Skip Navigation

BlackBerry Access
app configuration settings

General

Setting
Supported OS
Description
Homepage
Android
iOS
Windows
macOS
This setting specifies the URL for the website that you want to appear as the home screen when users start
BlackBerry Access
.
The URL must begin with "http://" or "https://".
Allow user to set home page
Windows
macOS
This setting specifies whether users can set their own home pages in
BlackBerry Access
.
Use UIWebView to render web content on devices (only applicable to
iOS
devices 12.0 or earlier)
iOS
This setting specifies whether to allow
iOS
12.0 and earlier devices to use UIWebView. The default view is WKWebView.
This setting is not supported in BlackBerry Access version 3.1.0 and later. For more information, see developer.apple.com/news to read "Updating Apps that Use Web Views".
Allow telephone and maps URL
Android
iOS
Windows
macOS
This setting specifies whether users can access telephone and map URLs in
BlackBerry Access
.
Allow telephone only
Android
iOS
This setting specifies whether users can access telephone URLs only.
Allow maps only
Android
iOS
This setting specifies whether users can access map URLs only.
Identify
BlackBerry Access
in User Agent
iOS
This setting specifies whether
BlackBerry Access
can send its user agent string to servers hosting websites that users visit. The user agent string identifies
BlackBerry Access
in the HTTP request headers.
Servers use the information in the user agent string to provide content tailored to
BlackBerry Access
.
Allow phone number to dial using entitled and installed Dynamics VOIP apps
Android
iOS
This setting specifies whether users can make phone calls using a third-party phone call service such as CellTrust.
Enable pop-up windows
Android
iOS
Windows
macOS
This setting specifies whether
BlackBerry Access
allows pop-up windows.
Disabling pop-up windows may cause issues with applications such as
Microsoft Exchange
, that open pop-up windows for tasks like composing new email messages. If you disable this setting, when an app tries to open a pop-up window,
BlackBerry Access
displays a message that pop-up windows are blocked.
Allow other applications to open urls in full screen mode. (iOS only)
iOS
This setting specifies whether apps can open in full screen mode by default.
Allow import of bookmarks from
Safari
or
Firefox
Android
Windows
macOS
This setting specifies whether users can import bookmarks that they export from other browsers into
BlackBerry Access
.
Push Bookmarks
Android
iOS
Windows
macOS
This setting specifies bookmarks that will be preloaded in
BlackBerry Access
to make it easier for users to access work intranet webpages.
You can copy and paste the text of your bookmarks file directly into this text box. The bookmarks must follow the
Netscape
bookmark file format. For more information, see https://gist.github.com/jgarber623/cdc8e2fa1cbcb6889872.
Enable web clip feature
iOS
This setting specifies whether users can use web clips. Web clips are small icons on mobile devices that link to webpages.
Allow users to perform app diagnostics
Android
iOS
This setting specifies whether users can perform app diagnostics for
BlackBerry Access
. If this setting is selected, the “Run Diagnostics” option appears in the
BlackBerry Access
settings menu on users’ devices.
Enable APK installation (Android only)
Android
This setting specifies whether users can download and install .apk files.
Allow external apps to open HTTP/HTTPS URLs through
BlackBerry Access
Android
iOS
This setting specifies whether third-party apps on the device can open webpages in
BlackBerry Access
.
For
BlackBerry Access for iOS
, links in third-party, non-
BlackBerry Dynamics
apps can open in
BlackBerry Access
only if they launch with the following URL scheme:
access://open?url=
(for example,
access://open?url=http://www.blackberry.com
)
Do not allow download from any HTTP or HTTPS site you have not approved by whitelisting it in
BlackBerry Control
Android
iOS
This setting specifies whether
BlackBerry Access
