Create a BlackBerry Enterprise Identity authentication policy
BlackBerry Persona adds a new optional feature to BlackBerry Enterprise Identity authentication policies. You can now incorporate a user’s behavioral and/or geozone risk level into the factors that determine the authentication requirements for work apps and services. For example, you can configure the policy so that if a user’s geozone risk level is high, the user must both enter a password and use BlackBerry 2FA to access work apps.
For more information about how to enable and manage BlackBerry Enterprise Identity, see the BlackBerry Enterprise Identity docs.
If you want to use BlackBerry Enterprise Identity authentication profiles to enforce BlackBerry 2FA authentication, you must enable BlackBerry 2FA for users' devices. For more information, see Steps to manage BlackBerry 2FA in BlackBerry UEM.
- In the UEM management console, on the menu bar, click Policies and profiles > BlackBerry Enterprise Identity.
- Click Add a policy.
- Type a name and description.
- In the Minimum authentication level drop-down list, click the desired authentication level. For more information, see Managing authentication levels in the BlackBerry Enterprise Identity Administration content.
- In the Risk scenarios table, click .
- Type a name and description for the risk scenario.
- In the Minimum authentication level drop-down list, select the desired authentication level that is required when the risk factors are met.
- In the Risk factor combination drop-down list, select the desired option.
- If you want UEM to consider a Persona risk level or a defined geozone to be a risk factor, select the BlackBerry Persona check box. Do any of the following:
  - If you want a behavioral risk level to be a risk factor, in the Identity risk level drop-down list, click the desired risk level.
  - If you want a geozone risk level to be a risk factor, in the Geozone risk level drop-down list, click the desired risk level.
  - If you want a defined geozone to be a risk factor, in the Administrator-defined geozone drop-down list, click the desired geozone. The geozone that you select will automatically set the Geozone risk level based on the configuration of the defined geozone.
- If necessary, repeat steps 5 to 10 to add additional risk scenarios.
- Notify users that they will receive prompts asking whether they want to allow BlackBerry Enterprise Identity to provide location data and whether BlackBerry Enterprise Identity can trust the browser. Encourage users to accept both prompts. If a user does not, Persona cannot factor the data into the user’s risk model. Note that if a user logs in to the BlackBerry Enterprise Identity service for the first time using Incognito mode, BlackBerry Enterprise Identity cannot send location data. Location data will be sent in a subsequent login.
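To review a planned set of risk scenarios before entering them in the console, the following added example (not BlackBerry code and not part of the original page) models the policy fields from the steps above and tabulates the authentication level each risk combination would demand. The level names, the low/medium/high scale, the "any"/"all" combination options, the at-or-above matching rule and the strictest-scenario-wins rule are all assumptions of this model, not documented UEM behavior.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from itertools import product
from typing import Optional

class AuthLevel(IntEnum):      # assumed names; the page does not list the levels
    PASSWORD = 1
    PASSWORD_AND_2FA = 2

class Risk(IntEnum):           # assumed scale; the page only mentions "high"
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class RiskScenario:
    name: str
    min_auth_level: AuthLevel
    combination: str = "any"               # assumed options: "any" or "all"
    identity_risk: Optional[Risk] = None   # None means the factor is not selected
    geozone_risk: Optional[Risk] = None

    def matches(self, identity: Risk, geozone: Risk) -> bool:
        # Assumption: a factor is met when the observed risk is at or above the selected level.
        checks = []
        if self.identity_risk is not None:
            checks.append(identity >= self.identity_risk)
        if self.geozone_risk is not None:
            checks.append(geozone >= self.geozone_risk)
        if not checks:
            return False  # a scenario with no factors selected never applies
        return all(checks) if self.combination == "all" else any(checks)

@dataclass
class Policy:
    min_auth_level: AuthLevel
    scenarios: list = field(default_factory=list)

    def required_level(self, identity: Risk, geozone: Risk):
        """Return (strictest level demanded, names of the scenarios that matched)."""
        hits = [s for s in self.scenarios if s.matches(identity, geozone)]
        level = max([self.min_auth_level] + [s.min_auth_level for s in hits])
        return level, [s.name for s in hits]

    def decision_matrix(self):
        """Required level for every (identity, geozone) pair, for review before rollout."""
        return {(i, g): self.required_level(i, g)[0] for i, g in product(Risk, Risk)}

def build_example_policy() -> Policy:   # constructed sample policy
    return Policy(AuthLevel.PASSWORD, [
        RiskScenario("High-risk geozone", AuthLevel.PASSWORD_AND_2FA, geozone_risk=Risk.HIGH),
        RiskScenario("Elevated identity and geozone", AuthLevel.PASSWORD_AND_2FA, "all",
                     Risk.MEDIUM, Risk.MEDIUM),
    ])
```

Calling `build_example_policy().decision_matrix()` gives the full table, which makes it easy to spot a combination that still resolves to the policy minimum when a stronger level was intended.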