Create or modify a
BlackBerry 2FA
profile in
BlackBerry UEM
version 12.8 or earlier

To use
BlackBerry 2FA
, you must create a
BlackBerry 2FA
profile and assign it to users.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Networks and connections
    >
    BlackBerry 2FA
    .
  3. Do one of the following:
    • To create a profile, click .
    • To modify a profile, click the name of the profile that you want to modify and click .
  4. Type a name for the
    BlackBerry 2FA
    profile.
  5. Optionally, add a description for the
    BlackBerry 2FA
    profile.
  6. Select an authentication option:
    1. Select
      Two-factor authentication
      if you are creating a standard
      BlackBerry 2FA
      profile.
    2. Select
      Single-factor authentication using enterprise password
      if you are creating a profile for users who do not have a device but need access to your organization's resources. This option is less secure because the user supplies only a directory password when they request authentication and no confirmation request to authenticate is sent. One-Time Password (OTP) tokens are not supported with this option.
  7. Select a password to use with device prompt:
    1. Select
      Enterprise password
      if you are creating a profile for users who first need to supply their directory password when they request authentication and then receive a confirmation request on their device.
    2. Select
      Passive device password
      if you are creating a profile for
      BlackBerry 10
      users who should receive a passive prompt to supply their workspace password to unlock their workspace and then receive a confirmation request for authentication on their devices. The passive prompt means that the user is not required to supply a workspace password if the device workspace is already unlocked when they request authentication.
    3. Select
      Active device password
      if you are creating a profile for
      BlackBerry 10
      users who should receive an active prompt to supply their workspace password to unlock their workspace and then receive a confirmation request to authenticate on their devices. The active prompt means that the user must supply a workspace password if the device workspace is already unlocked when they request authentication.
  8. Optionally, if you use the
    Enterprise password
    authentication policy, do any of the following:
    1. To allow users to use OTPs in the
      BlackBerry UEM Client
      app, select
      Allow One-Time Password token
      . Specify the length of the OTPs that are generated.
    2. To allow users to request Direct Authentication, select
      Allow Direct Authentication from user's device
      . Specify the duration, in seconds, that users have to compete the two-factor authentication process after they have started it on their mobile device. The maximum setting is "180."
    3. To allow users to set a self-rescue period, select
      Allow self-rescue from BlackBerry UEM Self-Service
      . Specify, in hours, the default and maximum time that users can access your organization's resources without needing to respond to a confirmation prompt on their devices.
    4. To allow users to set a Preauthentication period, select
      Allow Preauthentication from user's device
      . Specify, in hours, the default and maximum time that users can access your organization's resources without needing to respond to a confirmation prompt on their devices (the prompt will not appear).
  9. Click
    Add
    or
    Save
    .