Lab 4

To illustrate the importance of IT policies, and to get you familiar with using them in your organization, we are going to work through a mock lab that creates an IT policy, with the rules listed below, for all user accounts that belong to sales employees.

So far our lab has a sales group which has around six users, who have been activated with the default IT policy. It is good practice not to edit the default IT policy and to create a new one. We need to ensure that the following requirements are met for the BlackBerry devices, for all sales employees:

  • The user has to enter a new password every 45 days
  • The minimum password length should be eight characters
  • Company security policy states that a duress e-mail must be set up — so if the sales user is forced to unlock the device, the head admin at the organization is notified
  • Users cannot be allowed to use the BCC (Blind Carbon Copy) when sending messages from their devices
  • Must allow access to the third-party application SalesStock

Creating the Sales Team IT policy

  1. Log on to the BlackBerry Administration Service.
  2. Create an IT policy called Sales IT policy (see the Creating a new IT policy section of this chapter for additional help).
  3. Click on Manage IT policies and select the Sales policy.
  4. Click on Edit policy and select the Device only tab.
  5. For the rule Password Required, we must select Yes from the drop-down menu, as the default setting is No for this rule.
  6. For the rule Maximum Password Age enter 45.
  7. For the rule Minimum Password Length enter 8.
  8. For the rule User Can Disable Password select No; by default this is set to Yes.
  9. Scroll further down and change the drop-down menu for Allow BCC Recipients to NO.
  10. Select Save all.
  11. Click on the Password tab and for the rule Duress Notification Address enter an e-mail address for the head admin so he is notified when the user is unlocking the device under duress.
  12. Note that enabling this rule halves the number of password attempts. By default the number of password attempts is 10, so once we enable this rule it becomes 5.
  13. To unlock the BlackBerry under duress, the user moves the first character of the password to the end. For example, if the user's password is blackberry, they would enter lackberryb when unlocking the device under duress. This sends an e-mail message to the address above, letting the recipient know the device was unlocked under duress.
  14. Save this IT policy.
  15. For our final rule, we need to create a third-party application rule that has a Boolean value (see the Creating a new IT policy section of this chapter). Give the policy name as SalesStock, choose a Boolean value, and for the Destination choose Handheld, as shown in the following screenshot:
  16. Go back to the Sales IT policy and click on the User defined tab and select Yes for SalesStock and click on Save all, as shown in the following screenshot:
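The duress behaviour from steps 11 to 13, modelled as an added example (not code from the book or from BlackBerry). The stored-digest layout, the function names, and the refusal of passwords whose rotated form is unchanged are assumptions of this sketch; the sample address is constructed.

```python
import hashlib
import hmac
import os

DEFAULT_MAX_ATTEMPTS = 10   # default number of password attempts (step 12)
MIN_PASSWORD_LENGTH = 8     # Minimum Password Length from the lab


def duress_form(password):
    """Move the first character to the end (step 13)."""
    return password[1:] + password[:1]


def _digest(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(password, duress_address=None):
    """Build the stored state for a new password (hypothetical model)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than Minimum Password Length")
    if duress_address and duress_form(password) == password:
        # e.g. "aaaaaaaa": rotation changes nothing, so duress is undetectable
        raise ValueError("duress form is identical to the password")
    salt = os.urandom(16)
    halved = DEFAULT_MAX_ATTEMPTS // 2  # duress address set: 10 becomes 5
    return {
        "salt": salt,
        "normal": _digest(password, salt),
        "duress": _digest(duress_form(password), salt) if duress_address else None,
        "notify": duress_address,
        "max_attempts": halved if duress_address else DEFAULT_MAX_ATTEMPTS,
    }


def unlock(state, entered):
    """Return (result, address_to_notify) for one unlock attempt."""
    digest = _digest(entered, state["salt"])
    if hmac.compare_digest(digest, state["normal"]):
        return "unlocked", None
    if state["duress"] and hmac.compare_digest(digest, state["duress"]):
        return "unlocked-duress", state["notify"]
    return "denied", None
```

Without a Duress Notification Address the rotated password is simply a wrong password, so the duress form only has meaning once the rule is set.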

Applying the IT policy to the sales group

  1. Click on Manage groups, select the Sales Team group.
  2. Click on the Policies tab, and select Edit group.
  3. From the drop-down select the Sales IT Policy and click on Save all.

So we have successfully created the Sales IT Policy and applied it to our Sales Team group. From now on, any user created in that group will have the Sales IT Policy applied to them. We need to ensure that no member of our Sales Team has an IT policy directly applied to their user account, as doing so will mean that the directly applied policy will take priority.

We also need to make sure that if users belonging to the Sales Team are in different groups, we either set the IT policy priorities correctly, or we assign the user account a policy directly, so it is always used.
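The two checks above can be run as an audit over an export of users and groups. This is an added example, not a BlackBerry Enterprise Server tool: the record layout, the sample names and the policy name "Default" are constructed, and it assumes that among group policies the one listed first in the ranking wins.

```python
EXPECTED_POLICY = "Sales IT policy"
TARGET_GROUP = "Sales Team"


def resolve_policy(user, group_policy, ranking):
    """Return (policy, source) for one user record.

    A directly applied policy takes priority over any group policy.
    Otherwise the group policy that appears first in `ranking` is used
    (assumption of this sketch: earlier in the list = higher priority).
    """
    if user.get("direct_policy"):
        return user["direct_policy"], "direct"
    candidates = {group_policy[g] for g in user["groups"] if g in group_policy}
    if not candidates:
        return "Default", "default"
    return min(candidates, key=ranking.index), "group"


def audit_sales_team(users, group_policy, ranking):
    """List Sales Team members whose resolved policy is not the Sales one."""
    findings = []
    for user in users:
        if TARGET_GROUP not in user["groups"]:
            continue
        policy, source = resolve_policy(user, group_policy, ranking)
        if policy != EXPECTED_POLICY:
            findings.append((user["name"], policy, source))
    return findings


# Constructed sample data for the lab scenario.
GROUP_POLICY = {"Sales Team": "Sales IT policy",
                "Field Engineers": "Field IT policy"}
RANKING = ["Field IT policy", "Sales IT policy", "Default"]
USERS = [
    {"name": "alice", "groups": ["Sales Team"], "direct_policy": None},
    {"name": "bob", "groups": ["Sales Team"], "direct_policy": "Default"},
    {"name": "carol", "groups": ["Sales Team", "Field Engineers"],
     "direct_policy": None},
    {"name": "dave", "groups": ["Field Engineers"], "direct_policy": None},
]

if __name__ == "__main__":
    for name, policy, source in audit_sales_team(USERS, GROUP_POLICY, RANKING):
        print(f"{name}: resolved to {policy!r} via {source} assignment")
```

In the sample, bob is flagged because of a directly applied policy and carol because a second group's policy outranks the Sales policy, which are the two situations the text warns about.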

IT policy settings

As mentioned previously, we can resend an IT policy manually to a user account. This is shown next:

  1. Click on Manage users.
  2. Select or search for the user account to which the policy needs to be sent.
  3. Select the Policies tab, and click on View resolved IT policy data.
  4. Select Resend IT policy to a device.

Now this IT policy will be sent to the device within 15 minutes. We can also, as mentioned, program the BlackBerry Enterprise Server to resend IT policies out to devices every X hours even if there is no update or change in the IT policies.

Resending the IT policy automatically to devices

  1. Expand BlackBerry Solution topology, expand BlackBerry Domain and expand Component view.
  2. Expand Policy and select the instance and click on Edit instance.
  3. In the General section for the field Policy resend interval (hours) specify 3 to resend the IT policies every three hours automatically.
  4. Select Save all.

Deactivating devices that do not have an IT policy

We can deactivate devices in our BlackBerry Enterprise Solution that do not have a valid IT policy assigned to them.

In the General section, change the drop-down for Disable users with unapplied IT policy to True, as shown in the following screenshot:


Troubleshooting IT policies

Ensure that you have viewed IT policy settings for users that belong to different groups, to ensure that they have the right IT policy applied. If they don't, check the priority settings for the IT policies within the organization.

If the IT policy seems to be stuck on waiting to apply to the device, this usually indicates that the device already has an IT policy assigned to it. Best practice is to wipe the device by following the procedure in Chapter 3, Activating Devices and Users; this will clear the IT policy on the smartphone. If the policy is still enforced after the wipe, you will need to refer to the RIM documentation on how to use the policy bin tool to remove the IT policy.
