Controlling which devices can access Exchange ActiveSync for work email and organizer data

If your organization uses Microsoft Exchange ActiveSync, you can stop unauthorized devices from accessing Exchange ActiveSync unless they are explicitly added to the allowed list. Devices that are not on the allowed list can't access work email and organizer data.
The BlackBerry Gatekeeping Service makes it easier to add devices to the allowed list by automatically adding them. You can use the BlackBerry Gatekeeping Service whether you are using BlackBerry Dynamics apps (such as BlackBerry Work) or email profiles to manage email, calendar, and contact access on users' devices.
To configure and use the BlackBerry Gatekeeping Service, you do the following:
  1. Create a gatekeeping configuration for Microsoft Exchange Server or Microsoft Office 365.
  2. Assign a gatekeeping profile to user accounts, user groups, and device groups.
  3. Configure an email profile or BlackBerry Work to reference the automatic gatekeeping server.
If the gatekeeping profile, email profile, or email app is removed from a user, the user's device is removed from the allowed list and can no longer connect to Microsoft Exchange unless it is allowed using other means (for example, Windows PowerShell).
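Because a device can also be allowed outside the gatekeeping workflow, it is worth auditing the Exchange side directly. The following is an added example, not part of the BlackBerry documentation: it uses Exchange's own cmdlets to flag devices that are allowed without being on a mailbox's allowed list. It assumes an already connected Exchange Management Shell or Exchange Online PowerShell session, and the report column names are chosen for this example.

```powershell
# Added audit example. Assumes a connected Exchange Management Shell or
# Exchange Online PowerShell session; report column names are illustrative.

# The allowed list only restricts access if unknown devices are not allowed by default.
$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -eq 'Allow') {
    Write-Warning "DefaultAccessLevel is Allow: devices off the allowed list can still connect."
}

$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs)
    $devices = @(Get-MobileDevice -Mailbox $cas.Identity -ErrorAction SilentlyContinue)

    foreach ($d in $devices) {
        $onList = $allowed -contains $d.DeviceId
        [pscustomobject]@{
            Mailbox       = $cas.Identity
            DeviceId      = $d.DeviceId
            Model         = $d.DeviceModel
            AccessState   = $d.DeviceAccessState
            Reason        = $d.DeviceAccessStateReason
            OnAllowedList = $onList
            # An allowed device that is not on the per-mailbox list was allowed some other way.
            Finding       = if ("$($d.DeviceAccessState)" -eq 'Allowed' -and -not $onList) {
                                'Allowed by other means'
                            } else { '' }
        }
    }

    # Allowed IDs with no matching device partnership are stale entries worth reviewing.
    foreach ($id in $allowed | Where-Object { $_ -and $_ -notin $devices.DeviceId }) {
        [pscustomobject]@{
            Mailbox       = $cas.Identity
            DeviceId      = $id
            Model         = $null
            AccessState   = $null
            Reason        = $null
            OnAllowedList = $true
            Finding       = 'Allowed ID with no device partnership'
        }
    }
}

$report | Where-Object Finding | Sort-Object Mailbox | Format-Table -AutoSize
```

The Reason column (DeviceAccessStateReason) shows whether Exchange allowed a device through the per-user list, a device access rule, or the organization default.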
Most devices allow only one email client to be added to the allowed list for each device. For Android Enterprise and Samsung Knox devices that use an app configuration that contains Exchange Server allowed data, the priority for allowing email applications is as follows:
  1. Email applications with application configurations that contain Exchange Server allowed data
  2. BlackBerry Work
  3. Email client for which the Exchange ActiveSync ID is sent during enrollment
If your organization uses BlackBerry UEM in an on-premises environment, you can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s gatekeeping server. If you want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the primary UEM components, you can change the default settings to disable the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node.
If your organization uses UEM Cloud, you can install one or two additional instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s Exchange ActiveSync server. If you want to manage the Exchange ActiveSync access settings only by the BlackBerry Gatekeeping Service that is installed with the main BlackBerry Connectivity Node, you can change the default settings to disable the BlackBerry Gatekeeping Service in the additional BlackBerry Connectivity Node instances.
You can set up BlackBerry Connectivity Node server groups to direct device connectivity traffic to a specific regional connection to the BlackBerry Infrastructure. When you associate a gatekeeping profile with a server group, any user that is assigned that gatekeeping profile uses any active instance of the BlackBerry Gatekeeping Service in that server group. When you configure a server group, you can choose to disable the instances of the BlackBerry Gatekeeping Service in the group. See Create a server group to manage regional connections in the Configuration content.