BlackBerry Access
Administration Guide
3.4
2022-06-01Z
||2
Contents
What is BlackBerry Access?..............................................................................5
Getting started with BlackBerry Access............................................................ 6
System requirements............................................................................................................................................. 6
Deploying BlackBerry Access................................................................................................................................6
Downloading and activating BlackBerry Access..................................................................................................6
Prerequisites: Deploying BlackBerry Work with BlackBerry Access...................................................................7
Installing BlackBerry Access using a script (Windows only)..............................................................................8
Managing BlackBerry Access............................................................................9
Making BlackBerry Access available to users..................................................................................................... 9
MakeBlackBerry Accessavailable to users inBlackBerry UEM............................................................. 9
Making BlackBerry Access available to users in Good Control.............................................................. 9
Configuring BlackBerry Access app settings.......................................................................................................9
ConfigureBlackBerry Accessapp settings inBlackBerry UEM...............................................................9
Configure BlackBerry Access app settings in Good Control.................................................................10
BlackBerry Access app configuration settings.......................................................................................10
Configuring theBlackBerry Dynamics Launcher............................................................................................... 29
Adding the work app catalog to theBlackBerry Dynamics Launcher...................................................29
Whitelist theBlackBerry UEM App Catalogin theBlackBerry DynamicsConnectivity profile........................ 30
Configure single sign-on for BlackBerry Access in Good Control....................................................................30
Configure single sign-on for BlackBerry Access in BlackBerry UEM............................................................... 31
Setting up a PAC file to manage a proxy infrastructure...................................................................................32
PAC file example...................................................................................................................................... 33
Configure PAC settings inBlackBerry UEM............................................................................................35
Configure PAC settings in Good Control................................................................................................ 35
Test a PAC configuration.........................................................................................................................36
Refreshing PAC configuration on devices.............................................................................................. 36
PAC file FAQ..............................................................................................................................................37
Configure RSA SecurID soft token authentication............................................................................................ 38
Configure an RSA SecurID application policy in BlackBerry UEM.........................................................39
Configure an RSA SecurID application policy in Good Control............................................................. 39
Kerberos authentication support........................................................................................................................ 39
Mapping domains to Kerberos realms................................................................................................... 40
Managing certificates.......................................................................................................................................... 41
Verify that BlackBerry Access can use certificates in BlackBerry UEM............................................... 41
Verify that BlackBerry Access can use certificates in Good Control....................................................42
Upload certificates for users inBlackBerry UEM................................................................................... 42
Upload certificates for users in Good Control........................................................................................42
Delete certificates for users in BlackBerry UEM.................................................................................... 42
Delete certificates for users in Good Control.........................................................................................43
Security features...................................................................................................................................................43
Remote data wipe.....................................................................................................................................43
Send device commands to BlackBerry Access in BlackBerry UEM...................................................... 43
Send device commands to BlackBerry Access in Good Control.......................................................... 44
||iii
Secure storage of browsing activity........................................................................................................45
SSL and TLS..............................................................................................................................................45
NTLMv2 authentication............................................................................................................................ 45
HTTP basic authentication.......................................................................................................................45
User passwords........................................................................................................................................ 46
Video support....................................................................................................................................................... 46
Video support FAQ....................................................................................................................................46
Configuring allowed Internet domains............................................................................................................... 47
Changing communications protocols.................................................................................................................48
Configure access to WebRTC-based destinations............................................................................................ 48
Allow users to open custom URL schemes.......................................................................................................49
Allow users to securely edit files within an app in BlackBerry Access on Windows or macOS......................49
IdentifyingBlackBerry Accessin user agent..................................................................................................... 50
Good Control cloud deployments and intranet servers.................................................................................... 51
UsingBlackBerry Analyticsto collect app data.................................................................................................51
Configure a compliance rule for Windows antivirus detection in Good Control............................................. 51
Configure support for FQDN resolution in Good Control..................................................................................51
Troubleshooting.............................................................................................. 52
Diagnostics............................................................................................................................................................52
Generate a diagnostics report oniOSdevices.......................................................................................52
Generate a diagnostics report onAndroiddevices................................................................................52
Troubleshoot issues using theBlackBerry Accessconsole.............................................................................52
Upload log files to BlackBerry Support.............................................................................................................. 53
Troubleshoot connectivity issues....................................................................................................................... 53
Troubleshoot routing issues................................................................................................................................53
Feature support...............................................................................................57
Browser support for HTML5 and CSS3........................................................... 59
BlackBerry Access for Android HTML and CSS3 support................................................................................ 59
BlackBerry Access for iOS HTML and CSS3 support....................................................................................... 71
BlackBerry Access for macOS HTML and CSS3 support................................................................................. 85
BlackBerry Access for Windows HTML and CSS3 support.............................................................................. 98
Legal notice.................................................................................................. 111
||iv
What is BlackBerry Access?
BlackBerry Access is a secure browser that allows users to access your organization's intranet and business
applications through the work firewall, without using a VPN, on Android, iOS, Windows, and macOS devices.
BlackBerry Access is part of the suite of BlackBerry Dynamics mobile productivity apps. You deploy and manage
BlackBerry Access using BlackBerry UEM or a standalone Good Control server. Both solutions give you the ability
to configure app settings to meet the needs and standards of your organization.
The features offered by BlackBerry Access:
Feature Description
Secures data BlackBerry Access secures work web apps in containers, ensuring that data
is protected and never leaves your organization's control. All browsing data is
encrypted with industry-leading FIPS-validated AES encryption, and BlackBerry
Access uses PAC file URLs to route work data securely.
User authentication BlackBerry Access leverages standard user authentication methods, including
SSL, NTLM, and TLS, and supports credential persistence.
BlackBerry Access also supports single sign-on with Kerberos Constrained
Delegation across realms and RSA soft token generation.
Intuitive browser features BlackBerry Access provides an intuitive interface that makes it easy to
download content, set bookmarks, and browse in multiple tabs. BlackBerry
Access for iOS also captures and saves web clips, and allows users to view
streaming video with intuitive player controls.
App deployment BlackBerry Access supports pop-ups that streamline the deployment of web
apps, including Cisco WebEx, Salesforce, and custom-developed apps. You
can deploy your organization's HTML5 desktop apps securely, and can provide
users with offline access to those apps.
Remote commands If a user's device is compromised (for example, lost or stolen), you can
remotely delete browser data, lock the app, or wipe device data.
Integration with other apps BlackBerry Access for Windows and BlackBerry Access for macOS also
provide users with access to BlackBerry Work to access their mail, calendars,
and contacts from within the secure browser.
|What is BlackBerry Access?|5
Getting started with BlackBerry Access
System requirements
To use BlackBerry Access, your organization must meet the following requirements:
Item Requirement
Management solution One of the following:
BlackBerry UEM, version 12.6 MR1 or later
Good Control version 2.3 or later, Good Proxy version 2.3 or later
Device OS For device OS compatibility, see the Mobile/Desktop OS and Enterprise
Applications Compatibility Matrix.
Deploying BlackBerry Access
You can use either BlackBerry UEM or Good Control to manage BlackBerry Access. If you have not configured
your BlackBerry UEM or Good Control environment, you must complete configuration tasks before you can
continue with the tasks in this guide. Refer to the table below for more information on which solution to use and
where to find more information.
Management option Description
BlackBerry UEM If you require MDM capabilities, you must manage BlackBerry Access
using BlackBerry UEM.
To use BlackBerry UEM to manage BlackBerry Access, see Managing
BlackBerry Dynamics apps for information about deploying BlackBerry
Access in your organization.
Good Control Although it is recommended that you use BlackBerry UEM, if you do not
require MDM, you can use Good Control to manage BlackBerry Access.
For more information on the benefits of using BlackBerry UEM, see
Benefits of upgrading from Good Control to BlackBerry UEM.
To use Good Control to manage BlackBerry Access, see the Good Control
documentation for information about deploying BlackBerry Access in your
organization.
Downloading and activating BlackBerry Access
For MDM managed devices, you can use BlackBerry UEM to push BlackBerry Access to users, or you can make
the app available in users' work catalogs. Users can download the BlackBerry UEM Client from the Google Play
store or App Store. The UEM Client manages the activation of BlackBerry Dynamics apps, so users do not require
an access key to activate the apps.
|Getting started with BlackBerry Access|6
For devices that are not MDM managed, users can download BlackBerry Access from the Google Play store or
App Store. Using BlackBerry UEM or Good Control, you provide users with an access key to activate BlackBerry
Access (see Generate access keys, activation passwords, or QR codes for BlackBerry Dynamics apps).
Direct users to download and install BlackBerry Access from the BlackBerry Products and Application Support
page.
Using BlackBerry UEM or Good Control, you provide users with an access key to activate BlackBerry Access (see
Generate access keys, activation passwords, or QR codes for BlackBerry Dynamics apps).
Prerequisites: Deploying BlackBerry Work with BlackBerry Access
When users install BlackBerry Access for Windows or BlackBerry Access for macOS, BlackBerry Work is also
installed as an integrated web extension for BlackBerry Access.
Before you deploy BlackBerry Access for Windows or BlackBerry Access for macOS with BlackBerry Work, note
the following prerequisites:
Verify that the “Disable BlackBerry Work” app configuration setting is not selected (see BlackBerry Access app
configuration settings).
BlackBerry Work uses Microsoft Exchange Web Services instead of Microsoft Exchange ActiveSync.
BlackBerry Work doesn’t use a configuration file for the Microsoft Exchange Web Services Autodiscover
service. Verify that the Microsoft Exchange Web Services Autodiscover service is enabled. For
more information about using EWSEditor to check if the Autodiscover service is enabled, visit
support.blackberry.com/community to read article 40351.
Verify that the BlackBerry Enterprise Mobility Server is configured for the Microsoft Exchange Web Services
Autodiscover service. For instructions, see the BlackBerry Enterprise Mobility Server Installation and
Configuration content
Note: To use BEMS for Autodiscover, the user must be assigned theBlackBerry Core and Mail Services
or Good Enterprise Services entitlement.The entitlement must be configured in the BlackBerry Dynamics
connectivity profile linked to the FQDN of the BEMS and port 8443. For more information, see Configure
BlackBerry Work connection settings.
