Controlling which devices can access Exchange ActiveSync for work email and organizer data Skip Navigation

Controlling which devices can access
Exchange ActiveSync
for work email and organizer data

If your organization uses
Microsoft Exchange ActiveSync
, you can stop unauthorized devices from accessing
Exchange ActiveSync
unless they are explicitly added to the allowed list. Devices that are not on the allowed list can't access work email and organizer data.
The
BlackBerry Gatekeeping Service
makes it easier to add devices to the allowed list by automatically adding them. You can use the
BlackBerry Gatekeeping Service
whether you are using
BlackBerry Dynamics
apps (such as
BlackBerry Work
) or email profiles to manage email, calendar, and contact access on users devices.
To configure and use the
BlackBerry Gatekeeping Service
, you do the following:
  1. Create a gatekeeping configuration for
    Microsoft Exchange Server
    or
    Microsoft Office 365
    .
  2. Assign a gatekeeping profile to user accounts, user groups, and device groups.
  3. Configure an email profile or
    BlackBerry Work
    to reference the automatic gatekeeping server.
If the gatekeeping profile, email profile, or email app is removed from a user, the user's device is removed from the allowed list and can no longer connect to
Microsoft Exchange
unless it is allowed using other means (for example,
Windows PowerShell
).
Most devices allow only one email client to be added to the allowed list for each device. For
Android Enterprise
and
Samsung Knox
devices that use an app configuration that contains Exchange Server allowed data, the priority for allowing email applications is as follows:
  1. Email applications with application configurations that contain Exchange Server allowed data
  2. BlackBerry Work
  3. Email client for which the
    Exchange ActiveSync
    ID is sent during enrollment
If your organization uses
BlackBerry UEM
in an on-premises environment, you can install one or more instances of the
BlackBerry Connectivity Node
to add additional instances of the device connectivity components to your organization’s domain. Each
BlackBerry Connectivity Node
contains an instance of the
BlackBerry Gatekeeping Service
. Each instance must be able to access your organization’s gatekeeping server. If you want gatekeeping data to be managed only by the
BlackBerry Gatekeeping Service
that is installed with the primary
UEM
components, you can change the default settings to disable the
BlackBerry Gatekeeping Service
in each
BlackBerry Connectivity Node
.
If your organization uses
UEM Cloud
, you can install one or two additional instances of the
BlackBerry Connectivity Node
to add additional instances of the device connectivity components to your organization’s domain. Each
BlackBerry Connectivity Node
contains an instance of the
BlackBerry Gatekeeping Service
. Each instance must be able to access your organization’s
Exchange ActiveSync
server. If you want to manage the
Exchange ActiveSync
access settings only by the
BlackBerry Gatekeeping Service
that is installed with the main
BlackBerry Connectivity Node
, you can change the default settings to disable the
BlackBerry Gatekeeping Service
in the additional
BlackBerry Connectivity Node
instances.
You can set up
BlackBerry Connectivity Node
server groups to direct device connectivity traffic to a specific regional connection to the
BlackBerry Infrastructure
. When you associate a gatekeeping profile with a server group, any user that is assigned that gatekeeping profile uses any active instance of the
BlackBerry Gatekeeping Service
in that server group. When you configure a server group, you can choose to disable the instances of the
BlackBerry Gatekeeping Service
in the group. See Create a server group to manage regional connections in the Configuration content.