................................94
Configure the BlackBerry MDS Connection Service to authenticate with servers
that use LTPA ...........................................................................................................................................95
Configure the BlackBerry MDS Connection Service to authenticate with the RSA Authentication
Manager....................................................................................................................................................95
Restricting users’ access to web content ................................................................................................... 96
Restrict web content requests from BlackBerry devices .................................................................. 96
Create and assign a rule to a type of web content request ............................................................. 96
Assign a rule to a user account or group .............................................................................................97
Restricting user access to types of media...................................................................................................98
Create a media content restriction.......................................................................................................98
Manage media content restrictions..................................................................................................... 99
Control how the BlackBerry MDS Connection Service manages web requests from
BlackBerry devices......................................................................................................................................... 99
Permitting push applications to make trusted connections to the BlackBerry MDS
Connection Service....................................................................................................................................... 100
Publish the BlackBerry MDS Connection Service certificate to permit push applications to make
trusted connections with the BlackBerry MDS Connection Service.............................................. 100
Export the BlackBerry MDS Connection Service certificate to make it available to other applica-
tions .......................................................................................................................................................... 101
Permit Java applications to trust the BlackBerry MDS Connection Service certificate .............. 101
Customizing how applications make trusted connections to web servers............................................ 101
Configure the BlackBerry MDS Connection Service to query LDAP servers for trusted application
certificates ............................................................................................................................................... 101
Configure the BlackBerry MDS Connection Service to retrieve the status of a certificate from an
OCSP server............................................................................................................................................ 102
Permit BlackBerry devices to connect to untrusted web servers ................................................... 102
Permit BlackBerry devices to connect to trusted web servers........................................................ 103
Permit the BlackBerry MDS Connection Service to accept an SSL connection with a push appli-
cation to send content to BlackBerry devices ................................................................................... 103
Restricting the resources that push applications can access ................................................................ 103
Restrict push application access to resources on a BlackBerry Enterprise Server...................... 104
Create and assign a rule to a push application ................................................................................ 104
Assign a rule to a user account or group ........................................................................................... 105
Associate a push initiator with the BlackBerry MDS Services........................................................ 106
Managing push application requests ........................................................................................................ 106
Permit the transfer of application-reliable push requests between BlackBerry devices and the
BlackBerry MDS Connection Service on device ports...................................................................... 106
Store push application requests in the BlackBerry Configuration Database................................107
Delete push requests from the BlackBerry Configuration Database .............................................107
Configure the number of simultaneous push application requests that the BlackBerry MDS Con-
nection Service can process..................................................................................................................107
Clear the push queue manually........................................................................................................... 108
Configure how the BlackBerry MDS Connection Service connects to BlackBerry devices............... 108
11 Managing user accounts ...................................................................................................................................111

Managing user groups ................................................................................................................................... 111
Change properties for a group ............................................................................................................. 111
Manage a group ...................................................................................................................................... 111
Managing users.............................................................................................................................................. 112
Move or delete a user account.............................................................................................................. 112
Update a user account manually ........................................................................................................ 113
12 Managing BlackBerry Device Software and wireless applications .......................................................... 115

Managing applications on BlackBerry devices ......................................................................................... 115
Upgrade an application on a BlackBerry device................................................................................ 115
Remove an application from a BlackBerry device ............................................................................ 115
Change or delete an application control policy ................................................................................ 116
Managing software configurations ............................................................................................................. 116
Manage a software configuration........................................................................................................ 116
13 Managing a BlackBerry Domain .....................................................................................................................119

Monitoring the BlackBerry services and components in a BlackBerry Domain................................... 119
Customize how the BlackBerry Controller monitors BlackBerry services..................................... 120
Accessing log files for BlackBerry services ................................................................................................122
Customize how BlackBerry services creates log files........................................................................122
Customize how the BlackBerry MDS Connection Service creates a log file ................................124
Customize how the BlackBerry Collaboration Service creates a log file ......................................125
Monitor PIN messages, SMS messages, and phone calls in a BlackBerry Domain .................... 126
Managing different BlackBerry Domains...................................................................................................127
Connect the BlackBerry Manager to a different BlackBerry Domain ...........................................127
Managing license keys..................................................................................................................................128
Add or remove a license key ................................................................................................................128
Copy a license key to a text file ...........................................................................................................128
A Appendix: Role matrix...................................................................................................................................... 129

Domain tasks ................................................................................................................................................. 129
BlackBerry Enterprise Server tasks ............................................................................................................ 130
Group tasks.....................................................................................................................................................133
User tasks........................................................................................................................................................135
BlackBerry device management tasks........................................................................................................137
Tools menu ......................................................................................................................................................137
B Appendix: Wireless backup and restore ....................................................................................................... 139

BlackBerry device data that the BlackBerry Enterprise Server does not back up over the wireless net-
work................................................................................................................................................................. 139
1
Mapping roles in your organization to
BlackBerry roles
Administrative roles
Adding database users to administrative roles
Set how the BlackBerry Manager authenticates with the database server
Managing administrative roles
Administrative roles
The BlackBerry® Enterprise Server uses predefined roles, which correspond to common corporate administrative
roles, to control who can perform specific tasks and limit who can access sensitive data in your organization.
You assign database users—either trusted Microsoft® Windows® users or groups, or SQL logins—to each role. If
you already manage your organization using Microsoft Windows groups, assign those groups to the administrative
roles so that you can manage role membership through the group.
When you start the BlackBerry Manager, the BlackBerry Manager checks your authentication credentials,
determines your administrative role, and then displays a list of the tasks that you can complete.
Throughout this guide, icons appear beside tasks to indicate which administrative roles can perform the tasks.
Icon Role Description

Security administrator These administrators can perform all tasks. They are the only administrators who can manage role
(rim_db_admin_security) membership and change sensitive security properties, such as licenses and encryption keys.
Enterprise administrator These administrators can perform all tasks that relate to user accounts, services, BlackBerry
(rim_db_admin_enterprise) Enterprise Servers, and global application data.
These administrators cannot view role membership, licenses, or encryption keys.
Device administrator These administrators can perform all tasks that relate to user accounts and BlackBerry device
(rim_db_admin_handheld) management, including supporting new user accounts, implementing BlackBerry devices,
managing software configurations, and managing the installation and behavior of third-party
applications on BlackBerry devices.
Senior help desk administrator These administrators can perform all user account management tasks, including adding, moving,
(rim_db_admin_sr_helpdesk) and deleting user accounts, updating and sending IT policies to BlackBerry devices, and sending IT
administration commands to BlackBerry devices.
Junior help desk administrator These administrators can perform user account management tasks, including creating and sending
(rim_db_admin_jr_helpdesk) wireless enterprise activation passwords, and resending service books or IT policies. These
administrators cannot add, move, or delete user accounts or send certain IT administration
commands.
BlackBerry Enterprise Server for Microsoft Exchange System Administration Guide
Icon Role Description

— (rim_db_admin_audit_<role>) These administrators can view all the tasks and properties associated with their role, but cannot
perform the tasks or change the properties. Use this view-only access to each role when training
new administrators.
Adding database users to administrative roles

Assign database users to administrative roles based on the existing distribution of responsibility in your
organization.
To create database users using the BlackBerry Manager, you require System Administrator permission on the
database server.
If you type the user name only, you create a SQL login. If you type a name preceded by a domain name (for
example, DOMAIN\username), you create a SQL login for a Microsoft Windows user or group.
Do not add a database user to more than one administrative role. The BlackBerry Configuration Database uses the
most restrictive settings to determine which tasks the BlackBerry Manager displays, so a database user who is
both an enterprise administrator and a junior help desk administrator sees only the tasks for the junior help desk
administrator.
Add a database user to an administrative role

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Role Administration tab, click a role name.
3. Perform one of the following actions:
Action Procedure
Add an existing database user to the administrative role. 1. Click List Administrators.
2. Click the database user to add to the role.
3. Click OK.
Create a new database user and assign it to the 1. Click Add Administrators.
administrative role. 2. Type a new login name.
3. Type a new password.
4. Confirm the new password.
4. Click OK.
Set how the BlackBerry Manager authenticates with the

database server
By default, the BlackBerry Manager automatically accepts the Microsoft Windows authentication credentials you
supply when you log into your computer. If you are assigning SQL logins to administrative roles, you must change
the type of authentication credentials that the BlackBerry Manager accepts.
14
1: Mapping roles in your organization to BlackBerry roles
Use database authentication credentials

1. In the BlackBerry Manager, on the Tools menu, click Options.
2. Click Database.
3. In the Authentication drop-down list, click Database Authentication.
4. Click OK.
5. Close the BlackBerry Manager.
6. Open the BlackBerry Manager.
Managing administrative roles

As organizational changes occur, you might need to remove a database user from an administrative role or move a
database user to a new administrative role.
If you move a database user to a new administrative role, the database permissions change immediately. Database
users must restart the BlackBerry Manager to update the tasks associated with their new administrative role. If
they do not restart the BlackBerry Manager, unpredictable effects occur.
Manage an administrative role

2. On the Role Administration tab, click the role to which the database user is assigned.
Action Procedure
Move a database user to another administrative 1. Click List Administrators.
role. 2. Click the new administrative role for the database user.
3. Select the database user.
4. Click OK.
5. Instruct the database user to restart the BlackBerry Manager.
Remove a database user from an administrative 1. Click Remove Administrators.
role. 2. In the drop-down list, click the database user.
3. Click OK.
4. Click OK.
15
16
2
Setting up the BlackBerry environment
Protecting BlackBerry device data in transit
Extending protection of BlackBerry device data in transit
Replacing global scrambling of PIN-to-PIN messages with organization-specific scrambling
Configuring a BlackBerry component to use a proxy server
Associating a BlackBerry component with multiple BlackBerry Enterprise Servers
Configuring address lookup support in a hosted environment
Protecting BlackBerry device data in transit

From the time the user sends data (for example, an email message) from the BlackBerry device until the
BlackBerry Enterprise Server receives the message, and from the time the BlackBerry Enterprise Server receives
and forwards data (for example, an email message) to the user until the user opens the message on the BlackBerry
device, standard BlackBerry encryption uses a symmetric algorithm to protect the message.
Consider setting the BlackBerry Enterprise Server to use Advanced Encryption Standard (AES) encryption for all
communication with BlackBerry devices. Visit www.blackberry.com/knowledgecenterpublic/ to see article KB-
05429 for more information.
Encryption algorithm Description Notes

Triple DES enables use of the Triple Data Encryption • provides Triple DES encryption only on BlackBerry devices
Standard (Triple DES or 3DES) algorithm to
encrypt and decrypt all data communication
between the BlackBerry Enterprise Server and
all BlackBerry devices on the BlackBerry
Enterprise Server
AES enables use of the AES algorithm to encrypt and • designed to use a longer encryption key to provide a better
decrypt all data communication between the combination of security and performance than Triple DES
BlackBerry Enterprise Server and all BlackBerry • designed to protect user data and encryption keys from
devices on the BlackBerry Enterprise Server traditional and side-channel attacks
• requires BlackBerry® Desktop Software Version 4.0 or
later and BlackBerry® Device Software Version 4.0 or later
Triple DES and AES enables use of both the Triple DES and the AES • default encryption method
algorithms to encrypt and decrypt all data • provides Triple DES encryption on BlackBerry devices that
communication between the BlackBerry do not support AES (BlackBerry devices running
Enterprise Server and all BlackBerry devices on BlackBerry Device Software versions earlier than 4.0)
the BlackBerry Enterprise Server • provides AES encryption by default on BlackBerry devices
that support AES
See the BlackBerry Enterprise Solution Security Technical Overview for more information.
Set an encryption algorithm

If you change the encryption algorithm, you must re-activate all of the BlackBerry devices in the BlackBerry
Domain to enable users to send and receive messages on their BlackBerry devices again. See “Setting up the
BlackBerry environment” on page 17 for more information.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. On the Server Configuration tab, click Edit Properties.
3. Click General.
4. In the Security section, click Encryption Algorithm.
5. In the drop-down list, click one of the following encryption types:
• Triple DES
• AES
• Triple DES and AES
6. Click OK.
Extending protection of BlackBerry device data in transit

Additional digital signature and encryption technology is designed to enable sender-to-recipient authentication
and confidentiality and help maintain data integrity and privacy from the time that the originator of the message
sends it over the wireless network until the message is decoded and read by the message recipient.
Protect data using the PGP Support Package

To digitally sign, encrypt, or sign and encrypt data that the BlackBerry device sends to the BlackBerry Enterprise
Server using the PGP® Support Package, you must set the PGP Universal Server Address IT policy rule in the IT
policy that you assign to the users, and each user must install the PGP Support Package on the BlackBerry device
and enroll with the PGP Universal Server.
When the BlackBerry Enterprise Server pushes the IT policy to the BlackBerry devices to which you have applied
the IT policy, with the PGP Universal Server Address rule set to the PGP Universal Server URL, the BlackBerry
devices prompt the users who have installed the PGP Support Package to enroll with PGP®.
With PGP Support Package 4.2 or later, users can receive PGP/MIME format messages on BlackBerry devices with
the PGP Support Package installed, and users with both the PGP Support Package and the S/MIME Support
Package installed and enabled on their BlackBerry devices can download PGP keys with attached S/MIME X.509
certificates from the PGP Universal Server and use them in compliance with the PGP Universal Server secure
email policy. The PGP Support Package continues to support OpenPGP format messages.
See the PGP Support Package Security Technical Overview for more information.
18
2: Setting up the BlackBerry environment
Protect data using the S/MIME Support Package

To digitally sign, encrypt, or digitally sign and encrypt data that the BlackBerry device sends to the BlackBerry
Enterprise Server using the S/MIME Support Package
• you must enable S/MIME message processing on the BlackBerry Enterprise Server
• the user must install the S/MIME Support Package on the BlackBerry device and add the Certificate
Synchronization Manager to the BlackBerry® Desktop Manager
Enable S/MIME message processing on the BlackBerry Enterprise Server

3. Click Messaging.
4. In the Secure Messages section, click Enable S/MIME Message Processing.
5. In the drop-down list, click True.
6. Click OK.
Set additional S/MIME encryption options

3. Click Messaging.
4. In the Secure Messages section, set the desired encryption options.
5. Click OK.
See the S/MIME Support Package Security Technical Overview for more information.
Replacing global scrambling of PIN-to-PIN messages with

organization-specific scrambling
All BlackBerry devices have a common, global peer-to-peer encryption key by default. You can limit the number of
BlackBerry devices that can decrypt personal identification number (PIN) messages that users in your
organization send from their BlackBerry devices by generating a new peer-to-peer encryption key that is known
only to BlackBerry devices in your organization. BlackBerry devices with an organization specific peer-to-peer
encryption key can send and receive PIN messages with other BlackBerry devices with the same organization
peer-to-peer encryption key only.
You should generate a new organization peer-to-peer encryption key if you know that the current corporate peer-
to-peer encryption key is compromised.
2. On the Global tab, expand Service Control & Customization.
3. Click Update Peer-to-Peer Encryption Key.
19
4. Click Set or update the Peer-to-Peer encryption key for all devices within this organization.
5. Click Yes.
See the BlackBerry Enterprise Solution Security Technical Overview for more information.
Configuring a BlackBerry component to use a proxy server

Create proxy mapping rules for the BlackBerry® Mobile Data System Connection Service, BlackBerry
Collaboration Service, and BlackBerry MDS Services to access URLs on the Internet and intranet. Use the proxy
method that is consistent with how other applications and servers within your organization access web content.
Because corporate proxy servers do not permit traffic between servers on the same side of the firewall, you can
configure BlackBerry components to use a proxy auto-configuration (.pac) file or to access the Internet directly
through a proxy server. You can also configure multiple proxy servers to handle traffic to specific URLs, and you
can configure URLs that BlackBerry components can access without passing through a proxy server.
The BlackBerry MDS Services send applications and data to BlackBerry devices through the central push server.
The BlackBerry MDS Connection Service cannot communicate with the BlackBerry MDS Services through a proxy
server. If you configure the BlackBerry MDS Connection Service to use a proxy server, when you associate the
BlackBerry MDS Services with the BlackBerry Enterprise Server, the BlackBerry Manager creates a direct
connection between the BlackBerry MDS Connection Service and the BlackBerry MDS Services. See “Associating
a BlackBerry component with multiple BlackBerry Enterprise Servers” on page 23 for more information. If you use
a PAC file configuration, modify the PAC file to allow a direct connection between the BlackBerry MDS
Connection Service and the BlackBerry MDS Services.
When you create a proxy mapping rule for a URL, you can configure whether the BlackBerry component
authenticates with the proxy server on behalf of the BlackBerry device. See “Configure BlackBerry components to
authenticate with a proxy server on behalf of BlackBerry devices” on page 22 for more information.
Access web servers using a .pac file

1. In the BlackBerry Manager, in the left pane, perform one of the following actions:
Action Procedure
Configure PAC file settings for the 1. Click a BlackBerry MDS Connection Service.
BlackBerry MDS Connection Service. 2. On the Connection Service tab, click Edit Properties.
Configure PAC file settings for the 1. Click a BlackBerry Collaboration Service.
BlackBerry Collaboration Service. 2. On the Collaboration Service tab, click Edit Properties.
Configure PAC file settings for the 1. Click a BlackBerry MDS Services server.
BlackBerry MDS Services. 2. On the MDS Services tab, click Edit Properties.
2. Click Proxy.
3. Double-click Proxy Mappings.
4. Click New.
20
5. In the Universal Resource Locator field, type the URL expression that you want to use the proxy mapping rule
to control.
6. In the Description field, type a description for the proxy mapping rule.
7. Double-click Proxy String.
8. Click New.
9. From the Proxy Type drop-down list, perform one of the following actions:
Action Procedure
Detect a PAC file automatically. 1. Click AUTO.
2. Double-click the Proxy String field and delete the default value.
Specify the location of the PAC file. 1. Click PAC.
2. Double-click the Proxy String field and type the proxy server name, port number, and
location of the PAC file, for example, http://<ProxyServer>:<Port>/<PACFilePath>/
<PACFileName>.
10. Click OK.

11. Click OK.
Access web servers through a proxy server

When BlackBerry components access web servers through a proxy server, you can specify more than one proxy
string in a proxy mapping rule for a URL. BlackBerry components use defined proxy strings in the order that they
appear for the URL. If a BlackBerry component uses the first proxy string for a URL and cannot successfully access
the web server, the BlackBerry component then uses the next defined proxy string in the proxy mapping rule. For
example, you can create a proxy mapping rule to permit a specific URL to use a non-default proxy server, and if
that server is unavailable, you can define a secondary proxy string to allow the URL access to the web server
through the default corporate proxy server.
Action Procedure
Configure proxy settings for the BlackBerry 1. Click a BlackBerry MDS Connection Service.
MDS Connection Service. 2. On the Connection Service tab, click Edit Properties.
Configure proxy settings for the BlackBerry 1. Click a BlackBerry Collaboration Service.
Collaboration Service. 2. On the Collaboration Service tab, click Edit Properties.
Configure proxy settings for the BlackBerry 1. Click a BlackBerry MDS Services server.
MDS Services. 2. On the MDS Services tab, click Edit Properties.
2. Click Proxy.
4. Click New.
21
5. In the Universal Resource Locator field, type the URL expression that you want to use the proxy mapping rule
to control.
6. In the Description field, type a description of the proxy mapping rule.
7. Double-click Proxy String.
8. Click New.
9. From the Proxy Type drop-down list, perform any of the following actions:
Action Procedure
Configure a proxy server. 1. Click PROXY.
2. Double-click the Proxy String field and type the proxy server name and port number.
Exclude the URL from routing through the 1. Click DIRECT.
proxy server. 2. Double-click the Proxy String field and delete the default value.
10. Click OK.

