Administration Guide

Local Navigation

BlackBerry Manuals & Help   Administrator Documentation   BlackBerry Enterprise Server Express 5   BlackBerry Enterprise Server Express for Microsoft Exchange   Administration Guide BlackBerry Enterprise Server Express for Microsoft Exchange - 5.0.3

Restricting user access to content on web servers

You can prevent BlackBerry® device users from accessing specific web servers using the BlackBerry® Browser or applications on BlackBerry devices. To specify the web servers that you want users to access, you can turn on pull authorization to restrict access to all types of web content and create pull rules to specify a list of web servers that you permit users to access. Alternatively, you can create pull rules that specify a list of restricted web servers.

When you create pull rules, you can specify whether users must authenticate using RSA® authentication, integrated Windows® authentication, or both before the users can access the web servers.

Restrict requests for content on web servers from BlackBerry devices

Turn on pull authorization for a BlackBerry® MDS Connection Service to restrict the web addresses that users assigned to that BlackBerry MDS Connection Service can request when the users connect to the Internet or to your organization's intranet from their BlackBerry devices.
  1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
  2. Click the instance that you want to change.
  3. Click Edit instance.
  4. In the Access control section, in the Pull authorization drop-down list, click Yes.
  5. Click Save all.
Users cannot access web content on their BlackBerry devices until you permit the users to access specific web servers using pull rules.
After you finish: To permit users to access specific web servers, specify allowed web address patterns and assign the web address patterns to a pull rule, and assign the pull rule to a user account or group.

Specify web address patterns

You can create pull rules that specify which web address patterns users can and cannot use to access web servers from the BlackBerry® Browser and other applications on their BlackBerry devices. To create a pull rule, you must first specify web address patterns (for example, specify addresses with domains that are allowed). You can assign the web address patterns to a pull rule that you create, and specify whether access to web servers that match the web address patterns is permitted or restricted on BlackBerry devices. After you create a pull rule, you must assign it to user accounts or groups.

A web site that uses DNS load balancing returns a single IP address to the BlackBerry MDS Connection Service but might use multiple IP addresses to provide access to the web site. As a result, the BlackBerry MDS Connection Service might not be able to restrict BlackBerry devices from accessing the web site.

  1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Pull URL patterns tab, in the appropriate protocol section, type the web address pattern of a web server that you want to control access to. The web address patterns are based on Java® regular expressions (for example, .*\..*domain.*).
  5. Click the Add icon.
  6. Click Save all.
After you finish: Create web address patterns for each web server that you want to permit users to access. Create a pull rule that permits users to access the web servers that match the web address patterns.

Create a pull rule

  1. In the BlackBerry® Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Access control rules tab, in the Rule name field, type a name for the pull rule.
  5. In the Control type drop-down list, click Pull.
  6. Click the Add icon.
  7. Click Save all.
After you finish: Restrict or permit web address patterns using a pull rule.

Restrict or permit web addresses and Intranet addresses using a pull rule

A web site that uses DNS load balancing returns a single IP address to the BlackBerry MDS Connection Service but might use multiple IP addresses to provide access to the web site. As a result, the BlackBerry MDS Connection Service might not be able to restrict BlackBerry devices from accessing the web site.
Before you begin:
  • Create a pull rule.
  • If you want BlackBerry® device users to use RSA® authentication to access web servers, configure the BlackBerry® MDS Connection Service to authenticate BlackBerry devices to the RSA® Authentication Manager.
  • If you want users to use integrated Windows® authentication when they access the web servers, configure the BlackBerry MDS Connection Service to authenticate devices to Microsoft® Active Directory®.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Access control rules tab, click the Edit icon for a pull rule.
  5. In the URL pattern group drop-down list, click the protocol for the address that you want to assign to the pull rule.
  6. In the URL pattern drop-down list, click the address that you want to assign to the pull rule.
  7. In the Allowed drop-down list, perform one of the following actions:
    • To prevent users from accessing web servers that match the address, click Deny.
    • To permit users to access web servers that match a specific address, click Allow.
  8. In the Authentication drop-down list, perform one of the following actions:
    • To require that a user authenticates to Microsoft Active Directory using Windows authentication, click Regular.
    • To require that the BlackBerry MDS Connection Service authenticates a user using integrated Windows authentication, click Integrated.
    • To require that a user authenticates to the RSA Authentication Manager using RSA authentication, click RSA.
    • To require that the BlackBerry MDS Connection Service authenticates the user using integrated Windows authentication and that a user authenticates to the RSA Authentication Manager using RSA authentication, click Integrated and RSA.
  9. Click the Add icon.
  10. Repeat steps 5 to 8 for each address that you want to assign to the pull rule.
  11. Click Save all.
After you finish: Assign the pull rule to a group or user account.

Assign a pull rule to the members of a group

Before you begin: Create a pull rule. Assign web address patterns to the pull rule.
  1. In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
  2. Click Manage users.
  3. Click View more criteria.
  4. Search for a group.
  5. Click Select all results in the entire set.
  6. In the Add to user configuration list, click Add pull rule.
  7. In the Available pull rules list, click a pull rule.
  8. Click Add.
  9. Click Save.

Assign a pull rule to user accounts

Before you begin: Create a pull rule. Assign web address patterns to the pull rule.
  1. In the BlackBerry® Administration Service, in the BlackBerry solution management menu, expand User.
  2. Click Manage users.
  3. Search for one or more user accounts.
  4. Select the appropriate user accounts.
  5. In the Add to user configuration list, click Add pull rule.
  6. In the Available pull rules list, click a pull rule.
  7. Click Add.
  8. Click Save.
Next topic: Restricting user access to media content in the BlackBerry Browser
Previous topic: Managing how users access enterprise applications and web content

Was this information helpful? Send us your comments.