.
Autodiscovery of the user's mailbox occurs as follows:
1. BlackBerry Work connects to BEMS to perform autodiscovery if the proper BEMS-related entitlements
are configured in the BlackBerry Dynamics connectivity profile and assigned to the user.Good Enterprise
ServicesorBlackBerry Core and Mail Servicesentitlements both cover this requirement.
2. If that fails, BlackBerry Work attempts to connect to https://<emaildomain.com>/autodiscover/
autodiscover.svc
3. If that fails, BlackBerry Work attempts to connect tohttps://autodiscover.<emaildomain.com>/
autodiscover/autodiscover.svc.
If Microsoft Exchange Web Services is using a self-signed server certificate, ensure that the “Alert user for
invalid or expired certificate” app configuration setting is not selected.
If you want to enable Kerberos Constrained Delegation, note the following prerequisites:
In the Microsoft Internet Information Services (IIS), enable Kerberos authentication (under Windows
authentication) for the Microsoft Exchange Web Services web server.
In Microsoft Active Directory Users and Computers, in the Microsoft Management Console (MMC), on the
Delegation tab, add the Microsoft Exchange Web Services HTTP service for the UEM or Good administrator
account.
|Getting started with BlackBerry Access|7
If Kerberos Constrained Delegation is enabled, users can’t enter their authentication credentials (username
and password). Authentication is delegated to the UEM or Good administrator account.
For more information about setting up Kerberos Constrained Delegation, read Configuring Kerberos for
BlackBerry Dynamics apps in the BlackBerry UEM Configuration content.
Installing BlackBerry Access using a script (Windows only)
Optionally, you can install BlackBerry Access using a script.
Before you begin: Download the BlackBerry Access .exe file.
Install BlackBerry Access for one user
A user can install BlackBerry Access on their Windows device using this method.
1. Copy the BlackBerry Access_<version>.exe file toC:\Users\username\AppData\Local\BlackBerry\BlackBerry
Access.
2. To start the installation, double-click on the BlackBerry Access_<version>.exefile.
Install BlackBerry Access for multiple users
An administrator can install BlackBerry Access for multiple users on the same computer.
Before you begin:
You must have Administrator permissions to perform this task.
Uninstall all individual instances of BlackBerry Access on the computer. Use the /SaveContainer option to
preserve the users' data.
Note: If you do not use the /SaveContainer option, all user data for BlackBerry Access is deleted during the
installation.
.
1. Copy the BlackBerry Access_<version>.exe file toC:\Program Files\BlackBerry\BlackBerry Access.
2. To start the installation, open a command window and type BlackBerryAccess_3.0.1.331.exe /
PerMachine.
|Getting started with BlackBerry Access|8
Managing BlackBerry Access
Making BlackBerry Access available to users
MakeBlackBerry Accessavailable to users inBlackBerry UEM
To manageBlackBerry AccessinBlackBerry UEM, you must addBlackBerry Accessto the app list. Your
organization must be entitled to useBlackBerry Accessin theBlackBerry Marketplace for Enterprise Software.
After your organization is entitled to use the app, you can update the app list to synchronize the apps
withBlackBerry UEMimmediately, or wait until it synchronizes automatically (UEMsynchronizesBlackBerry
Dynamicsapps every 24 hours). AfterBlackBerry Accesshas been added to the app list, you can assign it to
users.
For complete instructions for managingBlackBerry Dynamicsapps inBlackBerry UEM, seesee Managing
BlackBerry Dynamics apps
1. Log in to your account athttps://marketplace.blackberry.com/apps.
2. Locate the app in theBlackBerry Marketplace for Enterprise Softwareand request a trial. The app will be made
available to your organization and can be assigned to users after the app has been synchronized toBlackBerry
UEM.
3. To purchase the app, follow the instructions provided by the app developer.
After you finish:
Update the app list.
To allow users to install and activateBlackBerry Accesson their devices,assignBlackBerry Accessto a user
group oruser account.
If you want to use theBlackBerry UEM Clientto manage the activation ofBlackBerry Access(and
otherBlackBerry Dynamicsapps) onAndroidoriOSdevices, instruct users to download theBlackBerry UEM
Clientfrom theGoogle Playstore orApp Store.
If you want users to activateBlackBerry Accessusing an access key, useto send users an email with the
email address and access key they need to activate the app (seeGenerate access keys for BlackBerry
Dynamics apps).
Update the app list
1. On the menu bar, clickApps.
2.
Click .
Making BlackBerry Access available to users in Good Control
For more information about makingBlackBerry Accessavailable to users inGood Control,see theGood
ControlOnline Help.
Configuring BlackBerry Access app settings
ConfigureBlackBerry Accessapp settings inBlackBerry UEM
1. On the menu bar, clickApps.
2. Click theBlackBerry Accessapp.
|Managing BlackBerry Access|9
3. On theBlackBerry Dynamicstab, in theApp configurationtable, click +.
4. Type a name for the app configuration.
5. Configure the app settings. SeeBlackBerry Access app configuration settingsfor a description of the settings
that you can configure.
6. ClickSave.
After you finish: AssignBlackBerry Accessto a user group or user account.
Configure BlackBerry Access app settings in Good Control
1. On the menu bar, click Policy Sets.
2. Click the name of the policy that you want to assign to BlackBerry Access users.
3. Click the APPS tab.
4. Expand APP SPECIFIC POLICIES > BLACKBERRY ACCESS.
5. Configure the app settings. See BlackBerry Access app configuration settings for a description of the settings
that you can configure.
6. Click Update.
BlackBerry Access app configuration settings
General
Setting Description Applies to
Homepage This setting specifies the URL for the website that you
want to appear as the home screen when users start
BlackBerry Access.
The URL must begin with "http://" or "https://".
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Allow user to set home
page
This setting specifies whether users can set their own
home pages in BlackBerry Access.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Use UIWebView to render
web content on devices
(only applicable to iOS
devices 12.0 or earlier)
This setting specifies whether to allow iOS 12.0 and
earlier devices to use UIWebView. The default view is
WKWebView.
Note: This setting is not supported in BlackBerry
Access version 3.1.0 and later. For more information,
see developer.apple.com/news to read "Updating
Apps that Use WebViews".
BlackBerry Access for
iOS
|Managing BlackBerry Access|10
Setting Description Applies to
Allow telephone and
maps URL
This setting specifies whether users can access
telephone and map URLs in BlackBerry Access.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Allow telephone only This setting specifies whether users can access
telephoneURLs only.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow maps only This setting specifies whether users can access map
URLs only.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Identify BlackBerry
Access in User Agent
This setting specifies whether BlackBerry Access can
send its user agent string to servers hosting websites
that users visit. The user agent string identifies
BlackBerry Access in the HTTP request headers.
Servers use the information in the user agent string to
provide content tailored to BlackBerry Access.
BlackBerry Access for
iOS
Allow phone number to
dial using entitled and
installed Dynamics VOIP
apps (iOS Only)
This setting specifies whether users can make phone
calls using a third-party phone call service such as
CellTrust.
BlackBerry Access for
iOS
Enable pop-up windows This setting specifies whether BlackBerry Access
allows pop-up windows.
Disabling pop-up windows may cause issues with
applications such as Microsoft Exchange, that open
pop-up windows for tasks like composing new email
messages. If you disable this setting, when an app
tries to open a pop-up window, BlackBerry Access
displays a message that pop-up windows are blocked.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Allow other applications
to open urls in full screen
mode. (iOS only)
This setting specifies whether apps can open in full
screen mode by default.
BlackBerry Access for
iOS
|Managing BlackBerry Access|11
Setting Description Applies to
Allow import of
bookmarks from Safari
or Firefox
This setting specifies whether users can import
bookmarks that they export from other browsers into
BlackBerry Access.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
BlackBerry Access for
Android
Push Bookmarks This setting specifies bookmarks that will be
preloaded in BlackBerry Access to make it easier for
users to access work intranet webpages.
You can copy and paste the text of your bookmarks
file directly into this text box. The bookmarks must
follow the Netscape bookmark file format. For more
information, see https://gist.github.com/jgarber623/
cdc8e2fa1cbcb6889872.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable web clip feature This setting specifies whether users can use web
clips. Web clips are small icons on mobile devices
that link to webpages.
BlackBerry Access for
iOS
Allow users to perform
app diagnostics
This setting specifies whether users can perform app
diagnostics for BlackBerry Access. If this setting is
selected, the “Run Diagnostics” option appears in the
BlackBerry Access settings menu on users’ devices.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Enable APK installation
(Android only)
This setting specifies whether users can download
and install .apk files.
BlackBerry Access for
Android
Allow external apps
to open HTTP/HTTPS
URLs through BlackBerry
Access
This setting specifies whether third-party apps on the
device can open webpages in BlackBerry Access.
Note: For BlackBerry Access for iOS, links in
third-party, non-BlackBerry Dynamics apps can
open in BlackBerry Access only if they launch
with the following URL scheme: access://open?
url= (for example, access://open?url=http://
www.blackberry.com)
BlackBerry Access for
Android
BlackBerry Access for
iOS
Do not allow download
from any HTTP or
HTTPS site you have not
approved by whitelisting
it in BlackBerry Control
This setting specifies whether BlackBerry Access
users can download content from HTTP or HTTPS
webpages even if they haven't been added to an
allowed list.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Do not allow download
from any HTTPS site
you have not approved
by whitelisting it in
BlackBerry Control
This setting specifies whether BlackBerry Access
users can download content from HTTPS webpages
even if they haven't been added to an allowed list.
BlackBerry Access for
Android
BlackBerry Access for
iOS
|Managing BlackBerry Access|12
Setting Description Applies to
Enable export of
downloaded files to OS
file system (Windows
and Mac)
This setting specifies whether BlackBerry Work users
can download files directly to their device's default
download folder, instead of the BlackBerry Dynamics
secure container.