11. Click OK.
Configure BlackBerry components to authenticate with a proxy server on

behalf of BlackBerry devices
Action Procedure
Configure authentication settings between 1. Click a BlackBerry MDS Connection Service.
the BlackBerry MDS Connection Service 2. On the Connection Service tab, click Edit Properties.
and a proxy server.
Configure authentication settings between 1. Click a BlackBerry Collaboration Service.
the BlackBerry Collaboration Service and a 2. On the Collaboration Service tab, click Edit Properties.
proxy server.
Configure authentication settings between 1. Click a BlackBerry MDS Services server.
the BlackBerry MDS Services and a proxy 2. On the MDS Services tab, click Edit Properties.
server.
2. Click Proxy.
4. Click a URL.
5. Click Properties.
6. In the User Name field, type the user name that the BlackBerry component uses to connect to the proxy
server defined for the URL.
7. In the Password field, type the password for the user name.
8. In the Password (Confirmation) field, retype the password.
9. Click OK.
22
Associating a BlackBerry component with multiple

BlackBerry Enterprise Servers
Assign one BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and BlackBerry MDS Services
server to multiple BlackBerry Enterprise Servers in the BlackBerry Domain. If your BlackBerry Domain contains
one BlackBerry Enterprise Server, the BlackBerry MDS Connection Service, BlackBerry Collaboration Service, and
the BlackBerry MDS Services server are associated with the single BlackBerry Enterprise Server instance
automatically.
Assign a BlackBerry MDS Connection Service to multiple BlackBerry

Enterprise Servers
Set the central push server as the primary BlackBerry MDS Connection Service that multiple BlackBerry Enterprise
Servers use to transfer application data and permit HTTP browsing on BlackBerry devices. See “Set the central
push server” on page 93 for more information.
3. Click MDS CS to BES Mapping.
4. In the BES Mappings dialog box, in the left pane, click the BlackBerry MDS Connection Service.
5. In the right pane, select the BlackBerry Enterprise Server(s).
6. Click OK.
Assign a BlackBerry Collaboration Service to multiple BlackBerry Enterprise

Servers
3. Click IM to BES Mapping.
4. In the IM to BES Mappings dialog box, in the left pane, click the BlackBerry Collaboration Service.
5. In the right pane, select the BlackBerry Enterprise Server(s).
6. Click OK.
Assign BlackBerry MDS Services to multiple BlackBerry Enterprise Servers

Make the BlackBerry MDS Studio Applications published in the BlackBerry MDS Services repository available to
users on multiple BlackBerry Enterprise Servers.
23
The BlackBerry MDS Services push applications and data to BlackBerry devices through the central push server.
See “Set the central push server” on page 93 for more information. When you assign a BlackBerry MDS Services
server to a BlackBerry Enterprise Server, if the BlackBerry MDS Connection Service uses a proxy, the BlackBerry
Manager maps a direct connection between the BlackBerry MDS Connection Service and the BlackBerry MDS
Services. The BlackBerry MDS Services cannot communicate with the BlackBerry MDS Connection Service
through a proxy server.
Note: The BlackBerry Manager prompts you to install a Secure Sockets Layer (SSL) certificate the first time that you select the
BlackBerry MDS Services server. See “Establish server authentication between the BlackBerry MDS Services and the BlackBerry
Manager” on page 55 for more information.
3. Click Connection Service.
4. Click BlackBerry MDS Services Server URL.
5. In the drop-down list, click the BlackBerry MDS Services server.
6. Click OK.
Configuring address lookup support in a hosted environment

If you are hosting a BlackBerry Enterprise Server and more than one organization subscribes to your hosted
service, you must customize the address lookup function. The address lookup function enables users to access an
organization’s contact list, for example, the Global Address List (GAL), and download the information for one or
more users to their BlackBerry devices. Customizing the address lookup function restricts users from accessing
contact information from another organization.
You must make sure that each user’s organization name is listed accurately and consistently in the GAL. For
example, if the organization name is listed as an acronym in some entries and is written out in others, the address
lookup request might return inaccurate results. If a user looks up contact information for a user whose
organization name is not specified, the address lookup request does not return any results.
Instruct users to type the entire email address when composing messages to prevent address lookup requests from
failing or returning inaccurate results.
If you do not want to use the default address lookup function, you can set the BlackBerry Enterprise Server to look
up user addresses using Lightweight Directory Access Protocol (LDAP). LDAP enables users to perform more
comprehensive searches for addresses in the GAL. LDAP does not search for a user’s organization name in the
GAL. Instead, it uses an LDAP field as a filter for retrieving users with a specific organization name. You can either
select an existing LDAP field, or you can create a custom field.
Customize the address lookup function

1. At the command prompt, type regedit.
2. In the left pane, browse to HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerry Enterprise
Server\Agents.
24
3. Verify that the value of the AllowAddressLookup DWORD value is set to 1.

4. Create a DWORD value called HostedServer.
5. Set the value to 1.
6. On the computer on which the BlackBerry Enterprise Server is installed, in the Services window, restart the
BlackBerry Controller service.
Use LDAP for address lookup

Server\Agents.
3. Create a DWORD value called LDAPSearch.
5. Create a DWORD value called LDAPALPSearch.
Create a custom field for LDAP address lookup

Server\Agents.
3. Create a String value called LDAPCompanyField.
4. Set the value to a string that represents the LDAP field that you want to use as the company name field.
25
26
3
Setting up user accounts on the BlackBerry
Enterprise Server
Adding user accounts
Managing user groups
Customizing organizer data synchronization
Adding user accounts

When you add a user account to the BlackBerry Enterprise Server, the user’s Microsoft Exchange mailbox does not
have to be in the same Microsoft Exchange site or routing group as the BlackBerry Enterprise Server.
Add a user account to only one BlackBerry Enterprise Server at a time.
If you add a user account that was previously on another BlackBerry Enterprise Server in a different BlackBerry
Domain, or the user previously used the BlackBerry Desktop Redirector, you must implement the BlackBerry
device. See “Implementing BlackBerry devices” on page 47 for more information.
Add a user account

2. On the Server Configuration tab, click Common.
3. Click Add Users.
4. In the Show Names from the drop-down list, click an address group.
5. In the user list, click a user.
6. Click Select.
7. Click OK.

Create groups of user accounts in the BlackBerry Domain to apply common configuration properties for the group
or perform administrative tasks on all user accounts in the group. User accounts in a group can exist on different
BlackBerry Enterprise Servers in the BlackBerry Domain. After you create a group, set the properties that you want
to apply to all user accounts in the group. When you add user accounts to a group, the user accounts are assigned
the group properties automatically.
You can copy properties from an existing group to a new group.
Create a group
1. In the BlackBerry Manager, in the left pane, click User Groups.
2. Click Create Group.
3. In the Group Name field, type a name.
4. In the Description field, type a description.
5. Click OK.
Action Procedure
Add properties to the group. 1. Click Edit Group Template.
2. Set the desired properties. See “Customizing BlackBerry messaging” on page 67 for
more information.
Copy the properties from an existing group. 1. In the Group Name list, click the group from which to copy properties.
2. Click Copy Properties to Another Group.
3. Click the group to which to copy the properties.
7. Click OK.
Assign a user to a group

2. On the Users tab, click a user account.
3. Click Account.
4. Click Assign To Group.
5. Click a group name.
6. Click OK.
Customizing organizer data synchronization

You synchronize organizer data (PIM) items such as tasks, memos, and contacts so that the entries on a user’s
BlackBerry device and the entries on the desktop email application are consistent.
You can set synchronization options globally for all user accounts in the BlackBerry Domain or you can set
synchronization options for a specific user account. By default, wireless synchronization of all organizer data
applications is enabled for a user account.
28
3: Setting up user accounts on the BlackBerry Enterprise Server
Configure organizer data synchronization for all user accounts

2. On the Global tab, click Edit Properties.
3. Click Global PIM Sync.
Action Procedure
Turn off message filter synchronization. 1. In the Message Filters section, click Synchronization enabled.
2. In the drop-down list, click False.
Turn off tasks synchronization. 1. In the Tasks section, click Synchronization enabled.
Turn off message setting synchronization. 1. In the Message Settings section, click Synchronization enabled.
Turn off memo synchronization. 1. In the Memos section, click Synchronization enabled.
Turn off address book synchronization. 1. In the Address Book section, click Synchronization enabled.
Turn off organizer data synchronization for 1. Click Wireless Synchronization Enabled.
a specific user account. 2. In the drop-down list, click False.
5. Click OK.
Configure organizer data synchronization for a specific user account

2. On the Users tab, double-click a user account.
3. Click PIM Sync.
Action Procedure
Turn off message filter synchronization. 1. In the Message Filters section, click Synchronization enabled.
Turn off tasks synchronization. 1. In the Tasks section, click Synchronization enabled.
Turn off message setting synchronization. 1. In the Message Settings section, click Synchronization enabled.
Turn off memo synchronization. 1. In the Memos section, click Synchronization enabled.
Turn off address book synchronization. 1. In the Address Book section, click Synchronization enabled.
29
Action Procedure
Turn off organizer data synchronization. 1. Click Wireless Synchronization Enabled.
5. Click OK.
Set the organizer data synchronization type for all user accounts
4. Locate an organizer data application in the list.
5. Select one of the following synchronization options:
• Server to Device: synchronizes data from the BlackBerry Enterprise Server to the BlackBerry device only
• Device to Server: synchronizes data from the BlackBerry device to the BlackBerry Enterprise Server only
• Bidirectional: synchronizes data from the BlackBerry device to the BlackBerry Enterprise Server and from
the BlackBerry Enterprise Server to the BlackBerry device
6. Click OK.
Set the organizer data synchronization type for a specific user account
3. Click PIM Sync.
4. Locate an organizer data application in the list.
5. Select one of the following synchronization options:
• Server to Device: synchronizes data from the BlackBerry Enterprise Server to the BlackBerry device only
• Device to Server: synchronizes data from the BlackBerry device to the BlackBerry Enterprise Server only
• Bidirectional: synchronizes data from the BlackBerry device to the BlackBerry Enterprise Server and from
the BlackBerry Enterprise Server to the BlackBerry device
6. Click OK.
Set how organizer data conflicts are resolved for all user accounts
30
3: Setting up user accounts on the BlackBerry Enterprise Server
4. For each organizer data application in the list, select one of the following conflict resolution options:
• Server Wins: the BlackBerry Enterprise Server information overrules the BlackBerry device information
• Device Wins: the BlackBerry device information overrules the BlackBerry Enterprise Server information
5. Click OK.
Set how organizer data conflicts are resolved for a specific user account
2. On the User List tab, double-click a user account.
3. Click PIM Sync.
4. For each organizer data application in the list, select one of the following conflict resolution options:
• Server Wins: the BlackBerry Enterprise Server information overrules the BlackBerry device information
• Device Wins: the BlackBerry device information overrules the BlackBerry Enterprise Server information
5. Click OK.
31
32
4
Controlling the BlackBerry environment
Controlling which BlackBerry devices can connect to the BlackBerry Enterprise Server
Controlling BlackBerry device and BlackBerry Desktop Software behavior
Controlling custom applications using IT policy rules
Create an IT policy
Assign an IT policy to a user account or group
Managing IT policies
Controlling which BlackBerry devices can connect to the

BlackBerry Enterprise Server
Turn on the Enterprise Service Policy to control which BlackBerry devices can connect to the BlackBerry Enterprise
Server. After you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server still permits connections
from BlackBerry devices previously added to the BlackBerry Enterprise Server, but it prevents connections from
BlackBerry devices added thereafter by default.
Note: The Enterprise Service Policy also applies to BlackBerry devices with BlackBerry® Connect™ software or BlackBerry® Built-In™
software.
Define BlackBerry device criteria in an “approval list” to turn on and turn off BlackBerry Enterprise Server access
for BlackBerry devices. BlackBerry devices that meet the approval list criteria can complete wireless enterprise
activation on that BlackBerry Enterprise Server.
You can define the following types of criteria:
• specific, permitted BlackBerry device PINs, as a string
• a permitted range of BlackBerry device PINs
• specific, permitted manufacturers and models of BlackBerry devices
The BlackBerry Manager includes lists of permitted manufacturers and models based on the properties of
BlackBerry devices already added to the BlackBerry Enterprise Server. You can clear items in these lists to prevent
further connections from BlackBerry devices of a specific manufacturer or model.
You can permit a specific user account to override the Enterprise Service Policy. If you then configure the approval
list with criteria that excludes that user’s BlackBerry device, the user account can still connect to the BlackBerry
Enterprise Server.
Enable the Enterprise Service Policy

2. In the right pane, click Service Control & Customization.
3. Click Enable Enterprise Service Policy.

4. Click OK.
6. Click Enterprise Service Policy.
7. Set the desired properties.
8. Click OK.
Permit a user account to override the Enterprise Service Policy

3. Click Edit Properties.
4. Click ES Policy Override
6. Click OK.
Controlling BlackBerry device and BlackBerry Desktop

Software behavior
Use one or more IT policies to control the behavior of BlackBerry devices and BlackBerry® Desktop Software in
your organization.
An IT policy is a set of one or more IT policy rules. The default IT policy includes all standard IT policy rules on the
BlackBerry Enterprise Server. When a new user account in a BlackBerry Domain completes enterprise activation on
the BlackBerry Enterprise Server, the BlackBerry Enterprise Server automatically pushes the default IT policy to
that user’s BlackBerry device. The standard IT policy rules do not enforce the default BlackBerry device or
BlackBerry Desktop Software behavior.
You can use either of the following methods to change the default behavior of BlackBerry devices and BlackBerry
Desktop Software in your organization:
• set the values of IT policy rules in the default IT policy
• create or import a new IT policy, set its IT policy rule values, and assign one or more user accounts or user
groups to the new IT policy
The BlackBerry Enterprise Server must resend the IT policy to the BlackBerry device to update the BlackBerry
device and BlackBerry Desktop Software behavior over the wireless network. By default, the BlackBerry Enterprise
Server is designed to resend the IT policy to the BlackBerry devices of users that are assigned to that IT policy
within a short period of time after you update the IT policy.
34
4: Controlling the BlackBerry environment
You can also resend an IT policy to the user account of a specific BlackBerry device manually. You can configure
the BlackBerry Enterprise Server to resend IT policies to BlackBerry devices on that specific BlackBerry Enterprise
Server at a scheduled interval regardless of whether you have changed the IT policies. When the BlackBerry device
receives an updated default IT policy or a new IT policy, the BlackBerry device and BlackBerry Desktop Software
apply the configuration changes
Change the default behavior

An IT policy rule enables you to customize and control BlackBerry device or BlackBerry Desktop Software
functionality by
• setting an IT policy rule to a True or False value
• typing a string that simultaneously turns on an IT policy rule and provides the parameters for its use
• selecting a predefined, permitted value to assign to an IT policy rule
Some IT policy rules have a corresponding, user-accessible field on the BlackBerry device.
• When you set an IT policy rule to a True or False value, you prevent the user from selecting another value for a
corresponding field on the BlackBerry device.
• When you type a string that simultaneously turns on an IT policy rule and provides the parameters for its use,
the user cannot change the value of a corresponding field on the BlackBerry device.
• When you select a predefined, permitted value to assign to an IT policy rule, you restrict the values that the
user can set for a corresponding field on the BlackBerry device.
A lock icon next to a field on the BlackBerry device indicates that its setting is controlled by the IT policy and the
user cannot change it.
You can add a standard IT policy rule to, remove a standard IT policy rule from, or change the assigned value of a
standard IT policy rule in an IT policy. You cannot add, remove, or change the permitted values for a standard IT
policy rule. You also cannot delete the standard IT policy rules.
You can add a new IT policy rule to, remove a new IT policy rule from, or change the assigned value of a new IT
policy rule in an IT policy the same way that you change a standard IT policy rule in an IT policy.
Revert to the default behavior

To revert to the default behavior for the functionality that an IT policy rule customizes or controls, you can set an IT
policy rule to Default, if that setting is available, or delete the value that you set previously for an IT policy rule.
If you have assigned user accounts to a new IT policy, you can delete the new IT policy to revert those user
accounts to the default behavior for all functionality on the BlackBerry device and the BlackBerry Desktop
Software. The BlackBerry Enterprise Server reassigns those user accounts to the default IT policy automatically
and resends the default IT policy to the BlackBerry device, enforcing the default settings. You cannot delete the
default IT policy.
35
Controlling custom applications using IT policy rules

Create new IT policy rules to control custom applications that your organization develops to run in BlackBerry
environments. After you create a new IT policy rule, you can add it and assign a value to it in a new or existing IT
policy. Only your own custom applications can use new IT policy rules that you create. You cannot create new IT
policy rules to control standard BlackBerry device functionality.
Create an IT policy
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. Configure the IT policy rules by performing the following actions:
• In the left pane, click a policy group.
• In the right pane, double-click the IT policy rule.
• Set a value for the IT policy rule.
9. Click OK.
Create an IT policy based on an existing IT policy

3. Click IT Policy.
5. Click an IT policy.
6. Click New Copy.
7. Type a name for the new IT policy.
• In the right pane, double-click the IT policy rule.
9. Click OK.
36
Assign an IT policy to a user account or group

Action Procedure
Assign an IT policy to a user account. 1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policy to User Mapping.
5. In the left pane, click a user account.
6. In the right pane, select the desired IT policy.
7. Click OK.
Assign an IT policy to a group. 1. In the BlackBerry Manager, in the left pane, click User Groups List.
2. In the Group Name list, click a group.
3. Click Edit Group Template.
4. Click IT Policy.
5. In the right pane, select the IT Policy Name option to override any user exceptions to the IT
policy rules.
6. In the drop-down list, click an IT policy.
7. Click Reapply Template.
8. Click Yes.
9. Click OK.
Managing IT policies
Change an IT policy rule setting in an IT policy
3. Click IT Policy.
5. In the list of policies, click an IT policy.
• In the right pane, click an IT policy rule.
8. Click OK.
See the Policy Reference Guide for more information.
37
Create an IT policy rule for a custom application

3. Click IT Policy.
5. Click the desired IT policy.
7. In the Properties list, click User Defined Items.
8. Double-click IT Policy Template.
9. Click New.
10. Perform the following actions:
Action Procedure
Set the IT policy rule name. > Type a name for the custom IT policy rule.
Explain how the IT policy rule can > Type a description for the custom rule.
be used.
Identify the type of values that the > In the drop-down list, click Boolean, Integer, String, Bitmask, or Multiline String.
IT policy rule uses.
Identify where the IT policy rule is > In the drop-down list, click Handheld, Desktop, or Both.
enforced.
Set the minimum integer value. > Type the minimum value that an integer IT policy rule can accept.
Set the maximum integer value. > Type the maximum value that an integer IT policy rule can accept.
Set bitmask data. > Type the data that a bitmask IT policy rule can accept. Include up to 8 related boolean values.
You can assign a bit option name for one, some, or all of the 8-bit values.
For example, you might create a bitmask IT policy rule called Allowed Features with 3 boolean bit
values where bit 0 is named Phone, bit 1 is named Browser, and bit 2 is named Third-Party Apps.
11. Click OK.

12. In the Policy Item Settings section, provide a value for the IT policy rule in this IT policy.
13. Click OK.
Change or delete IT policy rules for custom applications

3. Click IT Policy.
5. Click Default.
38
7. In the Properties list, click User Defined Items.
8. Double-click IT Policy Template.
9. Click an IT policy rule.
Action Procedure
Edit a custom IT policy rule. 1. Click Properties.
2. Change the desired values.
Delete a custom IT policy > Click Remove.
rule.
11. Click OK.
Delete an IT policy
3. Click IT Policy.
5. Click the custom IT policy to delete.
6. Click Remove.
7. Click OK.
Import an IT policy
3. Click Import IT Policy Definitions.
4. Click a .xml file that contains IT policy rule definitions.
5. Click Open.
6. Click OK.
Resend an IT policy to a BlackBerry device manually

3. Click IT Admin.
39
4. Click Resend IT Policy.
Resend an IT policy to a BlackBerry device automatically

3. In the IT Admin section, double-click Policy Resend Interval.
4. Type the interval, in hours, at which you want the automatic resends to occur.
5. Click OK.
40
5
Making additional BlackBerry Device
Software and applications available to users
Software configurations
Adding software to a network drive
Making applications available to users
Creating software configurations
Sending applications to BlackBerry devices over the wireless network
Software configurations
A software configuration defines the applications that you want to install on certain BlackBerry devices and
provides you control over those applications. Software configurations create more uniformity in the non-default
applications that are installed on BlackBerry devices in your organization. They also require less interaction with
the BlackBerry Manager when you install applications on BlackBerry devices.
Define software configurations to perform the following tasks:
• load additional BlackBerry Device Software and applications onto BlackBerry devices using the BlackBerry
Manager
• assign application control policies to user accounts to control third-party applications installed on BlackBerry
devices
• send and administer BlackBerry MDS Java® Applications, the Enterprise Messenger, and the BlackBerry®
MDS Runtime on BlackBerry devices over the wireless network
• monitor the versions of BlackBerry Device Software and applications that are running on BlackBerry devices
in your organization
When a BlackBerry device is not running the most current version of the BlackBerry Device Software and
applications as defined in the software configuration, the BlackBerry Manager informs you that applications must
be installed or upgraded on the BlackBerry device.
Before you can create a software configuration and assign it to a user account, you must install and share the
appropriate BlackBerry Device Software and applications on a network drive. When you specify the location of the
BlackBerry Device Software and applications in the shared network drive, the software configuration displays the
applications that are available to install or administer on BlackBerry devices.
Note: See “Making BlackBerry MDS Studio Applications available to users” on page 55 for more information.
Adding software to a network drive

Add BlackBerry Device Software, Java® applications, the Enterprise Messenger, or the BlackBerry® MDS Runtime
to the network drive to enable you to install applications on BlackBerry devices that are connected to the
BlackBerry Manager and to send applications to BlackBerry devices over the wireless network using software
configurations.
You can maintain only one version of each application or tool on the network drive at a time. Delete old versions of
applications or tools from the network drive as part of your maintenance tasks.
Choose a network drive

When you store applications on a network drive that users can access, you do not have to send applications to and
install applications on user computers manually to load the applications on BlackBerry devices. See the
BlackBerry Enterprise Server Upgrade Guide for more information about upgrading BlackBerry Device Software.
Choose a central network drive that your organization has taken steps to secure on which to store the software
and tools that you use to create software configurations and install and manage the BlackBerry Device Software
and applications on BlackBerry devices. Choose a network drive that all user computers in your organization can
access to support future BlackBerry Device Software upgrades. Also, consider a network drive that is in close
proximity to users to decrease bandwidth over the corporate LAN when users install applications on BlackBerry
devices.
Add the software and tools to the network drive

