Create or modify a BlackBerry 2FA profile in BlackBerry UEM Cloud or BlackBerry UEM version 12.9 or later

To use BlackBerry 2FA, you must create a BlackBerry 2FA profile and assign it to users.
  1. On the menu bar, click Policies and Profiles.
  2. Click Networks and connections > BlackBerry 2FA.
  3. Do one of the following:
    • To create a profile, click .
    • To modify a profile, click the name of the profile that you want to modify and click .
  4. Type a name for the BlackBerry 2FA profile.
  5. Optionally, add a description for the BlackBerry 2FA profile.
  6. Do one of the following:
    1. Select Authenticate with BlackBerry 2FA if you are creating a standard BlackBerry 2FA profile.
    2. Select Authenticate with Enterprise Password only if you are creating a profile for users who do not have a device but need access to your organization's resources. This option is less secure because the user supplies only a directory password when they request authentication and no confirmation request to authenticate is sent. One-Time Password (OTP) tokens are not supported with this option.
  7. If you selected the "Authenticate with BlackBerry 2FA" authentication mode, configure the following settings:
    | Setting | Description |
    | --- | --- |
    | Allow Push Authentication | This setting specifies whether to allow users to authenticate using the 2FA confirmation prompt on their device. |
    | Require Enterprise Password | This setting specifies whether users must provide their enterprise password when logging in to your organization's resources. After a user enters their password, the user is prompted to authenticate on their device. This setting is valid only if Allow Push Authentication is selected. |
    | Allow Preauthentication from mobile devices | This setting specifies whether to allow users to use the Preauthentication feature to authenticate to your organization's resources for a short, predetermined period. If you select this option, the feature is available for users in the BlackBerry UEM Client app home screen. Specify the default and maximum duration, in hours, that users can access your organization's resources without being prompted to authenticate on their device. This setting is valid only if Allow Push Authentication and Require Enterprise Password are selected. |
    | Require device password if device locked | This setting specifies whether users must unlock their device before they can respond to the authentication prompt on the device. This setting is valid only if Allow Push Authentication is selected. |
    | Require device password re-entry even if device already unlocked (BlackBerry 10 devices only) | This setting specifies whether BlackBerry 10 device users must enter their device password, even if the device is already unlocked, before they can respond to the authentication prompt on the device. This setting is valid only if Allow Push Authentication and Require device password if device locked are selected. |
    | Allow Direct Authentication from mobile devices | This setting specifies whether to allow users to use the Direct Authentication feature to start the authentication process on their mobile device. If you select this option, the feature is available for users in the BlackBerry UEM Client app home screen. You must specify the duration, in seconds, within which users must complete the two-factor authentication process. The default setting is "120" and the maximum setting is "180." This setting is valid only if Allow Push Authentication is selected. |
    | Allow One-Time Password (OTP) authentication | This setting specifies whether to allow users to use OTP codes as the second factor of authentication. |
    | Require Enterprise Password | This setting specifies whether the user must enter their directory password together with the OTP code. This setting is valid only if Allow One-Time Password (OTP) authentication is selected. |
    | Allow OTP generation on mobile devices | This setting specifies whether OTP codes can be generated on users' mobile devices. If you select this option, users can use OTP codes that display in the BlackBerry UEM Client app home screen. Specify the length of the OTP codes that you want generated in the UEM Client. The default length is "6." This setting is valid only if Allow One-Time Password (OTP) authentication is selected. |
    | Allow hardware OTP tokens | This setting specifies whether to allow users to use hardware OTP tokens. If you select this option, users can use OTP codes on the hardware tokens that are assigned to them. This setting is valid only if Allow One-Time Password (OTP) authentication is selected. |
    | Allow Self-Rescue from BlackBerry UEM Self-Service | This setting specifies whether to allow users to use the Self-Rescue feature to authenticate to your organization's resources for a predetermined period. If you select this option, users can access the Self-Rescue feature from BlackBerry UEM Self-Service, which users can access only if they are connected to the organization’s network. Specify the default and maximum duration, in hours, that users can access your organization's resources without being prompted to authenticate on their device. |
  8. Click Add or Save.
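
The "valid only if" conditions in step 7 form a dependency chain that is easy to break when a profile is edited later. The following Python check is an added example, not BlackBerry code or a UEM API: it audits a profile that has been transcribed by hand into a dict, and every key name in it is a hypothetical label for a setting in the table.

```python
# Added example: keys are hypothetical labels for the settings in step 7.
# Each key maps to the settings that must also be selected for it to be valid.
PREREQUISITES = {
    "push_require_enterprise_password": ["allow_push"],
    "allow_preauthentication": ["allow_push", "push_require_enterprise_password"],
    "require_device_password_if_locked": ["allow_push"],
    "require_device_password_reentry": ["allow_push", "require_device_password_if_locked"],
    "allow_direct_authentication": ["allow_push"],
    "otp_require_enterprise_password": ["allow_otp"],
    "allow_otp_on_mobile": ["allow_otp"],
    "allow_hardware_otp": ["allow_otp"],
}
DIRECT_AUTH_DEFAULT_S, DIRECT_AUTH_MAX_S = 120, 180  # stated in the table

def audit_profile(profile):
    """Return findings for a profile transcribed from the console into a dict."""
    findings = []
    if profile.get("mode") == "enterprise_password_only":
        findings.append("mode: directory password only, no confirmation request is sent")
        if profile.get("allow_otp"):
            findings.append("allow_otp: OTP tokens are not supported in this mode")
        return findings
    for key, needs in PREREQUISITES.items():
        missing = [n for n in needs if not profile.get(n)]
        if profile.get(key) and missing:
            findings.append(f"{key}: not valid unless selected: {', '.join(missing)}")
    timeout = profile.get("direct_auth_timeout_s", DIRECT_AUTH_DEFAULT_S)
    if profile.get("allow_direct_authentication") and timeout > DIRECT_AUTH_MAX_S:
        findings.append(f"direct_auth_timeout_s: {timeout} exceeds maximum {DIRECT_AUTH_MAX_S}")
    for feature in ("preauth", "self_rescue"):  # default duration must fit under the maximum
        default = profile.get(f"{feature}_default_hours")
        maximum = profile.get(f"{feature}_max_hours")
        if default is not None and maximum is not None and default > maximum:
            findings.append(f"{feature}_default_hours: {default} exceeds maximum {maximum}")
    return findings

# Constructed sample profile, not taken from a real UEM instance.
SAMPLE = {
    "mode": "blackberry_2fa", "allow_push": True,
    "allow_preauthentication": True,  # push-side Require Enterprise Password is off
    "preauth_default_hours": 8, "preauth_max_hours": 4,
    "allow_direct_authentication": True, "direct_auth_timeout_s": 300,
    "allow_hardware_otp": True,  # Allow One-Time Password (OTP) authentication is off
}

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```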