users can download content from HTTP or HTTPS webpages even if they haven't been added to an allowed list.
Do not allow download from any HTTPS site you have not approved by whitelisting it in
BlackBerry Control
Android
iOS
This setting specifies whether
BlackBerry Access
users can download content from HTTPS webpages even if they haven't been added to an allowed list.
Enable export of downloaded files to OS file system (Windows and Mac)
Windows
macOS
This setting specifies whether
BlackBerry Work
users can download files directly to their device's default download folder, instead of the
BlackBerry Dynamics
secure container.
Note that allowing users to bypass the secure container is a potential security risk.
Enable import of files from OS file system (
Windows
and
Mac
)
Windows
macOS
This setting specifies whether
BlackBerry Work
users can attach files that aren't in the
BlackBerry Dynamics
secure container.
Enable Direct Downloads (
Windows
and
Mac
)
Windows
macOS
This setting specifies whether
BlackBerry Work
users can download attachments in email messages directly to the device's file system, instead of into the Download Manager in the
BlackBerry Dynamics Launcher
.
Disable
BlackBerry Work
(
Windows
and
Mac
)
Windows
macOS
This setting specifies whether users can use
BlackBerry Work
.
Open HTML files from other
BlackBerry Dynamics
applications
Android
iOS
This setting specifies whether
BlackBerry Access
can open HTML files from other
BlackBerry Dynamics
apps.
Enable Geolocation
Android
iOS
This setting specifies whether
BlackBerry Access
users can allow webpages to access their device's location.
Enable 3rd-Party Applications
Android
iOS
Windows
macOS
This setting specifies whether
BlackBerry Access
can open custom URL schemes supported by third-party apps. By default,
BlackBerry Access
opens only HTTP and HTTPS URL schemes.
If you select this setting, you must also set the "Enter comma separated URL schemes" setting.
Each URL string must be mapped as
yourstring
://
your.URL.string
. For example, for Webex, you could use
wbx://
yourcompany
.webex.com
. In Access, the user would click on the anchor tag <a href="wbx://blackberry.webex.com">wbx://blackberry.webex.com</a> to open the local Webex app and pass the string yourcompany.webex.com to the app.
Enter comma-separated URL schemes
Android
iOS
Windows
macOS
This setting specifies the custom URL schemes that
BlackBerry Access
can open.
The list must be separated by commas. For example, itms-services,market,wbx,lync, where "itms-services" is
App Store
, "market" is
Google Play
, "watchdox" is
BlackBerry Workspaces
, "wbx" is
WebEx
, and "lync" is
Microsoft Lync Server
.
This setting is valid only if the "Enable 3rd-Party Applications" setting is selected.
Enter JSON for search engine titles and URLs
Android
iOS
Windows
macOS
This setting specifies search engine links that are added to the end of users' search results for bookmarks, history, or downloads. They provide users with easier access to search engines when they perform searches.
In the text box, specify the search engine labels to show in
BlackBerry Access
such as
Google
and the corresponding search engine URLs. The text must be in .json format and each entry must end with [[GASEARCHKEY]]. For example:
[
{ "Google" : "https://www.google.com/search?q=[[GASEARCHKEY]]"}, { "Yahoo" : "https://search.yahoo.com/search?p=[[GASEARCHKEY]]"}, { "Bing" : "http://www.bing.com/search?q=[[GASEARCHKEY]]"}
]
Enable QR Code scanning
Android
iOS
This setting specifies whether users can scan a QR code.
Allow universal links to external apps from
BlackBerry Access
(
iOS
only)
iOS
This setting allows BlackBerry Access to open universal links to external apps,
To force policy update to device, enter current date and time and click update
Android
iOS
Windows
macOS
This setting allows you to send the updated app settings to devices. It also refreshes PAC files.
Enter the current date and time, in either 24-hour format or 12-hour format (for example,
02-16-2021 12:04AM
in 12-hour format and
02-16-2021 0004
in 24-hour format) and click
Update
.