Warning: You are solely responsible for the selection, implementation, and performance of any third-party applications that you use
with the BlackBerry device or the BlackBerry Desktop Software. Research In Motion (RIM) does not in any way endorse or guarantee
the security, compatibility, performance, or trustworthiness of any third-party application and shall have no liability to you or any third-
party for issues arising from such third-party applications.
> Perform any of the following actions:
Action Procedure
Install the 1. Obtain the BlackBerry Device Software installation file from your service provider.
BlackBerry Device 2. Copy the BlackBerry Device Software installation file to the network drive.
Software.
3. On the network drive, double-click the .exe file.
4. Complete the installation.
5. Verify that the files are located in <drive:>\Program Files\Common Files\Research In Motion\Shared\Loader
Files\.
Add Java Note: If a third-party vendor requires you to install the third-party application before you can copy the files,
applications. complete the installation as instructed by the third-party vendor, and then copy the required application and
module files to the Applications folder.
1. On the network drive, create the network path <drive:>\Program Files\Common Files\Research In
Motion\Shared\Applications\.
2. In the Applications folder, copy the .alx, .cod, and .dll files to a subfolder to preserve the structure of the Java
application.
42
5: Making additional BlackBerry Device Software and applications available to users
Action Procedure
Add the Enterprise 1. On the network drive, create the network path <drive:>\Program Files\Common Files\Research In
Messenger. Motion\Shared\Applications\.
2. On the BlackBerry Enterprise Server product CD, in the IM folder, perform one of the following actions:
• Double-click lcs.zip to use BlackBerry® Instant Messaging for Microsoft® Live Communications Server
2005™.
• Double-click sametime.zip to use BlackBerry® Instant Messaging for IBM® Lotus® Sametime®.
• Double-click groupwise.zip to use BlackBerry® Instant Messaging for Novell® GroupWise® Messenger.
3. Extract the .alx, and .cod files to the network path that you created in step 1.
Add the BlackBerry 1. On the network drive, create the network path <drive:>\Program Files\Common Files\Research In
MDS Runtime. Motion\Shared\Applications\.
2. Create a folder for the application.
3. On the BlackBerry Enterprise Server product CD, in the MDS Runtime Environment folder, copy
MdsRuntime.alx and the appropriate BlackBerry Device Software version folder to the folder that you created
in step 2.
Visit www.blackberry.com/developers to download the most recent version of the BlackBerry MDS Runtime.
Making applications available to users

Before you can install most applications on BlackBerry devices, you must create a software index in the network
drive. To index the software, you create a specification.pkg file and a PkgDBCache.xml index file for each
application. The index files inform the software configuration and the application loader tool of the applications
that are available to install on BlackBerry devices.
Not all files require indexing. If you add BlackBerry Device Software Version 4.0 or later for Java based BlackBerry
devices or BlackBerry Device Software Version 2.7 or later for C++ based BlackBerry devices to the network
location, the index files are created automatically.
Create the software index

1. At the command prompt, type cd <drive:>\Program Files\Common Files\Research In
2. Type loader.exe /index. The application loader tool builds the software index structure in the network drive
and adds any missing index files.
Re-index the software applications

If you modify an .alx file after creating a software index, re-index the applications.
1. At the command prompt, type cd <drive:>\Program Files\Common Files\Research In
2. Type loader.exe /reindex. The application loader tool updates the software index structure in the network
drive and adds any missing index files.
43
Share the network drive

1. Share <drive:>\Program Files\Common Files\Research In Motion\Shared\Applications\.
2. Set the permission attributes to Read-only.
Creating software configurations

You must create a software configuration for each BlackBerry device series in your organization. When you create
a software configuration, you can define application control policies to specify the resources that Java
applications, the Enterprise Messenger, and the BlackBerry MDS Runtime can access on BlackBerry devices from
behind the corporate firewall. You can also use application control policies to make sure that certain applications
remain installed on, or are removed from, BlackBerry devices. You can only define application control policies for
BlackBerry devices that are running BlackBerry Device Software Version 4.0 or later.
After you create a software configuration and define any application control policies, assign the software
configuration to a user account or group to apply the configuration attributes, to monitor the applications
installed on BlackBerry devices, and to control the applications installed on the BlackBerry device.
Create a software configuration

2. On the Software Configurations tab, click Add New Configuration.
3. In the Configuration Name field, type a name.
4. In the Configuration Description field, type a description.
5. Define the location of the BlackBerry Device Software by clicking Change.
6. Type the location of the BlackBerry Device Software.
7. Click OK.
8. In the Application Name list, select the check box beside the BlackBerry device series for which to configure
the BlackBerry Device Software.
9. Expand the BlackBerry Device Software/BlackBerry device series application tree (for example, BlackBerry®
7100 Series Software).
10. Perform any of the following actions:
Action Procedure
Install applications on BlackBerry devices. > Select the check box beside the application.
Do not install applications on BlackBerry devices or remove > Clear the check box beside the application.
applications from BlackBerry devices.
11. Click OK.
44
5: Making additional BlackBerry Device Software and applications available to users
Define an application control policy

2. On the Software Configurations tab, perform the following actions:
Action Procedure
Define an application control 1. Click Manage Application Policies.
policy. 2. Click New.
3. Type a new policy name.
4. Customize the application control policy rules. See the Policy Reference Guide for more information.
Assign an application control 1. In the Configuration Name list, click a software configuration.
policy to an application. 2. Click Edit Configuration.
3. Expand the Application Software application tree.
4. In the Policy drop-down list, click an application control policy to assign to the application.
• To assign an application control policy to all applications that are not currently assigned to an
application control policy, click an application control policy at the application software level.
• To assign the application control policy that is assigned at the application software level, click
<default>. An asterix is added to the policy name.
• To assign the default application control policy rules that are preconfigured on the BlackBerry
device, click <none>.
3. Click OK.
Assign a software configuration to a user account or group

1. In the BlackBerry Manager, perform one of the following actions:
Action Procedure
Assign a software configuration to a user 1. In the left pane, click a BlackBerry Enterprise Server.
account. 2. In the Name list, click the user account to which to assign the software configuration.
3. In the lower pane, click Device Management.
Assign a software configuration to a group. 1. In the left pane, click a group.
2. In the right pane, click Device Management.
2. Click Assign Software Configuration.

3. Click the desired software configuration.
4. Click OK.
45
Sending applications to BlackBerry devices over the wireless

network
You can send Java applications, the Enterprise Messenger, and the BlackBerry MDS Runtime to BlackBerry devices
with 16 MB or more of flash memory that are running BlackBerry Device Software Version 4.0 or later over the
wireless network. The wireless download to BlackBerry devices can take up to 4 hours to complete.
Send an application to a BlackBerry device

1. Verify that your corporate IT policy permits third-party applications on the BlackBerry device. See the Policy
Reference Guide for more information.
3. On the Software Configurations tab, in the Configuration Name list, click a software configuration.
4. Click Edit Configuration.
5. Expand the application.
6. Click the desired application.
7. In the Delivery drop-down list, click Wireless.
8. To make sure that the application remains installed on a BlackBerry device, create and assign an application
control policy. In the Disposition drop-down list, click Required. See the Policy Reference Guide for more
information.
9. Click OK.
46
6
Implementing BlackBerry devices
Loading users’ messages onto BlackBerry devices
Option 1: Implementing BlackBerry devices using the BlackBerry Manager
Option 2: Implementing BlackBerry devices over the wireless network
Option 3: Implementing BlackBerry devices using the BlackBerry Desktop Manager
Protecting lost or stolen BlackBerry devices
Issuing existing BlackBerry devices to new users
Loading users’ messages onto BlackBerry devices

As part of the BlackBerry device implementation process, you can configure the BlackBerry Enterprise Server to
load messages that users previously sent and received onto BlackBerry devices running BlackBerry Device
Software Version 4.0 or later. The BlackBerry Enterprise Server can load messages for new users and for users
whose PIN changes when they receive a replacement BlackBerry device. By default, the BlackBerry Enterprise
Server loads 200 message headers from a 5 day period for a user. If you set the BlackBerry Enterprise Server to
load both the message body and message headings onto a BlackBerry device, the BlackBerry Enterprise Server
can load up to 750 messages over a 14 day period for a user.
When the BlackBerry Enterprise Server adds messages to a BlackBerry device, it uses the message filter rules and
redirection settings for a specific user account. See “Managing message redirection” on page 67 for more
information.
Change how a user’s messages are loaded onto a BlackBerry device

3. Click Messaging.
4. In the Message Prepopulation section, perform any of the following actions:
Action Procedure
Load message headings only onto the BlackBerry device. > In the Send Headers Only drop down list, click True.
Load message headings and the message body onto the BlackBerry > In the Send Headers Only drop down list, click False.
device.
Set the number of previous days for which to load messages. > In the Prepopulation By Message Age field, type a number.
Set the maximum number of messages to load. > In the Prepopulation By Message Count field, type a number.
5. Click OK.
Prevent a user’s messages from loading onto a BlackBerry device

3. Click Messaging.
4. In the Message Prepopulation section, in the Prepopulation By Message Age field, type 0.
5. In the Message Prepopulation section, in the Prepopulation By Message Count field, type 0.
6. Click OK.
Option 1: Implementing BlackBerry devices using the

BlackBerry Manager
If you want to control the activation and initial implementation of BlackBerry devices, connect BlackBerry devices
to the computer on which the BlackBerry Manager is installed and assign them to user accounts.
When you assign a BlackBerry device to a user account, you associate the BlackBerry device with the user’s
messaging account and install the service books on the BlackBerry device.
Assign a BlackBerry device to a user account

1. Connect the BlackBerry device to the computer on which the BlackBerry Manager is installed.
3. On the Users tab, click the user account to which to assign the BlackBerry device.
4. Click Device Management.
5. Click Assign Device.
6. Click the BlackBerry device to assign to the user account.
7. Click OK.
Option 2: Implementing BlackBerry devices over the wireless

network
Implement BlackBerry devices over the wireless network to enable users who receive or purchase new or
replacement BlackBerry devices to implement their BlackBerry devices without a physical connection to the
corporate network. Wireless enterprise activation with message preloading and automatic wireless backup allows
users who have lost their BlackBerry devices to get up and running quickly with replacement BlackBerry devices.
You implement BlackBerry devices over the wireless network by sending wireless enterprise activation passwords
to user accounts. The users receive messages that provide the wireless enterprise activation password on their
desktop email applications.
48
6: Implementing BlackBerry devices
You can use organizer data synchronization IT policy rules to set whether or not users must connect their
BlackBerry devices to their computers during the implementation process or can complete the implementation
process over the wireless network.
Send organizer data to BlackBerry devices through the BlackBerry Router

By default, the BlackBerry Enterprise Server sends the initial bulk load of organizer data during the BlackBerry
device implementation process over the wireless network. To save bandwidth, you can set the BlackBerry
Enterprise Server to send the bulk load of organizer data through the BlackBerry Router over the corporate LAN.
The BlackBerry Router transfers the organizer data when users connect their BlackBerry devices to their
computers. Users must have the BlackBerry® Device Manager installed.
3. Click IT Policy.
Action Procedure
Turn off the wireless initial organizer data 1. In the list of policies, click Default.
synchronization using the default IT policy. 2. Click Properties.
3. Click PIM Sync Policy Group.
4. Click the Disable Wireless Bulk Loads IT policy rule.
Create a new IT policy, turn off the wireless initial 1. Click New.
organizer data synchronization, and send the IT 2. Type a policy name.
policy to user accounts.
4. Click the Disable Wireless Bulk Loads IT policy rule.
6. Click OK.
7. Click OK again.
9. In the left pane, click a user account.
10. In the right pane, click the new policy.
6. Click OK.
7. Instruct users to connect their BlackBerry devices to their computers and start the BlackBerry Device
Manager. See the BlackBerry Enterprise Server Upgrade Guide for more information about sending the
BlackBerry Device Manager to user computers.
49
Wireless enterprise activation passwords

The wireless enterprise activation password is specific to a user account. The wireless enterprise activation
password expires after 48 hours by default or when the user unsuccessfully types the wireless enterprise
activation password five times on the BlackBerry device. If a user has received a wireless enterprise activation
password, you cannot generate a new wireless enterprise activation password for the user until the active
password expires.
After the user types a wireless enterprise activation password on a BlackBerry device successfully, the password
becomes inactive.
Customize the wireless enterprise activation password and message

Customize the default wireless enterprise activation message that users receive on their desktop email application
to make sure the message conforms to your corporate messaging policy or to provide support contact information
to help users troubleshoot the BlackBerry device activation.
3. Click General.
4. In the Administration section, perform the following actions:
Action Procedure
Customize the wireless enterprise activation 1. Double-click Custom Activation Email Message.
message. 2. Type the desired parameters, subject, and message.
Set the wireless enterprise activation password 1. Double-click Auto-generated password length.
length. 2. Type a wireless enterprise activation length.
Set the wireless enterprise activation type. > In the Auto-generated password type drop-down list, click a password type.
Tip: For the BlackBerry 7100 Series, click the 7100 Friendly password type. The
password consists of characters that require the user to press only one specific key
at a time.
5. Click OK.
Send a wireless enterprise activation password to a user account

Wireless enterprise activation passwords do not support accented characters.
3. Click Service Access.
Action Procedure
Generate the wireless enterprise activation 1. Click Generate and Email Activation Password.
password and send it to the user in a message. 2. Click OK.
50
Action Procedure
Define the activation password and set the password 1. Click Set Activation Password.
expiration time. 2. Type a wireless enterprise activation password.
3. Retype the password to confirm it.
4. In the Password Expires in drop-down list, click an expiration time.
5. Click OK.
6. Notify the user of the new password.
Set a wireless enterprise activation password for a group

2. On the User Groups List tab, click a group.
3. Click Service Access.
4. Click Generate and Email Activation Password.
5. Click OK.
Option 3: Implementing BlackBerry devices using the

BlackBerry Desktop Manager
To permit users to control the initial activation and implementation of BlackBerry devices, connect BlackBerry
devices to user computers on which the BlackBerry Desktop Manager is installed.
When the BlackBerry device is connected to user computers during the implementation process, the BlackBerry
Enterprise Server sends the organizer data through the BlackBerry Router to the BlackBerry device over the
corporate LAN instead of over the wireless network. If the connection to the BlackBerry Router is interrupted, the
data transfer continues over the wireless network.
Implement a BlackBerry device using the BlackBerry Desktop Manager

1. Verify that the BlackBerry Desktop Manager is installed on the user’s computer.
2. Instruct the user to start the BlackBerry Desktop Manager and to connect the BlackBerry device to the
computer.
A message prompts the user to assign the BlackBerry device to the mail account. A second message prompts the
user to generate an encryption key to activate the BlackBerry device. When the activation completes, the
BlackBerry Enterprise Server loads messages and organizer data onto the BlackBerry device.
Protecting lost or stolen BlackBerry devices

If a user misplaces a BlackBerry device or has a BlackBerry device stolen, you can protect the data on the
BlackBerry device by using the BlackBerry Manager to issue IT commands to lock the BlackBerry device or make
the BlackBerry device unavailable.
51
Protect a lost BlackBerry device

Warning: If a user forgets the password for a BlackBerry device on which content protection is turned on, do not use the Set a Password
and Lock Handheld command to reset the password remotely. If you reset the user’s password remotely, the content-protected
BlackBerry device prompts the user to type the BlackBerry device password, which they have forgotten, before they type a new
password. See the BlackBerry Enterprise Solution Security Technical Overview for more information.
3. Click IT Admin.
4. Click Set Password and Lock Handheld.
5. In the New Password and New Password Again fields, type a password that is between 4 and 14 characters
long.
Warning: Do not use special characters when you create the password in case the BlackBerry device does not accept special
characters.
6. Click OK.
Protect a stolen BlackBerry device

3. Click IT Admin.
4. Click Erase Data and Disable Handheld.
5. Click Yes.
Issuing existing BlackBerry devices to new users

To issue an existing BlackBerry device to a new user, prepare the BlackBerry device for redistribution by deleting
the previous user’s application data from the BlackBerry device and adding or removing applications on the
BlackBerry device. To remove all applications and data from the BlackBerry device, return the BlackBerry device to
its default application configuration.
Prepare a BlackBerry device for redistribution

> Perform any of the following actions:
Action Procedure
Delete the previous user’s application > Make the BlackBerry device unavailable and delete BlackBerry device data. See “Protect
data over the wireless network and a stolen BlackBerry device” on page 52 for more information.
make the BlackBerry device unavailable.
52
Action Procedure
Delete the previous user’s application 1. Connect the BlackBerry device to the computer on which the BlackBerry Manager is
data using the BlackBerry Manager. installed.
2. In the BlackBerry Manager, in the left pane, click Local Ports (Device Management).
3. In the Connection list, click a connection.
4. Click Wipe Device File System.
5. Click Yes.
6. If prompted, type the BlackBerry device password to complete the task.
Install or remove applications from the 1. Connect the BlackBerry device to the computer on which the BlackBerry Manager is
BlackBerry device. installed.
4. Click Load Device (Interactive).
5. Click a software configuration.
6. Click OK.
7. In the Device Software Configuration Screen, perform one of the following actions:
• Clear the check boxes beside the applications to remove.
• Select the check boxes beside the applications to install.
8. Complete the application loader wizard.
Return a BlackBerry device to the 1. Connect the BlackBerry device to the computer on which the BlackBerry Manager is
factory default state. installed.
4. Click Nuke Device.
5. Click Yes.
6. Click Load Device (Interactive).
8. Click OK.
9. Complete the application loader wizard.
Redistribute the BlackBerry device to a user

If a user backs up messages that the user received previously onto the computer before receiving a replacement
BlackBerry device, you can turn off message prepopulation when redistributing a BlackBerry device to that user.
See “Prevent a user’s messages from loading onto a BlackBerry device” on page 48 for more information.
> When a user receives a replacement BlackBerry device, implement the BlackBerry device to register the new
PIN for message redirection. See “Option 2: Implementing BlackBerry devices over the wireless network” on
page 48 for more information.
53
54
7
Making BlackBerry MDS Studio Applications
available to users
Permitting BlackBerry MDS Services to authenticate with the BlackBerry Manager and web services
Configuring which BlackBerry MDS Studio Applications users can install on BlackBerry devices
Preparing BlackBerry devices to install BlackBerry MDS Studio Applications
Sending BlackBerry MDS Studio Applications to BlackBerry devices
Removing BlackBerry MDS Studio Applications from the repository and BlackBerry devices
Monitoring BlackBerry MDS Services messages
Set how the BlackBerry MDS Services and the BlackBerry MDS Connection Service connect
Permitting BlackBerry MDS Services to authenticate with the

BlackBerry Manager and web services
The BlackBerry MDS Services stores a self-signed certificate in its key store. You install this certificate to establish
server-authenticated communication between the BlackBerry MDS Services and the BlackBerry Manager. If you
use an SSL to communicate with external Web servers, export the BlackBerry MDS Services certificate to establish
safe communication with web services.
The BlackBerry MDS Services self-signed certificate permits server authentication between the BlackBerry MDS
Services and the BlackBerry Manager, and client authentication between the BlackBerry MDS Services and
external web services hosts.
If you replace the BlackBerry MDS Services self-signed certificate with a signed root certificate from a certificate
authority, replace the self-signed certificate before establishing authentication with the BlackBerry Manager or
web services using the self-signed certificate.
After you configure authentication between the BlackBerry MDS Services and web services, you must permit
BlackBerry devices to install BlackBerry MDS Studio Applications that use SSL web services. See “Permit
BlackBerry MDS Studio Applications that use HTTPS to access web services” on page 49 for more information.
Establish server authentication between the BlackBerry MDS Services and the
BlackBerry Manager
The BlackBerry Manager prompts you to view and install the BlackBerry MDS Services self-signed certificate the
first time the BlackBerry Manager connects to the BlackBerry MDS Services. The certificate installs as a trusted
root certificate authority and, once installed, permits the BlackBerry Manager to safely communicate with the
BlackBerry MDS Services.
If you replaced the BlackBerry MDS Services self-signed certificate with a root certificate from a certificate
authority, the BlackBerry Manager accepts the root certificate and authenticates with the BlackBerry MDS
Services.
1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Services server.
2. In the certificate installation dialog box, click View Certificate.
3. Review the certificate information.
4. Click Install Certificate.
5. Complete the installation wizard by accepting the default settings.
6. At the login prompt, click Cancel.
Establish client authentication between the BlackBerry MDS Services and web
services
Export the BlackBerry MDS Services self-signed certificate and send it web services hosts that BlackBerry MDS
Studio Applications use. If you have multiple BlackBerry MDS Services servers installed, export the certificate for
each BlackBerry MDS Services instance. Web services hosts install the certificate to allow BlackBerry devices with
BlackBerry MDS Studio Applications that use web services to authenticate with and access the web service.
Contact your BlackBerry MDS Studio Application developers for information about which web services BlackBerry
MDS Studio Applications use.
If you replaced the BlackBerry MDS Services self-signed certificate with a root certificate from a certificate
authority, web services must trust the root certificate authority to authenticate with BlackBerry MDS Services.
1. Use Microsoft® Internet Explorer® to export the BlackBerry MDS Services self-signed certificate from the
trusted root certificate authorities area.
2. Send the BlackBerry MDS Services self-signed certificate to web services hosts that BlackBerry MDS Studio
Applications use.
3. Confirm that the web services hosts installed the certificate in the truststore of web services servers.
Configuring which BlackBerry MDS Studio Applications

users can install on BlackBerry devices
If you configured authentication between the BlackBerry MDS Services and web services, you must permit
BlackBerry devices to install the MDS Studio Applications that use HTTPS to connect to web services. See
“Permitting BlackBerry MDS Services to authenticate with the BlackBerry Manager and web services” on page 47
for more information.
BlackBerry MDS Studio Application developers can sign the BlackBerry MDS Studio Applications with a digital
certificate. You manage trusted certificates that the BlackBerry MDS Services use to authenticate the BlackBerry
MDS Studio Applications. If the BlackBerry MDS Studio Applications do not have trusted certificates, configure
whether users can install unsigned BlackBerry MDS Studio Applications that are published in the repository on
BlackBerry devices.
56
7: Making BlackBerry MDS Studio Applications available to users
Permit BlackBerry MDS Studio Applications that use HTTPS to access web
services
1. On the MDS Services tab, click Edit Properties.
2. Click General.
3. Click Allow Web Services Access over SSL.
5. Click OK.
6. On the MDS Services tab, expand Common.
7. Click Stop Service.
Permit users to install unsigned BlackBerry MDS Studio Applications on

