BlackBerry Access app configuration settings
BlackBerry Access
app configuration settingsGeneral
Setting | Description | Applies to |
|---|---|---|
Homepage | This setting specifies the URL for the website that you want to appear as the home screen when users start BlackBerry Access .The URL must begin with "http://" or "https://". |
|
Allow user to set home page | This setting specifies whether users can set their own home pages in BlackBerry Access . |
|
Use UIWebView to render web content on devices (only applicable to iOS devices 12.0 or earlier) | This setting specifies whether to allow iOS 12.0 and earlier devices to use UIWebView. The default view is WKWebView.
This setting is not supported in BlackBerry Access version 3.1.0 and later. For more information, see developer.apple.com/news to read "Updating Apps that Use Web Views". |
|
Allow telephone and maps URL | This setting specifies whether users can access telephone and map URLs in BlackBerry Access . |
|
Allow telephone only | This setting specifies whether users can access telephone URLs only. |
|
Allow maps only | This setting specifies whether users can access map URLs only. |
|
Identify BlackBerry Access in User Agent | This setting specifies whether BlackBerry Access can send its user agent string to servers hosting websites that users visit. The user agent string identifies BlackBerry Access in the HTTP request headers.Servers use the information in the user agent string to provide content tailored to BlackBerry Access . |
|
Allow phone number to dial using entitled and installed Dynamics VOIP apps (iOS Only) | This setting specifies whether users can make phone calls using a third-party phone call service such as CellTrust. |
|
Enable pop-up windows | This setting specifies whether BlackBerry Access allows pop-up windows.Disabling pop-up windows may cause issues with applications such as Microsoft
Exchange , that open pop-up windows for tasks like composing new email messages. If you disable this setting, when an app tries to open a pop-up window, BlackBerry Access displays a message that pop-up windows are blocked. |
|
Allow other applications to open urls in full screen mode. (iOS only) | This setting specifies whether apps can open in full screen mode by default. |
|
Allow import of bookmarks from Safari or Firefox | This setting specifies whether users can import bookmarks that they export from other browsers into BlackBerry Access . |
|
Push Bookmarks | This setting specifies bookmarks that will be preloaded in BlackBerry Access to make it easier for users to access work intranet webpages.You can copy and paste the text of your bookmarks file directly into this text box. The bookmarks must follow the Netscape bookmark file format. For more information, see https://gist.github.com/jgarber623/cdc8e2fa1cbcb6889872. |
|
Enable web clip feature | This setting specifies whether users can use web clips. Web clips are small icons on mobile devices that link to webpages. |
|
Allow users to perform app diagnostics | This setting specifies whether users can perform app diagnostics for BlackBerry Access . If this setting is selected, the “Run Diagnostics” option appears in the BlackBerry Access settings menu on users’ devices. |
|
Enable APK installation (Android only) | This setting specifies whether users can download and install .apk files. |
|
Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access | This setting specifies whether third-party apps on the device can open webpages in BlackBerry Access .For BlackBerry Access for iOS , links in third-party, non-BlackBerry
Dynamics apps can open in BlackBerry Access only if they launch with the following URL scheme: access://open?url= (for example, access://open?url=http://www.blackberry.com ) |
|
Do not allow download from any HTTP or HTTPS site you have not approved by whitelisting it in BlackBerry Control | This setting specifies whether BlackBerry Access users can download content from HTTP or HTTPS webpages even if they haven't been added to an allowed list. |
|
Do not allow download from any HTTPS site you have not approved by whitelisting it in BlackBerry Control | This setting specifies whether BlackBerry Access users can download content from HTTPS webpages even if they haven't been added to an allowed list. |
|
Enable export of downloaded files to OS file system (Windows and Mac) | This setting specifies whether BlackBerry Work users can download files directly to their device's default download folder, instead of the BlackBerry
Dynamics secure container.Note that allowing users to bypass the secure container is a potential security risk. |
|
Enable import of files from OS file system ( Windows and Mac ) | This setting specifies whether BlackBerry Work users can attach files that aren't in the BlackBerry
Dynamics secure container. |
|
Enable Direct Downloads ( Windows and Mac ) | This setting specifies whether BlackBerry Work users can download attachments in email messages directly to the device's file system, instead of into the Download Manager in the BlackBerry Dynamics Launcher . |
|
Disable BlackBerry Work (Windows and Mac ) | This setting specifies whether users can use BlackBerry Work . |
|
Open HTML files from other BlackBerry
Dynamics applications | This setting specifies whether BlackBerry Access can open HTML files from other BlackBerry
Dynamics apps. |
|
Enable Geolocation | This setting specifies whether BlackBerry Access users can allow webpages to access their device's location. |
|
Enable 3rd Party Applications | This setting specifies whether BlackBerry Access can open custom URL schemes supported by third-party apps. By default, BlackBerry Access opens only HTTP and HTTPS URL schemes.If you select this setting, you must also set the "Enter comma separated URL schemes" setting.