Security

Setting
Supported OS
Description
Allow SHA1 leaf or intermediate certificates
Android
iOS
This setting specifies whether
BlackBerry Access
users can access https websites that use SHA1 signature TLS certificates and expired certificates. By default, this setting is selected.
Allow legacy/weak algorithms (DES)
Android
iOS
This setting specifies whether
BlackBerry Access
can use 3DES algorithms.
Allow user to securely save authentication credentials
Android
iOS
Windows
macOS
This setting specifies whether
BlackBerry Access
users can save their authentication credentials that they use to access webpages.
BlackBerry Access
supports saving only NTLM or Kerberos authentication credentials. Passwords entered into web forms are not saved even if this setting is enabled.
Expire stored credentials after
Android
iOS
Windows
macOS
This setting specifies when the stored user credentials expire. You can choose between "'Never Expire" or "24 Hrs."
This setting is valid only if the "Allow user to securely save authentication credentials" setting is selected.
Allow to save web form credentials and credentials autofill
Android
iOS
This setting specifies if a user can automatically fill fields with saved passwords and credentials.
Alert user for invalid or expired certificate
Android
iOS
Windows
macOS
This setting specifies whether users will be notified when certificates are invalid or expired.
Enforce strict tunnel
Android
iOS
Windows
macOS
This setting specifies whether
BlackBerry Access
can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT.
External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a
BlackBerry Proxy
cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked.
If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser
Android
iOS
Windows
macOS
This setting specifies whether, when
BlackBerry Access
users try to access webpages from domains that aren't listed in the allowed domains in Connectivity profiles, they are opened in the device's native browser instead of
BlackBerry Access
.
This setting is valid only if the "Enforce strict tunnel" setting is selected.
When user selects apply to all during prompt to open in third-party browser, do not prompt again for all the hosts under same domain.
iOS
This setting specifies whether, when user selects “Always open links from “ <domain>” in Safari“, the user will not be prompted again for any other hosts user accesses within same domain.
This setting is valid only if the "Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser" setting is selected.
Do not prompt client cert authorization for all sites
Android
iOS
Windows
macOS
When a user uploads only one certificate to
BlackBerry UEM
that matches a recognized CA, selecting this setting allows the webpage requesting authorization to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
Do not prompt client cert authorization for white listed sites only
Android
iOS
Windows
macOS
When a user uploads only one certificate to
BlackBerry UEM
that matches a recognized CA, selecting this setting allows all domains listed in the allowed domains portion in Connectivity profiles to obtain the certificate without prompting the user. If the user has uploaded multiple certificates from the same CA, the user is prompted to select the certificate to use.
List all certificates available to user to choose for client cert authentication
Android
iOS
Specify whether all uploaded encryption certificates are displayed when a user attempts to access websites that require a client cert.
Enable DLP Watermark
Android
iOS
This setting specifies whether to add a faint background watermark across all application screens, with the username and the current date and time.
Allow SameSite cookies feature and associated restrictions.
iOS
This setting specifies whether to allow SameSite cookies.
Some legacy websites may not function properly when this setting is enabled.
Force authenticate using NTLM over Kerberos when NTLM authentication is possible to access resources.
Android
iOS
This setting specifies whether to force authentication using NTML over
Kerberos
.
This policy is not applied when the FIPS policy is enabled.
If the NTLM override policy is enabled, BlackBerry Access will force NTLM authentication, if the website is configured to use Kerberos/KCD and NTLM.
Use this setting only if
Kerberos
authentication is not available. This setting disables
Kerberos
to improve performance by preventing extra network roundtrips and timeouts to an unreachable KDC.
Allow MDM web content restrictions (iOS Only)
iOS
This setting allows you to turn off MDM content filter rules that are configured for Safari in
BlackBerry Access
.
Enable biometric authentication while reusing saved credentials (iOS only)
iOS
Enable biometric authentication while reusing saved credentials.
Allow JavaScript to clear credentials
Android
iOS
Web developers can use a JavaScript API to clear credential storage when a user logs out of their account on a web page.
If you are using the API, when you select this option, you then specify which domains or hosts the policy should apply to. You can add up to 10 domains.
When you enable this feature, users will be prompted for credentials on their next login.