BlackBerry devices
3. Click General.
4. Click Allow Unsigned Applications.
6. Click OK.
7. On the MDS Services tab, expand Common.
8. Click Stop Service.
9. When the status displays “Stopped,” click Start Service.
Manage a trusted certificate

Action Procedure
Add a certificate to the BlackBerry MDS Services 1. On the MDS Services tab, expand Common.
server. 2. Click Add Certificate.
3. In the Alias field, type a certificate name.
4. In the Certificate file field, type the path to the certificate and the .cer file name.
5. Click OK.
57
Action Procedure
Remove a certificate from the BlackBerry MDS 1. On the MDS Services tab, click Edit Properties.
Services server. 2. Click Certificate.
3. Double-click BlackBerry MDS Services Certificate Definition.
4. Click a certificate.
5. Click Remove.
6. Click OK.
7. Click OK.
Preparing BlackBerry devices to install BlackBerry MDS

Studio Applications
Users must install and activate the BlackBerry MDS Runtime on BlackBerry devices before BlackBerry MDS Studio
Applications can be installed. You can install the BlackBerry MDS Runtime over the wireless network or instruct
users to install the BlackBerry MDS Runtime using the application loader tool. See “Sending applications to
BlackBerry devices over the wireless network” on page 46 for more information.
Create and assign BlackBerry MDS Services device policies to user accounts and user groups to
• control whether a user can discover, install, and remove BlackBerry MDS Studio Applications on the
BlackBerry device
• control whether BlackBerry MDS Studio Applications can access other data and applications on the
BlackBerry device
• configure local storage capacity for BlackBerry MDS Studio Application messages on the BlackBerry device
Define and manage a BlackBerry MDS Services device policy to control

BlackBerry MDS Studio Applications on BlackBerry devices
3. Click Device Policies.
4. Double-click BlackBerry MDS Services Device Policy Definition.
Action Procedure
Create a BlackBerry MDS Services device policy. 1. Click New.
2. Double-click Policy Name.
3. Type a BlackBerry MDS Services device policy name.
4. Set the BlackBerry MDS Services device policy settings. See the Policy Reference
Guide for more information.
5. Click OK.
58
Action Procedure
Remove a BlackBerry MDS Services device policy. 1. Click the BlackBerry MDS Services device policy name.
2. Click Remove.
3. Click OK.
Assign a BlackBerry MDS Services device policy to a user account or group

Depending on your administrator role, you can assign BlackBerry MDS Services device policies to user accounts
and user groups. A user group must contain at least one user account before you can assign a BlackBerry MDS
Services device policy to the group and all user accounts in a group must be connected to the same BlackBerry
MDS Services server.
Action Procedure
Assign a BlackBerry MDS Services device policy 1. Click a user group.
to a group of user accounts. 2. On the Users tab, right-click a column heading.
3. In the Available columns list, click MDS Services Server URL.
4. Click Insert.
5. Click OK.
6. Click the MDS Services Server URL column heading to sort user accounts by the
BlackBerry MDS Services server.
7. Click the user accounts connected to the same BlackBerry MDS Services server.
8. On the Group Configuration tab, click MDS Services.
Assign a BlackBerry MDS Services device policy 1. Click a BlackBerry MDS Services server.
to a user account. 2. Click Devices Registered.
3. On the Devices Registered tab, click a user account.
4. Click Common.
2. Click Assign Device Policy.

3. In the Device Policy drop-down list, click a BlackBerry MDS Services policy.
4. Click OK.
Sending BlackBerry MDS Studio Applications to BlackBerry

devices
Depending on your administrator role, you can send BlackBerry MDS Studio Applications and upgrades to user
accounts and user groups.
59
Install a BlackBerry MDS Studio Application on a BlackBerry device

Action Procedure
Install a BlackBerry MDS Studio Application on 1. Click a group.
BlackBerry devices for a group of user accounts 2. On the Users tab, right-click a column heading.
that use the same BlackBerry MDS Services.
4. Click Insert.
5. Click OK.
6. Click the MDS Services Server URL column heading to sort users by the
7. Click the user accounts connected to the same BlackBerry MDS Services server.
9. Click Install on Device.
10. Click the BlackBerry MDS Studio Application to install.
Install a BlackBerry MDS Studio Application on a 1. Click a BlackBerry MDS Services server.
single BlackBerry device. 2. Click Application Registry.
3. Click a BlackBerry MDS Studio Application.
5. Click Install on Device.
6. In the Install application on devices drop-down list, click without application
installed.
7. Clear the Select all check box.
8. Click the PIN of the BlackBerry device to which to push the BlackBerry MDS
Studio Application.
2. Click Next.
Action Procedure
Set the number of BlackBerry devices to send the > In the Group size for pushing field, type a number.
BlackBerry MDS Studio Application to at the
same time.
Set how frequently, in minutes, to send the > In the Push interval (minute) field, type a number.
BlackBerry MDS Studio Application installation
request to BlackBerry devices.
Set a specific date and time at which to send the 1. Select the Schedule check box.
BlackBerry MDS Studio Application to 2. In the Start at drop-down list, click a date.
BlackBerry devices.
3. Set the start time.
Note: If you do not schedule a start time, the BlackBerry MDS Services send the
BlackBerry MDS Studio Application immediately.
60
Action Procedure
Configure the BlackBerry MDS Studio > Click Required.
Application to install silently on the specified Note: If you do not install the BlackBerry MDS Studio Application silently on the
BlackBerry devices. BlackBerry device, the BlackBerry device prompts the user to install the BlackBerry
MDS Studio Application.
4. Click Next.
5. Click Finish.
Upgrade a BlackBerry MDS Studio Application on a BlackBerry device

2. Click Application Registry.
3. On the Application Registry tab, click the BlackBerry MDS Studio Application.
Action Procedure
Upgrade a BlackBerry MDS Studio Application on 1. Click Upgrade on Device.
a single BlackBerry device. 2. In the Upgrade application on devices drop-down list, click with old version of
application.
4. Click the PIN of the BlackBerry device to which to push the BlackBerry MDS
Studio Application upgrade.
Upgrade a BlackBerry MDS Studio Application on 1. Click Install on Device.
BlackBerry devices, and install the application on 2. In the Install application on devices drop-down list, click with or without
BlackBerry devices on which the application is application installed.
not installed currently.
6. Click Next.
Action Procedure
BlackBerry MDS Studio Application upgrade
request to at the same time.
BlackBerry MDS Studio Application upgrade
61
Action Procedure
Set a specific time at which to send the 1. Select the Schedule check box.
BlackBerry MDS Studio Application upgrade 2. In the Start at drop-down list, click a date.
4. In the Expire at drop-down list, click a date.
5. Set the expiry time.
BlackBerry MDS Studio Application immediately.
Configure the BlackBerry MDS Studio > Click Required.
Application to upgrade silently on the specified Note: If you do not upgrade the BlackBerry MDS Studio Application silently on the
BlackBerry devices. BlackBerry device, the BlackBerry device prompts the user to install the BlackBerry
MDS Studio Application.
8. Click Next.
9. Click Finish.
Removing BlackBerry MDS Studio Applications from the

repository and BlackBerry devices
Developers publish BlackBerry MDS Studio Applications in the repository. You manage the BlackBerry MDS Studio
Applications in the repository. Multiple versions of a BlackBerry MDS Studio Application can be published in the
repository. Depending on your administrator role, you can remove BlackBerry MDS Studio Applications from the
repository and from BlackBerry devices.
If you remove a BlackBerry MDS Studio Application from the repository, the application continues to function on
the BlackBerry devices on which the BlackBerry MDS Studio Application is installed. If you do not want users to
use a previously installed BlackBerry MDS Studio Application, remove the BlackBerry MDS Studio Application from
the repository and then remove the BlackBerry MDS Studio Application from BlackBerry devices.
Remove a BlackBerry MDS Studio Application from the repository

2. Click Application Registry.
3. On the Application Registry tab, click the BlackBerry MDS Studio Application to remove.
4. Click Application Management.
5. Click Delete Application.
6. Click Yes.
62
Remove a BlackBerry MDS Studio Application from a BlackBerry device

Action Procedure
Remove a BlackBerry MDS Studio Application 1. Click a user group.
from the BlackBerry devices of a group of user 2. On the Users tab, right-click a column heading.
accounts that use the same BlackBerry MDS
Services.
4. Click Insert.
5. Click OK.
6. Click the MDS Services Server URL column heading to sort users by the
7. Click the users connected to the same BlackBerry MDS Services server.
9. Click Uninstall on Device.
10. Click the BlackBerry MDS Studio Application to remove.
Remove a BlackBerry MDS Studio Application 1. Click a BlackBerry MDS Services server.
from a single BlackBerry device. 2. Click Applications Installed.
3. On the Applications Installed tab, click the BlackBerry MDS Studio Application
to remove from the BlackBerry device.
5. Click Uninstall on Device.
6. In the Uninstall application on devices drop-down list, click with application
installed.
8. Click the PIN of the BlackBerry device from which to remove the BlackBerry MDS
Studio Application.
2. Click Next.
Action Procedure
BlackBerry MDS Studio Application remove
request to at the same time.
BlackBerry MDS Studio Application remove
63
Action Procedure
Set a specific time at which to send the 1. Click the Schedule check box.
BlackBerry MDS Studio Application remove 2. In the Start at drop-down list, click a date.
4. In the Expire at drop-down list, click a date.
5. Set the expiry time.
removal request immediately.
4. Click Next.
5. Click Finish.
Monitoring BlackBerry MDS Services messages

Monitor the message traffic between the BlackBerry MDS Services and the BlackBerry devices, and the message
traffic generated by BlackBerry MDS Studio Applications. The BlackBerry Manager displays monitored messages.
An excessive number of messages from a specific BlackBerry MDS Studio Application or messages of a particular
type might indicate that a problem exists with a BlackBerry device, a BlackBerry MDS Studio Application, or web
services.
Create filters to block notifications that web services hosts send too frequently. When you create a filter for a
specific host, the BlackBerry MDS Services do not process or send the messages from that host to BlackBerry
devices.
Set up monitoring of BlackBerry MDS Studio Application messages

If you restart the BlackBerry MDS Services, you must re-create your message monitors.
3. Click Message Monitors.
4. Double-click BlackBerry MDS Services Monitor Definition.
5. Click New.
Action Procedure
Monitor messages transmitted to and > In the PIN field, type the PIN of the BlackBerry device to monitor.
from a BlackBerry device. Note: If you want to monitor multiple BlackBerry devices, use commas to separate PINs.
Monitor messages generated by a > In the Application drop-down list, click the BlackBerry MDS Studio Application name
BlackBerry MDS Studio Application. and version.
7. Click OK.
8. Click OK.
64
View BlackBerry MDS Studio Application messages

2. Click Monitor Messages.
3. On the Monitor Messages tab, perform any of the following actions:
Action Procedure
View all messages sent to and from a specific > In the Device field, type the PIN.
BlackBerry device.
View all messages sent to and from a specific > In the Application drop-down list, click the BlackBerry MDS Studio Application
BlackBerry MDS Studio Application. name.
Filter displayed messages for a specific 1. In the Start time drop-down list, click the date.
BlackBerry device or BlackBerry MDS Studio 2. Click the numbers in the time field and use the arrow buttons to set the time in
Application in the message list by date and time. hours, minutes, and seconds.
3. Click End time to set a date and time after which messages are not displayed.
4. Click Search.
Remove all monitored messages from the BlackBerry MDS Services server
2. Click Monitor Messages.
3. On the Monitor Messages tab, click Purge Messages.
Filter communication from a web services host

3. Click Filters.
4. Double-click Filters.
Action Procedure
Block communication from a web services host. 1. Click New.
2. In the Host/Address field, type the full URL and domain for the web
services host, for example, <hostname>.<domain>.
3. Click OK.
Permit communication from a web services host that was 1. Click a filter.
previously blocked. 2. Click Remove.
6. Click OK.
65
Set how the BlackBerry MDS Services and the BlackBerry

MDS Connection Service connect
When you add a BlackBerry MDS Connection Service to the BlackBerry MDS Services, the BlackBerry MDS
Connection Service must have a fully-qualified domain name or IP address. The BlackBerry MDS Connection
Service cannot use localhost or 127.0.0.1.
Note: If you install a remote BlackBerry MDS Connection Service and this BlackBerry MDS Connection Service does not display as an
available BlackBerry MDS Connection Service for the BlackBerry MDS Services, you can add the BlackBerry MDS Connection Service
to the list of BlackBerry MDS Connection Services available to the BlackBerry MDS Services.
If the remote BlackBerry MDS Connection Services uses a proxy server, consider removing the BlackBerry MDS Services from the
BlackBerry Enterprise Server and then re-assigning the BlackBerry MDS Services to the BlackBerry Enterprise Server. In this setup, the
remote BlackBerry MDS Connection Service maps to the BlackBerry MDS Services automatically and the direct proxy mapping
between the BlackBerry MDS Connection Service and the BlackBerry MDS Services persists. See “Assign BlackBerry MDS Services to
multiple BlackBerry Enterprise Servers” on page 23 for more information.
4. Double-click BlackBerry MDS Connection Service Definition.
Action Procedure
Add a new BlackBerry MDS Connection Service 1. Click New.
to the list of connection services available to the 2. Double-click URL.
BlackBerry MDS Services.
3. Type the full URL or domain name and port number for the connection service.
4. Click OK.
5. Click OK again.
Remove a BlackBerry MDS Connection Service 1. Click a connection service URL.
from the list of connection services that are 2. Click Remove.
available to the BlackBerry MDS Services.
3. Click OK.
66
8
Customizing BlackBerry messaging
Managing message redirection
Managing redirection filters
Managing wireless message reconciliation
Enforcing secure messaging using classifications
Using signatures and disclaimers in messages
Monitoring messages that users send from their BlackBerry devices
Managing the message queue
Managing the wireless backup and restore of organizer data
Setting address book fields for synchronization and lookups
Sending messages to users
Managing instant messaging
Managing message redirection

Redirection filters define which messages the BlackBerry Enterprise Server redirects to BlackBerry devices. When
a user receives a message, the BlackBerry Enterprise Server applies filters to determine how to direct the message:
forward, forward with priority, or do not forward to the BlackBerry device.
Filters that you set on the BlackBerry Enterprise Server take precedence over the filters that users define using the
BlackBerry® Desktop Manager.
You can create two types of filters:
• global filters apply to all user accounts on the BlackBerry Enterprise Server
• user filters apply to specific user accounts on the BlackBerry Enterprise Server
Users cannot view global filters. If you define global filters, inform users so that they understand why some of
their filter rules might not apply to incoming messages.
If you change global filters, the BlackBerry Enterprise Server reads the filter changes immediately.
Create a global filter

The BlackBerry Enterprise Server applies filters to messages based on the order in which the filters appear.
3. Click Global Filters.
4. Double-click Global Filter Definition.
5. Click New.
6. In the New Message Conditions section, double-click Filter Name.

7. Type a name for the new filter.
8. Set the filter options.
9. Click Action.
Action Procedure
Hold messages that satisfy > In the drop-down list, click Hold.
the filter criteria.
Forward messages that 1. In the drop-down list, click Forward.
satisfy the filter criteria. 2. Double-click Forwarding Options.
• To forward only message headers to BlackBerry devices, select the Header Only check box.
• To forward messages to BlackBerry devices with priority status, select the Level1 Notification
check box.
• To forward only the message headers of messages with priority status, select both the Header
Only and Level1 Notification check boxes.
11. Click OK.
Manage a global filter

3. In the left pane, click Global Filters.
4. Double-click Global Filter Definition.
5. In the Filter Name list, click a filter.
Action Procedure
Turn on a filter. 1. Click Properties.
2. Click Enabled.
Edit a filter. 1. Click Properties.
2. Click Edit.
3. Change the desired settings.
4. Click OK.
Change the order of filters. 1. Click Move Up or Move Down to move the filter higher or lower in the list.
2. Click OK.
Note: The BlackBerry Enterprise Server applies filters to new messages in the order in which the filters
appear. Make sure the filters appear from least to most restrictive.
68
8: Customizing BlackBerry messaging
Action Procedure
Delete a filter. > Click Remove.
7. Click OK.
Create a user filter

The BlackBerry Enterprise Server applies filters to messages based on the order in which the filters appear.
3. Click Filters.
4. Double-click Filter Rules.
5. Click New.
6. In the New Message Conditions section, double-click Filter Name.
7. Type a name for the new filter.
8. Set the filter options.
9. Click Action.
Action Procedure
Hold messages that satisfy > In the drop-down list, click Hold.
the filter criteria.
Forward messages that 1. In the drop-down list, click Forward.
satisfy the filter criteria. 2. Double-click Forwarding Options.
• To forward only message headers to the BlackBerry device, select the Header Only check box.
• To forward messages to the BlackBerry device with priority status, select the Level1 Notification
check box.
• To forward only the message headers of messages with priority status, select both the Header
Only and Level1 Notification check boxes.
11. Click OK.
69
Manage a user filter

3. In the left pane, click Filters.
4. Double-click Filter Rules.
5. In the Filter Name list, click a filter.
Action Procedure
Turn on a filter. 1. Click Properties.
2. Click Enabled.
Edit a filter. 1. Click Properties.
2. Click Edit.
4. Click OK.
Change the order of filters. 1. Click Move Up or Move Down to move the filter higher or lower in the list.
2. Click OK.
Note: The BlackBerry Enterprise Server applies filters to new messages in the order in which the filters
appear. Make sure the filters appear from least to most restrictive.
Delete a filter. > Click Remove.
7. Click OK.
Managing message redirection to a user account

You can define the message redirection settings for individual users on the BlackBerry Enterprise Server. You can
use these settings to control how the BlackBerry Enterprise Server redirects messages from a user’s email
application to a BlackBerry device. The message redirection settings allow you to manage individual user
accounts, and they help you to control the size of the message queue and the load on the BlackBerry Messaging
Agent to process redirection requests. By default, message redirection is turned on when you add a user account
to the BlackBerry Enterprise Server.
Each user on the BlackBerry Enterprise Server can configure message redirection settings on the BlackBerry
device or by using the BlackBerry Desktop Manager. The redirection settings that you define override the settings
that the user defines.
Forward incoming messages to a BlackBerry device when no filter rules apply

2. Click the Users tab.
70
3. Double-click a user account.

5. In the Default Action section, click Forward messages to BlackBerry device.
7. Click OK.
Do not deliver incoming messages to a BlackBerry device when no filter rules

apply
5. In the Default Action section, click Forward messages to BlackBerry device.
7. Click OK.
Forward messages in inbox subfolders to a BlackBerry device

You can specify the subfolders in a user’s email application from which the BlackBerry Enterprise Server can
redirect messages. By default, the BlackBerry Enterprise Server redirects messages from the inbox only.
3. Click a user account.
4. In the lower pane, click Service Access.
5. Click Choose Folders for Redirection.
6. Click Redirect the following selected folders.
7. Select the check boxes beside the folders from which to redirect messages.
8. Click OK.
Turn off synchronization for messages sent from a BlackBerry device

You can turn off synchronization for sent messages if you do not want a user’s email application to receive a copy
of messages sent from the user’s BlackBerry device.
71

4. In the left pane, click Redirection.
5. In the Message Forwarding section, click Do Not Save Sent Messages.
7. Click OK.
Turn off message redirection to a BlackBerry device

You can stop message redirection to a BlackBerry device temporarily, for example, if a user is out of a wireless
coverage area and does not want to receive messages during that time. When you turn off message redirection for
a user account, the user can send messages, but cannot receive them. The user can re-enable redirection on the
BlackBerry device manually.
3. Click a user account.
4. In the lower pane, click Service Access.
5. Click Disable Redirection.
Managing wireless message reconciliation

Wireless message reconciliation enables users on the BlackBerry Enterprise Server to manage their messages so
that the BlackBerry device and the desktop email application synchronize message status changes automatically
between them. By default, wireless message reconciliation is turned on and set to occur every 15 minutes on the
BlackBerry Enterprise Server.
If you want the BlackBerry Enterprise Server to reconcile messages only when users connect their BlackBerry
devices to the BlackBerry Desktop Manager, turn off wireless message reconciliation.
The hard delete feature enables users to remove messages from their BlackBerry devices over the wireless network
when they delete the messages permanently by pressing SHIFT+DELETE, move messages to personal folders, or
archive messages from their desktop email application. The hard delete feature is turned off by default. Turn on
the hard delete feature to enable the BlackBerry Enterprise Server to remove permanently deleted messages from
BlackBerry devices every 15 minutes.
Turn off wireless message reconciliation

3. Click Messaging.
4. In the Messaging Options section, click Wireless Message Reconciliation Enabled.
72
6. Click OK.
Reconcile permanently-deleted messages

2. Click Edit Properties.
3. Click Messaging.
4. In the Messaging Options section, click Hard Deletes Reconciliation.
6. Click OK.
7. On the computer on which the BlackBerry Dispatcher is installed, in the Microsoft Windows Services, restart
the BlackBerry Dispatcher.
Enforcing secure messaging using classifications

