Controlling which devices can access Exchange ActiveSync
If your organization uses Microsoft Exchange ActiveSync, you can stop unauthorized devices from using Exchange ActiveSync unless they are explicitly added to the allowed list. Devices that are not on the allowed list can't access work email and organizer data. The BlackBerry Gatekeeping Service makes it easier to add devices to the allowed list. You can use the BlackBerry Gatekeeping Service whether you are using BlackBerry Dynamics apps or email profiles to manage email, calendar, and contact access on users' devices.

To use the BlackBerry Gatekeeping Service, you must create a gatekeeping configuration for Microsoft Exchange Server or Microsoft Office 365, assign a gatekeeping profile, and configure an email profile or BlackBerry Work that references the automatic gatekeeping server.

After you configure BlackBerry UEM to use the BlackBerry Gatekeeping Service, the users' devices are automatically added to the allowed list. If the gatekeeping profile, email profile, or email app is removed from a user, the user's device is removed from the allowed list and can no longer connect to Microsoft Exchange unless it is allowed using other means (for example, Windows PowerShell).

Most devices allow only one email client to be added to the allowed list for each device. For Android Enterprise and Samsung Knox devices that use an app configuration that contains Exchange Server allowed data, the priority for allowing email applications is as follows:
- Email applications with application configurations that contain Exchange Server allowed data
- BlackBerry Work
- Email client for which the Exchange ActiveSync ID is sent during enrollment
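
Because a device removed from gatekeeping can still be allowed by other means such as Windows PowerShell, it is worth auditing the Exchange side directly. The following is an added example, not BlackBerry or Microsoft code: it compares the allowed device IDs stored on each mailbox with a list of IDs that gatekeeping is expected to manage. The helper name Compare-AllowList, the input file name, and the sample IDs are assumptions made for illustration.

```powershell
# Added example: flag device IDs allowed on a mailbox that gatekeeping does not manage.
function Compare-AllowList {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Mailboxes,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ManagedDeviceIds
    )
    # Compare device IDs case-insensitively so a casing difference is not reported.
    $managed = [System.Collections.Generic.HashSet[string]]::new($ManagedDeviceIds,
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($mbx in $Mailboxes) {
        foreach ($id in $mbx.ActiveSyncAllowedDeviceIDs) {
            if (-not $managed.Contains([string]$id)) {
                [pscustomobject]@{
                    Mailbox  = [string]$mbx.Identity
                    DeviceId = [string]$id
                    Finding  = 'Allowed in Exchange, not managed by gatekeeping'
                }
            }
        }
    }
}

if (Get-Command Get-CASMailbox -ErrorAction SilentlyContinue) {
    # Live run inside an Exchange PowerShell session.
    $level = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
    if ("$level" -eq 'Allow') {
        Write-Warning 'DefaultAccessLevel is Allow: devices connect without being on an allowed list.'
    }
    $mailboxes = @(Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 })
    # Assumption: a text file with one ActiveSync ID per line for devices
    # that currently hold a gatekeeping profile (file name is hypothetical).
    $managedIds = @(Get-Content -Path '.\gatekeeping-managed-ids.txt')
} else {
    # Constructed sample data so the comparison can be tried offline.
    $mailboxes = @(
        [pscustomobject]@{ Identity = 'alice'; ActiveSyncAllowedDeviceIDs = @('APPLAAAA1111', 'ANDRBBBB2222') }
        [pscustomobject]@{ Identity = 'bob';   ActiveSyncAllowedDeviceIDs = @('SAMSCCCC3333') }
    )
    $managedIds = @('applaaaa1111', 'SAMSCCCC3333')
}

Compare-AllowList -Mailboxes $mailboxes -ManagedDeviceIds $managedIds | Format-Table -AutoSize
```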

If your organization uses BlackBerry UEM in an on-premises environment, you can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s gatekeeping server. If you want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the primary BlackBerry UEM components, you can change the default settings to disable the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node. For more information about installing and configuring a BlackBerry Connectivity Node, see the Planning content and the Installation and upgrade content.

If your organization uses BlackBerry UEM Cloud, you can install one or two additional instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s Exchange ActiveSync server. If you want to manage the Exchange ActiveSync access settings only by the BlackBerry Gatekeeping Service that is installed with the main BlackBerry Connectivity Node, you can change the default settings to disable the BlackBerry Gatekeeping Service in the additional BlackBerry Connectivity Node instances. For more information about installing and configuring a BlackBerry Connectivity Node, see Installing or upgrading the BlackBerry Connectivity Node in the BlackBerry UEM Cloud configuration content.

You can set up server groups to direct device connectivity traffic to a specific regional connection to the BlackBerry Infrastructure. When you associate a gatekeeping profile with a server group, any user that is assigned that gatekeeping profile uses any active instance of the BlackBerry Gatekeeping Service in that server group. When you configure a server group, you can choose to disable the instances of the BlackBerry Gatekeeping Service in the group.