Network

Setting
Supported OS
Description
Enter comma-separated
Kerberos
realm mappings e.g.: foo=FOO. COMPANY.COM
Android
iOS
Windows
macOS
This setting specifies
Kerberos
realm mappings.
Kerberos
authentication realms define areas that are under control of
Kerberos
. These mappings allow you to equate realm names with other names that are accessible or for some other reason.
The limit is 4000 characters.
Enable
Kerberos
Forwardable Ticket
Android
iOS
This setting specifies whether
Kerberos
Forwardable tickets can be used.
Forwardable tickets in
Kerberos
are client-side authentication credentials that are tied to a particular IP address that can be treated as new tickets with other IP addresses.
Resolve short names to fully qualified domain name (FQDN) for
Kerberos
authentication
Android
iOS
Windows
macOS
This setting specifies whether users can reach servers by typing the unqualified domain name instead of the FQDN for
Kerberos
authentication.
Enabling this setting may impact performance.
Disable file upload and download on mobile connections (Windows Only)
Windows
This setting specifies whether files can be downloaded or uploaded when users are connected to a mobile network instead of a
Wi-Fi
network.
Enable HTTP 2.0 Support
Android
iOS
This setting specifies whether HTTP 2.0 is supported in
BlackBerry Access
.
Enable Web Proxy
Android
iOS
Windows
macOS
This setting specifies whether
BlackBerry Access
can communicate through a web proxy server.
Use Proxy Auto Configuration
Android
iOS
Windows
macOS
PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user.
If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify.
Enabling this setting will override static web proxy settings.
This setting requires
BlackBerry Dynamics
servers version 1.6 and later.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Enter URL for PAC file location
Android
iOS
Windows
macOS
This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac.
The PAC file must not be hosted on the same server as
Good Control
or on the same server as
BlackBerry UEM
or any of its components. This configuration is not supported.
The limit is 4000 characters.
This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Use Static Web Proxy (Full Tunnel)
Android
iOS
Windows
macOS
This setting specifies whether communications are enabled through a single web proxy service only.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Enabling this setting overrides 'Enforce strict tunnel' settings.
Proxy Host
Android
iOS
Windows
macOS
This setting specifies the the FQDN or IP address of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Proxy Port
Android
iOS
Windows
macOS
This setting specifies the port number of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Use HTTPS web proxy tunnel for above host
Android
iOS
Windows
macOS
The HTTPS proxy can be specified either as a static proxy or through PAC:
  • You can specify the HTTPS using a BlackBerry UEM policy.
  • Example PAC script for an HTTPS proxy: function FindProxyForURL(url, host) { return "HTTPS secure-proxy.example.com:443"; }
Enable PAC proxy check for all the sub-resources
Android
iOS
Windows
macOS
You can use this setting to enforce PAC processing without caching.
Selecting this setting has an impact on the performance of your organization’s environment. It is recommended to use this feature for special circumstances only.

RSA

Setting
Supported OS
Description
Enable
RSA SecurID
Android
iOS
This setting specifies whether users can use
RSA SecurID
token authentication to authenticate with
BlackBerry Access
, instead of a password.
Prompt PIN for PINPAD Token
Android
iOS
This setting specifies whether users are always prompted for an
RSA SecurID
PIN.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token File Password Retry Count
Android
iOS
This setting specifies the number of times that a user can enter an incorrect
RSA SecurID
PIN before they are locked out.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token Request SendTo Email Address
Android
iOS
This setting specifies the email address of your
RSA
authentication manager. All
RSA SecurID
token seed record requests are sent to this address.
This setting is valid only if the "Enable RSA SecurID" setting is selected.
Token Request CC Email Address
Android
iOS
This setting specifies the email address that should be CC'd for all
RSA SecurID
token seed record requests.
This setting is valid only if the "Enable
RSA SecurID
" setting is selected.
Token Request Email Subject
Android
iOS
This setting specifies the email subject for token request emails.
This setting is valid only if the "Enable
RSA SecurID
" setting is selected.

Features

Setting
Supported OS
Description
Allow user to upload
Android
iOS
This setting specifies whether users can upload files to web pages in
BlackBerry Access
. Files can have a maximum size of 20 MB.
Allow user to take new photos/videos and upload
Android
iOS
This setting specifies whether users can take photos and videos and upload the photos and videos to a web page. Users must allow
BlackBerry Access
to access their cameras. Files can have a maximum size of 20 MB.
Allow user to select existing photos/videos to upload
Android
iOS
This setting specifies whether users can upload existing photos and videos from their photo libraries to a web page. Files can have a maximum size of 20 MB.
Allow user to select files from file providers to upload
Android
iOS
This setting specifies whether users can upload files from other file apps. Files can have a maximum size of 20 MB.
Allow user to upload files from the Dynamics container
Android
iOS
This setting specifies whether users can upload files that have been downloaded to the downloads folder in
BlackBerry Access
.
Allow WebRTC
iOS
This setting turns on the use of WebRTC, which provides microphone and camera support required by services such as Zoom and Webex.
WebRTC traffic is not routed through the BlackBerry Dynamics secure tunnel regardless of the network connectivity profile settings. WebRTC traffic goes direct to the internet. Also, Connectivity profile settings do not apply to WebRTC traffic.
Enable exporting to 3rd-party native apps
Android
iOS
Select the "Enable exporting to 3rd-party native apps" option to specify whether to allow the transfer of files to third-party native apps on the user's device. You can allow and disallow specific apps by app ID. By default, this setting is not selected.
Consider the following scenarios when you enable this feature to allow or block exporting to 3rd-party native apps:
  • If you select "Allow exporting to only these apps", but do not specify one or more app IDs, the "Share" option is not available and users are restricted from sharing files to apps of their choice.
  • If you select "Allow exporting to only these apps" and specify one or more app IDs, users can share files to the specified apps. When users try to share a file to an app that is not listed, they receive an error message.
  • If you select "Block exporting to only these apps", but do not specify one or more app IDs, users can share files to apps of their choice.
  • If you select "Block exporting to only these apps", and specify one or more app IDs, users cannot share files to the specified apps.
This policy is not applied when the
CylanceAVERT
policy "Do not allow copying data from
BlackBerry Dynamics
apps into non BlackBerry Dynamics apps" option is selected in the
BlackBerry Dynamics
profile. For more information about the
BlackBerry Dynamics
profile, see the Managing BlackBerry Dynamics apps content.