Message classification enables you to require S/MIME-enabled or PGP enabled users to sign, encrypt, or sign and
encrypt email messages from their BlackBerry devices.
Use the Message Classification IT policy rule to configure one or more message classifications available to users
to apply to email messages that they send from their BlackBerry devices. The BlackBerry Enterprise Server permits
users to apply S/MIME-protected or PGP protected messaging encoding types that the classification level that
they select when composing a message determines.
If a user does not select a classification, the BlackBerry device applies the first classification listed by default. You
can change the order in which the BlackBerry device lists the classifications.
The Encoding options on the BlackBerry device are limited to the encoding types that the secure messaging
package(s) installed and enabled on the BlackBerry device permit. When a user applies a classification to a
message on the BlackBerry device, the user must also select an encoding type permitted by that message
classification or accept the default encoding type. If a user applies an encoding type that requires signing,
encryption, or signing and encryption to a message and the user does not have a secure messaging package
installed and enabled on their BlackBerry device, the user cannot send the message.
3. Click IT Policy.
73
Action Procedure
Create a message classification. 1. In the list of IT policies, click an IT policy.
3. Click Security Policy Group.
4. Double-click the Message Classification IT policy rule.
5. Click New.
6. Type a display name to appear in the Classifications list on the BlackBerry
device.
7. Type a subject suffix to append, in parentheses, to the message subject (for
example, type subject suffix “(U)” for a classification named “Unclassified”).
8. In the drop-down list, click a minimum action for encoding the message (for
example, click Signed to permit the user to select Sign, Encrypt, or Sign and
Encrypt encoding types for the secure messaging package(s) installed on their
BlackBerry device).
9. Click Apply.
10. Click OK.
Create a message classification based on an 1. In the list of IT policies, click an IT policy.
existing classification. 2. Click Properties.
5. Click a display name.
6. Click New Copy.
7. Type a new display name.
8. Type a new subject suffix.
9. In the drop-down list, click a minimum action for encoding the message.
10. Click Apply.
11. Click OK.
Order message classifications. 1. In the list of IT policies, click an IT policy.
• Click Make First to move the selected classification to the top of the list.
• Click Move Up to move the selected classification one position higher in the
list.
• Click Move Down to move the selected classification one position lower in
the list.
• Click Make Last to move the selected classification to the bottom of the list.
7. Click Apply.
74
Action Procedure
Remove a message classification. 1. In the list of IT policies, click an IT policy.
6. Click Remove.
7. Click Apply.
6. Click OK.
Using signatures and disclaimers in messages

You can add a standard disclaimer or other text to prepend to (appear before) the message body or append to
(appear after) the user signature on all messages that users on a BlackBerry Enterprise Server send from their
BlackBerry devices. You can set the disclaimers for a single user or a group of users. Users cannot change the
disclaimers. If you set separate disclaimers for a single user and for all users on a BlackBerry Enterprise Server, you
can set conflict rules to control how the BlackBerry Enterprise Server applies the disclaimers.
Note: If the S/MIME Support Package for BlackBerry devices exists and is enabled on the BlackBerry device for a user account, the
BlackBerry Enterprise Server does not apply the set appended disclaimer to S/MIME-protected messages that the user sends from
the BlackBerry device. Appending a disclaimer would invalidate the digital signature on messages that the BlackBerry device sends
using the S/MIME Support Package for BlackBerry devices.
You can also set a signature for an individual user account to appear on all messages that the user sends from the
BlackBerry device. Users can change their signatures on their BlackBerry devices or in the BlackBerry Desktop
Manager. To enforce any signature format policies in your organization, add the signature to the corporate
disclaimer.
Create a signature for a user account

3. Click Redirection.
4. In the Signature field, type the signature to appear in the messages that the user sends from the BlackBerry
device.
5. Click OK.
6. Click OK.
Create a prepended disclaimer for a user account

75
3. Double-click Prepended Disclaimer Text.

4. Type a disclaimer.
5. Click OK.
6. Click OK.
Create an appended disclaimer for a user account

3. Double-click Appended Disclaimer Text.
5. Click OK.
6. Click OK.
Create a prepended disclaimer for all user accounts on a BlackBerry Enterprise

Server
3. Click Messaging.
4. In the Messaging Options section, double-click Prepended Disclaimer Text.
6. Click OK.
7. Click OK.
Create an appended disclaimer for all user accounts on a BlackBerry

Enterprise Server
3. Click Messaging.
4. In the Messaging Options section, double-click Appended Disclaimer Text.
6. Click OK.
7. Click OK.
76
Create a prepended disclaimer for a group of users

1. In the BlackBerry Manager, in the left pane, click User Groups List.
4. In the Messaging Options section, double-click Prepended Disclaimer Text.
6. Select the check box to the left of the field to apply the disclaimer to all user accounts assigned to the group.
8. Click Yes.
9. Click OK.
Create an appended disclaimer for a group of users

1. In the BlackBerry Manager, in the left pane, click User Groups List.
4. In the Messaging Options section, double-click Appended Disclaimer Text.
6. Select the check box to the left of the field to apply the disclaimer to all user accounts assigned to the group.
8. Click Yes.
9. Click OK.
Set conflict rules for prepended disclaimers

3. Click Messaging.
4. In the Messaging Options section, click Prepended Disclaimer Conflict Rule.
5. In the drop-down list, click a rule.
6. Click OK.
Set conflict rules for appended disclaimers

77
3. Click Messaging.
4. In the Messaging Options section, click Appended Disclaimer Conflict Rule.
5. In the drop-down list, click a rule.
6. Click OK.
Monitoring messages that users send from their BlackBerry

devices
If your corporate IT policy requires you to monitor messages, set a blind carbon copy (BCC) address to retain a
copy of all messages that users send from their BlackBerry devices.
Set the auto BCC feature on the BlackBerry Enterprise Server to force all messages that users send from their
BlackBerry devices to be blind carbon copied to specified recipients. This feature does not populate the BCC field
of the original message, so the message sender is unaware that the message is being BCCed.
Blind carbon copy a recipient on all messages

3. Click Messaging.
4. In the Messaging Options section, double-click Auto BCC Addresses.
5. Type the addresses, separated by a semicolon (;).
6. Click OK.
Managing the message queue

You can remove messages in the messaging queue to maintain user accounts that have high pending message
counts. When you purge pending messages from the messaging queue, you prevent the BlackBerry Enterprise
Server from sending the messages to the user’s BlackBerry device. Messages still appear in the user’s inbox.
Purge pending messages from the messaging queue

3. Click Service Control & Customization.
4. Click Purge Pending Messages.
5. Click OK.
Note: If the user account has wireless calendar synchronization turned on, pending calendar messages are also purged. However,
those messages are resent later. Pending IT policies or IT admin commands are not purged.
78
Managing the wireless backup and restore of organizer data

Automatic wireless backup is designed to back up user account settings and data from the BlackBerry device to
the BlackBerry Enterprise Server automatically, without user involvement. Wireless backup on the BlackBerry
Enterprise Server enables you to synchronize organizer data to new BlackBerry devices without impacting the
performance of the messaging server. See “Appendix: Wireless backup and restore” on page 139 for more
information.
If the BlackBerry Enterprise Server is not writing a user’s organizer data from the BlackBerry device to the
BlackBerry Configuration Database correctly, the existing backed up organizer data on the BlackBerry Enterprise
Server might be corrupt. Delete the organizer data from the BlackBerry Enterprise Server. Deleting the organizer
data forces the user’s BlackBerry device to synchronize with the BlackBerry Enterprise Server over the wireless
network.
Delete a user’s organizer data from the BlackBerry Enterprise Server

4. Click Clear PIM Sync Backup Data.
5. Click OK.
Turn off wireless backup

3. Click PIM Sync.
4. Click Automatic Wireless Backup Enabled.
6. Click OK.
Setting address book fields for synchronization and lookups

Map fields in the address book so that the fields for a contact on the user’s desktop email application synchronize
to the fields you set on the user’s BlackBerry device. There are two types of field mappings that you can create on
the BlackBerry Enterprise Server:
• global field mappings apply to all user accounts in the BlackBerry Domain
• user field mappings apply to specific user accounts
79
You can map up to four custom fields that users define in a contact entry to BlackBerry devices. When users
request a remote address lookup from the GAL, the fields that you set display on BlackBerry devices.By default,
users can synchronize pictures as part of the contact entries in their address book. Users can add, delete, and
replace pictures in either their desktop email application or on their BlackBerry device.
The BlackBerry Messaging Agent limits the file size of a picture that you can synchronize between the desktop
email application and the BlackBerry device to a maximum of 32 KB.
If your messaging environment includes Microsoft Outlook 2000, users are also required to name the picture
“ContactPicture.jpg” when they attach it to the contact entry. If that file name is not used, the picture does not
synchronize.
To prevent contact picture synchronization, clear the Pictures address book field mapping.
Map an address book field in the desktop email application to an address book
field on all BlackBerry devices
2. On the Global tab, click Service Control & Customization.
3. Click PIM Sync Global Field Mapping.
4. In the Desktop Field column, click a field.
5. In the Device Field column, in the drop-down list, click the BlackBerry device address book field to map to the
field in the desktop email application.
6. Click OK.
Map an address book field in the desktop email application to an address book
field on a specific BlackBerry device
4. Click PIM Sync Field Mapping.
5. In the Desktop Field column, click a field.
6. In the Device Field column, in the drop-down list, click the BlackBerry device address book field to map to the
field in the desktop email application.
7. Click OK.
Map a user-defined address book field to an address book field on all

BlackBerry devices
80
2. On the Global tab, click Service Control & Customization.

3. Click Edit PIM Sync Global Field Mapping.
4. In the Desktop Field column, click User Defined String 1.
5. In the Device Field column, in the drop-down list, click the custom BlackBerry device address book field to
map to the desktop address book field.
6. Click OK.
Map a user-defined address book field to an address book field on a specific

BlackBerry device
3. In the lower pane, click Service Control & Customization.
4. Click Edit PIM Sync Field Mapping.
5. In the Desktop Field column, click User Defined String 1.
6. In the Device Field column, in the drop-down list, click the custom BlackBerry device address book field to
map to the desktop address book field.
7. Click OK.
Sending messages to users

Use the BlackBerry Manager to send a message or PIN message to users in the BlackBerry Domain. Because the
messaging server does not process PIN messages, the PIN messaging feature is useful for informing users about
messaging server outages.
BlackBerry devices do not filter PIN messages that the BlackBerry Manager sends.
When a user replies to the message, the reply is sent to the service account that you used to install the BlackBerry
Enterprise Server (for example, BESAdmin).Send a message to selected users
3. In the lower pane, click Account.
4. Click Send Message.
5. Complete the message wizard.
Send a message to all users

81
2. On the Server Configuration tab, click Account.

3. Click Send Message.
4. Complete the message wizard.
Managing instant messaging

The BlackBerry Collaboration Service is designed to provide a connection between the instant messaging server
and the instant messaging application on the BlackBerry device.
To control bandwidth and resource consumption in your environment, set the number of open instant messaging
sessions permitted between the BlackBerry Collaboration Service and the instant messaging server. The
BlackBerry Collaboration Service supports up to 2000 instant messaging session connections to the Microsoft
Live Communications Server or the IBM® Lotus® Sametime® server. The number of instant messaging session
connections to the Novell® GroupWise® instant messaging server that the BlackBerry Collaboration Service
supports is limited to the number of Microsoft Windows sockets that are available.
You can control whether BlackBerry® Instant Messaging for IBM® Lotus® Sametime® or BlackBerry® Instant
Messaging for GroupWise® Messenger users can see an instant messaging mobile icon on the BlackBerry device
beside the names of session participants in their contact list that are using the same enterprise messenger. By
default, the mobile icon appears.
Configure the connection to the instant messaging server

1. In the BlackBerry Manager, in the left pane, click a BlackBerry Collaboration Service.
2. On the Collaboration Service tab, click Edit Properties.
3. In the left pane, click General.
4. In the Connection section, double-click Host. Type the host name of the instant messaging server.
5. In the Connection section, double-click Port. Type the port number of the instant messaging server.
6. Click OK.
Change the transport protocol that the BlackBerry Enterprise Server uses to
connect to the instant messaging server
If your instant messaging server is Microsoft Live Communications Server 2005, and if the enterprise messenger
that your environment supports is Microsoft® Windows® Messenger, Microsoft Office Communicator, or both, you
can change the transport protocol that the BlackBerry Collaboration Service uses to connect to the instant
messaging server.
2. In the left pane, click General.
82
3. In the Connection section, perform one of the following actions:
Enterprise messenger Procedure

BlackBerry® Instant Messaging for Microsoft® > In the Transport Protocol drop-down list, click one of the following protocol
Windows® Messenger types:
• TLS: Use TLS if you want the Microsoft Live Communications Server connector
to encrypt the data that it sends to the Microsoft Live Communications Server.
The computer running the Live Communications Server Connector must trust
the TLS certificate on the Microsoft Live Communications Server.
If you use TLS, the Microsoft Live Communications Server uses one socket
connection for each user login. This allows you to support up to 2000 instant
messaging sessions at the same time.
• TCP: Use standard TCP if you do not want the Microsoft Live Communications
Server connector to encrypt the data that it sends to the Microsoft Live
Communications Server.
If you use TCP, the Microsoft Live Communications Server uses up to three
socket connections for each user login; you cannot support up to 2000 instant
messaging sessions at the same time.
BlackBerry® Instant Messaging for Microsoft® > In the Transport Protocol drop-down list, click one of the following protocol
Office Communicator types:
• HTTPS: Use HTTPS if you want the BlackBerry Collaboration Service to
encrypt the data that it sends to the Microsoft Office Communicator Web
Access server.
• HTTP: Use standard HTTP if you do not want the BlackBerry Collaboration
Service to encrypt the data that it sends to the Microsoft Office
Communicator Web Access server.
Mixed environment: BlackBerry Instant 1. Set the transport protocol for the primary instant messaging server.
Messaging for Microsoft Windows Messenger 2. To change the protocol for the related instant messaging server, in the Related
and BlackBerry Instant Messaging for Microsoft Services section, double-click Related Services.
Office Communicator
3. Double-click the related instant messaging server.
4. Set Transport Protocol to the desired transport protocol for the appropriate
enterprise messenger environment.
4. Click OK.
Control an instant messaging session

1. In the BlackBerry Manager, in the left pane, click a BlackBerry Collaboration Service.
3. Click General.
4. In the Service section, perform any of the following actions:
Action Procedure
Set how many instant messaging sessions can be open at the same time. 1. Double-click Maximum Simultaneous Sessions.
2. Type a number.
83
Action Procedure
Set how long, in seconds, an instant messaging session can remain idle before 1. Double-click Idle Timeout.
it is closed to permit a new session if the Maximum Simultaneous Sessions 2. Type a number.
number is reached.
Set how long, in milliseconds, an instant messaging session can remain 1. Double-click Inactivity timeout.
inactive before it is closed. 2. Type a number.
Hide the instant messaging mobile icon for BlackBerry Instant Messaging for 1. Click Show Mobile Icon.
IBM Lotus Sametime or BlackBerry Instant Messaging for Novell GroupWise 2. In the drop-down list, click False.
Messenger.
Set your organization’s Microsoft Windows domain name so that users do not 1. Double-click Default Domain Name.
have to type their user names when they provide their SIP login account to log 2. Type the Windows domain address.
in to the enterprise messenger application on BlackBerry devices.
5. Click OK.
84
9
Customizing attachment support
Configuring how the BlackBerry Enterprise Server connects to the BlackBerry Attachment Service
Controlling how the BlackBerry Attachment Service converts attachments
Configuring support for attachment file formats
Controlling attachment file sizes to minimize conversion resource requirements
Controlling attachment file sizes to minimize upload resource requirements
Configuring how the BlackBerry Enterprise Server connects

to the BlackBerry Attachment Service
If the BlackBerry Attachment Service is installed on a remote computer (separate from the BlackBerry Enterprise
Server), you configure certain connection settings on each computer.
• On the BlackBerry Enterprise Server, set the Connector Configuration settings to connect the BlackBerry
Messaging Agent to the BlackBerry Attachment Service when users retrieve attachments on BlackBerry
devices.
• On the computer on which the BlackBerry Attachment Service is installed, set the Attachment Server settings
to connect the BlackBerry Attachment Service to the BlackBerry Enterprise Server.
Connect the BlackBerry Enterprise Server to the BlackBerry Attachment

Service
1. On the BlackBerry Enterprise Server, on the taskbar, click Start > Programs > BlackBerry Enterprise Server >
BlackBerry Server Configuration.
2. On the Attachment Server tab, in the Configuration Option drop-down list, click Connector Configuration.
Action Procedure
Set the name or IP address of the computer on which the > In the Server field, type a name or IP address.
BlackBerry Attachment Service is installed. Tip: If the BlackBerry Attachment Service is installed on the same
computer as the BlackBerry Enterprise Server, localhost is set by
default.
Set the TCP/IP port number that the attachment connector uses to > In the Server Submit Port field, type the port number between
send the attachment data requests to the BlackBerry Attachment 1024 and 65,535.
Service.
Set the TCP/IP port number to use to query and retrieve large > In the Server Result Port field, type the port number between
attachment conversion data from the BlackBerry Attachment 1024 and 65,535.
Service.
Action Procedure
Set the interval to use to query the server results time if large > In the Polling Time(s) (seconds) field, type a time between 10
attachments are available for delivery from the BlackBerry and 300 seconds.
Attachment Service.
4. Click OK.
5. On the computer on which the BlackBerry Enterprise Server is installed, in the Microsoft Windows Services,
restart the BlackBerry Dispatcher.
Connect the BlackBerry Attachment Service to the BlackBerry Enterprise

Server
1. On the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. On the Attachment Server tab, in the Configuration Option drop-down list, click Attachment Server.
Action Procedure
Set the TCP/IP port number that the BlackBerry Attachment > In the Submit Port field, type the same port number that you
Service uses to receive document submissions and for which it set in the Server Submit Port field on the BlackBerry Enterprise
returns conversion results. Server.
Set the TCP/IP port number that the BlackBerry Attachment > In the Result Port field, type the same port number that you set
Service uses to send large attachment conversion data when polled in the Server Result Port field on the BlackBerry Enterprise
from the attachment connector on the BlackBerry Enterprise Server.
Server.
Set the TCP/IP port number to use for configuration and > In the Configuration Port field, type a port number between
administrative purposes. 1024 and 65,535.
4. Click OK.
5. On the computer on which the BlackBerry Attachment Service is installed, in the Microsoft Windows Services,
restart the BlackBerry Attachment Service.
Controlling how the BlackBerry Attachment Service converts

attachments
You can control how the BlackBerry Attachment Service converts attachments to optimize BlackBerry Attachment
Service performance and you can configure the Attachment Server settings to control the retrieval, distillation,
and conversion of attachment data. You can modify the Attachment Server settings only on the computer on
which the BlackBerry Attachment Service is installed.
Every attachment conversion process allocates memory on startup, uses memory on conversion, and caches the
attachment Document Object Model (DOM) locally on the computer on which the BlackBerry Attachment Service
is installed. A larger cache size means that more memory is allocated to each running conversion process. The
maximum file size of attachments affects the cached memory used. Use the Attachment Server settings to control
the amount of memory that the BlackBerry Attachment Service uses.
86
9: Customizing attachment support
When the BlackBerry Enterprise Server receives an attachment, the BlackBerry Attachment Service converts the
attachment into a DOM and caches the DOM locally. When users request to view the attachment on BlackBerry
devices, the BlackBerry Attachment Service accesses the DOM to process the request. All cached data is kept in
memory only and the original document is never cached.
Customize how the BlackBerry Attachment Service converts attachments

Action Procedure
Prevent multiple requests for the same attachment from > In the Concurrent Caching drop-down list, click Disabled.
using the first cached copy of the attachment DOM in a Note: The cache is maintained for 25 minutes (the default recycle time) or
conversion process for a user. until a new request exceeds the cache limit for that process and the least
recently used document in the cache is removed.
Set the maximum number of converted documents that > In the Document Cache Size (docs) field, type a number between 1 and
might reside in the document cache (as DOM) for an 128.
individual conversion process.
Set the number of conversion requests that the BlackBerry > In the Conversion Processes field, type a number between 1 and 64.
Attachment Service can process concurrently. Note: Set a value in relation to the available memory and competing services
on the computer on which the BlackBerry Attachment Service is installed.
Set the number of documents that can be converted > In the Max. Threads Per Process field, type a number between 2 and 32.
concurrently in a single conversion process. Tip: Use this setting to control thread saturation and to manage the
BlackBerry Attachment Service workload in conjunction with the Busy
Threshold (seconds) setting.
Set a limit for the time in which an application conversion > In the Recycle Time(s) (seconds) field, type a time between 300 and
process can reuse system resources. 3600 seconds.
Tip: The BlackBerry Attachment Service uses process recycling to reclaim
space and prevent failed processes from keeping memory allocated.
Set the threshold to determine whether the BlackBerry > In the Busy Threshold(s) (seconds) field, type a time between 60 and
Attachment Service is busy with conversions and should 270 seconds.
not accept new requests. Note: The BlackBerry Attachment Service monitors the running conversion
threads to check whether all conversion processes are busy when a new
request arrives.
4. Click OK.
Configuring support for attachment file formats