Note that allowing users to bypass the secure
container is a potential security risk.
BlackBerry Work for
Windows
BlackBerry Work for
macOS
Enable import of files
from OS file system
(Windows and Mac)
This setting specifies whether BlackBerry Work users
can attach files that aren't in the BlackBerry Dynamics
secure container.
BlackBerry Work for
Windows
BlackBerry Work for
macOS
Enable Direct
Downloads(Windows
and Mac)
This setting specifies whether BlackBerry Work
users can download attachments in email messages
directly to the device's file system, instead of into
the Download Manager in the BlackBerry Dynamics
Launcher.
BlackBerry Work for
Windows
BlackBerry Work for
macOS
Disable BlackBerry Work
(Windows and Mac)
This setting specifies whether users can use
BlackBerry Work.
BlackBerry Work for
Windows
BlackBerry Work for
macOS
Open HTML files
from other BlackBerry
Dynamics applications
This setting specifies whether BlackBerry Access can
open HTML files from other BlackBerry Dynamics
apps.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Enable Geolocation This setting specifies whether BlackBerry Access
users can allow webpages to access their device's
location.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Enable 3rd Party
Applications
This setting specifies whether BlackBerry Access can
open custom URL schemes supported by third-party
apps. By default, BlackBerry Access opens only HTTP
and HTTPS URL schemes.
If you select this setting, you must also set the "Enter
comma separated URL schemes" setting.
Note: Each URL string must be mapped as
yourstring://your.URL.string. For example, for Webex,
you could use wbx://yourcompany.webex.com.
In Access, the user would click on the anchor tag
<a href="wbx://blackberry.webex.com">wbx://
blackberry.webex.com</a> to open the local Webex
app and pass the string yourcompany.webex.com to
the app.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|13
Setting Description Applies to
Enter comma separated
URL schemes
This setting specifies the custom URL schemes that
BlackBerry Access can open.
The list must be separated by commas. For example,
itms-services,market,wbx,lync, where "itms-services"
is App Store, "market" is Google Play, "watchdox" is
BlackBerry Workspaces, "wbx" is WebEx, and "lync" is
Microsoft Lync Server.
This setting is valid only if the "Enable 3rd Party
Applications" setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enter JSON for search
engine titles and URLs
This setting specifies search engine links that
are added to the end of users' search results for
bookmarks, history, or downloads. They provide
users with easier access to search engines when they
perform searches.
In the text box, specify the search engine labels to
show in BlackBerry Access such as Google and the
corresponding search engine URLs. The text must
be in .json format and each entry must end with
[[GASEARCHKEY]]. For example:
[
{"Google" : "https://www.google.com/search?
q=[[GASEARCHKEY]]"}, {"Yahoo":"https://
search.yahoo.com/search?p=[[GASEARCHKEY]]"},
{"Bing":"http://www.bing.com/search?
q=[[GASEARCHKEY]]"}
]
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable QR Code
scanning
This setting specifies whether users can scan a QR
code.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow universal links
to external apps from
BlackBerry Access (iOS
only)
This setting allows BlackBerry Access to open
universal links to external apps,
BlackBerry Access for
iOS
To force policy update
to device, enter current
date and time and click
update
This setting allows you to send the updated app
settings to devices. It also refreshes PAC files.
Enter the current date and time, in either 24-hour
format or 12-hour format (for example, 02-16-2017
12:04AM in 12-hour format and 02-16-2017 0004 in
24-hour format) and click Update.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|14
Security
Setting Description Applies to
Allow SHA1 leaf or
intermediate certificates
This setting specifies whether BlackBerry Access
users can access https websites that use SHA1
signature TLS certificates and expired certificates. By
default, this setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow legacy/weak
algorithms (DES)
This setting specifies whether BlackBerry Access can
use 3DES algorithms.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow user to securely
save authentication
credentials
This setting specifies whether BlackBerry Access
users can save their authentication credentials that
they use to access webpages.
Note: BlackBerry Access supports saving only NTLM
or Kerberos authentication credentials. Passwords
entered into web forms are not saved even if this
setting is enabled.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Expire stored credentials
after
This setting specifies when the stored user
credentials expire. You can choose between "'Never
Expire" or "24 Hrs."
This setting is valid only if the "Allow user to securely
save authentication credentials" setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Allow to save web
form credentials and
credentials autofill
This setting specifies if a user can automatically fill
fields with saved passwords and credentials.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Alert user for invalid or
expired certificate
This setting specifies whether users will be notified
when certificates are invalid or expired.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|15
Setting Description Applies to
Enforce strict tunnel This setting specifies whether BlackBerry Access can
use only IP addresses and URLs listed in Connectivity
profiles. If an IP address or a URL is explicitly defined
to route DIRECT, the site is allowed and routes
DIRECT.
External sites that are not explicitly defined in the
Connectivity profile are blocked. However, if the
default route is configured to use a BlackBerry Proxy
cluster, all undefined IP addresses and URLs are
allowed. If external sites are not allowed, they are
blocked.
If the default route is set to DIRECT, all sites that are
not explicitly allowed are blocked.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Allow URL not in Allowed
Domains of Connectivity
Profiles to be loaded in
native browser
This setting specifies whether, when BlackBerry
Access users try to access webpages from
domains that aren't listed in the allowed domains in
Connectivity profiles, they are opened in the device's
native browser instead of BlackBerry Access.
This setting is valid only if the "Enforce strict tunnel"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
When user selects apply
to all during prompt
to open in third party
browser, do not prompt
again for all the hosts
under same domain.
This setting specifies whether,when user selects
“Always open links from “ <domain>” in Safari“, the
user will not be prompted again for any other hosts
user accesses within same domain.
This setting is valid only if the "Allow URL not in
Allowed Domains of Connectivity Profiles to be
loaded in native browser" setting is selected.
BlackBerry Access for
iOS
Do not prompt client cert
authorization for all sites
When a user uploads only one certificate to
BlackBerry UEM that matches a recognized CA,
selecting this setting allows the webpage requesting
authorization to obtain the certificate without
prompting the user. If the user has uploaded multiple
certificates from the same CA, the user is prompted
to select the certificate to use.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Do not prompt client cert
authorization for white
listed sites only
When a user uploads only one certificate to
BlackBerry UEM that matches a recognized CA,
selecting this setting allows all domains listed in the
allowed domains portion in Connectivity profiles to
obtain the certificate without prompting the user.
If the user has uploaded multiple certificates from
the same CA, the user is prompted to select the
certificate to use.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|16
Setting Description Applies to
List all certificates
available to user to
choose for client cert
authentication
Specify whether all uploaded encryption certificates
are displayed when a user attempts to access
websites that require a client cert.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Enable DLP Watermark This setting specifies whether or not to add a faint
background watermark across all application screens,
with the username and the current date and time.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow SameSite cookies
feature and associated
restrictions.
This setting specifies whether to allow SameSite
cookies.
Note: Some legacy websites may not function
properly when this settingis enabled.
BlackBerry Access for
iOS
Force authenticate
using NTLM over
Kerberos when NTLM
authentication is
possible to access
resources.
This setting specifies whether to force authentication
using NTML over Kerberos.
This policy is not applied when the FIPS policy is
enabled.
Note: If the NTLM override policy is enabled,
BlackBerry Access will force NTLM authentication, if
the website is configured to use Kerberos/KCD and
NTLM.
Note: Use this setting only if Kerberos authentication
is not available. This setting disables Kerberos to
improve performance by preventing extra network
roundtrips and timeouts to an unreachable KDC.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow MDM web content
restrictions (iOS Only)
This setting allows you to turn off MDM content filter
rules that are configured for Safari in BlackBerry
Access.
BlackBerry Access for
iOS
Enable biometric
authentication while
reusing saved credentials
(iOS only)
Enable biometric authentication while reusing saved
credentials (iOS only)
BlackBerry Access for
iOS
Allow JavaScript to clear
credentials
Web developers can use a JavaScript API to clear
credential storage when a user logs out of their
account on a web page.
If you are using the API, when you select this option,
you then specify which domains or hosts the policy
should apply to. You can add up to 10 domains.
Note: When you enable this feature, users will be
prompted for credentials on their next login.
BlackBerry Access for
Android
BlackBerry Access for
iOS
|Managing BlackBerry Access|17
Network
Setting Description Applies to
Enter comma separated
Kerberos realm
mappings e.g.:
foo=FOO.COMPANY.COM
This setting specifies Kerberos realm mappings.
Kerberos authentication realms define areas that are
under control of Kerberos. These mappings allow you
to equate realm names with other names that are
accessible or for some other reason.
The limit is 4000 characters.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Kerberos
Forwardable Ticket
This setting specifies whether Kerberos Forwardable
tickets can be used.
Forwardable tickets in Kerberos are client-side
authentication credentials that are tied to a particular
IP address that can be treated as new tickets with
other IP addresses.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Resolve short names
to full qualified domain
name (FQDN) for
Kerberos authentication
This setting specifies whether users can reach
servers by typing the unqualified domain name
instead of the FQDN for Kerberos authentication.
Enabling this setting may impact performance.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Disable file upload and
download on mobile
connections (Windows
Only)
This setting specifies whether files can be
downloaded or uploaded when users are connected
to a mobile network instead of a Wi-Fi network.
BlackBerry Access for
Windows
Enable HTTP 2.0 Support This setting specifies whether HTTP 2.0 is supported
in BlackBerry Access.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Enable Web Proxy This setting specifies whether BlackBerry Access can
communicate through a web proxy server.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|18
Setting Description Applies to
Use Proxy Auto
Configuration
PAC files make it easier for users to work with proxy
servers by hiding the complexities of authentication
from the end user.
If your organization uses a PAC file to define proxy
rules, you can select this setting to use the proxy
server settings from the PAC file that you specify.
Enabling this setting will override static web proxy
settings.
This setting requires BlackBerry Dynamics servers
version 1.6 and later.
This setting is valid only if the "Enable Web Proxy"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enter URL for PAC file
location
This setting specifies the URL for the web server that
hosts the PAC file, including the PAC file name. For
example, http://www.example.com/PACfile.pac.
