Chapter 4. IT Policies

In the previous chapter, we covered the steps required to provision users and activate devices within the BlackBerry Enterprise Server environment. As administrators, we want to see users interacting with their devices in accordance with organizational policies. In this chapter, we are going to explore the capabilities provided by the BlackBerry Enterprise Server to configure and enforce a variety of policies for device settings. Administrators have the ability to set over 400 granular IT policies; we will have a look at some of them next.

IT policies

IT policies are used to control the behavior of BlackBerry Devices, BlackBerry Desktop Manager Software, and BlackBerry Web Desktop Manager within your organization. These policies consist of individual IT policy rules that enforce specific behavior regarding applications on a BlackBerry device or security settings for the BlackBerry Enterprise Solution. IT policies can be applied to individual users or to a group of users within the BlackBerry Enterprise Server. When a device is activated on the BlackBerry Enterprise Server, the default IT policy is pushed out to the device. Many administrators will want to modify the default IT policy or create a new set of policies to apply within their organization.

New IT policies included in BES version 5 allow us to control the BlackBerry Messenger application more efficiently along with other instant messenger services. IT policy rules are grouped based on the type of behavior that is modified, such as password policies, Bluetooth policies, or Wi-Fi policies. Policy rule enforcement is determined based on the rule setting, which is set through pre-defined options such as True, False, and Default for the Allow Peer-to-Peer Messages Rule, or with a string value such as 6 for the Minimum Password Length Rule.

As BES 5 allows us to have users in more than one group and also allows us to nest groups, there is the potential for a user to be assigned more than one IT policy by virtue of being in multiple groups. A user can only be assigned one IT policy; later in the chapter, under the conflict section, we will examine how the BES resolves this issue. As mentioned, in order to configure the IT policy rules for your organization, we can either edit the default IT policy or create a new policy. In the following section, we are going to look at creating a new IT policy and applying it to an individual user, and then to groups within our organization. In Lab 4, we will look at setting the particular options within a policy in more detail, under the Creating the Sales Team IT policy section of this chapter.

Creating a new IT policy

  1. Log on to the BlackBerry Administration Service.
  2. Under BlackBerry solution management, expand Policy.
  3. Click on Create an IT policy.
  4. In IT policy information, enter the name and click on Save.
  5. To configure the IT policy, click on Manage IT policies and select the policy we just created.
  6. Click on Manage IT policies, select the Org Policy, and select Edit IT policy.

We can now see the group-based policies that we can configure. For example, we can select the tab for Camera and select the option to disable Photo and Video Camera on the BlackBerry device. It should be noted that some policies — to come into effect on the device — require the device to be running a certain version of the BlackBerry device software. For example, for the Video Camera to be disabled, the device must be running Java-based BlackBerry device software version 4.3.0 or higher. This information can be found by clicking the More links next to the policy description. Once we have made a change, we can select Save all.

We will look at the other options available to configure our policy in Lab 4, where we will be setting a robust policy for our sales team. Next, we are going to look at assigning this policy to a user rather than to a group.

Assigning an IT policy

Now that we have created an IT policy, we need to apply the policy to make it effective. Firstly, let's have a look at applying the policy we have just created to an individual user.

To a user

  1. Click on Manage users, search or select a user, and click on the Policies tab.

    As you can see, during activation the default IT policy was already assigned to the user. We need to change this so that the user is assigned the Org Policy we just created.

  2. Click on Edit user.
  3. From the drop-down select the Org Policy.
  4. Click on Save all.

To a group

  1. Click on Manage groups, select the group which we want to apply the IT policy to.
  2. Click on the Policies tab, and select Edit group.
  3. From the drop-down, select the Org Policy.
  4. Click on Save all.

We have now successfully applied the Org Policy to a user and to a group. Any user that joins that group in the future will automatically have the Org Policy pushed to their device. IT policies are pushed over the wireless network automatically any time a policy is changed or a new policy is applied. The policy is pushed out over the air to the device within a 15 minute time frame. Once the IT policy hits the device, the changes are applied immediately. We have the option of sending an IT policy to a device manually, and we can also schedule the BES to send the IT policies to devices at scheduled time intervals whether or not the policy has been changed. We will look at how to do this in Lab 4, under the IT policy settings section of this chapter.

Rules for conflicting IT policies

The BlackBerry Enterprise Server can only apply one IT policy per user account, so there is the potential for a conflict to happen, as a different IT policy can be applied to a user, a group, and the BlackBerry Domain. The default conflict resolution rules built into the BlackBerry Enterprise Server state that:

  • User: An IT policy applied to a user account has the highest priority, so regardless of any group memberships or any BlackBerry Domain IT policy, the user will have the IT policy that was applied to his user account enforced.
  • Groups: Users with no IT policies assigned to them directly will use the highest priority IT policy from any group that they belong to, so if a user finds himself in several groups and has no direct IT policy assigned to him, the IT policy which has the highest priority from the groups will be enforced.
  • Domain: If no individual or group IT policy is assigned to the user account, the default IT policy is applied; as we saw when we activated the users in Chapter 3, Activating Devices and Users, they were all assigned the default IT policy.
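
The three conflict rules above can be modelled in a few lines. This is an added example, not code from the book or from BlackBerry; the group names, user names and priority order are constructed, and treating a policy on a parent group as applying to members of a nested group is an assumption of the model. It returns the source of the resolved policy as well, so users who fall through to the default policy can be picked out for review.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    policy: str | None = None                          # IT policy assigned to this group
    parents: list[Group] = field(default_factory=list)  # groups it is nested in

def group_policies(groups, seen=None):
    """Collect policies from the groups and from every group they are nested in."""
    seen = set() if seen is None else seen
    found = set()
    for g in groups:
        if g.name in seen:          # already visited; also stops a nesting loop
            continue
        seen.add(g.name)
        if g.policy:
            found.add(g.policy)
        found |= group_policies(g.parents, seen)
    return found

def resolve_policy(user_policy, groups, priority, default="Default"):
    """Return (policy, source). priority lists policy names, highest first."""
    if user_policy:                                  # rule 1: user assignment wins
        return user_policy, "user"
    candidates = group_policies(groups)
    unranked = candidates - set(priority)
    if unranked:                                     # a policy missing from the ranking
        raise ValueError(f"no priority set for: {sorted(unranked)}")
    ranked = [p for p in priority if p in candidates]
    if ranked:                                       # rule 2: highest-priority group policy
        return ranked[0], "group"
    return default, "domain"                         # rule 3: default IT policy

if __name__ == "__main__":
    # Constructed sample data: names are illustrative only.
    sales = Group("Sales", policy="Sales Team")
    staff = Group("All Staff", policy="Org Policy")
    field_sales = Group("Field Sales", parents=[sales])   # nested, no policy of its own
    priority = ["Sales Team", "Org Policy"]
    users = {"alice": ("Org Policy", [sales]), "bob": (None, [staff, field_sales]),
             "carol": (None, [])}
    for name, (direct, groups) in users.items():
        policy, source = resolve_policy(direct, groups, priority)
        flag = "  <- review: only the default policy applies" if source == "domain" else ""
        print(f"{name}: {policy} (from {source}){flag}")
```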

Now we have an understanding of the conflict rules, we need to set up the priorities of our IT policies, so when users find themselves in multiple groups, the correct policy is applied.

Setting IT policy priorities

  1. Expand Policy, click on Manage IT policies.
  2. Click on Set priority of IT policies.
  3. Using the up and down arrow, we can position the IT policies higher or lower in the list.
  4. Click Save.

As the IT policy assignment to a user is automatic, based on these conflict resolution rules, we can double-check which policy has been assigned to a user by following the procedure described next.

Verifying a user's IT policy

  1. Click on Manage users, and select the user account we want to verify the IT policy for.
  2. Click on the Policies tab, and select View resolved IT policy data.
  3. The chosen IT policy appears in the Policy information section.

Now that we have seen how crucial IT policies are within our setup, we need to ensure that all devices have an IT policy applied to them at all times; this will ensure that the device is operated within our organizational policy. Therefore, there is a setting discussed in Lab 4 under the Deactivating devices that do not have an IT Policy section of this chapter, which allows us to deactivate from our BlackBerry Enterprise Solution any device that does not have an IT policy assigned to it.

In BES 5, we also have the ability to create new IT policy rules for third-party applications that our organization runs on users' devices. We can create the new rules for the third-party applications and add them to an existing IT policy, such as the Org Policy we created or the default IT policy, or we can create a new IT policy. Please note that you cannot create new rules to control already existing BlackBerry features and applications.

To set a new rule for a third-party application that your organization is using, the following options are available to us:

  1. Expand Policy, click on Create an IT policy rule.
  2. Type a name for the policy.
  3. In the Type drop-down, select the value that the rule would use:
    • Boolean: True, False, or Default
    • Integer: Number, which can further be specified by a minimum and maximum value
    • String: A single line of characters, for example, a web link
    • Bitmask: It is specified in binary numbers to enable or disable features
    • Multi-line string: To define a list of options
  4. In the Destination drop-down list, choose whether you want the BlackBerry Device, or BlackBerry Desktop Manager to be able to use the IT policy rule, or both.
  5. Click on Save.

Our IT policy rule for the third-party application will then appear on IT policies in our organization under the User defined tab. In Lab 4, we will be creating an IT policy rule for a sales application that our organization runs, to ensure we can disable the application on non-sales employees.

Before we move on to Lab 4, we need to take a look at how the IT policy is sent out to the device. We have mentioned previously that the IT policy is sent to a device within 15 minutes of the IT policy being created or changed. When we assign an IT policy to a user or a group of users, the BlackBerry Administration Service creates a deployment job, which has a default setting of creating job schedules every 15 minutes. In Chapter 5, Software Configuration and Java Applications, we will have a look at changing these default settings for job scheduling as a whole. Next, we are going to have a look at the options available to us regarding how IT policies are sent to BlackBerry devices.

Change how an IT policy is sent to a BlackBerry device

  1. Expand Deployment jobs.
  2. Click on Specify IT policy distribution settings.
  3. Click on Edit distribution settings.
  4. Under the Default schedule tab, we can change the default recurring day for sending out IT policy updates. By default the setting is to send out Every day, and the start time is All day.
  5. Under the System throttling tab, we can specify the maximum number of simultaneous tasks the BlackBerry Administration Service instance can carry out. The default setting is 1000 tasks at the same time (all types of job tasks not just related to IT policies).
  6. Under the Job throttling tab, we can set more load balance options regarding IT policies. Change the radio tab to Enabled to reduce load on system.
  7. We can then set the maximum number of simultaneous IT policy tasks that the BlackBerry Administration Service instance can carry out in a day. (The time window by default is a day, which is set to 25 tasks by default.)
  8. We can also specify the total number of IT policy tasks the BlackBerry Administration Service instance can carry out in a day; default is set to 150.

So the above settings allow us to control and change the way an IT policy is pushed out to user devices. These changes would be made depending on the number of users in the organization and the load balance requirements of your organization. The default values are generally accepted for a typical 500 user installation.