Each URL string must be mapped as yourstring://your.URL.string. For example, for Webex, you could use wbx://yourcompany.webex.com. In Access, the user would click on the anchor tag <a href="wbx://blackberry.webex.com">wbx://blackberry.webex.com</a> to open the local Webex app and pass the string yourcompany.webex.com to the app. |
|
Enter comma separated URL schemes | This setting specifies the custom URL schemes that BlackBerry Access can open.The list must be separated by commas. For example, itms-services,market,wbx,lync, where "itms-services" is App Store , "market" is Google
Play , "watchdox" is BlackBerry Workspaces , "wbx" is WebEx , and "lync" is Microsoft Lync
Server .This setting is valid only if the "Enable 3rd Party Applications" setting is selected. |
|
Enter JSON for search engine titles and URLs | This setting specifies search engine links that are added to the end of users' search results for bookmarks, history, or downloads. They provide users with easier access to search engines when they perform searches. In the text box, specify the search engine labels to show in BlackBerry Access such as Google and the corresponding search engine URLs. The text must be in .json format and each entry must end with [[GASEARCHKEY]]. For example:[ { "Google" : "https://www.google.com/search?q=[[GASEARCHKEY]]"}, { "Yahoo" : "https://search.yahoo.com/search?p=[[GASEARCHKEY]]"}, { "Bing" : "http://www.bing.com/search?q=[[GASEARCHKEY]]"} ] |
|
Enable QR Code scanning | This setting specifies whether users can scan a QR code. |
|
Allow universal links to external apps from BlackBerry Access (iOS only) | This setting allows BlackBerry Access to open universal links to external apps, |
|
To force policy update to device, enter current date and time and click update | This setting allows you to send the updated app settings to devices. It also refreshes PAC files. Enter the current date and time, in either 24-hour format or 12-hour format (for example, 02-16-2017 12:04AM in 12-hour format and 02-16-2017 0004 in 24-hour format) and click Update. |
|
Security
Setting | Description | Applies to |
|---|---|---|
Allow SHA1 leaf or intermediate certificates | This setting specifies whether BlackBerry Access users can access https websites that use SHA1 signature TLS certificates and expired certificates. By default, this setting is selected. |
|
Allow legacy/weak algorithms (DES) | This setting specifies whether BlackBerry Access can use 3DES algorithms. |
|
Allow user to securely save authentication credentials | This setting specifies whether BlackBerry Access users can save their authentication credentials that they use to access webpages.