Note: The PAC file must not be hosted on the same
server as Good Control or on the same server as
BlackBerry UEM or any of its components. This
configuration is not supported.
The limit is 4000 characters.
This setting is valid only if the "Enable Web Proxy" and
"Use Proxy Auto Configuration" settings are selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Use Static Web Proxy
(Full Tunnel)
This setting specifies whether communications are
enabled through a single web proxy service only.
This setting is valid only if the "Enable Web Proxy"
setting is selected.
Note: Enabling this setting overrides 'Enforce strict
tunnel' settings.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Proxy Host This setting specifies the the FQDN or IP address of
the proxy server.
This setting is valid only if the "Use Static Web Proxy
(Full Tunnel)" setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|19
Setting Description Applies to
Proxy Port This setting specifies the port number of the proxy
server.
This setting is valid only if the "Use Static Web Proxy
(Full Tunnel)" setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Use HTTPS web proxy
tunnel for above host
The HTTPS proxy can be specified either as a static
proxy or through PAC:
You can specify the HTTPS using a BlackBerry
UEM policy.
Example PAC script for an HTTPS proxy:function
FindProxyForURL(url, host) { return "HTTPS secure-
proxy.example.com:443"; }
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable PAC proxy check
for all the sub-resources
You can use this setting to enforce PAC processing
without caching.
Selecting this setting has an impact on the
performance of your organization’s environment.
It is recommended to use this feature for special
circumstances only.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
RSA
Setting Description Applies to
Enable RSA SecurID This setting specifies whether users can use RSA
SecurID token authentication to authenticate with
BlackBerry Access, instead of a password.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Prompt PIN for PINPAD
Token
This setting specifies whether users are always
prompted for an RSA SecurID PIN.
This setting is valid only if the "Enable RSA SecurID"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Token File Password
Retry Count
This setting specifies the number of times that a user
can enter an incorrect RSA SecurID PIN before they
are locked out.
This setting is valid only if the "Enable RSA SecurID"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
|Managing BlackBerry Access|20
Setting Description Applies to
Token Request SendTo
Email Address
This setting specifies the email address of your RSA
authentication manager. All RSA SecurID token seed
record requests are sent to this address.
This setting is valid only if the "Enable RSA SecurID"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Token Request CC Email
Address
This setting specifies the email address that should
be CC'd for all RSA SecurID token seed record
requests.
This setting is valid only if the "Enable RSA SecurID"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Token Request Email
Subject
This setting specifies the email subject for token
request emails.
This setting is valid only if the "Enable RSA SecurID"
setting is selected.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Features
Setting Description Applies to
Allow user to upload This setting specifies whether users can upload files
to web pages in BlackBerry Access. Files can have a
maximum size of 20 MB.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow user to take new
photos/videos and
upload
This setting specifies whether users can take photos
and videos and upload the photos and videosto a
web page. Users must allow BlackBerry Access to
access their cameras. Files can have a maximum size
of 20 MB.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow user to select
existing photos/videos to
upload
This setting specifies whether users can upload
existing photos and videos from their photo libraries
to a web page. Files can have a maximum size of 20
MB.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow user to select files
from file providers to
upload
This setting specifies whether users can upload files
from other file apps. Files can have a maximum size
of 20 MB.
BlackBerry Access for
Android
BlackBerry Access for
iOS
Allow user to upload
files from theDynamics
container
This setting specifies whether users can upload files
that have been downloaded to the downloads folder in
BlackBerry Access.
BlackBerry Access for
Android
BlackBerry Access for
iOS
|Managing BlackBerry Access|21
Setting Description Applies to
Allow WebRTC (iOS only) This setting turns on the use of WebRTC, which
provides microphone and camera support required by
services such as Zoom and Webex.
Note: WebRTC traffic is not routed through the
BlackBerry Dynamics secure tunnel regardless of the
network connectivity profile settings. WebRTC traffic
goes direct to the internet. Also, Connectivity profile
settings do not apply to WebRTC traffic.
BlackBerry Access for
iOS
Enable exporting to 3rd-
party native apps
Select the "Enable exporting to 3rd-party native apps"
option to specify whether to allow the transfer of files
to third-party native apps on the user's device. You
can allow and disallow specific apps by app ID.By
default, this setting is not selected.
Consider the following scenarios when you enable
this feature to allow or block exporting to 3rd-party
native apps:
If you select "Allow exporting to only these apps",
but do not specify one or more app IDs, the "Share"
option is not available and users are restricted
from sharing files to apps of their choice.
If you select "Allow exporting to only these apps"
and specify one or more app IDs, users can
sharefiles to the specifiedapps.When users try to
share a file to an app that is not listed, they receive
an error message.
If you select "Block exporting to only these
apps",but do not specify one or more app IDs,
users can share files toapps of their choice.
If you select "Block exporting to only these apps",
and specify one or more app IDs, users cannot
share files to the specified apps.
This policy is not applied whentheCylanceAvert
policy"Do not allow copying data from BlackBerry
Dynamics apps into non BlackBerry Dynamics
apps"option is selected in the BlackBerry Dynamics
profile.For more information about the BlackBerry
Dynamics profile, see the Managing BlackBerry
Dynamics apps content.
BlackBerry Access for
iOS
|Managing BlackBerry Access|22
BlackBerry Work (Mac and Win)
Setting Description Applies to
Launch mail app on
browser start
This setting specifies whether the mail app opens
instead of a browser windowwhen BlackBerry Access
starts.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable avatar photos This setting specifies whether users can set avatar
photos. If it is disabled, the user's initials appear
instead.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
EWS server Optionally, you can use this setting to specify the
URL that the mail app uses for Microsoft Exchange
Web Services provisioning.Otherwise, BlackBerry
Work uses autodiscovery methods to locate the EWS
server.
Optionally, you can enter a series of name=value pairs
separated by commas, where the name designates
an email domain and the value designates the URL
for the EWS endpoint for that domain.Using this
method, administrators can assign multiple users
with different EWS endpoints to the same application
policy and be able to controlwhere the mail app
accesses mail, based on the user’s email domain.
For example:
Single value: blackberry.com=http://
mail.blackberry.com
Multiple values: blackberry.com=http://
mail.blackberry.com,yahoo.com=https://
mail.yahoo.com
Note: BlackBerry Access does not validate the
entries. All related logs are prefixed by[WEB_MAIL]
EWS URL Resolution:at the INFO log level.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable KCD or PKNIT
Support
This setting specifies whether the mail app can use
Kerberos constrained delegation.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Use client certificate in
place of login/password
This setting specifies whether users can use SSL
certificates instead of using a login and password
to authenticate with BlackBerry Work. Depending
on your environment, SSL certificates must be
uploaded to BlackBerry UEM or Good Control. For
more information, see Managing certificates.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|23
Setting Description Applies to
Disable Notifications This setting specifies whether BlackBerry Work
displays notifications for mail and calendar events.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable email
ClassificationMarkings
This setting specifies whether to enable email
classification markings, such as INTERNAL,
CONFIDENTIAL, NO FORWARD, and/or NO REPLY.If
selected, specify the following sample information in
theClassifications and caveatsfield as required:
<emailClassificationMarks>
<options>
<classifications>ON</
classifications>
<caveats>OFF</caveats>
<classificationDefault>INTERNAL</
classificationDefault>
<caveatDefault>NO FORWARD</
caveatDefault>
</options>
<classifications>
<classification>
<select>INTERNAL</select>
<subject>(INTERNAL)</subject>
</classification>
<classification>
<select>CONFIDENTIAL</select>
<subject>[CONFIDENTIAL]</
subject>
</classification>
</classifications>
<caveats>
<caveat>
<select>NO FORWARD</select>
<subject>(DO NOT FORWARD)</
subject>
</caveat>
<caveat>
<select>NO REPLY</select>
<subject>(DO NOT REPLY)</
subject>
</caveat>
</caveats>
</emailClassificationMarks>
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Require all emails to have
Email Classification
This setting specifies whether users are required to
specify one of the classification options that are set in
the 'Enable email Classification Markings' policy xml
file.
This setting is valid only if the "Enable email
Classification Markings" setting is selected.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|24
Setting Description Applies to
Display warning while
sending message if
recipient's email domain
is unauthorized
This setting specifies whether to display a warning if
the user is sending an email to a recipient in an email
domain that is not authorized. If selected, specify
email domains you want to authorize in the Authorize
email domains field.
Users will notice that email addresses in untrusted
domains appear in purple text.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Default signing algorithm This setting specifies the algorithm to use for signing
sent messages.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Default encryption
algorithm
This setting specifies the algorithm to use for
encrypting sent messages.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Revocation
Checking
This setting allows you to setrevocation checking
of all certificates used for signing/encryption and
signing verification/decryption of S/MIME messages.
When you select this box, Use AIA extension in
certificate if present is selected by default.
In the Default OSCP URL field, specify the web
address of the OSCP service.The OCSP URI is
used by the S/MIME verification APIs as an OCSP
revocation check service if an AIA extension is not
present in a certificate or if the Use AIA extension
in certificate if present check box is not selected.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|25
Setting Description Applies to
Use Office 365 Modern
Authentication
This setting allows you to configure options for
Microsoft Office 365. Modern authentication enables
BlackBerry Work to us sign-in features such as Multi-
Factor Authentication and SAML-based third-party
Identity Providers. If selected, specify the following:
In the Azure App ID field, specify the Microsoft
Azure app ID for BlackBerry Work.
For information on how obtain an Azure app
ID, see Obtain anAzureapp ID forBlackBerry
WorkforWindowsandmacOS.
In the Office 365 Sign On URL field, specify the
web address that BlackBerry Work should use
when it signs in to Office 365.If you do not
specify a value, BlackBerry Work uses https://
login.microsoftonline.com during setup.
In the Office 365 Tenant ID field, specify the
tenant ID of the Office 365 server that you want
BlackBerry Work to connect to during setup.