BlackBerry Work
(Mac and Win)

Setting
Supported OS
Description
Launch mail app on browser start
Windows
macOS
This setting specifies whether the mail app opens instead of a browser window when
BlackBerry Access
starts.
Enable avatar photos
Windows
macOS
This setting specifies whether users can set avatar photos. If it is disabled, the user's initials appear instead.
EWS server
Windows
macOS
Optionally, you can use this setting to specify the URL that the mail app uses for
Microsoft Exchange Web Services
provisioning. Otherwise,
BlackBerry Work
uses autodiscovery methods to locate the EWS server.
Optionally, you can enter a series of name=value pairs separated by commas, where the name designates an email domain and the value designates the URL for the EWS endpoint for that domain. Using this method, administrators can assign multiple users with different EWS endpoints to the same application policy and be able to control where the mail app accesses mail, based on the user’s email domain.
For example:
  • Single value: blackberry.com=http://mail.blackberry.com
  • Multiple values: blackberry.com=http://mail.blackberry.com,yahoo.com=https://mail.yahoo.com
BlackBerry Access
does not validate the entries. All related logs are prefixed by [WEB_MAIL] EWS URL Resolution: at the INFO log level.
Enable KCD or PKNIT Support
Windows
macOS
This setting specifies whether the mail app can use
Kerberos
constrained delegation.
Use client certificate in place of login/password
Windows
macOS
This setting specifies whether users can use SSL certificates instead of using a login and password to authenticate with
BlackBerry Work
. Depending on your environment, SSL certificates must be uploaded to
BlackBerry UEM
or
Good Control
. For more information, see Managing certificates.
Disable Notifications
Windows
macOS
This setting specifies whether
BlackBerry Work
displays notifications for mail and calendar events.
Enable email Classification  Markings
Windows
macOS
This setting specifies whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. If selected, specify the following sample information in the Classifications and caveats field as required:
<emailClassificationMarks> <options> <classifications>ON</classifications> <caveats>OFF</caveats> <classificationDefault>INTERNAL</classificationDefault> <caveatDefault>NO FORWARD</caveatDefault> </options> <classifications> <classification> <select>INTERNAL</select> <subject>(INTERNAL)</subject> </classification> <classification> <select>CONFIDENTIAL</select> <subject>[CONFIDENTIAL]</subject> </classification> </classifications> <caveats> <caveat> <select>NO FORWARD</select> <subject>(DO NOT FORWARD)</subject> </caveat> <caveat> <select>NO REPLY</select> <subject>(DO NOT REPLY)</subject> </caveat> </caveats> </emailClassificationMarks>
Require all emails to have Email Classification
Windows
macOS
This setting specifies whether users are required to specify one of the classification options that are set in the 'Enable email Classification Markings' policy xml file.
This setting is valid only if the "Enable email Classification Markings" setting is selected.
Display warning while sending message if recipient's email domain is unauthorized
Windows
macOS
This setting specifies whether to display a warning if the user is sending an email to a recipient in an email domain that is not authorized. If selected, specify email domains you want to authorize in the Authorize email domains field.
Users will notice that email addresses in untrusted domains appear in purple text.
Default signing algorithm
Windows
macOS
This setting specifies the algorithm to use for signing sent messages.
Default encryption algorithm
Windows
macOS
This setting specifies the algorithm to use for encrypting sent messages.
Enable Revocation Checking
Windows
macOS
This setting allows you to set revocation checking of all certificates used for signing/encryption and signing verification/decryption of S/MIME messages.
  • When you select this box,
    Use AIA extension in certificate if present
    is selected by default.
  • In the
    Default OSCP URL
    field, specify the web address of the OSCP service. The OCSP URI is used by the S/MIME verification APIs as an OCSP revocation check service if an AIA extension is not present in a certificate or if the
    Use AIA extension in certificate if present
    check box is not selected.
Use
Office 365
Modern Authentication
Windows
macOS
This setting allows you to configure options for
Microsoft Office 365
. Modern authentication enables
BlackBerry Work
to us sign-in features such as Multi-Factor Authentication and SAML-based third-party Identity Providers. If selected, specify the following:
  • In the
    Azure
    App ID field, specify the
    Microsoft Azure
    app ID for
    BlackBerry Work
    .
    For information on how obtain an
    Azure
    app ID, see Obtain an Azure app ID for BlackBerry Work for Windows and macOS.
  • In the
    Office 365
    Sign On URL field, specify the web address that
    BlackBerry Work
    should use when it signs in to
    Office 365
    . If you do not specify a value,
    BlackBerry Work
    uses https://login.microsoftonline.com during setup.
  • In the
    Office 365
    Tenant ID field, specify the tenant ID of the
    Office 365
    server that you want
    BlackBerry Work
    to connect to during setup.
  • In the
    Office 365
    Resource field, specify the resource URL of the
    Office 365
    server that you want
    BlackBerry Work
    to connect to during setup. If you do not specify a value,
    BlackBerry Work
    uses https://outlook.office365.com during setup.

