BlackBerry Access app configuration settings

General

Setting	Supported OS	Description
Homepage	Android iOS Windows macOS	This setting specifies the URL for the website that you want to appear as the home screen when users start BlackBerry Access . The URL must begin with "http://" or "https://".
Allow user to set home page	Windows macOS	This setting specifies whether users can set their own home pages in BlackBerry Access .
Allow telephone and maps URL	Android iOS Windows macOS	This setting specifies whether users can access telephone and map URLs in BlackBerry Access .
Allow telephone only	Android iOS	This setting specifies whether users can access telephone URLs only.
Allow maps only	Android iOS	This setting specifies whether users can access map URLs only.
Identify BlackBerry Access in User Agent	iOS	This setting specifies whether BlackBerry Access can send its user agent string to servers hosting websites that users visit. The user agent string identifies BlackBerry Access in the HTTP request headers. Servers use the information in the user agent string to provide content tailored to BlackBerry Access .
Allow phone number to dial using entitled and installed Dynamics VOIP apps	Android iOS	This setting specifies whether users can make phone calls using a third-party phone call service such as CellTrust.
Enable pop-up windows	Android iOS Windows macOS	This setting specifies whether BlackBerry Access allows pop-up windows. Disabling pop-up windows may cause issues with applications such as Microsoft Exchange , that open pop-up windows for tasks like composing new email messages. If you disable this setting, when an app tries to open a pop-up window, BlackBerry Access displays a message that pop-up windows are blocked.
Allow other applications to open urls in full screen mode	iOS	This setting specifies whether apps can open in full screen mode by default.
Allow import of bookmarks from Safari or Firefox	Android Windows macOS	This setting specifies whether users can import bookmarks that they export from other browsers into BlackBerry Access .
Push Bookmarks	Android iOS Windows macOS	This setting specifies bookmarks that will be preloaded in BlackBerry Access to make it easier for users to access work intranet webpages. You can copy and paste the text of your bookmarks file directly into this text box. The bookmarks must follow the Netscape bookmark file format. For more information, see https://gist.github.com/jgarber623/cdc8e2fa1cbcb6889872.
Enable web clip feature	iOS	This setting specifies whether users can use web clips. Web clips are small icons on mobile devices that link to webpages.
Allow users to perform app diagnostics	Android iOS	This setting specifies whether users can perform app diagnostics for BlackBerry Access . If this setting is selected, the “Run Diagnostics” option appears in the BlackBerry Access settings menu on users’ devices.
Enable APK installation (Android only)	Android	This setting specifies whether users can download and install .apk files.
Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access	Android iOS	This setting specifies whether third-party apps on the device can open webpages in BlackBerry Access . For BlackBerry Access for iOS , links in third-party, non- BlackBerry Dynamics apps can open in BlackBerry Access only if they launch with the following URL scheme: access://open?url= (for example, access://open?url=http://www.blackberry.com )
Do not allow download from any HTTP or HTTPS site you have not approved by whitelisting it in BlackBerry Control	Android iOS	This setting specifies whether BlackBerry Access users can download content from HTTP or HTTPS webpages even if they haven't been added to an allowed list.
Do not allow download from any HTTPS site you have not approved by whitelisting it in BlackBerry Control	Android iOS	This setting specifies whether BlackBerry Access users can download content from HTTPS webpages even if they haven't been added to an allowed list.