In the Office 365 Resource field, specify the
resource URL of the Office 365 server that you
want BlackBerry Work to connect to during setup.
If you do not specify a value, BlackBerry Work
useshttps://outlook.office365.com during setup.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
BlackBerry Access (Mac and Win)
Setting Description Applies to
Enable WebRTC This setting specifies whether to enableaccess to
WebRTC protocol-based destinations such as Citrix
VDI browser-based access.
For information on how to configure BlackBerry
Access to support WebRTC, see Configure access to
WebRTC-based destinations.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Microphone
Access
This setting specifies whether BlackBerry Access
should display a prompt that allows users to permit
websites to use the device's microphone. You can
enable it only if WebRTC is enabled.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Camera Access This setting specifies whether BlackBerry Access
should display a prompt that allows users to permit
websites touse the device's camera.You can enable
it only if WebRTC is enabled.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|26
Setting Description Applies to
Enable UDP Protocol
support
This setting specifies whether to allow UDP
connections initiated by websites.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Printing This setting specifies whether to allow users to print
web pages.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable embedded PDF
viewer
This setting specifies whether to allow users to view
embedded PDFs from within BlackBerry Access.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Automatically open
PDF and Microsoft
Office documents after
download
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Microsoft Office
URI support
Only Microsoft Office URIs that specify online
documents are supported.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable Upgrade
Notifications
This setting specifies whether to push notifications to
users when a new upgrade is available.
If selected, specify the following:
In the Min Windows Version field, specify the
minimum BlackBerry Access for Windows version.
If there are versions available that are later than
the version specified in this field, users will be sent
an upgrade notification.
In the Min Mac Version field, specify the minimum
BlackBerry Access for macOS version. If there are
versions available that are later than the version
specified in this field, users will be sent an upgrade
notification.
In the Win Download URL field, specify the URL for
the BlackBerry Access for Windows app.
In the Mac Download URL field, specify the URL
for the BlackBerry Access for Windows app.
In the Notification Message, you can create a
custom message or leave the default message.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Managing BlackBerry Access|27
Setting Description Applies to
Enable Awingu Extension This setting specifies whether to enable the Awingu
extension which allows users to store their Awingu
credentials. Also, when enabled, an icon is added to
the toolbar in BlackBerry Access and users can launch
Awingu by clicking the icon in the toolbar.
If selected, you must specify the following:
In the Awingu URL field, specify your
organization's Awingu URL. For example,
yourcompany.awingu.com
In the Awingu DOMAIN field, specify your
organization's Awingu domain.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable installation of
extensions
This setting specifies whether to allow websites to
download extensions for third-party apps.
If selected, in the Permitted Extension Ids field,
specify one more more extension IDs that can be
installed. The source can be from any URL.
Note: WebEx and Skype can be enabled either by
adding their extension ids or by adding their protocols
to the external protocols list.
In the Chrome app store, users can add only apps that
have permitted extensions.
If anextension is enabled and installed, and the
administrator removes its ID, the extension is
removed from BlackBerry Access. If the administrator
re-adds the extension, the user must restart
BlackBerry Access to be able to add the app from the
Chrome app store.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Enable developer mode This setting allows you to enable developer mode in
BlackBerry Access.
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Obtain anAzureapp ID forBlackBerry WorkforWindowsandmacOS
If you are configuringOffice 365settings in the app configuration forBlackBerry Work, you may need to obtain
and copy theAzureapp ID forBlackBerry WorkforWindowsandmacOS.
Note: If you have already created anAzureapp ID forBlackBerry WorkforiOSandBlackBerry
WorkforAndroid,make sure that you do not use the sameAzureapp ID forforBlackBerry
WorkforWindowsandmacOS.BlackBerry WorkforWindowsandmacOSneed their ownAzureapp ID.
1. Log on toportal.azure.com.
2. In the left column, clickAzure Active Directory.
3. ClickApp registrations.
4. ClickNew registration.
|Managing BlackBerry Access|28
5. In theNamefield, enter a name for the app. This is the name that users will see.
6. Select a supported account type.
7. In theRedirect URIdrop-down list, selectPublic client (mobile & desktop). and enterchrome-extension://
glilhfdenplejncjmngdaojopbobomfa/login.html
8. ClickRegister.
9. In theManagesection, clickAPI permissions.
10.ClickAdd a permission.
11.In theSelect an APIsection, click theMicrosoft APIstab.
12.SelectExchange.
13.If your environment is usingOffice 365 Exchange Online, set the following permissions:
Delegated permissions: Access mailboxes as the signed-in user via Exchange Web Services (EWS >
EWS.AccessAsUser.All).
14.ClickAdd permissions.
15.ClickMicrosoft Graph. IfMicrosoft Graphis not listed, addMicrosoft Graph.
16.Set the following permissions forMicrosoft Graph:
Delegated permissions
Sign in and read user profile (User > User.Read)
Send mail as a user(Mail > Mail.Send)
17.Click one of the following:
IfMicrosoft Graphexisted in the API permissions list, clickUpdate permissions.
If you needed to addMicrosoft Graph, clickCreate.
18.ClickGrant Permissionsto apply the permissions for the app. These settings will not be applied to the app
until you have granted the updated permissions.
19.ClickYes.
You can now copy the Application ID for the app that you created.In theManagesection, clickOverview.It is
located under the name of the app, in the Application ID field.
Configuring theBlackBerry Dynamics Launcher
TheBlackBerry Dynamics Launcherallows users to access theirBlackBerry Dynamicsapps in one place. Using
theBlackBerry Dynamics Launcherbutton, users can access things such asBlackBerry Work(mail, calendar,
contacts), app catalogs, and downloads, from theBlackBerry Accessbrowser window.
You can configure theBlackBerry Dynamics Launcherin theBlackBerry Enterprise Mobility Server. You can also
set a customized icon for theBlackBerry Dynamics Launcher.
For more information,see theBlackBerry Enterprise Mobility Servercontent.
Adding the work app catalog to theBlackBerry Dynamics Launcher
You can add the work app catalog to theBlackBerry Dynamics Launcherso that users have quick access to a list
of their assigned work apps.
ForBlackBerry Access for Androiddevices, when users select theBlackBerry UEM App Catalogicon in
theBlackBerry Dynamics Launcher, the work app catalog opens in theBlackBerry UEM Client.
ForBlackBerry Access for iOSdevices, when users select theBlackBerry UEM App Catalogicon in theBlackBerry
Dynamics Launcher, the work app catalog opens in theBlackBerry Access for iOSbrowser.
|Managing BlackBerry Access|29
Whitelist theBlackBerry UEM App Catalogin theBlackBerry
DynamicsConnectivity profile
TheBlackBerry UEM App Catalogfeature is configured automatically byBlackBerry UEMand must be able to
route through the Internet. If theRoute all trafficoption is not selected in theBlackBerry DynamicsConnectivity
profile, you must configure the *.bbsecure.com domain requests to route through Direct. For more information on
theBlackBerry DynamicsConnectivity profile, seeSetting up network connections for BlackBerry Dynamics apps.
1. On the menu bar, clickPolicies and Profiles.
2. ClickNetworks and connections>BlackBerry Dynamics connectivity.
3. Select the connectivity profile that you want to edit.
4. In theDomaintable, click+.
5. On theAllowed Domainscreen, enter the following:
a) In theDomainfield, enter*.bbsecure.com.
b) SelectDirect.
6. ClickSave.
Configure single sign-on for BlackBerry Access in Good Control
You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office
365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on
Windows Authentication and Kerberos.
Configure Good Control for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM or Good
Control.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use
Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should
already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
a) Open a command prompt on a computer with Active Directory RSAT tools installed.
b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your
Active Directory Federation Services server.
This command exposes the name service account that serves Active Directory Federation Services. For a safer
form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP
SPN of the Active Directory Federation Services service account with the following command: setspn -S
HTTP/fqdn.of.adfs.serverADFS_service_account, where ADFS_service_account is the name of the Active
Directory Federation Services service account shown in the previous command.
2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services
allows only known user agents to use Windows Authentication. All other user agents are considered external
and are served with Forms Based Authentication (FBA) or certificate authentication.
a) To enable single sign-on in BlackBerry Access you need to add the BlackBerry Access user agent string
to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and
Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with
Mozilla/5.0.
|Managing BlackBerry Access|30
b) To verify the Active Directory Federation Services user agents, enter the following command: Get-
ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
c) Edit and run the following script to add the new user agent to Active Directory Federation Services.
$NewUserAgent must be edited to the value that you will add.
$NewUserAgent = "Mozilla/5.0"
$CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty
WIASupportedUserAgents
$UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
d) To verify that the Active Directory Federation Services user agent has been added, run the Get-
ADFSProperties command again: Get-ADFSProperties | Select -ExpandProperty
WIASupportedUserAgents
e) Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account of Good Control.
a) Log in to Good Control.
b) Navigate to the Server Properties tab.
c) Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active
Directory.
d) On your Microsoft Active Directory server, click the Delegation tab.
e) Click ADD and enter the Active Directory Federation Services service account name that you discovered in
step 1.
f) Add the HTTP SPN.
g) Click OK.
Configure single sign-on for BlackBerry Access in BlackBerry UEM
You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office
365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin:
Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on
Windows Authentication and Kerberos.
Configure BlackBerry UEM for Kerberos constrained delegation.
Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM.
1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use
Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should
already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
a) Open a command prompt on a computer with Active Directory RSAT tools installed.
b) Enter the command: setspn -q HOST/fqdn.of.adfs.server where fqdn.of.adfs.server is the FQDN of your
Active Directory Federation Services server.
This command exposes the name service account that serves Active Directory Federation Services. For a safer
form of delegation (HOST allows any protocol, only HTTP is needed) you might want to register the HTTP
SPN of the Active Directory Federation Services service account with the following command: setspn -S
HTTP/fqdn.of.adfs.serverADFS_service_account, where ADFS_service_account is the name of the Active
Directory Federation Services service account shown in the previous command.
|Managing BlackBerry Access|31
2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services
allows only known user agents to use Windows Authentication. All other user agents are considered external
and are served with Forms Based Authentication (FBA) or certificate authentication.
a) To enable single sign-on in BlackBerry Access you need to add the BlackBerry Access user agent string
to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and
Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with
Mozilla/5.0..
b) To verify the Active Directory Federation Services user agents, enter the following command: Get-
ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
c) Edit and run the following script to add the new user agent to Active Directory Federation Services.