BlackBerry Access
(Mac and Win)

Setting
Supported OS
Description
Enable WebRTC
Windows
macOS
This setting specifies whether to enable access to WebRTC protocol-based destinations such as
Citrix
VDI browser-based access.
For information on how to configure
BlackBerry Access
to support WebRTC, see Configure access to WebRTC-based destinations.
Enable Microphone Access
Windows
macOS
This setting specifies whether
BlackBerry Access
should display a prompt that allows users to permit websites to use the device's microphone. You can enable it only if WebRTC is enabled.
Enable Camera Access
Windows
macOS
This setting specifies whether
BlackBerry Access
should display a prompt that allows users to permit websites to use the device's camera. You can enable it only if WebRTC is enabled.
Enable UDP Protocol support
Windows
macOS
This setting specifies whether to allow UDP connections initiated by websites.
Enable Printing
Windows
macOS
This setting specifies whether to allow users to print web pages.
Enable embedded PDF viewer
Windows
macOS
This setting specifies whether to allow users to view embedded PDFs from within
BlackBerry Access
.
Automatically open PDF and
Microsoft Office
documents after download
Windows
macOS
This setting specifies whether to open PDF and
Microsoft Office
documents automatically after they are downloaded.
Enable
Microsoft Office
URI support
Windows
macOS
Only
Microsoft Office
URIs that specify online documents are supported.
Enable Upgrade Notifications
Windows
macOS
This setting specifies whether to push notifications to users when a new upgrade is available.
If selected, specify the following:
  • In the Min Windows Version field, specify the minimum
    BlackBerry Access for Windows
    version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
  • In the Min Mac Version field, specify the minimum
    BlackBerry Access for macOS
    version. If there are versions available that are later than the version specified in this field, users will be sent an upgrade notification.
  • In the Win Download URL field, specify the URL  for the
    BlackBerry Access for Windows
    app.
  • In the Mac Download URL field, specify the URL  for the
    BlackBerry Access for Windows
    app.
  • In the Notification Message, you can create a custom message or leave the default message.
Enable Awingu Extension
Windows
macOS
This setting specifies whether to enable the Awingu extension which allows users to store their Awingu credentials. Also, when enabled, an icon is added to the toolbar in
BlackBerry Access
and users can launch Awingu by clicking the icon in the toolbar.
If selected, you must specify the following:
  • In the Awingu URL field, specify your organization's Awingu URL. For example, yourcompany.awingu.com
  • In the Awingu DOMAIN field, specify your organization's Awingu domain.
Enable installation of extensions
Windows
macOS
This setting specifies whether to allow websites to download extensions for third-party apps.
If selected, in the Permitted Extension Ids field, specify one more more extension IDs that can be installed. The source can be from any URL.
WebEx
and
Skype
can be enabled either by adding their extension ids or by adding their protocols to the external protocols list.
In the
Chrome
app store, users can add only apps that have permitted extensions.
If an extension is enabled and installed, and the administrator removes its ID, the extension is removed from
BlackBerry Access
. If the administrator re-adds the extension, the user must restart
BlackBerry Access
to be able to add the app from the
Chrome
app store.
Enable developer mode
Windows
macOS
This setting allows you to enable developer mode in
BlackBerry Access
.