Enable export of downloaded files to OS file system (Windows and Mac)	Windows macOS	This setting specifies whether BlackBerry Work users can download files directly to their device's default download folder, instead of the BlackBerry Dynamics secure container. Note that allowing users to bypass the secure container is a potential security risk.
Enable import of files from OS file system ( Windows and Mac )	Windows macOS	This setting specifies whether BlackBerry Work users can attach files that aren't in the BlackBerry Dynamics secure container.
Enable Direct Downloads ( Windows and Mac )	Windows macOS	This setting specifies whether BlackBerry Work users can download attachments in email messages directly to the device's file system, instead of into the Download Manager in the BlackBerry Dynamics Launcher .
Disable BlackBerry Work ( Windows and Mac )	Windows macOS	This setting specifies whether users can use BlackBerry Work .
Open HTML files from other BlackBerry Dynamics applications	Android iOS	This setting specifies whether BlackBerry Access can open HTML files from other BlackBerry Dynamics apps.
Enable Geolocation	Android iOS	This setting specifies whether BlackBerry Access users can allow webpages to access their device's location.
Enable 3rd-Party Applications	Android iOS Windows macOS	This setting specifies whether BlackBerry Access can open custom URL schemes supported by third-party apps. By default, BlackBerry Access opens only HTTP and HTTPS URL schemes. If you select this setting, you must also set the "Enter comma separated URL schemes" setting. Each URL string must be mapped as `yourstring`://`your.URL.string` . For example, for Webex, you could use wbx://`yourcompany`.webex.com . In Access, the user would click on the anchor tag <a href="wbx://blackberry.webex.com">wbx://blackberry.webex.com</a> to open the local Webex app and pass the string yourcompany.webex.com to the app.
Enter comma-separated URL schemes	Android iOS Windows macOS	This setting specifies the custom URL schemes that BlackBerry Access can open. The list must be separated by commas. For example, itms-services,market,wbx,lync, where "itms-services" is App Store , "market" is Google Play , "watchdox" is BlackBerry Workspaces , "wbx" is WebEx , and "lync" is Microsoft Lync Server . This setting is valid only if the "Enable 3rd-Party Applications" setting is selected.
Enter JSON for search engine titles and URLs	Android iOS Windows macOS	This setting specifies search engine links that are added to the end of users' search results for bookmarks, history, or downloads. They provide users with easier access to search engines when they perform searches. In the text box, specify the search engine labels to show in BlackBerry Access such as Google and the corresponding search engine URLs. The text must be in .json format and each entry must end with [[GASEARCHKEY]]. For example: [ { "Google" : "https://www.google.com/search?q=[[GASEARCHKEY]]"}, { "Yahoo" : "https://search.yahoo.com/search?p=[[GASEARCHKEY]]"}, { "Bing" : "http://www.bing.com/search?q=[[GASEARCHKEY]]"} ]
Enable QR Code scanning	Android iOS	This setting specifies whether users can scan a QR code.
Allow universal links to external apps from BlackBerry Access ( iOS only)	iOS	This setting allows BlackBerry Access to open universal links to external apps,
To force policy update to device, enter current date and time and click update	Android iOS Windows macOS	This setting allows you to send the updated app settings to devices. It also refreshes PAC files. Enter the current date and time, in either 24-hour format or 12-hour format (for example, 02-16-2021 12:04AM in 12-hour format and 02-16-2021 0004 in 24-hour format) and click Update .