$NewUserAgent must be edited to the value that you will add.
$NewUserAgent = "Mozilla/5.0"
$CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty
WIASupportedUserAgents
$UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
d) To verify that the Active Directory Federation Services user agent has been added, run the Get-
ADFSProperties command again: Get-ADFSProperties | Select -ExpandProperty
WIASupportedUserAgents
e) Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account.
a) Log in to BlackBerry UEM.
b) Click Settings > BlackBerry Dynamics > Properties.
c) Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active
Directory.
d) On your Microsoft Active Directory server, click the Delegation tab.
e) Click ADD and enter the Active Directory Federation Services service account name that you discovered in
step 1.
f) Add the HTTP SPN.
g) Click OK.
Setting up a PAC file to manage a proxy infrastructure
A work network can have complex traffic flows between local networks, connected vendor and partner networks,
and the Internet. DNS domains are often split between internal and Internet hosts that require complex routing. A
PAC file is an efficient way to manage a complex proxy infrastructure.
A PAC file is aJavaScriptfunction definition that determines whether web browser requests (HTTP, HTTPS, and
FTP) go directly to the destination or if they are forwarded to a web proxy server. PAC files can support proxy
deployments in which clients are configured to send traffic to the web proxy.
The benefits of using a PAC file:
A PAC file allows you to automatically:
Send Internet-bound HTTP, HTTPS, and FTP traffic directly to the proxy
Send Intranet traffic directly to the destination
Make exceptions for internal or external sites that must be routed or bypass the proxy
A PAC file locks down theBlackBerry AccessLAN egress configuration
A PAC file provides a flexible, easy-to-maintain, and script-driven method of controlling the routing of web
requests
|Managing BlackBerry Access|32
A PAC file can include code that handles proxy load distribution and failover
A PAC file can be stored and updated in a central location, instead of distributed on multiple servers and
devices; when a PAC file is changed, client browsers retrieve the updated copy the next timeBlackBerry
Accessis launched
A PAC filecan be configured to return DIRECT, NATIVE, BLOCK, or PROXY to have more granular control over
browsing
Note:
It is a best practice to keep the PAC file size under 1 MB to ensure proper performance.
The return values in the PAC file must not contain spaces or newline characters.
The PAC file must not be hosted on the same server asGood Controlor on the same server asBlackBerry
UEMor any of its components. This configuration is not supported.
PAC file example
PAC files should start with a clear and concise coding methodology. You can achieve the same result
using several different methods using the PAC file functions that are available and the flexibility of
theJavaScriptlanguage. The following example shows how to:
Normalize the requested URL for pattern matching
Bypass the proxy when the destination is a plain hostname (a hostname that doesn't include a domain)
Bypass the proxy for a defined set of local domains
Bypass non-routable addresses (RFC 3330, better known as Special-Use IPv4 Addresses)
Send remaining HTTP, HTTPS, and FTP traffic to a specific proxy
function FindProxyForURL(url, host)
/* Normalize the URL for pattern matching */
{
url = url.toLowerCase();
host = host.toLowerCase();
/* Don't proxy local hostnames */
if (isPlainHostName(host))
{
return 'DIRECT';
}
/* Don't proxy local domains */
if (dnsDomainIs(host, ".example1.com") ||
(host == "example1.com") ||
dnsDomainIs(host, ".example2.com") ||
(host == "example2.com") ||
dnsDomainIs(host, ".example3.com") ||
(host == "example3.com"))
{
return 'DIRECT';
}
/* Don't proxy non-routable addresses (RFC 3330) */
if (isInNet(hostIP, '0.0.0.0', '255.0.0.0') ||
isInNet(hostIP, '10.0.0.0', '255.0.0.0') ||
isInNet(hostIP, '127.0.0.0', '255.0.0.0') ||
isInNet(hostIP, '169.254.0.0', '255.255.0.0') ||
isInNet(hostIP, '172.16.0.0', '255.240.0.0') ||
isInNet(hostIP, '192.0.2.0', '255.255.255.0') ||
isInNet(hostIP, '192.88.99.0', '255.255.255.0') ||
isInNet(hostIP, '192.168.0.0', '255.255.0.0') ||
|Managing BlackBerry Access|33
isInNet(hostIP, '198.18.0.0', '255.254.0.0') ||
isInNet(hostIP, '224.0.0.0', '240.0.0.0') ||
isInNet(hostIP, '240.0.0.0', '240.0.0.0'))
{
return 'DIRECT';
}
/* Don't proxy local addresses.*/
if (false)
{
return 'DIRECT';
}
}
if (url.substring(0, 5) == 'http:' ||
url.substring(0, 6) == 'https:' ||
url.substring(0, 4) == 'ftp:')
{
return 'PROXY xyz1.example.com:8080';
}
return 'DIRECT';
}
The following example shows a simple load distribution and failover using DNS:
{
if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0"))
{ return "PROXY xyz1.example.com:8080; " +
"PROXY xyz2.example.com:8080";
}
if (isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0"))
{ return "PROXY xyz1.example.com:8080; " +
"PROXY xyz2.example.com:8080";
}
if (isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0"))
{ return "PROXY xyz2.example.com:8080; " +
"PROXY xyz1.example.com:8080";
}
if (isInNet(myIpAddress(), "10.4.0.0", "255.255.0.0"))
{ return "PROXY xyz2.example.com:8080; " +
"PROXY xyz1.example.com:8080";
}
else return "DIRECT";
}
The following example (new in version 2.9) shows how to specify URLs to open in the native browser and URLs to
block:
function FindProxyForURL(url, host)
{
if (shExpMatch (url, "*example.org*")){
return "PROXY example.net:8080; PROXY :3128";
}
if (dnsDomainIs (host, "blackberry.com")){
return "NATIVE";
}
if (dnsDomainIs (host, ".example.com")){
|Managing BlackBerry Access|34
return "BLOCK";
}
//redirect on http page
if (shExpMatch (url, "*domain123.example.net*")){
return "BLOCK http://domain1.example.org/";
}
return "DIRECT";
}
Configure PAC settings inBlackBerry UEM
Before you begin: Verify that the PAC file is not hosted on the same server asBlackBerry UEMor any of its
components. This configuration is not supported.
1. In theBlackBerry UEMmanagement console, on the menu bar, clickApps.
2. Click theBlackBerry Accessapp.
3. On theBlackBerry Dynamicstab, in theApp configurationtable, click the app configuration that you want to
edit.
4. Click theNetworktab.
5. Select theEnable Web Proxyoption.
6. Select theUse Proxy Auto Configurationoption.
7. In theEnter URL for PAC file locationfield, type the fully qualified PAC file location.
8. Click theSecuritytab.
9. Select theEnforce strict tunneloption.
10.ClickSave.
11.For theBlackBerry Dynamicssubsystem to route traffic to a proxy resolved by the PAC file, every proxy server
and the PAC location must be allowed access throughBlackBerry Proxy. Perform the following actions:
a) ClickPolicies and profiles.
b) ExpandConnectivity (BlackBerry Dynamics).
c) ClickDefault.
d)
Click .
e)
In theAllowed Domainstable, click .
f) Enter the domain and select theBlackBerry Proxyinstances to use with the proxy server that you included
in the PAC file .
g) ClickSave.
h)
Click to add more PAC hosts.
Configure PAC settings in Good Control
Before you begin: Verify that the PAC file is not hosted on the same server as Good Control. This configuration is
not supported.
1. In to the Good Control console, in the navigator, click Policy Sets.
2. Select the BlackBerry Access policy that you want to configure.
3. Click the Edit icon.
4. Click the Application Policies tab.
5. Click Good Access.
6. Click the Network tab.
|Managing BlackBerry Access|35
7. Select the Enable Web Proxy option and enter the fully qualified PAC file location.
8. In the Enter URL for PAC file location field, type the fully qualified PAC file location.
9. For on-premises deployments, click the Security tab and make sure that the Enforce strict tunnel option is
selected. For cloud deployments, Strict Tunnel must be disabled or you will block access to external sites.
10.Click Update.
11.For the BlackBerry Dynamics subsystem to route traffic to a proxy resolved by the PAC file, every proxy server
and the PAC location must be allowed access through Good Proxy. Perform the following actions:
a) In the navigator, under Policies, click Connectivity Profiles.
b) Click Master Connection Profile.
c) Beside Allowed Domains, click Edit.
d) Enter the domain and select the Good Proxy instances to use with the proxy server that you included in the
PAC file.
e) Click Add to include more entries.
f) Click Save to save these settings.
12.For on-premises deployments, verify that Strict Tunnel is enabled by repeating Steps 1 and 2 above and then
clicking the Security tab. For cloud deployments, Strict Tunnel must be disabled or you will block access to
external sites.
Test a PAC configuration
When you test PAC configurations, it's recommended that you enable debugging and detailed logging to
accurately capture the sequence of operations. When detailed logging is enabled from the app, BlackBerry
Access logs proxy-related errors to a special console found in device settings. To view this console, you can open
BlackBerry Access on the device, tap Settings > Console.
BlackBerry Access also provides network utilities that can be used to debug a PAC file policy. To view these
network utilities from the device, you can tap Settings > Advanced – Network Utilities, select PAC Resolve, and
enter an IP or Hostname to check how the currently applied PAC file resolves it.
Refreshing PAC configuration on devices
You can ensure that the latest PAC configuration has been pushed to all devices by forcing a policy refresh of the
BlackBerry Access policies and PAC settings in either BlackBerry UEM or Good Control.
Force a policy and PAC file refresh in BlackBerry UEM
If you have changed a policy and want to force BlackBerry UEM to send updates, including refreshing the PAC
files on devices, perform the following steps in BlackBerry UEM:
1. On the menu bar, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to
edit.