The BlackBerry Attachment Service uses distillers to convert attachments in supported file formats for display on
the BlackBerry device. All supported distillers are turned on by default.
87
Turn off a distiller to prevent users from viewing attachments on BlackBerry devices in specific file formats. For
example, if you turn off the .pdf distiller, users can no longer view Adobe® .pdf attachments on the BlackBerry
device. When you turn off a distiller for an attachment file format, remove the file format extension from the format
list in the Connector Configuration settings so that the Open Attachment option does not display on the
BlackBerry device.
Remove support for an attachment file format

3. In the Format Extension field, remove the file format extension.
5. In the Distiller Settings section, clear the check box beside the file format to remove.
6. Click OK.
Add support for additional attachment file format extensions

If your messaging server is connected to a document management system that enforces file format extension
renaming, add the extensions to the format list to support arbitrary extensions.
3. In the Format Extension field, type the file format extension.
4. To enable users to view all image formats on BlackBerry devices, select the Image Attachments check box.
5. Click OK.
Controlling attachment file sizes to minimize conversion

resource requirements
By default, the BlackBerry Attachment Service does not limit the file size of an attachment embedded in a
message or retrieved through a web link. Data sent to the BlackBerry device through the wireless network must be
in packets no larger than 64 KB but there is no limit to the number of packets that can be sent.
88
In a heavy use environment, change the maximum file size for individual attachment formats to control the amount
of memory that the BlackBerry Attachment Service uses during attachment conversion.
Your environment is considered a heavy use environment if the BlackBerry Attachment Service responds to the
following demands:
• multiple users requesting conversions for large or complex attachments (especially .pdf and ASCII text files
that are larger than 2 MB)
• multiple users requesting large or complex documents in the same time frame (0 to 10 minutes) while the
BlackBerry Attachment Service processes large conversions
Set the maximum file size for an attachment

3. In the Distiller Settings section, in the Max. File Size (Kb) column, click the value beside the distiller that you
are modifying.
4. Type a value in kilobytes. In a heavy use environment, consider using the following file sizes:
File format Recommended size

Adobe® Acrobat® Versions 1.1, 1.2, 1.3, and 1.4 less than 2000 KB
Microsoft® Excel® Versions 97, 2000, 2003, and XP less than 2000 KB
Microsoft® PowerPoint® Versions 97, 2000, 2003, and XP less than 2000 KB
Microsoft® Word Versions 97, 2000, 2003, and XP less than 2000 KB
MP3 less than 2000 KB
Rich Text Format less than 2000 KB
Corel® WordPerfect® Versions 6.0, 7.0, 8.0, 9.0 (2000), and 10.0 less than 2000 KB
ASCII text less than 100 KB
HTML less than 100 KB
ZIP archives less than 2000 KB
images less than 2000 KB
audio less than 2000 KB
5. Click OK.
Set the maximum dimensions for images

You can control the dimensions of image attachments that users can view on BlackBerry devices. By default, for
image attachments, the BlackBerry Attachment Service sets a maximum width of 5000 pixels and a height of
4000 pixels.
If you permit the BlackBerry Attachment Service to convert larger image attachments, you must install the
BlackBerry Attachment Service on a remote computer.
89
1. On the computer on which the BlackBerry Attachment Service is installed, at the command prompt, type
regedit.
2. Browse to HKEY_LOCAL_MACHINE\Software\Research In Motion\BBAttachEngine\Distillers
\LoadImageDistiller\.
3. In the Name list, double-click the MaxWidth key.
4. In the Value data field, set the maximum width in pixels.
5. Click OK.
6. Browse to HKEY_LOCAL_MACHINE\Software\Research In Motion\BBAttachEngine\Distillers
\LoadImageDistiller\.
7. In the Name list, double-click the MaxHeight key.
8. In the Value data field, set the maximum height in pixels.
9. Click OK.
Controlling attachment file sizes to minimize upload resource

requirements
The BlackBerry Messaging Agent is designed to receive attachments that are locally created on certain BlackBerry
devices running BlackBerry Device Software Version 4.2 and to reconcile those attachments to the messaging
server. These attachments are not converted by the BlackBerry Attachment Service; they are received by the
BlackBerry Messaging Agent only.
The BlackBerry device determines whether or not the BlackBerry Enterprise Server supports attachment uploads
based on new CMIME service book entries. Users must have BlackBerry Desktop Software Version 4.2 installed to
make sure that these new service book entries remain in effect during service book updates over a physical
connection to the computer running the BlackBerry Desktop Software.
By default, the BlackBerry Messaging Agent limits the file size of an attachment uploaded from a BlackBerry
device to a maximum of 3072 KB (3 MB). If uploading more than one attachment at a time, the BlackBerry
Messaging Agent also limits the total of those attachment file sizes to a maximum of 5120 KB (5 MB).
Data that the BlackBerry device and the messaging server send between them over the wireless network must be
in packets no larger than 64 KB. If an attachment that is uploaded from a BlackBerry device is greater in size than
a single packet, the BlackBerry device divides the attachment into multiple packets. The BlackBerry Messaging
Agent caches all packets until it receives the last packet and then sends the attachment to the messaging server.
In a heavy use environment, to control the amount of memory and transactions that the BlackBerry Messaging
Agent uses during attachment uploads perform one or both of the following actions:
• change the file size maximums
• prevent attachment uploads
90
Change attachment upload file size maximums

3. In the left pane, click Messaging.
Action Procedure
Change the maximum file size for a single attachment > In the Maximum Upload Attachment Size field, type a number between
upload. 1 and 3072.
Change the maximum file size for multiple attachments > In the Maximum Upload Total Attachment Size field, type a number
uploaded at one time. between 1 and 5120 that is also greater than the Maximum Upload
Attachment Size.
Prevent attachment uploads

If you set the attachment upload file size maximum, users can only upload specific attachments—certificates and
address book entries—that are less than a single packet.
3. In the left pane, click Messaging.
4. In the Maximum Upload Attachment Size field, type 0.
91
92
10
Customizing wireless access to enterprise
applications
Central push servers
Customize how BlackBerry devices authenticate with web servers
Restricting users’ access to web content
Restricting user access to types of media
Control how the BlackBerry MDS Connection Service manages web requests from BlackBerry devices
Customizing how applications make trusted connections to web servers
Restricting the resources that push applications can access
Managing push application requests
Configure how the BlackBerry MDS Connection Service connects to BlackBerry devices
Central push servers

Using the BlackBerry Manager, you designate one BlackBerry MDS Connection Service in a BlackBerry Domain as
the central push server. The central push server receives push requests from applications. It establishes a
connection to the BlackBerry device through which applications send data.
Only one BlackBerry MDS Connection Service in a BlackBerry Domain can be the central push server. When you
designate a BlackBerry MDS Connection Service as the central push server, the designation is dropped from any
other BlackBerry MDS Connection Service previously identified as the central push server. Before you remove a
push server designation from a BlackBerry MDS Connection Service, you must assign the designation to another
BlackBerry MDS Connection Service. If you change the central push server, notify the push application developers
of the change.
If you turn off the BlackBerry MDS Connection Service, the BlackBerry Collaboration Service also turns off.
Set the central push server

1. In the BlackBerry Manager, in the left pane, click a BlackBerry MDS Connection Service.
2. On the Connection Service tab, click Common.
3. Click Set as Push Server.
4. If you have BlackBerry MDS Services installed, confirm that the central push server appears in the list of
BlackBerry MDS Connection Services that are available to the BlackBerry MDS Services. See “Set how the
BlackBerry MDS Services and the BlackBerry MDS Connection Service connect” on page 66 for more
information.
Customize how BlackBerry devices authenticate with web

servers
Configure whether BlackBerry devices authenticate with a content web server directly, or whether the BlackBerry
MDS Connection Service authenticates with the web server on behalf of BlackBerry devices.
If you configure BlackBerry devices to authenticate directly with web servers, users are prompted to provide login
credentials every 30 minutes on their authenticated BlackBerry devices.
Configure how BlackBerry devices authenticate with web servers

2. On the Connection Service tab, click Edit Properties.
3. Click HTTP.
Action Procedure
Configure BlackBerry devices to authenticate 1. Click Support HTTP Authentication.
directly with web servers. 2. In the drop-down list, click False.
Configure the BlackBerry MDS Connection Service 1. Click Support HTTP Authentication.
to authenticate with web servers on behalf of 2. In the drop-down list, click True.
BlackBerry devices using HTTP Basic.
5. Double-click Authentication Timeout.

6. Type the length of time, in milliseconds, that authentication information remains on the web server.
7. Click OK.
Configure the BlackBerry MDS Connection Service to authenticate with

servers that use NTLM
> At <drive:>\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\
ServerInstance\config, configure the MDSLogin.conf file and the Java Authentication and Authorization
Service (JAAS) configuration file.
Visit java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html for information about the
JAAS configuration file.

servers that use Kerberos
> At <drive:>\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\
ServerInstance\config, configure the Kerberos™ 5 configuration file (krb5.conf).
94
10: Customizing wireless access to enterprise applications
Visit web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html#krb5.conf for information about the

Kerberos 5 file.

servers that use LTPA
Turn on cookie storage to permit the BlackBerry MDS Connection Service to authenticate with web servers that
use LTPA.
3. Click HTTP.
4. Click Support HTTP Cookie Storage.
6. Click OK.
Configure the BlackBerry MDS Connection Service to authenticate with the

RSA Authentication Manager
When you turn on RSA® authentication, users must type their login credentials on their BlackBerry devices before
they can access intranet or Internet content. After the user is authenticated, if proxy authentication is configured,
the BlackBerry device prompts the user to authenticate with the proxy server.
3. Click RSA Authentication.
Action Procedure
Turn on RSA authentication. 1. Click Enable RSA Authorization Support.
Set the length of time, in minutes, that an authenticated BlackBerry 1. Double-click RSA Authentication Timeout.
device can be connected to the corporate network before the user 2. Type a number.
must log in again.
Set the length of time, in minutes, that an authenticated BlackBerry 1. Double-click RSA Inactivity Timeout.
device can be inactive while connected to the corporate network 2. Type a number.
before the user must log in again.
5. Click OK.
95
Restricting users’ access to web content

Create pull access control rules to restrict the web servers that the BlackBerry MDS Connection Service accesses
on behalf of a user. You assign users to pull rules to control from which web servers users can request content. The
BlackBerry MDS Connection Service transmits the content that users request to their BlackBerry devices.
Restrict web content requests from BlackBerry devices

Configure whether access control rules are applied to web content requests from the BlackBerry device. Turn on
pull authorization to restrict the web content that users can receive on BlackBerry devices.
3. Click Access Control.
4. Click Pull Authorization.
6. Click OK.
Create and assign a rule to a type of web content request

3. In the left pane, click Access Control.
Action Procedure
Create a unique pull rule. 1. Double-click Pull Rules.
2. Click New.
3. Double-click Name.
4. Type a name for the rule.
5. Double-click Description.
6. Type a description for the rule.
7. Click OK.
8. Click OK again.
96
Action Procedure
Create a URL pattern. 1. Double-click URL Patterns.
2. Click New.
3. Double-click URL pattern.
4. Type the URL pattern of the web server to which the pull rule will control access.
5. In the Service Name drop-down list, click one of the following:
• http: rule applies when users request a connection to an HTTP site on their BlackBerry devices
• https: rule applies when users request a connection to an HTTPS site on their BlackBerry devices
when you enable SSL or Transport Layer Security (TLS) in proxy mode
• ldap: rule applies when users access a user profile or certificate from their BlackBerry devices; the
BlackBerry MDS Connection Service retrieves the user profile or certificate from the LDAP directory
• ocsp: rule applies when users verify the revocation status of a certificate from their BlackBerry
devices; the BlackBerry MDS Connection Service retrieves the certificate revocation status from the
OCSP server
• tcp: rule applies when users request a connection to the Internet or corporate intranet from their
BlackBerry devices using other standard Internet protocols
7. Type a description for the URL pattern.
8. Click OK.
9. Click OK.
Assign a rule to a URL 1. Double-click URL Pattern Rules.
pattern and define 2. In the left pane, click the pull rule.
whether access is
3. In the right pane, perform one of the following actions:
enabled for the URL.
• To prevent the user assigned to the rule from accessing a URL matching the URL pattern, select the
Deny option.
• To permit the user assigned to the rule to access a URL matching the URL pattern, select the Allow
option.
4. Click OK.
Assign a rule to a user account or group

Action Procedure
Assign a pull rule to a 1. Click BlackBerry Domain.
single user account. 2. On the Global tab, click Edit Properties.
4. Double-click User Rules.
5. In the left pane, click a rule.
6. In the right pane, select the option for a user account.
7. Click OK.
97
Action Procedure
Assign a pull rule to 1. Click a group.
users in a group. 2. On the Group Configuration tab, click Edit Group Template.
4. Double-click Pull Rule Set.
5. Select the pull rule check box to assign to the group.
6. Click OK.
7. Select the check box beside Pull Rule Set.
9. Click Yes.
2. Click OK.
Restricting user access to types of media

You can control what types of media—for example, audio and video—your users can receive on their BlackBerry
devices.
Using standard definitions for MIME media types, specify whether or not the BlackBerry MDS Connection Service
can send the media to the BlackBerry device. You can also set file size limits for each media type. Visit
www.iana.org for more information about MIME media types.
You can prevent users from receiving every format of a media (for example, video) or you can prevent users from
receiving only certain formats of a media (for example, mp4). If you want to prevent only certain formats you must
type both the media type and subtype definitions (for example, video/mp4) when you create the restriction.
Create a media content restriction

2. From the Global tab, click Edit Properties.
3. Click Media Content Management.
4. Double-click Media Content Types.
5. Click New.
6. In the Media Content Type field, type the media type and, optionally, a subtype.
Action Procedure
Prevent the BlackBerry MDS Connection Service from sending 1. From the Disallow content drop-down list, click True.
the media to BlackBerry devices. 2. Click OK.
98
Action Procedure
Permit the BlackBerry MDS Connection Service to send the 1. In the Maximum KB/Connection field, type the maximum file
media to BlackBerry devices only if the file size does not exceed size.
the maximum size. 2. From the Disallow content drop-down list, click False.
3. Click OK.
8. Click OK.
Manage media content restrictions

1. In the BlackBerry Manager, in the left pane, click a BlackBerry Domain.
2. From the Global tab, click Edit Properties.
3. Click Media Content Management.
4. Double-click Media Content Types.
5. Click a media content type restriction.
Action Procedure
Change an existing 1. Click Properties.
media content 2. Modify the file size, and media type.
restriction.
3. Click OK.
Delete an existing media > Click Remove.
content restriction.
7. Click OK.
Control how the BlackBerry MDS Connection Service

manages web requests from BlackBerry devices
3. Click HTTP.
Action Procedure
Cache cookies on behalf of BlackBerry devices and enable the 1. Click Support HTTP Cookie Storage.
BlackBerry MDS Connection Service to add cookie information to 2. In the drop-down list, click True.
HTTP requests from BlackBerry devices.
Note: If the BlackBerry device requires JavaScript® support in its
HTTP requests, cookies are processed on the BlackBerry device.
99
Action Procedure
Set the length of time, in milliseconds, that the HTTP connection 1. Double-click HTTP Device Connection Timeout.
waits for the BlackBerry device to send data. 2. Type a number.
Set the length of time, in milliseconds, that the HTTP connection 1. Double-click HTTP Server Connection Timeout.
waits for the web server to send data. 2. Type a number.
Set the maximum number of HTTP redirections that the BlackBerry 1. Double-click Maximum Number of Redirects.
MDS Connection Service supports. 2. Type a number.
Note: HTTP redirection occurs when the BlackBerry® Browser
requests a web page from a web server and the web server returns
a redirection status code that indicates a new URL for the web
page.
5. Click OK.
Permitting push applications to make trusted connections to

the BlackBerry MDS Connection Service
Generate a webserver.keystore file that contains a certificate for the BlackBerry MDS Connection Service. Push
applications require this certificate to establish an HTTP over SSL connection with the BlackBerry MDS
Connection Service when pushing content to a BlackBerry device.
Use the keytool to generate a self-signed certificate for the BlackBerry MDS Connection Service, or you can
import a signed certificate from a trusted public certificate authority. Use the keytool to export the BlackBerry
MDS Connection Service certificate from the webserver.keystore and import it into key stores used by other
applications, such as Microsoft Windows and Java applications.
Visit java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html for more information on using the keytool.
Visit tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for more information on Apache Tomcat™ requirements.
Publish the BlackBerry MDS Connection Service certificate to permit push

applications to make trusted connections with the BlackBerry MDS
Connection Service
1. On the computer where the BlackBerry MDS Connection Service is installed, go to <drive:>\Program
Files\Java\<JRE version>\bin, and at the command prompt, perform one of the following actions:
Action Procedure
Generate a self-signed 1. Type keytool -genkey -alias tomcat -keyalg RSA -keystore webserver.keystore.
certificate and publish it 2. Type the required information.
in webserver.keystore.
3. Confirm the information that you entered and, if correct, type Yes.
Publish a publicly signed 1. Type keytool -import -trustcacerts -alias tomcat -file <trustedserver.cer> -keystore
certificate in webserver.keystore.
webserver.keystore. 2. Type the key store password.
3. At the prompt, click Yes to add the certificate to the key store.
100
2. Copy the webserver.keystore file to <drive:>\Program Files\Research In Motion\BlackBerry Enterprise

Server\MDS\webserver.
Export the BlackBerry MDS Connection Service certificate to make it available

to other applications
Files\Java\<JRE version>\bin, and at a command prompt, type
keytool -export -alias tomcat -file <server.cer> -keystore <drive:>\Program Files\Research In
Motion\BlackBerry Enterprise Server\MDS\webserver\webserver.keystore -storepass <password>
2. Type the key store password.
Permit Java applications to trust the BlackBerry MDS Connection Service

certificate
Files\Java\<JRE version>\bin, and at a command prompt, type
keytool -import -trustcacerts -alias <alias> -file <server.cer> -keystore <application_keystore>
4. If the certificate does not exist, copy the file to <drive:>\Program Files\Java\lib\security.
Customizing how applications make trusted connections to

web servers
Configure how applications on BlackBerry devices retrieve certificate information for trusted and untrusted web
servers. The BlackBerry MDS Connection Service supports Lightweight Directory Access Protocol (LDAP), Online
Certificate Status Protocol (OCSP), SSL, and TLS. Certificates authenticate applications with the BlackBerry MDS
Connection Service.
Configure a key store file to permit BlackBerry devices and applications to connect to untrusted servers when
there is no certificate stored for the server on the computer where the BlackBerry MDS Connection Service is
installed. The key store file permits a push application to establish an HTTP-over-SSL connection with the
BlackBerry MDS Connection Service when pushing content to a BlackBerry device.
Configure the BlackBerry MDS Connection Service to query LDAP servers for
trusted application certificates
Define a user name and password for the BlackBerry MDS Connection Service to authenticate with LDAP servers
on behalf of BlackBerry devices.
101
Do not change the default LDAP port parameters unless there is a port conflict with another service on the same
computer. If you change port or host information, you must stop and restart the BlackBerry MDS Connection
Service to reload the configuration information.
3. Click LDAP.
4. Set the LDAP server settings.
5. Click OK.
Configure the BlackBerry MDS Connection Service to retrieve the status of a

certificate from an OCSP server
3. Click OCSP.
Action Procedure
Set the OCSP handler to accept OCSP responders 1. Click Use Device Responders.
that are specified by the BlackBerry device. 2. In the drop-down list, click True.
Set the OCSP handler to use the OCSP responder 1. If a certificate is present, click Use Certificate Extension Responders.
extension in a certificate. 2. In the drop-down list, click True.
Set the default URL of the OCSP responder. 1. Double-click Default Responder URL.
2. Type the URL of the OCSP responder.
Set the URL of the server on which the certificate 1. Double-click Default CRL Server URL.
revocation list (CRL) is located. 2. Type the URL of the CRL server.
Set the URL of the server on which the PGP keys 1. Double-click Default PGP Key Server URL.
are located. 2. Type the URL of the PGP server.
5. Click OK.
Permit BlackBerry devices to connect to untrusted web servers

A web server is untrusted if there is no certificate for it stored on the BlackBerry Enterprise Server.
3. Click TLS/HTTPS.
102
Action Procedure
Allow outgoing requests from the BlackBerry device that the 1. Click Allow Untrusted HTTPS Connections.
BlackBerry MDS Connection Service encrypts with HTTPS. 2. In the drop-down list, select True.
Allow outgoing requests from the BlackBerry device that the 1. Click Allow Untrusted TLS Connections.
BlackBerry MDS Connection Service encrypts with TLS. 2. In the drop-down list, select True.
Permit BlackBerry devices to connect to trusted web servers

Use the keytool to add a certificate for a web server to the BlackBerry Enterprise Server key store and permit
connections to the trusted web server.
1. Copy the certificate from a secure web site to a .cer file.
2. On the computer on which the BlackBerry MDS Connection Service is installed, copy the .cer file into the
<drive:>\Program Files\Java\<JRE version>\lib\security folder.
3. At a command prompt, browse to <drive:>\Program Files\Java\<JRE version>\bin.
4. Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
Visit java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html for more information about using the keytool.
Permit the BlackBerry MDS Connection Service to accept an SSL connection

with a push application to send content to BlackBerry devices
2. On the Mobile Data Service tab, configure the key store information. Only one key store file can exist. The file
must be called webserver.keystore and must be located at <drive:>\Program Files\Research in
Motion\BlackBerry Enterprise Server\MDS\webserver.
3. Click Create Keystore File.
4. If a message prompts you, click Yes to overwrite the existing key store file.
5. Click OK.
Restricting the resources that push applications can access