Security

Setting	Supported OS	Description
Allow SHA1 leaf or intermediate certificates	Android iOS	This setting specifies whether BlackBerry Access users can access https websites that use SHA1 signature TLS certificates and expired certificates. By default, this setting is selected.
Allow legacy/weak algorithms (DES)	Android iOS	This setting specifies whether BlackBerry Access can use 3DES algorithms.
Allow user to securely save authentication credentials	Android iOS Windows macOS	This setting specifies whether BlackBerry Access users can save their authentication credentials that they use to access webpages. BlackBerry Access supports saving only NTLM or Kerberos authentication credentials. Passwords entered into web forms are not saved even if this setting is enabled.
Expire stored credentials after	Android iOS Windows macOS	This setting specifies when the stored user credentials expire. You can choose between "'Never Expire" or "24 Hrs." This setting is valid only if the "Allow user to securely save authentication credentials" setting is selected.
Allow to save web form credentials and credentials autofill	Android iOS	This setting specifies if a user can automatically fill fields with saved passwords and credentials.
Alert user for invalid or expired certificate	Android iOS Windows macOS	This setting specifies whether users will be notified when certificates are invalid or expired.
Enforce strict tunnel	Android iOS Windows macOS	This setting specifies whether BlackBerry Access can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT. External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a BlackBerry Proxy cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked. If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser	Android iOS Windows macOS	This setting determines whether webpages from domains that aren't listed in the "Allowed Domains" section of the Connectivity profiles, will open in the user's native browser instead of BlackBerry Access . This setting is valid only if the "Enforce strict tunnel" setting is selected.
When user selects apply to all during prompt to open in third-party browser, do not prompt again for all the hosts under same domain.	iOS	When users select “Always open links from “<domain> in Safari“, this setting specifies whether they will be prompted again for any other hosts the user accesses within same domain. This setting is valid only if the "Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser" setting is selected.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native default browser	iOS	This setting determines whether BlackBerry Access users can access webpages from domains not listed in the “Allowed Domains” section of the Connectivity profiles. If these domains are encountered, they will open in the device’s native browser, which is typically set by the user in the device settings. By default, the native default browser on the device is Safari . You must inform users that if they want to change the default browser in their device settings, they should avoid selecting “Access” or “BlackBerry Access.” Selecting these options may lead to unexpected behavior. This setting is valid only if the "Enforce strict tunnel" setting is selected.
Do not prompt client cert authorization for all sites	Android iOS Windows macOS	When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows the webpage requesting authorization to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
Do not prompt client cert authorization for white listed sites only	Android iOS Windows macOS	When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows all domains listed in the allowed domains portion in Connectivity profiles to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
List all certificates available to user to choose for client cert authentication	Android iOS	Specify whether all uploaded encryption certificates are displayed when a user attempts to access websites that require a client cert.
Enable DLP Watermark	Android iOS	This setting specifies whether to add a faint background watermark across all application screens, with the username and the current date and time.
Prevent Screenshots on iOS	iOS	This setting allows you to prevent screenshots of BlackBerry Access from being taken on an iOS device.
Allow SameSite cookies feature and associated restrictions.	iOS	This setting specifies whether to allow SameSite cookies. Some legacy websites may not function properly when this setting is enabled.
Force authenticate using NTLM over Kerberos when NTLM authentication is possible to access resources.	Android iOS	This setting specifies whether to force authentication using NTML over Kerberos . This policy is not applied when the FIPS policy is enabled. If the NTLM override policy is enabled, BlackBerry Access will force NTLM authentication, if the website is configured to use Kerberos/KCD and NTLM. Use this setting only if Kerberos authentication is not available. This setting disables Kerberos to improve performance by preventing extra network roundtrips and timeouts to an unreachable KDC.
Allow MDM web content restrictions	iOS	This setting allows you to turn off MDM content filter rules that are configured for Safari in BlackBerry Access .
Enable biometric authentication while reusing saved credentials	iOS	Enable biometric authentication while reusing saved credentials.
Allow JavaScript to clear credentials	Android iOS	Web developers can use a JavaScript API to clear credential storage when a user logs out of their account on a web page. If you are using the API, when you select this option, you then specify which domains or hosts the policy should apply to. You can add up to 10 domains. When you enable this feature, users will be prompted for credentials on their next login.