BlackBerry Access supports saving only NTLM or Kerberos authentication credentials. Passwords entered into web forms are not saved even if this setting is enabled. |
|
Expire stored credentials after | This setting specifies when the stored user credentials expire. You can choose between "'Never Expire" or "24 Hrs." This setting is valid only if the "Allow user to securely save authentication credentials" setting is selected. |
|
Allow to save web form credentials and credentials autofill | This setting specifies if a user can automatically fill fields with saved passwords and credentials. |
|
Alert user for invalid or expired certificate | This setting specifies whether users will be notified when certificates are invalid or expired. |
|
Enforce strict tunnel | This setting specifies whether BlackBerry Access can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT. External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a BlackBerry Proxy cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked. If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked. |
|
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser | This setting specifies whether, when BlackBerry Access users try to access webpages from domains that aren't listed in the allowed domains in Connectivity profiles, they are opened in the device's native browser instead of BlackBerry Access .This setting is valid only if the "Enforce strict tunnel" setting is selected. |
|
When user selects apply to all during prompt to open in third party browser, do not prompt again for all the hosts under same domain. | This setting specifies whether, when user selects “Always open links from “ <domain>” in Safari“, the user will not be prompted again for any other hosts user accesses within same domain. This setting is valid only if the "Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser" setting is selected. | BlackBerry Access for iOS |
Do not prompt client cert authorization for all sites | When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows the webpage requesting authorization to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use. |
|
Do not prompt client cert authorization for white listed sites only | When a user uploads only one certificate to BlackBerry UEM that matches a recognized CA, selecting this setting allows all domains listed in the allowed domains portion in Connectivity profiles to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use. |
|
List all certificates available to user to choose for client cert authentication | Specify whether all uploaded encryption certificates are displayed when a user attempts to access websites that require a client cert. |
|
Enable DLP Watermark | This setting specifies whether or not to add a faint background watermark across all application screens, with the username and the current date and time. |
|
Allow SameSite cookies feature and associated restrictions. | This setting specifies whether to allow SameSite cookies. Some legacy websites may not function properly when this setting is enabled. |
|
Force authenticate using NTLM over Kerberos when NTLM authentication is possible to access resources. | This setting specifies whether to force authentication using NTML over Kerberos .This policy is not applied when the FIPS policy is enabled. If the NTLM override policy is enabled, BlackBerry Access will force NTLM authentication, if the website is configured to use Kerberos/KCD and NTLM. Use this setting only if Kerberos authentication is not available. This setting disables Kerberos to improve performance by preventing extra network roundtrips and timeouts to an unreachable KDC. |
|
Allow MDM web content restrictions (iOS Only) | This setting allows you to turn off MDM content filter rules that are configured for Safari in BlackBerry Access . | BlackBerry Access for iOS |
Enable biometric authentication while reusing saved credentials (iOS only) | Enable biometric authentication while reusing saved credentials (iOS only) | BlackBerry Access for iOS |
Allow JavaScript to clear credentials | Web developers can use a JavaScript API to clear credential storage when a user logs out of their account on a web page. If you are using the API, when you select this option, you then specify which domains or hosts the policy should apply to. You can add up to 10 domains. When you enable this feature, users will be prompted for credentials on their next login. |
|
Network
Setting | Description | Applies to |
|---|---|---|
Enter comma separated Kerberos realm mappings e.g.: foo=FOO.COMPANY.COM | This setting specifies Kerberos realm mappings. Kerberos authentication realms define areas that are under control of Kerberos . These mappings allow you to equate realm names with other names that are accessible or for some other reason.The limit is 4000 characters. |
|
Enable Kerberos Forwardable Ticket | This setting specifies whether Kerberos Forwardable tickets can be used.Forwardable tickets in Kerberos are client-side authentication credentials that are tied to a particular IP address that can be treated as new tickets with other IP addresses. |
|
Resolve short names to full qualified domain name (FQDN) for Kerberos authentication | This setting specifies whether users can reach servers by typing the unqualified domain name instead of the FQDN for Kerberos authentication.Enabling this setting may impact performance. |
|
Disable file upload and download on mobile connections (Windows Only) | This setting specifies whether files can be downloaded or uploaded when users are connected to a mobile network instead of a Wi-Fi network. |
|
Enable HTTP 2.0 Support | This setting specifies whether HTTP 2.0 is supported in BlackBerry Access . |
|
Enable Web Proxy | This setting specifies whether BlackBerry Access can communicate through a web proxy server. |
|
Use Proxy Auto Configuration | PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user. If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify. Enabling this setting will override static web proxy settings. This setting requires BlackBerry
Dynamics servers version 1.6 and later.This setting is valid only if the "Enable Web Proxy" setting is selected. |
|
Enter URL for PAC file location | This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac. The PAC file must not be hosted on the same server as Good Control or on the same server as BlackBerry UEM or any of its components. This configuration is not supported.The limit is 4000 characters. This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected. |
|
Use Static Web Proxy (Full Tunnel) | This setting specifies whether communications are enabled through a single web proxy service only. This setting is valid only if the "Enable Web Proxy" setting is selected. Enabling this setting overrides 'Enforce strict tunnel' settings.