Policy Overrides For Mobile

These settings allow you to configure separate
BlackBerry Access
app configuration settings for mobile (
iOS
and
Android
) and desktop (
Windows
and
macOS
) devices for the same user. When these settings are enabled, the policy choices will override the equivalent policies that are listed in the tables above for
iOS
and
Android
devices.
Setting
Supported OS
Description
Enable policy overrides for
iOS
and
Android
Access clients only from clients version 3.5.1.x or later
Android
iOS
When this setting is enabled, the selected policies in this table will override any equivalent policy settings that are listed in the tables above for
iOS
and
Android
devices.
Alert user for invalid or expired certificate
Android
iOS
This setting specifies whether users will be notified when certificates are invalid or expired.
Enforce strict tunnel
Android
iOS
This setting specifies whether
BlackBerry Access
can use only IP addresses and URLs listed in Connectivity profiles. If an IP address or a URL is explicitly defined to route DIRECT, the site is allowed and routes DIRECT.
External sites that are not explicitly defined in the Connectivity profile are blocked. However, if the default route is configured to use a
BlackBerry Proxy
cluster, all undefined IP addresses and URLs are allowed. If external sites are not allowed, they are blocked.
If the default route is set to DIRECT, all sites that are not explicitly allowed are blocked.
Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser
Android
iOS
This setting specifies whether to open webpages from domains that aren't listed in the Connectivity profiles on the device's native browser or
BlackBerry Access
.
This setting is valid only if the "Enforce strict tunnel" setting is selected.
When user selects apply to all during prompt to open in third party browser, do not prompt again for all the hosts under same domain
Android
iOS
This setting specifies whether, when a user selects “Always open links from “ <domain>” in Safari“, the user will not be prompted again for any other hosts they access within same domain.
This setting is valid only if the "Allow URL not in Allowed Domains of Connectivity Profiles to be loaded in native browser" setting is selected.
Enable Web Proxy
Android
iOS
This setting specifies whether
BlackBerry Access
can communicate through a web proxy server.
User Proxy Auto Configuration
Android
iOS
PAC files make it easier for users to work with proxy servers by hiding the complexities of authentication from the end user.
If your organization uses a PAC file to define proxy rules, you can select this setting to use the proxy server settings from the PAC file that you specify.
Enabling this setting will override static web proxy settings.
This setting requires
BlackBerry Dynamics
servers version 1.6 or later.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Enter URL for PAC file location
Android
iOS
This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name (for example, http://www.example.com/PACfile.pac).
The PAC file must not be hosted on the same server as
Good Control
,
BlackBerry UEM
, or any of its components. This configuration is not supported.
The limit is 4000 characters.
This setting is valid only if the "Enable Web Proxy" and "Use Proxy Auto Configuration" settings are selected.
Enable PAC proxy check for all the sub-resources
Android
iOS
You can use this setting to enforce PAC processing without caching.
Selecting this setting has an impact on the performance of your organization’s environment. You should use this feature for special circumstances only.
Use Static Web Proxy
Android
iOS
This setting specifies whether communications are enabled only through a single web proxy service.
This setting is valid only if the "Enable Web Proxy" setting is selected.
Enabling this setting overrides "Enforce strict tunnel" settings.
Proxy Host
Android
iOS
This setting specifies the the FQDN or IP address of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Proxy Port
Android
iOS
This setting specifies the port number of the proxy server.
This setting is valid only if the "Use Static Web Proxy (Full Tunnel)" setting is selected.
Use HTTPS web proxy tunnel for above host
Android
iOS
The HTTPS proxy can be specified either as a static proxy or through PAC:
  • You can specify the HTTPS proxy using a BlackBerry UEM policy.
  • Sample code to set an HTTPS proxy:
    function FindProxyForURL(url, host) { return "HTTPS secureproxy.example.com:443"; }