Network

Setting	Supported OS	Description
Enter comma-separated Kerberos realm mappings e.g.: foo=FOO. COMPANY.COM	Android iOS Windows macOS	This setting specifies Kerberos realm mappings. Kerberos authentication realms define areas that are under control of Kerberos . These mappings allow you to equate realm names with other names that are accessible or for some other reason. The limit is 4000 characters.
Enable Kerberos Forwardable Ticket	Android iOS	This setting specifies whether Kerberos Forwardable tickets can be used. Forwardable tickets in Kerberos are client-side authentication credentials that are tied to a particular IP address that can be treated as new tickets with other IP addresses.
Resolve short names to fully qualified domain name (FQDN) for Kerberos authentication	Android iOS Windows macOS	This setting specifies whether users can reach servers by typing the unqualified domain name instead of the FQDN for Kerberos authentication. Enabling this setting may impact performance.
Disable file upload and download on mobile connections (Windows Only)	Windows	This setting specifies whether files can be downloaded or uploaded when users are connected to a mobile network instead of a Wi-Fi network.
Enable HTTP 2.0 Support	Android iOS	This setting specifies whether HTTP 2.0 is supported in BlackBerry Access .
Enable Web Proxy	Android iOS Windows macOS	This setting specifies whether BlackBerry Access can communicate through a web proxy server.
Use Proxy Auto Configuration	Android iOS Windows macOS	PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user. If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify. Enabling this setting will override static web proxy settings. This setting requires BlackBerry Dynamics servers version 1.6 and later. This setting is valid only if the "Enable Web Proxy" setting is selected.
Enter URL for PAC file location	Android iOS Windows macOS	This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac. The PAC file must not be hosted on the same server as BlackBerry UEM or any of its components. This configuration is not supported. The limit is 4000 characters. This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Use Static Web Proxy (Full Tunnel)	Android iOS Windows macOS	This setting specifies whether communications are enabled through a single web proxy service only. This setting is valid only if the "Enable Web Proxy" setting is selected. Enabling this setting overrides 'Enforce strict tunnel' settings.
Proxy Host	Android iOS Windows macOS	This setting specifies the the FQDN or IP address of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Proxy Port	Android iOS Windows macOS	This setting specifies the port number of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Use HTTPS web proxy tunnel for above host	Android iOS Windows macOS	The HTTPS proxy can be specified either as a static proxy or through PAC: You can specify the HTTPS using a BlackBerry UEM policy. Example PAC script for an HTTPS proxy: function FindProxyForURL(url, host) { return "HTTPS secure-proxy.example.com:443"; }
Enable PAC proxy check for all the sub-resources	Android iOS Windows macOS	You can use this setting to enforce PAC processing without caching. Selecting this setting has an impact on the performance of your organization’s environment. It is recommended to use this feature for special circumstances only.

RSA

Setting	Supported OS	Description
Enable RSA SecurID	Android iOS	This setting specifies whether users can use RSA SecurID token authentication to authenticate with BlackBerry Access , instead of a password.
Prompt PIN for PINPAD Token	Android iOS	This setting specifies whether users are always prompted for an RSA SecurID PIN. This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token File Password Retry Count	Android iOS	This setting specifies the number of times that a user can enter an incorrect RSA SecurID PIN before they are locked out. This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token Request SendTo Email Address	Android iOS	This setting specifies the email address of your RSA authentication manager. All RSA SecurID token seed record requests are sent to this address. This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token Request CC Email Address	Android iOS	This setting specifies the email address that should be CC'd for all RSA SecurID token seed record requests. This setting is valid only if the "Enable RSA SecurID " setting is selected.
Token Request Email Subject	Android iOS	This setting specifies the email subject for token request emails. This setting is valid only if the "Enable RSA SecurID " setting is selected.

Features

Setting	Supported OS	Description
Allow user to upload	Android iOS	This setting specifies whether users can upload files to web pages in BlackBerry Access . Files can have a maximum size of 20 MB.
Allow user to take new photos/videos and upload	Android iOS	This setting specifies whether users can take photos and videos and upload the photos and videos to a web page. Users must allow BlackBerry Access to access their cameras. Files can have a maximum size of 20 MB.
Allow user to select existing photos/videos to upload	Android iOS	This setting specifies whether users can upload existing photos and videos from their photo libraries to a web page. Files can have a maximum size of 20 MB.
Allow user to select files from file providers to upload	Android iOS	This setting specifies whether users can upload files from other file apps. Files can have a maximum size of 20 MB.
Allow user to upload files from the Dynamics container	Android iOS	This setting specifies whether users can upload files that have been downloaded to the downloads folder in BlackBerry Access .
Allow WebRTC	Android iOS	This setting turns on the use of WebRTC, which provides microphone and camera support required by services such as Zoom and WebEx . WebRTC traffic is not routed through the BlackBerry Dynamics secure tunnel regardless of the network connectivity profile settings. WebRTC traffic goes direct to the internet. Also, Connectivity profile settings do not apply to WebRTC traffic.
Enable exporting to 3rd-party native apps	Android iOS	Select the "Enable exporting to 3rd-party native apps" option to specify whether to allow the transfer of files to third-party native apps on the user's device. You can allow and disallow specific apps by app ID. By default, this setting is not selected. Consider the following scenarios when you enable this feature to allow or block exporting to 3rd-party native apps: If you select "Allow exporting to only these apps", but do not specify one or more app IDs, the "Share" option is not available and users are restricted from sharing files to apps of their choice. If you select "Allow exporting to only these apps" and specify one or more app IDs, users can share files to the specified apps. When users try to share a file to an app that is not listed, they receive an error message. If you select "Block exporting to only these apps", but do not specify one or more app IDs, users can share files to apps of their choice. If you select "Block exporting to only these apps", and specify one or more app IDs, users cannot share files to the specified apps. This policy is not applied when the CylanceAVERT policy "Do not allow copying data from BlackBerry Dynamics apps into non BlackBerry Dynamics apps" option is selected in the BlackBerry Dynamics profile. For more information about the BlackBerry Dynamics profile, see the Managing BlackBerry Dynamics apps content.

