Configure the Docs security settings
Docs security settings control acceptable Microsoft SharePoint Online domains, the URL of the approved Microsoft Office Web Apps (OWAS) and Office Online Server, the appropriate LDAP domains to use, whether you want to use Kerberos constrained delegation for user authentication, and Entra-IP authentication. Delegation allows a service to impersonate a user account to access resources throughout the network. Constrained delegation limits this trust to a select group of services explicitly specified by a domain administrator.

Verify that one or more of the following are configured in your environment:
- Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring Kerberos constrained delegation for the Docs service.
- Resource-based Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring resource based Kerberos constrained delegation for the Docs service.
- Your environment is configured to use Entra-IP. Have the following information available. For instructions, see Obtain an Entra app ID for the BEMS-Docs component service.
  - Entra Tenant Name
  - BEMS Service Entra Application ID
  - BEMS Service Entra Application Key
- Optionally, you can configure BEMS to allow users to authenticate to Microsoft SharePoint Online with an email address that is different from the email address that was used to install and activate BlackBerry Work. For instructions, see Enable the use of an alternate email address to authenticate to BEMS-Docs.
- In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
- Click Settings.
- Select the Enable Kerberos Constrained Delegation checkbox to allow Docs to use Kerberos constrained delegation.
- Enter each of the Microsoft SharePoint Online domains you plan to make available, separated by commas. For more information, see Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business.
- Enter the URL for your approved Office Web App or Office Online Server.
- Provide your Microsoft Active Directory user domains (separated by commas), then enter the corresponding LDAP Port. LDAP (Lightweight Directory Access Protocol) is used to look up users and their membership in user groups.
- Optionally, specify how long BEMS waits before a connection attempt to the LDAP server times out. In the LDAP Connection Timeout field, increase or decrease the value, in seconds, as required. The default value is 30 seconds. You can specify between zero and 300 seconds.
- Optionally, specify how long BEMS waits before a search for users and their membership in user groups times out. In the LDAP Search Timeout field, increase or decrease the value, in seconds, as required. The default value is 30 seconds. You can specify between zero and 300 seconds.
- Select the Use SSL for LDAP checkbox for secure communication with your Microsoft Active Directory servers.
- Add the Workspaces Public Key. Adding the public key allows BEMS and the BlackBerry Workspaces server to communicate with each other. For more information about locating the public key, contact BlackBerry Technical Support Services.
- Select the Enable Azure Information Protections checkbox to allow Docs to authenticate to Entra-IP. Complete the Azure registration fields to authenticate Docs to Entra-IP so that Docs can decrypt protected documents and confirm the rights any given user has on a document. For instructions about obtaining the Entra registration fields, see Obtain an Entra app ID for the BEMS-Docs component service.
- Click Save.
- Restart the Good Technology Common Services service for the changes to take effect.
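
Before selecting Enable Kerberos Constrained Delegation, an administrator can confirm that the Docs service account is limited to constrained delegation and is not trusted for delegation to every service. The PowerShell check below is an added example, not part of the BlackBerry documentation; it needs the ActiveDirectory module, and the account name `svc-bems-docs` and host name `SPSERVER01` are placeholder assumptions.

```powershell
# Added example: audit delegation settings for the Docs service account.
# Placeholder names (assumptions): replace with the values used in your domain.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-bems-docs'   # hypothetical Docs service account
$ResourceHosts  = @('SPSERVER01')   # hypothetical servers Docs delegates to

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo'
$acct = Get-ADUser -Identity $ServiceAccount -Properties $props

# Classic constrained delegation: explicit list of target SPNs on the account.
$kcdTargets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# Resource-based constrained delegation: the resource lists the account.
$rbcdHosts = @(foreach ($name in $ResourceHosts) {
    $computer = Get-ADComputer -Identity $name `
        -Properties PrincipalsAllowedToDelegateToAccount
    if ($computer.PrincipalsAllowedToDelegateToAccount -contains
            $acct.DistinguishedName) {
        $name
    }
})

$findings = @()
if ($acct.TrustedForDelegation) {
    # Unconstrained: the account may impersonate users to any service.
    $findings += 'FAIL: account is trusted for unconstrained delegation'
}
if ($kcdTargets.Count -eq 0 -and $rbcdHosts.Count -eq 0) {
    $findings += 'FAIL: no constrained or resource-based delegation found'
}
if ($findings.Count -eq 0) {
    $findings += 'OK: delegation is limited to the services listed below'
}

[pscustomobject]@{
    Account            = $acct.SamAccountName
    Unconstrained      = [bool]$acct.TrustedForDelegation
    ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
    ConstrainedTargets = $kcdTargets -join '; '
    ResourceBasedHosts = $rbcdHosts -join '; '
    Findings           = $findings -join '; '
} | Format-List
```

Review the ConstrainedTargets and ResourceBasedHosts values against the services a domain administrator intended Docs to reach; any unexpected entry widens what the service can do on a user's behalf.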