4. On the General tab, scroll to the To force policy update to device, enter current date and time and click update
field.
5. Enter the date and time in either 24 hour format or 12 hour format. For example, 02-16-2017 12:04AM (12-
hour) and 02-16-2017 0004 (24-hour).
6. Click Save.
Force a policy and PAC file refresh in Good Control
The Good Control server sends policy updates to all client devices when the policies have been changed.
|Managing BlackBerry Access|36
If you have changed a policy and want to force Good Control to send updates, including refreshing the PAC files
on devices, perform the following steps in Good Control:
1. Click Policy Sets.
2. Click the policy set that you want to configure.
3. Click the Apps tab.
4. Expand the App Specific Policies section.
5. Scroll to find the entry for BlackBerry Access and click to expand.
6. Click the General tab.
7. Scroll to the To force policy update to device, enter current date and time and click update field.
8. Enter the date and time in either 24 hour format or 12 hour format. For example, 02-16-2017 12:04AM (12-
hour) and 02-16-2017 0004 (24-hour).
9. Click Update.
PAC file FAQ
What happens when a PAC file can't be downloaded?
If a PAC policy is mentioned but the PAC file can't be downloaded, BlackBerry Access doesn't allow the browser
to navigate to any web sites, and users see the following message: "Invalid web proxy configuration". Users can
try reloading the page to restart the PAC file download so that BlackBerry Access can try to download the PAC file
again.
When is a PAC file downloaded and how long is it cached?
For iOS devices, the PAC file is downloaded whenever the BlackBerry Access policy is updated and the app is
unlocked. Whenever the BlackBerry Access policy comes to the app, the download sequence starts. When the
device starts receiving the PAC file, the previous PAC file is replaced with the new one. After it is downloaded, the
data is stored in a persisted file and it's not downloaded again unless a new policy is pushed by Good Control.
For Android devices, the PAC file is downloaded only at the time the user tries to load a webpage. When it's
downloaded, the PAC data is stored in memory (not persisted) and not downloaded again until either the policy is
updated, the app is restarted, or whenever the network changes. The PAC file is downloaded again when a user
accesses a webpage after restarting the device or when network changes occur.
You can use the "Enable PAC proxy check for all the sub-resources" app setting to enforce PAC processing
without caching. Setting this app setting has an impact on the performance of your organization’s environment.
It's recommended to use this feature for special circumstances only.
Is there a cache timeout that controls whether the client will download PAC regularly?
There's no cache timeout for PAC files. The client doesn't download a new configuration unless it meets the
criteria described in the previous question.
How can you force clients to update PAC files if the PAC URL is the same but the PAC content has changed?
Due to a limitation in Good Control, you cannot apply the policy without changing one of the fields in the policy.
You can force a refresh of BlackBerry Access policies, including PAC configuration, on user's devices.
|Managing BlackBerry Access|37
Why do users see an "Invalid Web Proxy Configuration" error message and how can users diagnose the problem?
This error message is displayed due to various conditions related to PAC files or the proxy server. Users can go
to the console in BlackBerry Access to see more details. This error message can be displayed for the following
reasons:
The PAC script couldn't be executed because of a JavaScript error. Unfortunately, BlackBerry Access can't
detect JavaScript errors. It's recommended that you first test the PAC file in a browser on a computer and then
deploy it to devices. A PAC tester tool is available to test the PAC here: https://code.google.com/p/pactester/.
The PAC file returns an empty value. In the case of computer browsers, they fall back to a connection without
a web proxy. However, for security reasons, BlackBerry Access doesn't fall back and displays an error message
instead.
None of the web proxies returned by the PAC files are whitelisted in Good Control client connections. For more
information, see Configure PAC settings in Good Control.
The PAC URL is invalid, is not whitelisted, or the PAC URL couldn't be connected to. For more information, see
Configure PAC settings in Good Control.
Manual proxy is set but the proxy details haven't been configured. For more information, see Configure PAC
settings in Good Control.
Configure RSA SecurID soft token authentication
BlackBerry Access for iOS and Android devices supports RSA SecurID soft token authentication. The software
consists of an app and a separately installed, software-based security token that transfers password protection
and authentication delegation to Good for Enterprise.
BlackBerry Access contains an embedded RSA SecurID authenticator that can generate and display a 6-digit or 8-
digit tokencode at 30 or 60 second intervals.
1. To start a user’s RSA SecurID software authenticator, provision an RSA SecurID software token seed record
and send it to the user in an email so that they can import the seed record into BlackBerry Access.
2. Configure an RSA SecurID application policy in BlackBerry UEM or Configure an RSA SecurID application policy
in Good Control. The policy includes the email address of an RSA Authentication Manager administrator who
is responsible for assigning and delivering software token seed records.
3. Generate the Compressed Token Format URL with the RSA Authentication Manager. Replace the protocol
portion of the URL to send an HTTP URL to Good for Enterprise so that it can import the RSA token into
BlackBerry Access:
Change the com.rsa.securid://ctf?ctfData=numeric_string or custom_url_scheme://ctf?
ctfData=numeric_string to http://ctf?ctfData=numeric_string.
The URL is case sensitive: ctfData must be mixed case, as shown.
4. The seed record must be delivered in an .sdtid file or a Compressed Token Format URL. The user imports the
seed record into BlackBerry Access.
5. A user that has BlackBerry Access already activated on their device opens the email message and clicks the
RSA token to install it in BlackBerry Access.
After you finish:
The RSA administrator assigns a software token to the user, binds it to the user’s device ID, and sends the
seed record to the user in a Compressed Token Format URL format.
The user opens the seed record in BlackBerry Access.
BlackBerry Access imports the seed record and instantiates the RSA SecurID authenticator.
|Managing BlackBerry Access|38
Configure an RSA SecurID application policy in BlackBerry UEM
1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to
edit.
4. Click the RSA tab.
5. Select the Enable RSA SecurID checkbox.
6. BlackBerry Access must prompt a PINPAD software token user to enter their PIN in order to generate an RSA
SecurID passcode. If you want BlackBerry Access to prompt users each time they request a passcode, select
the Prompt PIN for PINPAD Token check box. Otherwise, BlackBerry Access will cache the PIN.
7. Enter your RSA Authentication Manager administrator’s email address in the RSA Administrator Email
Address field. Good Control will send all token seed record requests to this address.
8. If you want to CC a recipient each time a BlackBerry Access user requests an RSA SecurID seed record, enter
the recipient’s email address in the RSA Administrator CC Email Address field.
9. Click Save.
Configure an RSA SecurID application policy in Good Control
1. In the Good Control console, click Policy Sets.
2. Locate the policy set that you want to configure in the Policy Sets table and click the edit icon in the Action
column.
3. Click the Apps tab.
4. In the App Specific Policies section, expand the BlackBerry Access policy.
5. Click the RSA tab.
6. Select the Enable RSA SecurID checkbox.
7. BlackBerry Access must prompt a PINPAD software token user to enter their PIN in order to generate an RSA
SecurID passcode. If you want BlackBerry Access to prompt users each time they request a passcode, select
the Prompt PIN for PINPAD Token check box. Otherwise, BlackBerry Access will cache the PIN.
8. Enter your RSA Authentication Manager administrator’s email address in the RSA Administrator Email
Address field. Good Control will send all token seed record requests to this address.
9. If you want to CC a recipient each time a BlackBerry Access user requests an RSA SecurID seed record, enter
the recipient’s email address in the RSA Administrator CC Email Address field.
10.Click Update.
Kerberos authentication support
BlackBerry Access fully supports Kerberos authentication. Kerberos authentication is an integral part of Microsoft
Active Directory implementations that has increasingly become a centerpiece of enterprise-level interoperability.
It provides secure user authentication through the Active Directory domain controller, which maintains the user
account and login information necessary to access your organization's network.
The Kerberos protocol governs three system participants:
1. A KDC
2. The client device
3. The server it wants to access
The KDC is installed as part of the domain controller and performs two service functions: the Authentication
Service and the TGS.
|Managing BlackBerry Access|39
When they log in to your network, users must negotiate access by providing a login name and password that's
verified by the AS portion of the KDC within their domain. The KDC has access to the Active Directory user
account information. After a user is authenticated, the user is granted a TGT that's valid for the local domain. The
TGT is cached on the device, which uses it to request sessions with services throughout the network. You can
configure the TGT’s default expiration.
In addition, BlackBerry Access is certified for Kerberos Constrained Delegation, a BlackBerry Dynamics platform
feature that lets domain administrators restrict the network resources that a service trusted for delegation can
access by limiting the scope where application services can act on a user’s behalf. When configured, Kerberos
Constrained Delegation restricts which front-end service accounts can delegate to their back-end services. By
supporting constrained delegation across domains, services can be configured to use constrained delegation to
authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication
support for across-domain service solutions by using an existing Kerberos infrastructure without needing to trust
front-end services to delegate to any service.
Mapping domains to Kerberos realms
When a client attempts to access a service running on a particular server, it knows the name of the service (host)
and the name of the server (for example, server01.example.com), but because more than one Kerberos realm may
be deployed on your network, it must guess the name of the realm in which the service resides.
By default, the name of the realm is taken to be the DNS domain name of the server in uppercase letters.
Example Domain Name EXAMPLE Kerberos REALM NAME
server01.example.org EXAMPLE.ORG
server01.example.com EXAMPLE.COM
server01.hq.example.com HQ.EXAMPLE.COM
In many configurations, this is sufficient, but in others, the derived realm name might not be the name of a
valid realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be
specified, as shown below.
For BlackBerry Access domain-to-realm mapping, you can record a list of comma-separated equivalencies in
which the first mapping in the list is treated as the default domain mapping. It will be used if the user has left the
domain field empty, as well as when the server requires NTLM or Kerberos authentication.
Another frequent use of this mapping is to equate a NetBiOS name that users might be familiar with to a Kerberos
realm name that becomes more recognizable.
