Controlling which devices can access Exchange ActiveSync for work email and organizer data

If your organization uses Microsoft Exchange ActiveSync, you can stop unauthorized devices from accessing Exchange ActiveSync unless they are explicitly added to the allowed list. Devices that are not on the allowed list can't access work email and organizer data. The BlackBerry Gatekeeping Service makes it easier to add devices to the allowed list by automatically adding them. You can use the BlackBerry Gatekeeping Service whether you are using BlackBerry Dynamics apps (such as BlackBerry Work) or email profiles to manage email, calendar, and contact access on users' devices. To configure and use the BlackBerry Gatekeeping Service, you do the following:
- Create a gatekeeping configuration for Microsoft Exchange Server or Microsoft Office 365.
- Assign a gatekeeping profile to user accounts, user groups, and device groups.
- Configure an email profile or BlackBerry Work to reference the automatic gatekeeping server.

If the gatekeeping profile, email profile, or email app is removed from a user, the user's device is removed from the allowed list and can no longer connect to Microsoft Exchange unless it is allowed using other means (for example, Windows PowerShell).

Most devices allow only one email client to be added to the allowed list for each device. For Android Enterprise and Samsung Knox devices that use an app configuration that contains Exchange Server allowed data, the priority for allowing email applications is as follows:
- Email applications with application configurations that contain Exchange Server allowed data
- BlackBerry Work
- Email client for which the Exchange ActiveSync ID is sent during enrollment

If your organization uses BlackBerry UEM in an on-premises environment, you can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s gatekeeping server. If you want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the primary UEM components, you can change the default settings to disable the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node.

If your organization uses UEM Cloud, you can install one or two additional instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains an instance of the BlackBerry Gatekeeping Service. Each instance must be able to access your organization’s Exchange ActiveSync server. If you want to manage the Exchange ActiveSync access settings only by the BlackBerry Gatekeeping Service that is installed with the main BlackBerry Connectivity Node, you can change the default settings to disable the BlackBerry Gatekeeping Service in the additional BlackBerry Connectivity Node instances.

You can set up BlackBerry Connectivity Node server groups to direct device connectivity traffic to a specific regional connection to the BlackBerry Infrastructure. When you associate a gatekeeping profile with a server group, any user that is assigned that gatekeeping profile uses any active instance of the BlackBerry Gatekeeping Service in that server group. When you configure a server group, you can choose to disable the instances of the BlackBerry Gatekeeping Service in the group. See Create a server group to manage regional connections in the Configuration content.
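
The following PowerShell function is an added example (not BlackBerry's or Microsoft's code) that audits the Exchange side of the allowed list described above, including devices that were allowed "using other means". It relies on the properties returned by the Exchange cmdlets `Get-ActiveSyncOrganizationSettings`, `Get-CASMailbox` and `Get-MobileDevice`; the function name `Test-EasAllowList`, the finding names and the sample data are constructed for illustration.

```powershell
# Added example: audit the Exchange side of the ActiveSync allowed list.
# With a live Exchange session, feed it real data instead of the sample:
#   Test-EasAllowList -DefaultAccessLevel (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel `
#       -CasMailbox (Get-CASMailbox -ResultSize Unlimited) -MobileDevice (Get-MobileDevice -ResultSize Unlimited)
function Test-EasAllowList {
    param(
        [string]   $DefaultAccessLevel,      # Allow, Block or Quarantine
        [object[]] $CasMailbox   = @(),      # uses Identity, ActiveSyncAllowedDeviceIDs
        [object[]] $MobileDevice = @()       # uses DeviceId, DeviceAccessState, DeviceAccessStateReason
    )
    # 1. With a default of Allow, being off the allowed list blocks nothing.
    if ($DefaultAccessLevel -eq 'Allow') {
        [pscustomobject]@{ Finding = 'DefaultAccessLevelAllow'; Subject = 'Organization'
                           Detail  = 'Devices not on the allowed list can still sync' }
    }
    # 2. Devices Exchange allows for a reason other than the per-user allowed list.
    foreach ($d in $MobileDevice) {
        if ($d.DeviceAccessState -eq 'Allowed' -and $d.DeviceAccessStateReason -ne 'Individual') {
            [pscustomobject]@{ Finding = 'AllowedOutsideList'; Subject = $d.DeviceId
                               Detail  = "Allowed by: $($d.DeviceAccessStateReason)" }
        }
    }
    # 3. Allowed-list entries with no matching device partnership; check them against UEM.
    $knownIds = @($MobileDevice | ForEach-Object { $_.DeviceId })
    foreach ($m in $CasMailbox) {
        foreach ($id in $m.ActiveSyncAllowedDeviceIDs) {
            if ($knownIds -notcontains $id) {
                [pscustomobject]@{ Finding = 'AllowedIdWithoutDevice'; Subject = $id
                                   Detail  = "On the allowed list of $($m.Identity)" }
            }
        }
    }
}

# Constructed sample data standing in for the cmdlet output (all values are made up).
$mbx = @(
    [pscustomobject]@{ Identity = 'alice'; ActiveSyncAllowedDeviceIDs = @('DEV-A1') }
    [pscustomobject]@{ Identity = 'bob';   ActiveSyncAllowedDeviceIDs = @('DEV-B1', 'DEV-B9') }
)
$dev = @(
    [pscustomobject]@{ DeviceId = 'DEV-A1'; DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'Individual' }
    [pscustomobject]@{ DeviceId = 'DEV-B1'; DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'Individual' }
    [pscustomobject]@{ DeviceId = 'DEV-C1'; DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'DeviceRule' }
)
Test-EasAllowList -DefaultAccessLevel 'Quarantine' -CasMailbox $mbx -MobileDevice $dev |
    Format-Table -AutoSize
```

Findings of type `AllowedIdWithoutDevice` are not necessarily stale, because a device that was added to the allowed list but has not yet synchronized has no partnership in Exchange.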