BlackBerry Work
(Mac and Win)

Setting	Supported OS	Description
Launch mail app on browser start	Windows macOS	This setting specifies whether the mail app opens instead of a browser window when BlackBerry Access starts.
Enable avatar photos	Windows macOS	This setting specifies whether users can set avatar photos. If it is disabled, the user's initials appear instead.
EWS server	Windows macOS	Optionally, you can use this setting to specify the URL that the mail app uses for Microsoft Exchange Web Services provisioning. Otherwise, BlackBerry Work uses autodiscovery methods to locate the EWS server. Optionally, you can enter a series of name=value pairs separated by commas, where the name designates an email domain and the value designates the URL for the EWS endpoint for that domain. Using this method, administrators can assign multiple users with different EWS endpoints to the same application policy and be able to control where the mail app accesses mail, based on the user’s email domain. For example: Single value: blackberry.com=http://mail.blackberry.com Multiple values: blackberry.com=http://mail.blackberry.com,yahoo.com=https://mail.yahoo.com BlackBerry Access does not validate the entries. All related logs are prefixed by [WEB_MAIL] EWS URL Resolution: at the INFO log level.
Enable KCD or PKNIT Support	Windows macOS	This setting specifies whether the mail app can use Kerberos constrained delegation.
Use client certificate in place of login/password	Windows macOS	This setting specifies whether users can use SSL certificates instead of using a login and password to authenticate with BlackBerry Work . SSL certificates must be uploaded to BlackBerry UEM . For more information, see Managing certificates.
Disable Notifications	Windows macOS	This setting specifies whether BlackBerry Work displays notifications for mail and calendar events.
Enable email Classification Markings	Windows macOS	This setting specifies whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. If selected, specify the following sample information in the Classifications and caveats field as required: <emailClassificationMarks> <options> <classifications>ON</classifications> <caveats>OFF</caveats> <classificationDefault>INTERNAL</classificationDefault> <caveatDefault>NO FORWARD</caveatDefault> </options> <classifications> <classification> <select>INTERNAL</select> <subject>(INTERNAL)</subject> </classification> <classification> <select>CONFIDENTIAL</select> <subject>[CONFIDENTIAL]</subject> </classification> </classifications> <caveats> <caveat> <select>NO FORWARD</select> <subject>(DO NOT FORWARD)</subject> </caveat> <caveat> <select>NO REPLY</select> <subject>(DO NOT REPLY)</subject> </caveat> </caveats> </emailClassificationMarks>
Require all emails to have Email Classification	Windows macOS	This setting specifies whether users are required to specify one of the classification options that are set in the 'Enable email Classification Markings' policy xml file. This setting is valid only if the "Enable email Classification Markings" setting is selected.
Display warning while sending message if recipient's email domain is unauthorized	Windows macOS	This setting specifies whether to display a warning if the user is sending an email to a recipient in an email domain that is not authorized. If selected, specify email domains you want to authorize in the Authorize email domains field. Users will notice that email addresses in untrusted domains appear in purple text.
Default signing algorithm	Windows macOS	This setting specifies the algorithm to use for signing sent messages.
Default encryption algorithm	Windows macOS	This setting specifies the algorithm to use for encrypting sent messages.
Enable Revocation Checking	Windows macOS	This setting allows you to set revocation checking of all certificates used for signing/encryption and signing verification/decryption of S/MIME messages. When you select this box, Use AIA extension in certificate if present is selected by default. In the Default OSCP URL field, specify the web address of the OSCP service. The OCSP URI is used by the S/MIME verification APIs as an OCSP revocation check service if an AIA extension is not present in a certificate or if the Use AIA extension in certificate if present check box is not selected.
Use Office 365 Modern Authentication	Windows macOS	This setting allows you to configure options for Microsoft 365 . Modern authentication enables BlackBerry Work to us sign-in features such as Multi-Factor Authentication and SAML-based third-party Identity Providers. If selected, specify the following: In the Entra App ID field, specify the Microsoft Entra ID app ID for BlackBerry Work . For information on how obtain an Entra app ID, see Obtain an Entra app ID for BlackBerry Work for Windows and macOS. In the Office 365 Sign On URL field, specify the web address that BlackBerry Work should use when it signs in to Office 365 . If you do not specify a value, BlackBerry Work uses https://login.microsoftonline.com during setup. In the Office 365 Tenant ID field, specify the tenant ID of the Office 365 server that you want BlackBerry Work to connect to during setup. In the Office 365 Resource field, specify the resource URL of the Office 365 server that you want BlackBerry Work to connect to during setup. If you do not specify a value, BlackBerry Work uses https://outlook.office365.com during setup.