|
|
Proxy Host | This setting specifies the the FQDN or IP address of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected. |
|
Proxy Port | This setting specifies the port number of the proxy server. This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected. |
|
Use HTTPS web proxy tunnel for above host | The HTTPS proxy can be specified either as a static proxy or through PAC:
|
|
Enable PAC proxy check for all the sub-resources | You can use this setting to enforce PAC processing without caching. Selecting this setting has an impact on the performance of your organization’s environment. It is recommended to use this feature for special circumstances only. |
|
RSA
Setting | Description | Applies to |
|---|---|---|
Enable RSA
SecurID | This setting specifies whether users can use RSA
SecurID token authentication to authenticate with BlackBerry Access , instead of a password. |
|
Prompt PIN for PINPAD Token | This setting specifies whether users are always prompted for an RSA
SecurID PIN.This setting is valid only if the "Enable RSA SecurID" setting is selected. |
|
Token File Password Retry Count | This setting specifies the number of times that a user can enter an incorrect RSA
SecurID PIN before they are locked out.This setting is valid only if the "Enable RSA SecurID" setting is selected. |
|
Token Request SendTo Email Address | This setting specifies the email address of your RSA authentication manager. All RSA
SecurID token seed record requests are sent to this address.This setting is valid only if the "Enable RSA SecurID" setting is selected. |
|
Token Request CC Email Address | This setting specifies the email address that should be CC'd for all RSA
SecurID token seed record requests.This setting is valid only if the "Enable RSA
SecurID " setting is selected. |
|
Token Request Email Subject | This setting specifies the email subject for token request emails. This setting is valid only if the "Enable RSA
SecurID " setting is selected. |
|
Features
Setting | Description | Applies to |
|---|---|---|
Allow user to upload | This setting specifies whether users can upload files to web pages in BlackBerry Access . Files can have a maximum size of 20 MB. |
|
Allow user to take new photos/videos and upload | This setting specifies whether users can take photos and videos and upload the photos and videos to a web page. Users must allow BlackBerry Access to access their cameras. Files can have a maximum size of 20 MB. |
|
Allow user to select existing photos/videos to upload | This setting specifies whether users can upload existing photos and videos from their photo libraries to a web page. Files can have a maximum size of 20 MB. |
|
Allow user to select files from file providers to upload | This setting specifies whether users can upload files from other file apps. Files can have a maximum size of 20 MB. |
|
Allow user to upload files from the Dynamics container | This setting specifies whether users can upload files that have been downloaded to the downloads folder in BlackBerry Access . |
|
Allow WebRTC (iOS only) | This setting turns on the use of WebRTC, which provides microphone and camera support required by services such as Zoom and Webex. Note : WebRTC traffic is not routed through the BlackBerry Dynamics secure tunnel regardless of the network connectivity profile settings. WebRTC traffic goes direct to the internet. Also, Connectivity profile settings do not apply to WebRTC traffic. | BlackBerry Access for iOS |
Enable exporting to 3rd-party native apps | Select the "Enable exporting to 3rd-party native apps" option to specify whether to allow the transfer of files to third-party native apps on the user's device. You can allow and disallow specific apps by app ID. By default, this setting is not selected. Consider the following scenarios when you enable this feature to allow or block exporting to 3rd-party native apps:
This policy is not applied when the CylanceAvert policy "Do not allow copying data from BlackBerry
Dynamics apps into non BlackBerry Dynamics apps" option is selected in the BlackBerry
Dynamics profile. For more information about the BlackBerry
Dynamics profile, see the Managing BlackBerry Dynamics apps content. |
|
BlackBerry Work (Mac and Win)
BlackBerry Work
(Mac and Win)Setting | Description | Applies to |
|---|---|---|
Launch mail app on browser start | This setting specifies whether the mail app opens instead of a browser window when BlackBerry Access starts. |
|
Enable avatar photos | This setting specifies whether users can set avatar photos. If it is disabled, the user's initials appear instead. |
|
EWS server | Optionally, you can use this setting to specify the URL that the mail app uses for Microsoft Exchange Web
Services provisioning. Otherwise, BlackBerry Work uses autodiscovery methods to locate the EWS server.Optionally, you can enter a series of name=value pairs separated by commas, where the name designates an email domain and the value designates the URL for the EWS endpoint for that domain. Using this method, administrators can assign multiple users with different EWS endpoints to the same application policy and be able to control where the mail app accesses mail, based on the user’s email domain. For example:
BlackBerry Access does not validate the entries. All related logs are prefixed by [WEB_MAIL] EWS URL Resolution: at the INFO log level. |
|
Enable KCD or PKNIT Support | This setting specifies whether the mail app can use Kerberos constrained delegation. |
|
Use client certificate in place of login/password | This setting specifies whether users can use SSL certificates instead of using a login and password to authenticate with BlackBerry Work . Depending on your environment, SSL certificates must be uploaded to BlackBerry UEM or Good Control . For more information, see Managing certificates. |
|
Disable Notifications | This setting specifies whether BlackBerry Work displays notifications for mail and calendar events. |
|
Enable email Classification Markings | This setting specifies whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. If selected, specify the following sample information in the Classifications and caveats field as required:
|
|
Require all emails to have Email Classification | This setting specifies whether users are required to specify one of the classification options that are set in the 'Enable email Classification Markings' policy xml file. This setting is valid only if the "Enable email Classification Markings" setting is selected. |
|
Display warning while sending message if recipient's email domain is unauthorized | This setting specifies whether to display a warning if the user is sending an email to a recipient in an email domain that is not authorized. If selected, specify email domains you want to authorize in the Authorize email domains field. Users will notice that email addresses in untrusted domains appear in purple text. |
|
Default signing algorithm | This setting specifies the algorithm to use for signing sent messages. |
|
Default encryption algorithm | This setting specifies the algorithm to use for encrypting sent messages. |
|
Enable Revocation Checking | This setting allows you to set revocation checking of all certificates used for signing/encryption and signing verification/decryption of S/MIME messages.
|
|
Use Office
365 Modern Authentication | This setting allows you to configure options for Microsoft Office
365 . Modern authentication enables BlackBerry Work to us sign-in features such as Multi-Factor Authentication and SAML-based third-party Identity Providers. If selected, specify the following:
|
|
BlackBerry Access (Mac and Win)
BlackBerry Access
(Mac and Win)Setting | Description | Applies to |
|---|---|---|
Enable WebRTC | This setting specifies whether to enable access to WebRTC protocol-based destinations such as Citrix VDI browser-based access.For information on how to configure BlackBerry Access to support WebRTC, see Configure access to WebRTC-based destinations. |
|
Enable Microphone Access | This setting specifies whether BlackBerry Access should display a prompt that allows users to permit websites to use the device's microphone. You can enable it only if WebRTC is enabled. |
|
Enable Camera Access | This setting specifies whether BlackBerry Access should display a prompt that allows users to permit websites to use the device's camera. You can enable it only if WebRTC is enabled. |
|
Enable UDP Protocol support | This setting specifies whether to allow UDP connections initiated by websites. |
|
Enable Printing | This setting specifies whether to allow users to print web pages. |
|
Enable embedded PDF viewer | This setting specifies whether to allow users to view embedded PDFs from within BlackBerry Access . |
|
Automatically open PDF and Microsoft
Office documents after download |
| |
Enable Microsoft
Office URI support | Only Microsoft
Office URIs that specify online documents are supported. |
|
Enable Upgrade Notifications | This setting specifies whether to push notifications to users when a new upgrade is available.
If selected, specify the following:
|
|
Enable Awingu Extension | This setting specifies whether to enable the Awingu extension which allows users to store their Awingu credentials. Also, when enabled, an icon is added to the toolbar in BlackBerry Access and users can launch Awingu by clicking the icon in the toolbar.
If selected, you must specify the following:
|
|
Enable installation of extensions | This setting specifies whether to allow websites to download extensions for third-party apps.
If selected, in the Permitted Extension Ids field, specify one more more extension IDs that can be installed. The source can be from any URL. WebEx and Skype can be enabled either by adding their extension ids or by adding their protocols to the external protocols list.In the Chrome app store, users can add only apps that have permitted extensions. If an extension is enabled and installed, and the administrator removes its ID, the extension is removed from BlackBerry Access . If the administrator re-adds the extension, the user must restart BlackBerry Access to be able to add the app from the Chrome app store. |
|
Enable developer mode | This setting allows you to enable developer mode in BlackBerry Access . |
|