Control which push applications can send content to BlackBerry devices without users requesting the content
first. Push access control rules enable you to assign users and push applications to push rules to control which
push applications can send requests to users.
103
Restrict push application access to resources on a BlackBerry Enterprise

Server
Action Procedure
Restrict push applications from accessing the BlackBerry MDS 1. Click Push Authentication.
Connection Service to push content to users. 2. In the drop-down list, click True.
Restrict push applications from pushing content to specific 1. Click Push Authorization.
BlackBerry devices. 2. In the drop-down list, click True.
Encrypt push requests using SSL or TLS. 1. Click Push Encryption.
5. Click OK.
Create and assign a rule to a push application

If the BlackBerry MDS Services are installed, create a push initiator and password for the BlackBerry MDS Services
to communicate with the BlackBerry MDS Connection Service. Make the push initiator available to the BlackBerry
MDS Services. See “Associate a push initiator with the BlackBerry MDS Services” on page 106 for more
information.
Action Procedure
Create a unique push 1. Double-click Push Rules.
rule. 2. Click New.
3. Double-click Name.
4. Type a name for the rule.
6. Type a description for the rule.
7. Click OK.
8. Click OK.
104
Action Procedure
Create a push initiator 1. Double-click Push Initiators.
for a push application. 2. Click New.
3. Double-click Push Principal Name.
4. Type the name of the application sending the push requests that a push rule will control.
5. Double-click Credentials.
6. Type the password for the application.
8. Type a description for the application.
9. Click OK.
10. Click OK.
Assign a push rule to a 1. Double-click Push Initiator Rules.
push initiator. 2. In the left pane, click a rule.
3. In the right pane, select the option for a push initiator.
4. Click OK.
Assign a rule to a user account or group

Action Procedure
Assign a push rule to a 1. Click BlackBerry Domain.
single user account. 2. On the Global tab, click Edit Properties.
4. Double-click User Rules.
5. In the left pane, click a rule.
6. In the right pane, select the option for a user account.
7. Click OK.
Assign a push rule to 1. Click a group.
users in a group. 2. On the Group Configuration tab, click Edit Group Template.
4. Double-click Push Rule Set.
5. Select the push rule check box to assign to the group.
6. Click OK.
7. Select the check box beside Push Rule Set.
9. Click Yes.
2. Click OK.
105
Associate a push initiator with the BlackBerry MDS Services

Add the BlackBerry MDS Connection Service that has a BlackBerry MDS Services push initiator access control rule
defined to the list of BlackBerry MDS Connection Services available to the BlackBerry MDS Services.
4. Double-click BlackBerry MDS Connection Service Definition.
5. Click New.
6. Double-click URL.
7. Type the full URL or domain name and port number for the BlackBerry MDS Connection Service.
8. In the Push Initiator field, type the name of the BlackBerry MDS Services push initiator.
9. Click OK.
10. Click OK again.
Managing push application requests

The BlackBerry MDS Connection Service sends push application requests to BlackBerry devices. Configure how
the BlackBerry Enterprise Server manages push application requests.
Permit the transfer of application-reliable push requests between BlackBerry

devices and the BlackBerry MDS Connection Service on device ports
Configure the BlackBerry MDS Connection Service to permit application-reliable push requests between
BlackBerry devices and the BlackBerry MDS Connection Service on device ports. Applications that use reliable
push requests to notify the BlackBerry MDS Connection Service whether a push request was received successfully
on the BlackBerry device have unique port numbers. Contact your application developers for the port value
defined for an application.
3. Click Push/PAP.
4. Double-click Device Ports Enabled for Reliable Pushes.
5. Type the device port number. Use commas to separate multiple port numbers.
6. Click OK.
7. Click Restart Service.
106
Store push application requests in the BlackBerry Configuration Database

If push requests that use result notification are sent to a group that has users on multiple BlackBerry Enterprise
Servers within the BlackBerry Domain, you must store the push requests.
3. Click Push/PAP.
4. Click Store Push Submissions.
6. Click OK.
Delete push requests from the BlackBerry Configuration Database

3. Click Push Control.
Action Procedure
Set the maximum number of push messages to store in the 1. Double-click Maximum Stored Push Messages.
BlackBerry Configuration Database. 2. Type a number.
Set the maximum length of time, in minutes, to store a push 1. Double-click Maximum Push Message Age.
message before it is eligible for purging from the BlackBerry 2. Type a number.
Configuration Database.
5. Click OK.
Configure the number of simultaneous push application requests that the

BlackBerry MDS Connection Service can process
Configure how many active push connections the BlackBerry MDS Connection Service can process before it
queues the connections or sends a service unavailable message to the BlackBerry device.
3. Click Push/PAP.
107
Action Procedure
Set the maximum number of push connections to 1. Double-click Maximum number of Active Connections.
process simultaneously before queuing connections. 2. Type a number.
Set the maximum number of push connections 1. Double-click Maximum number of Queued Connections.
enabled in the queue before sending a service 2. Type a number.
unavailable message to the BlackBerry device.
5. Click OK.
Clear the push queue manually

An automated process runs daily to clear the push queue. You can also clear the queue manually.
1. In the Microsoft® SQL Server™ Enterprise Manager, open Console Root\Microsoft SQL Servers\SQL Server
Group\<BlackBerry Configuration Database server>\Management\SQL Server Agent\Jobs.
2. Start the RIMPurgeMDSMsg<database_name> process.
Configure how the BlackBerry MDS Connection Service

connects to BlackBerry devices
Configure whether BlackBerry devices can establish persistent connections with the BlackBerry MDS Connection
Service and set the maximum number of persistent connections permitted. Change the default port parameters
only if there is a port conflict with another service on the same computer. If you change host or port information,
you must restart the BlackBerry MDS Connection Service to reload the configuration information.
3. Click General.
Action Procedure
Set the maximum amount of data, in KB, that can be sent to the 1. Double-click Maximum KB/Connection.
BlackBerry device by the BlackBerry MDS Connection Service. 2. Type a number.
Set the length of time, in milliseconds, that the BlackBerry device 1. Double-click Flow Control Timeout.
has to send an acknowledgement before the BlackBerry MDS 2. Type a number.
Connection Service discards all pending content for the BlackBerry
device.
Permit Java applications on BlackBerry devices to make persistent 1. Double-click Use Persistent Socket.
TCP socket connections with the BlackBerry MDS Connection 2. Click True.
Service.
108
Action Procedure
Set the maximum number of threads that the BlackBerry MDS 1. Double-click Thread Pool Size.
Connection Service can process at the same time before the 2. Type a number.
BlackBerry MDS Connection Service rejects processing requests.
Set the maximum number of persistent TCP connections that can 1. Double-click Maximum Simultaneous Persistent Sockets.
be open simultaneously between BlackBerry devices and the 2. Type a number.
BlackBerry MDS Connection Service before the BlackBerry MDS
Connection Service rejects processing requests.
Modify the port number on which the web server listens for 1. Double-click Web Server Listen Port.
requests from push applications. 2. Type the port number.
Note: Notify push application developers if you change this
setting.
Modify the port number on which the web server receives HTTPS 1. Double-click Web Server SSL Listen Port.
requests from BlackBerry devices. 2. Type the port number.
Set the frequency at which the BlackBerry MDS Connection Service 1. Double-click Admin Configuration Cycle Timer.
polls the BlackBerry Configuration Database for changes to the 2. Type the interval.
BlackBerry MDS Connection Service and BlackBerry Collaboration
Service administrative settings.
109
110
11
Managing user accounts
Managing users

You can set property exceptions in a group by changing the properties for a single user account after the user
account is added to a group. If you have user account property exceptions in a group and you change and apply
the group properties, the updated group properties override any user account property exceptions that were set for
individual user accounts. See Chapter 6, “Customizing the BlackBerry messaging environment” for more
information about changing the properties for individual user accounts.
If you remove a user account from a group, the user account remains in the global users list but does not appear in
the user group lists.
Change properties for a group

5. Save the changes by clicking Apply.
6. Select the check boxes beside the properties to modify.
8. Click Yes.
9. Click OK.
Manage a group
3. Click Group Admin.
Action Procedure
Rename a group. 1. Click Modify Group Definition.
2. In the Group Name field, type a new name.
3. Click OK.
Delete a group. 1. Click Delete Group.
2. Click Yes.
Move a group to another BlackBerry 1. Click Move Group to BES.
Enterprise Server. 2. Click the destination BlackBerry Enterprise Server.
3. Click OK.
4. Click Yes.
Managing users
You can move user accounts between user groups or from one BlackBerry Enterprise Server to another in the
BlackBerry Domain. New service books are sent to the BlackBerry device over the wireless network.
If you move or change the display name of a user mailbox on the messaging server, the BlackBerry Enterprise
Server updates the user account within 15 minutes. If you move a hidden mailbox that does not appear in the GAL,
you must update the user account manually on the BlackBerry Enterprise Server.
When you remove a user account from the BlackBerry Enterprise Server, you can retain users’ BlackBerry
information in their mailboxes. Retaining the information enables you to add the user accounts again or enable
the users to continue to use their BlackBerry devices as BlackBerry Desktop Redirector users.When you add a user
account for which the BlackBerry information is retained, the user can continue to use the BlackBerry device with
the same configuration and privileges that the user account had before you removed it.
Move or delete a user account

3. Click Account.
Action Procedure
Move a user account to another 1. Click Assign To Group.
group. 2. Click a group to which to move the user account.
3. Click OK.
Remove a user account from a 1. Click Remove From Group.
group. 2. Click Yes.
112
11: Managing user accounts
Action Procedure
Move a user account to a different 1. Click Move User.
BlackBerry Enterprise Server. 2. Click the destination BlackBerry Enterprise Server.
3. Click OK.
Remove a user account from the 1. Click Delete User.
BlackBerry Enterprise Server. 2. Click Yes.
• To retain the BlackBerry information in the user’s mailbox, click No.
• To remove the BlackBerry information from the user’s mailbox, click Yes.
Update a user account manually

3. Click Account.
4. Click Reload User.
5. Click OK.
113
114
12
Managing BlackBerry Device Software and
wireless applications
Managing applications on BlackBerry devices
Managing software configurations
Managing applications on BlackBerry devices

You can upgrade or remove Java applications, the Enterprise Messenger, and the BlackBerry MDS Runtime from
BlackBerry devices over the wireless network. The BlackBerry Enterprise Server might take 4 hours to upgrade or
remove the applications from BlackBerry devices.
You can update application control policies to change the access that applications installed on BlackBerry devices
have to the BlackBerry devices and resources behind the corporate firewall, and you can remove application
control policies that you no longer require.
You are solely responsible for the selection, implementation, and performance of any third-party applications that you use with the
BlackBerry device or the BlackBerry Desktop Software. RIM does not in any way endorse or guarantee the security, compatibility,
performance, or trustworthiness of any third-party application and shall have no liability to you or any third party for issues arising
from such third-party applications.
Upgrade an application on a BlackBerry device

1. Add or upgrade the application in the network drive. See “Add the software and tools to the network drive” on
2. Re-index the application. See “Re-index the software applications” on page 43 for more information.
Note: Applications that are assigned an application control policy with a Disposition set to Required also receive the application
upgrade over the wireless network.
Remove an application from a BlackBerry device

2. On the Software Configurations tab, click Manage Application Policies.
3. Double-click an application control policy.
4. In the Disposition drop-down list, click Disallowed.
5. Click OK.
Change or delete an application control policy

2. Click the Software Configurations tab.
3. Click Manage Application Policies.
4. Click the application policy.
Action Procedure
Change an application control policy. 1. Click Properties.
2. Modify the application control policy properties.
3. Click OK.
Delete an application control policy. > Click Remove.
6. Click OK.
Managing software configurations

You manage software configurations using the computer on which the BlackBerry Manager is installed. You can
change a software configuration to update or change the applications to install on BlackBerry devices and you can
assign a different software configuration to users.
Manage a software configuration

> In the BlackBerry Manager, in the left pane, perform one of the following actions:
Action Procedure
Change a software 1. Click BlackBerry Domain.
configuration. 2. On the Software Configurations tab, in the Configuration Name list, click a software configuration.
3. Click Edit Configuration.
4. In the Application Name list, perform one of the following actions:
• Select the check box beside the applications to install on BlackBerry devices.
• Clear the check box beside the applications to remove from BlackBerry devices.
5. Click OK.
Assign a different software 1. Click a BlackBerry Enterprise Server.
configuration to a user. 2. In the Users list, click a user to assign the software configuration to.
6. Click OK.
116
12: Managing BlackBerry Device Software and wireless applications
Action Procedure
Remove a software 1. Click a BlackBerry Enterprise Server.
configuration from a user. 2. In the Users list, click a user to whom to assign the software configuration.
5. Click <none>.
6. Click OK.
Delete a software 1. Click BlackBerry Domain.
configuration. 2. On the Software Configurations tab, in the Configuration Name list, click a software configuration.
3. Click Delete Configuration.
4. Click OK.
Create a new software 1. Click BlackBerry Domain.
configuration based on an 2. On the Software Configurations tab, in the Configuration Name list, click a software configuration.
existing software
3. Click Copy Configuration.
configuration.
4. Double-click the copied software configuration.
5. In the Configuration Name field, rename the software configuration.
6. Change the software configuration properties as desired. See “Create a software configuration” on
7. Click OK.
117
118
13
Managing a BlackBerry Domain
Monitoring the BlackBerry services and components in a BlackBerry Domain
Accessing log files for BlackBerry services
Managing different BlackBerry Domains
Managing license keys
Monitoring the BlackBerry services and components in a

BlackBerry Domain
In the case of a failed operation, the BlackBerry Controller detects and restarts the appropriate processes by
default, which enables the BlackBerry Enterprise Server to continue to function in the event of nonresponsive
threads or inactive services.
The BlackBerry Controller monitors the following BlackBerry services and components:
• BlackBerry Dispatcher
• BlackBerry Router
• BlackBerry Messaging Agent
• BlackBerry Attachment Service
• BlackBerry Collaboration Service
• Live Communications Server connector
• BlackBerry Synchronization Service
• BlackBerry Policy Service
• BlackBerry MDS Connection Service
• BlackBerry MDS Services
• BlackBerry Database Consistency Service
By default, the registry keys that control the BlackBerry Controller are not visible. To customize how the BlackBerry
Controller monitors the BlackBerry services, you must create the registry keys that govern the BlackBerry
Controller and change the default values.
Warning: Do not restart the BlackBerry Controller. Restarting the BlackBerry Controller restarts the BlackBerry Messaging Agents,
which might take a long time to start. Users cannot send or receive messages on BlackBerry devices while the BlackBerry Messaging
Agents are restarting.
Customize how the BlackBerry Controller monitors BlackBerry services

1. On the computer on which the BlackBerry service is installed, start the Registry Editor.
Server.
3. Click Controller.
Action Procedure Default

Do not restart the BlackBerry 1. Create a new DWORD value called RestartAgentsOnCrash. 1
Messaging Agents if they stop 2. Double-click the new value.
responding.
3. In the Value data field, type 0.
Set the maximum number of times to 1. Create a new DWORD value called MaxAgentRestartsPerDay. 10
restart the BlackBerry Messaging 2. Double-click the new value.
Agents daily.
3. In the Value data field, type a number.
Set a limit for the number of missed 1. Create a new DWORD value called WaitToRestartAgentOnHung. 6
health checks that the BlackBerry 2. Double-click the new value.
Controller permits before it restarts
the BlackBerry Messaging Agents. 3. In the Value data field, type a number that is greater than 4 to provide the
BlackBerry Controller sufficient time to monitor thread health checks before it
restarts the BlackBerry Messaging Agents.
Health checks occur every 10 minutes. If the health check does not receive a response
from the thread being monitored, the missed health check is tracked in the BlackBerry
Messaging Agent log file as the Wait Count. For example:
[20148] (05/12 12:21:00):{0xC28} Thread: *** No Response ***
Thread Id=0xB00, Handle=0x558, WaitCount=2,
Do not restart the BlackBerry 1. Create a new DWORD value called WaitToRestartAgentOnHung. 6
Messaging Agents when the 2. Double-click the new value.
BlackBerry Controller detects
3. Type 0.
nonresponsive threads.
Do not restart the BlackBerry 1. Create the following DWORD values: —
Messaging Agents within a specified • RestartAgentOnHungBlackoutFrom
time range when the BlackBerry • RestartAgentOnHungBlackoutTo
Controller detects a non-responsive
2. In each new value, select the Decimal option.
thread.
3. In RestartAgentOnHungBlackoutFrom, type the lower boundary of the time
range. The values range from 0 to 23, where 0 is 12:00 AM and 23 is 11:00 PM.
4. In RestartAgentOnHungBlackoutTo, type the upper boundary of the time range.
The values range from 0 to 23, where 0 is 12:00 AM and 23 is 11:00 PM.
For example, if the RestartAgentOnHungBlackoutFrom value is set to 8 and the
RestartAgentOnHungBlackoutTo value is set to 17, the BlackBerry Controller does not
restart the BlackBerry Messaging Agents between 8:00 AM and 5:00 PM.
120
13: Managing a BlackBerry Domain

Turn off the time range in which the 1. Double-click RestartAgentOnHungBlackoutFrom. —
BlackBerry Controller must not 2. In the Value data field, type 0.
restart the BlackBerry Messaging
3. Click OK.
Agents when it detects a non-
responsive thread. 4. Double-click RestartAgentOnHungBlackoutTo.
Restart the BlackBerry Messaging 1. Create a new DWORD value called RestartAgentOnHung. 1
Agents and do not generate a 2. Double-click the new value.
user.dmp file when the BlackBerry
Controller detects non-responsive
threads. The WaitToRestartAgentOnHung value takes precedence over this value.
To use this data collection option, download and install the User Mode Process Dump
application that is included in the Microsoft OEM Support Tools. Visit
www.support.microsoft.com for more information.
Set the maximum number of 1. Create a new DWORD value called MaxUserDumpPerDay. 3
user.dmp files to generate for each 2. Double-click the new value.
BlackBerry Enterprise Server daily,
3. In the Value data field, type a number.
before the BlackBerry Controller
restarts the BlackBerry Messaging To use this data collection option, download and install the User Mode Process Dump
Agents. application that is included in the Microsoft OEM Support Tools. Visit
www.support.microsoft.com for more information.
Set the number of 10-minute 1. Create a DWORD value called MissedHeartbeatThreshold. 2
intervals in which to restart the 2. Double-click the new value.
BlackBerry Messaging Agents if the
BlackBerry Controller does not 3. In the Value data field, type a number.
receive health checks from the Health checks occur every 10 minutes. For example, if the MissedHeartbeatThreshold
BlackBerry Messaging Agents. value is set to 3, the BlackBerry Controller does not restart the BlackBerry Messaging
Agents for 30 minutes.
Do not restart the BlackBerry 1. Create a DWORD value called MissedHeartbeatThreshold. —
Messaging Agents if the BlackBerry 2. Double-click the new value.
Controller does not receive health
checks from the BlackBerry
Messaging Agents.
Do not restart the BlackBerry 1. Create a new DWORD value called RestartDispatcherOnCrash. 1
Dispatcher if it stops responding. 2. Double-click the new value.
Do not restart the BlackBerry 1. Create a DWORD value called RestartBBIMOnCrash. 1
Collaboration Service if it stops 2. Double-click the new value.
responding.
Do not restart the Live 1. Create a new DWORD value called RestartLCSOnCrash. 1
Communication Server connector if 2. Double-click the new value.
it stops responding.
Do not restart the BlackBerry Router 1. Create a new DWORD value called RestartRouterOnCrash. 1
if it stops responding. 2. Double-click the new value.
121

Do not restart the BlackBerry Policy 1. Create a new DWORD value called RestartPolicyServerOnCrash. 1
Service if it stops responding. 2. Double-click the new value.
Do not restart the BlackBerry 1. Create a new DWORD value called RestartSyncServerOnCrash. 1
Synchronization Service if it stops 2. Double-click the new value.
responding.
Do not restart the BlackBerry MDS 1. Create a new DWORD value called RestartMDSOnCrash. 1
Connection Service if it stops 2. Double-click the new value.
responding.
Do not restart the BlackBerry 1. Create a new DWORD value called RestartAttachmentServerOnCrash. 1
Attachment Service if it stops 2. Double-click the new value.
responding.
Do not restart the BlackBerry MDS 1. Create a new DWORD value called RestartMDSServicesOnCrash. 1
Services if they stop responding. 2. Double-click the new value.
Do not restart the BlackBerry 1. Create a new DWORD value called RestartDBConsistencyOnCrash. 1
Database Consistency Service if it 2. Double-click the new value.
stops responding.
5. Click OK.
Accessing log files for BlackBerry services

Use log files to monitor the daily activities that the BlackBerry services perform and to find errors or information
when you troubleshoot BlackBerry service issues. Each BlackBerry service creates its own log file. By default,
BlackBerry services write log files to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\
and the BlackBerry Enterprise Server organizes the log files into daily folders. You can change the location in
which to save the log files. To save hard disk space, you can configure the BlackBerry Enterprise Server to delete
log files automatically after a specified number of days.
By default, the BlackBerry services create log files using the format
<ServerName_IdentifierName_Instance_YYYYMMDD_Log#.txt> (for example,
BBServer01_MAGT_01_20051020_0001.txt). Events that the BlackBerry services write to the log file use a five-
digit number (for example, 30126). The first digit represents the logging level.
Use logs to monitor the time and the frequency at which users send PIN messages and SMS messages, and make
phone calls from BlackBerry devices. By default, phone call logging is enabled and PIN and SMS message logging
is turned off on the BlackBerry Enterprise Server.
Customize how BlackBerry services creates log files

122
2. On the Logging tab, perform any of the following actions:
Action Procedure
Set the root location in which the 1. Click Browse.
BlackBerry services write the log files. 2. Browse to a location on a local drive.
Set a prefix to use for all log files. > In the Log file prefix field, type a prefix.
Store all log files in the root folder. > Clear the Create daily log folder check box.
3. In the BlackBerry Service Log Settings pane, click a BlackBerry service.