BlackBerry Access
(Mac and Win)

Setting	Supported OS	Description
Enable WebRTC	Windows macOS	This setting specifies whether to enable access to WebRTC protocol-based destinations such as Citrix VDI browser-based access. For information on how to configure BlackBerry Access to support WebRTC, see Configure access to WebRTC-based destinations.
Enable Microphone Access	Windows macOS	This setting specifies whether BlackBerry Access should display a prompt that allows users to permit websites to use the device's microphone. You can enable it only if WebRTC is enabled.
Enable Camera Access	Windows macOS	This setting specifies whether BlackBerry Access should display a prompt that allows users to permit websites to use the device's camera. You can enable it only if WebRTC is enabled.
Enable UDP Protocol support	Windows macOS	This setting specifies whether to allow UDP connections initiated by websites.
Enable Printing	Windows macOS	This setting specifies whether to allow users to print web pages.
Enable embedded PDF viewer	Windows macOS	This setting specifies whether to allow users to view embedded PDFs from within BlackBerry Access .
Automatically open PDF and Microsoft Office documents after download	Windows macOS	This setting specifies whether to open PDF and Microsoft Office documents automatically after they are downloaded.
Enable Microsoft Office URI support	Windows macOS	Only Microsoft Office URIs that specify online documents are supported.
Enable Upgrade Notifications	Windows macOS	This setting specifies whether to push notifications to users when a new upgrade is available. If selected, specify the following: In the Min Windows Version field, specify the minimum BlackBerry Access for Windows version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification. In the Min Mac Version field, specify the minimum BlackBerry Access for macOS version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification. In the Win Download URL field, specify the URL for the BlackBerry Access for Windows app. In the Mac Download URL field, specify the URL for the BlackBerry Access for Windows app. In the Notification Message, you can create a custom message or leave the default message.
Enable Awingu Extension	Windows macOS	This setting specifies whether to enable the Awingu extension which allows users to store their Awingu credentials. Also, when enabled, an icon is added to the toolbar in BlackBerry Access and users can launch Awingu by clicking the icon in the toolbar. If selected, you must specify the following: In the Awingu URL field, specify your organization's Awingu URL. For example, yourcompany.awingu.com In the Awingu DOMAIN field, specify your organization's Awingu domain.
Enable installation of extensions	Windows macOS	This setting specifies whether to allow websites to download extensions for third-party apps. If selected, in the Permitted Extension Ids field, specify one more more extension IDs that can be installed. The source can be from any URL. WebEx and Skype can be enabled either by adding their extension ids or by adding their protocols to the external protocols list. In the Chrome app store, users can add only apps that have permitted extensions. If an extension is enabled and installed, and the administrator removes its ID, the extension is removed from BlackBerry Access . If the administrator re-adds the extension, the user must restart BlackBerry Access to be able to add the app from the Chrome app store.
Enable developer mode	Windows macOS	This setting allows you to enable developer mode in BlackBerry Access .

