
Create a BlackBerry Enterprise Identity authentication policy

BlackBerry Intelligent Security adds a new optional feature to BlackBerry Enterprise Identity authentication policies. You can now incorporate a user’s behavioral and/or geozone risk level into the factors that determine the authentication requirements for work apps and services. For example, you can configure the policy so that if a user’s geozone risk level is high, the user must both enter a password and use BlackBerry 2FA to access work apps.
For more information about how to enable and manage BlackBerry Enterprise Identity, see the BlackBerry Enterprise Identity docs.
If you want to use BlackBerry Enterprise Identity authentication profiles to enforce BlackBerry 2FA authentication, you must enable BlackBerry 2FA for users' devices. For more information, see Steps to manage BlackBerry 2FA in BlackBerry UEM.
  1. In the UEM management console, on the menu bar, click Policies and profiles > BlackBerry Enterprise Identity.
  2. Click Add a policy.
  3. Type a name and description.
  4. In the Minimum authentication level drop-down list, click the desired authentication level. For more information, see Managing authentication levels in the BlackBerry Enterprise Identity Administration content.
  5. In the Risk scenarios table, click the Add icon.
  6. Type a name and description for the risk scenario.
  7. In the Minimum authentication level drop-down list, select the desired authentication level that is required when the risk factors are met.
  8. In the Risk factor combination drop-down list, select the desired option.
  9. If you want UEM to consider a BlackBerry Intelligent Security risk level or a defined geozone to be a risk factor, select the BlackBerry Intelligent Security check box. Do any of the following:
    • If you want a behavioral risk level to be a risk factor, in the Identity risk level drop-down list, click the desired risk level.
    • If you want a geozone risk level to be a risk factor, in the Geozone risk level drop-down list, click the desired risk level.
    • If you want a defined geozone to be a risk factor, in the Administrator-defined geozone drop-down list, click the desired geozone. The geozone that you select will automatically set the Geozone risk level based on the configuration of the defined geozone.
  10. Click Save.
  11. If necessary, repeat steps 5 to 10 to add additional risk scenarios.
  12. Click Save.
  • Notify users that they will receive prompts asking whether they want to allow BlackBerry Enterprise Identity to provide geolocation data and whether BlackBerry Enterprise Identity can trust the browser. Encourage users to accept both prompts. If a user does not, BlackBerry Intelligent Security cannot factor the data into the user’s risk model. Note that if a user logs in to the BlackBerry Enterprise Identity service for the first time using Incognito mode, BlackBerry Enterprise Identity cannot send location data. Location data will be sent in a subsequent login.