Action Procedure
Change the four-character identifier 1. Click Debug log identifier.
name that appears in the BlackBerry 2. In the Setting column, type a new identifier name to associate the BlackBerry service with
service log file name. the log file that it writes to.
Do not create a new log file every 1. Click Debug daily log file.
day. 2. In the Setting column, in the drop-down list, click No, which means that the log file name
does not contain the date.
Set the logging level. 1. Click the Debug log level setting.
2. In the Setting column, in the drop-down list, click one of the following logging levels:
• 1: Error
• 2: Warning
• 3: Information, which enables you to monitor the daily activities that the BlackBerry
service performs
• 4: Debug, which provides additional information to help you troubleshoot the BlackBerry
service
• 5: Verbose, which logs all events associated with the service or component
Set a maximum log file size. 1. Click Debug log size.
2. In the Setting column, type the maximum log file size in MB. A value of 0 means no limit is
enforced.
If Debug log auto-roll is turned on, a new file is created when the file size reaches the maximum.
If Debug log auto-roll is turned off, the existing file is overwritten.
Create a new log file when the 1. Click Debug log auto-roll.
BlackBerry service is restarted or the 2. In the Setting column, in the drop-down list, click Yes.
log file reaches the maximum size.
Set the age at which log files are 1. Click Debug log maximum daily file age.
deleted. 2. In the Setting column, type the number of days at which log files are deleted. A value of 0
means no limit is enforced.
Restore the default logging settings > Click Reset All.
for all listed BlackBerry services.
5. Click OK.
6. On the computer on which the BlackBerry service is installed, in the Microsoft Windows Services, restart the
BlackBerry service.
123
Customize how the BlackBerry MDS Connection Service creates a log file
3. Click Logs.
Action Procedure
Monitor activity at the Server Routing Protocol (SRP) network layer. 1. Click SRP logging enabled.
2. Click True.
Monitor activity at the IPPP network layer. 1. Click IPPP logging enabled.
2. Click True.
Monitor activity at the UDP network layer. 1. Click UDP logging enabled.
2. Click True.
Monitor activity at the General Message Envelope (GME) network 1. Click GME logging enabled.
layer. 2. Click True.
Monitor HTTP headers for response messages that are sent from 1. Click HTTP logging enabled.
the web server when users retrieve content from the Internet and 2. Click True.
intranet on the BlackBerry devices.
Monitor HTTP headers and the body of response messages that are 1. Click Verbose HTTP logging enabled.
sent from the web server when users retrieve content from the 2. Click True.
Internet and intranet on the BlackBerry devices.
Monitor encrypted data that the BlackBerry device and the origin 1. Click TLS logging enabled.
web server send between them using TLS. 2. Click True.
Monitor the certificate revocation status that the BlackBerry device 1. Click OCSP logging enabled.
retrieves from the OCSP server. 2. Click True.
Monitor requests from the BlackBerry device to access a user 1. Click LDAP logging enabled.
profile or certificate from the LDAP directory. 2. Click True.
Monitor certificate revocation lists that the BlackBerry device 1. Click CRL logging enabled.
retrieves from the CRL server. 2. Click True.
Monitor PGP key status and revocation information that the 1. Click PGP logging enabled.
BlackBerry device retrieves from the PGP server. 2. Click True.
5. Double-click Logs.
6. Click Destination.
124
Action Procedure
Set the logging level. 1. In the File section, click Log Level.
2. Click one of the following logging levels:
• Event
• Error
• Warning
• Informational: enables you to monitor normal BlackBerry MDS data flow
• Debug: enables you to troubleshoot the BlackBerry MDS Connection Service
Set the location in which the BlackBerry MDS 1. In the file File section, double-click Location.
Connection Service writes the log file. 2. Type the location.
Set the interval at which the BlackBerry MDS 1. In the File section, double-click Log Timer Interval.
Connection Service writes information to the log 2. Type the interval, in milliseconds.
file.
Set the level of logging to write to the UDP log 1. In the UDP section, click Log Level.
file. 2. Click the logging level.
Set the port number to which the BlackBerry 1. In the UDP section, double-click Location.
MDS Connection Service sends UDP log 2. Type the port number to use to connect to the SNMP agent using the following
messages. The BlackBerry Enterprise Server format: <hostname:port number>.
SNMP agent receives these messages on the
same port number.
Set the level of logging to write to the TCP log 1. In the TCP section, click Log Level.
file. 2. Click the logging level.
Set the location to which the BlackBerry MDS 1. In the TCP section, double-click Location.
Connection Service connects to send the TCP log 2. Type the location to which the BlackBerry MDS Connection Service connects to
message. send the log message using the following format: <hostname:port>.
Set the level of logging to write to the EventLog. 1. In the EventLog section, click Log Level.
2. Click the logging level.
8. Click OK.
Customize how the BlackBerry Collaboration Service creates a log file

2. On the BlackBerry Collaboration Services tab, click Edit Properties.
3. Click Logs.
Action Procedure
Do not monitor activity at the BlackBerry Instant Messaging 1. Click BBIM logging enabled.
network layer. 2. In the drop-down list, click False.
125
Action Procedure
Do not monitor activity at the SRP network layer. 1. Click SRP logging enabled.
Monitor activity at the GME network layer. 1. Click GME logging enabled.
5. Click OK.
Monitor PIN messages, SMS messages, and phone calls in a BlackBerry

Domain
The PIN message, SMS message, and phone call log files store confidential information in plain text format. To
protect the information, you must limit read and write controls to the location of the log files, or you can define a
different audit root location from the location of the other BlackBerry service log files.
3. Click Sync Server.
4. Double-click Audit Root Directory.
5. Type the absolute path to the location in which to save the log files, if desired.
6. Click OK.
9. Click IT Policy.
11. In the list of policies, click a policy.
Action Procedure
Monitor SMS messages that users send from BlackBerry 1. Click Disable SMS Messages Wireless Sync.
devices. 2. In the drop-down list, click False.
Monitor PIN messages that users send from BlackBerry 1. Click Disable PIN Messages Wireless Sync.
devices. 2. In the drop-down list, click False.
Do not monitor phone calls that users make on BlackBerry 1. Click Disable Phone Call Log Wireless Sync.
devices. 2. In the drop-down list, click True.
15. Click OK.
126
16. On the computer on which the BlackBerry Synchronization Service is installed, in the Microsoft Windows
Services, restart the BlackBerry Synchronization Service. The BlackBerry Enterprise Server creates the log files
using the following formats:
• PINLog_<YYYYMMDD>.csv
• SMSLog_<YYYYMMDD>.csv
• PhoneCallLog_<YYYYMMDD>.csv
Managing different BlackBerry Domains

Manage a different BlackBerry Domain by connecting the BlackBerry Manager to a different BlackBerry
Connect the BlackBerry Manager to a different BlackBerry Domain

1. In the BlackBerry Manager, on the Tools menu, click Options.
2. Click Database.
Action Procedure
Set the database server to which to connect. 1. Double-click Database Server Name.
2. Type the name of the database server on which the BlackBerry Configuration
Database resides.
Set the BlackBerry Configuration Database to which 1. Double-click Database Name.
to connect. 2. Type the BlackBerry Configuration Database name.
Set the authentication type to use to connect to the > In the Authentication drop-down list, click an authentication type.
BlackBerry Configuration Database.
Turn on verbose logging for all calls to the BlackBerry > In the Log Database Calls drop-down list, click True.
4. Click OK.
5. Close the BlackBerry Manager.
6. Open the BlackBerry Manager.
127
Managing license keys

Client access license keys control how many user accounts can exist on a BlackBerry Enterprise Server at the same
time. When you exceed the number of permitted user accounts, the license manager informs you that you require
more client access licenses.
Warning: If you use a temporary evaluation version client access license key and the key expires, the BlackBerry Dispatcher turns off
automatically, stopping all synchronization between the BlackBerry Enterprise Server and BlackBerry devices. You must purchase a
new client access license key before you can restart it. If you use a temporary evaluation license key, you cannot reuse that key after
you purchase a permanent client access license key.
To help you migrate client access license keys to computers in different BlackBerry Domains or troubleshoot client
access license key issues, you can copy the license keys from the BlackBerry Manager to a text file.
Add or remove a license key

2. On the Global tab, click Account.
3. Click License Management.
Action Procedure
Add a client access license key. 1. Type the new license key information.
2. Click Add License.
3. Click Close.
Remove a client access license key. 1. Right-click the license key to remove. Click Remove License Key.
2. Click Close.
Copy a license key to a text file

2. On the Global tab, click Account.
3. Click License Management.
4. Right-click a license key. Click Copy Key.
5. Open a text editor application.
6. Paste the license key into the file.
7. Save the file.
128
A
Appendix: Role matrix
Domain tasks
BlackBerry Enterprise Server tasks
Group tasks
User tasks
BlackBerry device management tasks
Tools menu
Domain tasks
Senior help Junior help
Task/Property Security Enterprise Device
Icon/Tab page Properties administrator administrator administrator desk desk
administrator administrator
BlackBerry edit edit view view view
Domain
Find User edit edit view view view
Enable edit edit — — —
Enterprise
Service Policy
Find Handheld edit edit view view —
License edit edit — — —
Management
Edit PIM Sync edit edit — — —
Global Field
Mapping
Global edit edit — — —
Properties
General edit edit — — —
IT Policy edit edit — — —
Access Control edit edit — — —
Push Control edit edit — — —
Global PIM edit edit — — —
Sync
WLAN edit edit — — —
Configuration
Media Content edit edit — — —
Management
Enterprise edit edit — — —
Service Policy
Task/Property Security Enterprise Device Senior help Junior help

Icon/Tab Properties desk desk
page administrator administrator administrator administrator administrator
Send Message edit edit — — —
Update Peer- edit edit — — —
to-Peer
Encryption Key
Reset PIM Sync edit edit — — —
Global Field
Mapping
Import IT Policy edit edit — — —
Definitions
MDS CS to BES edit edit — — —
Mapping
IM to BES edit edit — — —
Mappings
Role edit — — — —
Administration
Add edit — — — —
Administrators
List edit — — — —
Administrators
Remove edit — — — —
Administrators
BlackBerry Enterprise Server tasks

Task/Property Security Enterprise Device
Icon/Tab page Properties administrator administrator administrator desk desk
Servers edit edit view view view
Add Users edit edit — edit —
Clear Statistics edit edit — — —
Disable edit edit — — —
BlackBerry
MDS
Connection
Service
Server edit edit — — —
Properties
BES Alert edit edit — — —
Global Filters edit edit — — —
IT Admin edit edit — — —
Messaging edit edit — — —
130

Sync Server edit edit — — —
MDS Services edit edit — — —
Remove edit edit — — —
BlackBerry
Enterprise
Server
Restart edit edit — — —
BlackBerry
Enterprise
Server
Stop BlackBerry edit edit — — —
Enterprise
Server
Send Message edit edit — edit —
Connection edit edit — — —
Services
BlackBerry edit edit — — —
MDS
Connection
Service
Properties
HTTP edit edit — — —
LDAP edit edit — — —
Access Control edit edit — — —
Logs edit edit — — —
OCSP edit edit — — —
Push/PAP edit edit — — —
Proxy edit edit — — —
RSA edit edit — — —
Authentication
Stats edit edit — — —
TLS/HTTPS edit edit — — —
Restart Service edit edit — — —
Set as Push edit edit — — —
Server
Unset as Push edit edit — — —
Server
Start Service edit edit — — —
Stop Service edit edit — — —
131

Collaboration edit edit — — —
Services
Restart Service edit edit — — —
BlackBerry edit edit — — —
Collaboration
Service
Properties
Logs edit edit — — —
<MDS Services edit edit view view view
server name>
<MDS Services edit edit — — —
server name>
Properties
Filters edit edit — — —
Device Policies edit edit — — —
Certificate edit edit — — —
Connection edit edit — — —
Service
Message edit edit — — —
Monitors
Security edit — — — —
JDBC Drivers edit edit — — —
Add Certificate edit edit — — —
Applications edit view view view view
Installed
Remove edit edit edit — —
Application
from List
Quarantine edit edit edit — —
Application
Reinstate edit edit edit — —
Application
Uninstall on edit edit edit — —
Device
132

Quarantine on edit edit edit — —
Device
Reinstate on edit edit edit — —
Device
Application edit edit edit view view
Registry
Delete edit edit edit — —
Application
Install on edit edit edit — —
Device
Upgrade on edit edit edit — —
Device
Devices edit edit edit edit edit
Registered
Device edit edit edit edit edit
Registered
Properties
Device Policy edit edit edit edit edit
Applications edit edit edit edit edit
Assign Device edit edit edit edit —
Policy
Monitor edit edit edit — —
Messages
Purge All edit edit edit — —
Messages
Group tasks
Icon/Tab Task/Property Properties Security Enterprise Device desk desk
page administrator administrator administrator
User Groups edit edit view view view
User Groups edit edit view view view
List
Edit Group edit edit view view view
Template
Redirection edit edit view view view
Filters edit edit view view view
Security edit edit view view view
IT Policy edit edit view view view
PIM Sync edit edit view view view
Access Control edit edit view view view
133

Create Group edit edit — — —
Modify Group edit edit — — —
Definition
Delete Group edit edit — — —
Copy Properties edit edit — — —
to Another
Group
Update Group edit edit view view —
Membership
Move Group to edit edit — — —
BlackBerry
Enterprise
Server
Send Message edit edit — — —
Set Activation edit edit — — —
Password
Generate and edit edit — — —
Email
Activation
Password
Resend IT edit edit — — —
Policy
Assign IT Policy edit edit — — —
Resend Peer- edit edit — — —
to-Peer Key
Resend Service edit edit — — —
Book
Reset PIM Sync edit edit — — —
Field Mapping
Clear PIM Sync edit edit — — —
Backup Data
Purge Pending edit edit — — —
Messages
Export Stats To edit edit — — —
File
Assign Device edit edit — — —
Policy
Install on edit edit — — —
Device
Uninstall on edit edit — — —
Device
134

Assign edit edit edit — —
Software
Configuration
Update edit edit edit — —
Configuration
Check Status
Export Asset edit edit edit — —
Summary Data
Software edit edit edit — —
Configurations
Add New edit edit edit — —
Configuration
Edit edit edit edit — —
Configuration
Copy edit edit edit — —
Configuration
Delete edit edit edit — —
Configuration
Manage edit edit edit — —
Application
Policies
User tasks
Explorer Security Enterprise Device Senior help Junior help
Task/Property page Properties desk desk
Icon/Tab administrator administrator administrator administrator administrator
Users edit edit edit edit edit
Set Activation Password edit edit — edit edit
Reload User edit edit — edit edit
Clear In-Cradle Flag edit edit — edit edit
Choose Folders for edit edit — — —
Redirection
Note: To set up folder
redirection for a user, you
must have the appropriate
messaging server
permissions on the user’s
mailbox.
Add Users edit edit — edit —
Assign To Group edit edit — edit —
Clear Statistics edit edit — edit —
Delete User edit edit — edit —
135

Export Stats To File edit edit — edit edit
Find User edit edit — edit edit
Generate and Email edit edit — edit edit
Activation Password
Assign IT Policy edit edit — edit —
Resend IT Policy edit edit — edit edit
Erase Data and Disable edit edit — edit —
Handheld
Disable Connection and edit edit — edit —
Collaboration Services
Move User edit edit — edit —
Resend Peer-to-Peer Key edit edit — edit edit
Clear PIM Sync Backup edit edit — edit —
Data
Edit PIM Sync Field edit edit — edit —
Mapping
Reset PIM Sync Field edit edit — edit —
Mapping
User Properties edit edit edit edit edit
Filters edit edit — edit edit
IT Policy edit edit — edit —
PIM Sync edit edit — edit —
Redirection edit edit — edit edit
Security edit edit — edit edit
WLAN edit edit — edit —
Configuration
Advanced edit edit — — —
Purge Pending Messages edit edit — edit edit
Disable Redirection edit edit — edit edit
Send Message edit edit — edit edit
Resend Service Book edit edit — edit edit
Set Owner Information edit edit — edit —
Set Password and Lock edit edit — edit edit
Handheld
Assign Device edit edit edit — —
Assign Software edit edit edit — —
Configuration
Export Asset Summary edit edit edit — —
Data
Update Configuration edit edit edit — —
Check Status
136

Assign Device Policy edit edit — — —
Install on Device edit edit — — —
Uninstall on Device edit edit — — —
BlackBerry device management tasks

Task/Property Security Enterprise Device Senior help desk Junior help desk
Icon/Tab
Local Ports edit edit edit — —
(Device
Management)
Handheld edit edit edit — —
Properties
Load Handheld edit edit edit — —
Load Handheld edit edit edit — —
(Interactive)
Nuke Handheld edit edit edit — —
Configure Port edit edit edit — —
Retrieve Summary edit edit edit — —
Properties
Tools menu
Menu item Menu item desk desk
Tools edit edit edit edit edit
Options edit edit edit edit edit
Database edit edit edit edit edit
General edit edit edit edit edit
Serial Ports edit edit edit — —
137
138
B
Appendix: Wireless backup and restore
BlackBerry device data that the BlackBerry Enterprise Server does not back up over the wireless network
BlackBerry device data that the BlackBerry Enterprise Server

does not back up over the wireless network
Data Description
messages messages that were received on the BlackBerry device before the specified prepopulation date, not marked
as saved, located in folders not set for redirection, or that have message filters assigned to prevent
redirection to the BlackBerry device
content store saved images and ring tones
service books all service books
group addresses group addresses that users create on the BlackBerry device are stored locally and are not synchronized
RMS databases Java applications that third-party developers created in Java ME
Java applications Java applications that third-party developers created in the BlackBerry® Java® Development Environment
that you send to BlackBerry devices over the wireless network
Enterprise Messenger Enterprise Messenger application that you send to BlackBerry devices over the wireless network
BlackBerry MDS Studio BlackBerry MDS Studio Applications that you push to BlackBerry devices over the wireless network
Applications
140
©2007 Research In Motion Limited
Published in Canada.

System Administration Guide

Uploaded by

Copyright:

Available Formats

System Administration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

System Administration Guide

Uploaded by

Copyright:

Available Formats

BlackBerry Enterprise Server for

System Administration Guide

Last modified: 31 January 2007

Part number: 10923308 Version 2

Send us your comments on product documentation: https://www.blackberry.com/DocsFeedback.

Research In Motion Limited Research In Motion UK Limited

2 Setting up the BlackBerry environment ..........................................................................................................17

3 Setting up user accounts on the BlackBerry Enterprise Server ................................................................. 27

4 Controlling the BlackBerry environment .......................................................................................................33

5 Making additional BlackBerry Device Software and applications available to users.............................41

6 Implementing BlackBerry devices...................................................................................................................47

7 Making BlackBerry MDS Studio Applications available to users ..............................................................55

8 Customizing BlackBerry messaging................................................................................................................67

9 Customizing attachment support ....................................................................................................................85

10 Customizing wireless access to enterprise applications ............................................................................93

11 Managing user accounts ...................................................................................................................................111

12 Managing BlackBerry Device Software and wireless applications .......................................................... 115

13 Managing a BlackBerry Domain .....................................................................................................................119

A Appendix: Role matrix...................................................................................................................................... 129

B Appendix: Wireless backup and restore ....................................................................................................... 139

Icon Role Description

Icon Role Description

Adding database users to administrative roles

Add a database user to an administrative role

Set how the BlackBerry Manager authenticates with the

Use database authentication credentials

Managing administrative roles

Manage an administrative role

Protecting BlackBerry device data in transit

Encryption algorithm Description Notes

Set an encryption algorithm

Extending protection of BlackBerry device data in transit

Protect data using the PGP Support Package

Protect data using the S/MIME Support Package

Enable S/MIME message processing on the BlackBerry Enterprise Server

Set additional S/MIME encryption options

Replacing global scrambling of PIN-to-PIN messages with

Configuring a BlackBerry component to use a proxy server

Access web servers using a .pac file

10. Click OK.

Access web servers through a proxy server

10. Click OK.

Configure BlackBerry components to authenticate with a proxy server on

Associating a BlackBerry component with multiple

Assign a BlackBerry MDS Connection Service to multiple BlackBerry

Assign a BlackBerry Collaboration Service to multiple BlackBerry Enterprise

Assign BlackBerry MDS Services to multiple BlackBerry Enterprise Servers

Configuring address lookup support in a hosted environment

Customize the address lookup function

3. Verify that the value of the AllowAddressLookup DWORD value is set to 1.

Use LDAP for address lookup

Create a custom field for LDAP address lookup

Adding user accounts

Add a user account

Managing user groups

Assign a user to a group

Customizing organizer data synchronization

Configure organizer data synchronization for all user accounts

Configure organizer data synchronization for a specific user account