Policy Overrides For Mobile

These settings allow you to configure separate

BlackBerry Access

app configuration settings for mobile (

iOS

and

Android

) and desktop (

Windows

and

macOS

) devices for the same user. When these settings are enabled, the policy choices will override the equivalent policies that are listed in the tables above for

iOS

and

Android

devices.

Setting	Supported OS	Description
Enable policy overrides for iOS and Android Access clients only from clients version 3.5.1.x or later	Android iOS	When this setting is enabled, the selected policies in this table will override any equivalent policy settings that are listed in the tables above for iOS and Android devices.
Alert user for invalid or expired certificate	Android iOS	This setting specifies whether users will be notified when certificates are invalid or expired.
Enforce strict tunnel	Android iOS	This setting specifies whether BlackBerry Access can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT. External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a BlackBerry Proxy cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked. If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser	Android iOS	This setting specifies whether to open webpages from domains that aren't listed in the Connectivity profiles on the device's native browser or BlackBerry Access . This setting is valid only if the "Enforce strict tunnel" setting is selected.
When user selects apply to all during prompt to open in third party browser, do not prompt again for all the hosts under same domain	Android iOS	This setting specifies whether, when a user selects “Always open links from “<domain> in Safari“, the user will not be prompted again for any other hosts they access within same domain. When users select “Always open links from “<domain> in Safari“, this setting determines if the user will be prompted again for any other hosts they access within same domain. This setting is valid only if the "Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser" setting is selected.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native default browser	iOS	This setting determines whether webpages from domains not listed in the device’s native browser Connectivity profiles will open in the native browser. By default, the native default browser is Safari . Users also have the option to set a different default browser in their device settings. You must inform users that if they want to change the default browser in their device settings, they should avoid selecting “Access” or “BlackBerry Access.” Selecting these options may lead to unexpected behavior. This setting is valid only if the "Enforce strict tunnel" setting is selected.
Enable Web Proxy	Android iOS	This setting specifies whether BlackBerry Access can communicate through a web proxy server.
User Proxy Auto Configuration	Android iOS	PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user. If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify. Enabling this setting will override static web proxy settings. This setting requires BlackBerry Dynamics servers version 1.6 or later. This setting is valid only if the "Enable Web Proxy" setting is selected.
Enter URL for PAC file location	Android iOS	This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name (for example, http://www.example.com/PACfile.pac). The PAC file must not be hosted on the same server as BlackBerry UEM , or any of its components. This configuration is not supported. The limit is 4000 characters. This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Enable PAC proxy check for all the sub-resources	Android iOS	You can use this setting to enforce PAC processing without caching. Selecting this setting has an impact on the performance of your organization’s environment. You should use this feature for special circumstances only.
Use Static Web Proxy	Android iOS	This setting specifies whether communications are enabled only through a single web proxy service. This setting is valid only if the "Enable Web Proxy" setting is selected. Enabling this setting overrides "Enforce strict tunnel" settings.
Proxy Host	Android iOS	This setting specifies the the FQDN or IP address of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Proxy Port	Android iOS	This setting specifies the port number of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Use HTTPS web proxy tunnel for above host	Android iOS	The HTTPS proxy can be specified either as a static proxy or through PAC: You can specify the HTTPS proxy using a BlackBerry UEM policy. Sample code to set an HTTPS proxy: function FindProxyForURL(url, host) { return "HTTPS secureproxy.example.com:443"; }