Note: Do not hard code URLs that use IP addresses. If users can manually enter a URL, instruct users to avoid
URLs that use an IP address. Otherwise, when the app tries to access a web page using an IP address, after
the user enters their credentials, the web page does not load as expected and the user is prompted for their
credentials again in a loop.
Map domains to Kerberos realms in BlackBerry UEM
1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the App configuration table, click the app configuration that you want to
edit.
4. Click the Network tab.
|Managing BlackBerry Access|40
5. In the field provided, enter the list of comma-separated values, using this
syntax:domain=KERBEROS_REALM_NAME
The value of KERBEROS_REALM_NAME must always be in uppercase letters.
Example: eastdomain=EAST.EXAMPLE.CORP
6. Click Save.
Map domains to Kerberos realms in Good Control
1. In the Good Control console, click Policy Sets.
2. Locate the policy set that you want to configure in the Policy Sets table and click the edit icon in the Action
column.
3. Click the Apps tab.
4. In the App Specific Policies section, expand the BlackBerry Access policy.
5. Click the Network tab.
6. In the field provided, enter the list of comma-separated values, using this
syntax:domain=KERBEROS_REALM_NAME
The value of KERBEROS_REALM_NAME must always be in uppercase letters.
Example: eastdomain=EAST.EXAMPLE.CORP
7. Click Update.
Managing certificates
BlackBerry UEMandGood Controlsupport the use of public and private key (PKCS #12) certificates for signing
email and client authentication.
The following section explains how to allow users to use certificates withBlackBerry Access. It assumes that you
have already set up your environment to communicate with your CA. If you have not completed this step, refer to
the following instructions, depending on your environment:
Connect BlackBerry UEM to your organization’s BlackBerry Dynamics PKI Connector
In theGood Controlonline help, see theCertificates Definitions Tabsection.
For more information on setting up your environment to use certificates, refer to the following:
ForGood Control,see the Certificates section in theGood Controlonline help.
ForBlackBerry UEM,see the Certificates section in theBlackBerry UEMadministration content.
Verify that BlackBerry Access can use certificates in BlackBerry UEM
By default, the BlackBerry Work and BlackBerry Access apps are allowed to the use PKCS#12 certificates. For
other BlackBerry Dynamics apps, you must allow them to use certificates. To verify that BlackBerry Access can
use certificates, complete the following steps.
1. In the BlackBerry UEM console, click Apps.
2. Click the BlackBerry Access app.
3. On the BlackBerry Dynamics tab, in the User certificates section, make sure that the Allow BlackBerry
Dynamics apps to use user certificates, SCEP profiles, and user credential profiles option is selected.
4. Click Save.
|Managing BlackBerry Access|41
Verify that BlackBerry Access can use certificates in Good Control
By default, the BlackBerry Work and BlackBerry Access apps are allowed to the use PKCS#12 certificates. You
must add any other apps that you want to allow to the App Usage tab in Good Control. To veryify that BlackBerry
Access can use certificates, complete the following steps.
1. Navigate to the Certificates > App Usage tab.
2. To add an app, click Add App.
3. In the dialog box, find the app that you want to add and select it. Click OK.
4. To remove an application, scroll through the list to find the app to remove.
5. Click X beside the app.
6. Click OK to remove the app or Cancel to retain it.
Upload certificates for users inBlackBerry UEM
The client certificate must have a .pfx or .p12 file name extension. You can send more than one client certificate
to devices.
1. On the menu bar, clickUsers.
2. Search for a user account.
3. In the search results, click the name of a user account.
4.
In theIT policy and profilessection, click .
5. ClickUser certificate.
6. Type a description for the certificate.
7. In theCertificate filefield, clickBrowseto locate the certificate file.
8. ClickAdd.
Upload certificates for users in Good Control
You can upload PKCS#12 certificate files for users in Good Control.
Before you begin: The certificate files must have either a .p12 or .pfx file extension.
1. Navigate to Users and Groups.
2. Select a user to edit and click User Actions > Edit User.
3. Click the Certificates tab.
4. Click Upload.
5. Navigate to the PKCS#12 certificate file on your computer.
6. Select or open the file.
7. Follow the instructions on the screen to upload the certificate file.
Good Control displays the date of the upload. Good Control can't display more information about the certificate
until the user uses the certificate at least once by entering the password to the certificate file. Until the password
is entered, the certificate is encrypted and details can't be obtained from it.
Delete certificates for users in BlackBerry UEM
You can delete PKCS #12 certificate files for users in BlackBerry UEM.
1. On the menu bar, click Users.
2. Search for a user account.
3. In the search results, click the name of a user account.
|Managing BlackBerry Access|42
4.
In the BlackBerry Dynamics user certificates table, click beside the certificate that you want to delete.
Delete certificates for users in Good Control
You can delete PKCS#12 certificate files for users in Good Control.
1. Navigate to Users and Groups.
2. Select a user to edit and click User Actions > Edit User.
3. Click the Certificates tab.
4. Select the certificate that you want to delete.
5. Click Delete.
Security features
BlackBerry Accessis built using theBlackBerry Dynamics SDKand provides users with access to your
organization's network behind your firewall. For more information about security and theBlackBerry Dynamics
SDK, including how data-at-rest and data-in-transit is secured, cryptography details, and policy enforcement, see
theBlackBerry DynamicsSecurity White Paper.
BlackBerry Accessprotects data with anti-debugging techniques, method integrity checking, and source code
obfuscation of security-sensitive code on all platforms. Unlike users oniOSandAndroidplatforms, users on
aWindowsandmacOSplatforms have administrator privileges.BlackBerry Access for WindowsandBlackBerry
Access for macOSdo not have compliance rules that detect whether a device is jailbroken or rooted.BlackBerry
Access for WindowsandBlackBerry Access for macOShave an additional compliance policy to check for the
presence of antivirus software.
The following are some additional security features that are specific toBlackBerry Access:
All browser data stored in a secure container
Support for PAC files
Connectivity profiles that define the network connections, Internet domains, IP address ranges, and app
servers that devices can connect to when usingBlackBerry Access
DLP policy enforcement
Support for various authentication methods, including client certificates,Kerberos, and more
SeparateBlackBerry Dynamicscertificate store
Support for S/MIME inBlackBerry Work for WindowsandBlackBerry Work for macOS
Secure file downloads and secure file viewer
Policy that specifies which extensions can be downloaded inBlackBerry Access
Remote data wipe
Wiping data is a process that allows you to remotely erase data from a user's device when a violation or breach
of security policy is detected, a user’s network permissions are changed or revoked, or the user’s employment is
terminated. When data is wiped, the secure container on the device where files and folders that the organization
owns are located is physically rewritten with zeros to prevent data recovery. This is different from an ordinary file
deletion, where only the pointer to the file in the file allocation table is deleted.
Send device commands to BlackBerry Access in BlackBerry UEM
After BlackBerry Access, or any other BlackBerry Dynamics app, has been installed on a device, you can perform
actions on the apps. For example, you can delete app data if a user has lost a device.
1. On the menu bar, click Users.
|Managing BlackBerry Access|43
2. Search for a user account.
3. In the search results, click the name of the user account.
4. Select the device tab for the device that has installed the app that you want to manage.
5. Expand the BlackBerry Dynamics apps section.
6. Locate the row for the Dynamics app to manage.
7. Click the three dots in the App actions column to perform one of the following actions:
Task Description
Lock app Lock the BlackBerry Dynamics app. This is useful when a user has lost
a device but may recover it. The app cannot be accessed but app data
is not deleted.
Unlock app Unlock the BlackBerry Dynamics app. The user will regain access to
the app and app data.
Delete app data Delete all data for the BlackBerry Dynamics app and make the app
unusable. The app data cannot be recovered. This is useful when a
user has lost a device and cannot recover it.
Logging on Turn on app logging. Logging is set to debug level.
Logging off Turn off app logging.
Upload log files Upload the app logs from the device to the BlackBerry Dynamics NOC.
Get app events Display detailed information about compliance and other app events.
App details Displays detailed information about the app including the Container ID.
8. Confirm whether you want to complete the action.
Send device commands to BlackBerry Access in Good Control
After BlackBerry Access, or any other BlackBerry Dynamics app, has been installed on a device, you can perform
actions on the apps. For example, you can delete app data if a user has lost a device.
1. Navigate to Users and Groups > select a user > Edit > Devices and Apps > select a device > Installed Apps.
2. Check the checkboxes for the applications you want to change.
3. In the search results, click the name of the user account.
4. Using the App Actions menu on the right, perform one of the following actions:
Task Description
Lock app Lock the BlackBerry Dynamics app. This is useful when a user has lost
a device but may recover it. The app cannot be accessed but app data
is not deleted.
Unlock app Unlock the BlackBerry Dynamics app. The user will regain access to
the app and app data.
|Managing BlackBerry Access|44
Task Description
Delete app data Delete all data for the BlackBerry Dynamics app and make the app
unusable. The app data cannot be recovered. This is useful when a
user has lost a device and cannot recover it.
Logging on Turn on app logging. Logging is set to debug level.
Logging off Turn off app logging.
Upload log files Upload the app logs from the device to the BlackBerry Dynamics NOC.
Get app events Display detailed information about compliance and other app events.
5. Confirm whether you want to complete the action.
Secure storage of browsing activity
All BlackBerry Access browsing activity, including browser data, the cache, and cookies are encrypted and stored
in a secure container on devices. The secure container ensures that work data is stored separately from personal
data on devices.
SSL and TLS
SSL transmission protocol employs a cryptographic system that uses two keys to encrypt data: a public key
known to everyone and a private, or secret, key known only to the recipient of the message. TLS is the successor
to SSL.
Both protocols use X.509 certificates and asymmetric cryptography to identify the counterparty with whom they
are talking, and to exchange a symmetric key. This session key is then used to encrypt data flowing between
the parties, providing data and message confidentiality, along with message authentication codes for message
integrity and message authentication. An important characteristic is PFS, so the short term session key cannot be
derived from the long-term asymmetric secret key.
NTLMv2 authentication
NTLMv2 is a challenge-response authentication protocol and a cryptographically strengthened replacement for
NTLMv1. Kerberos, which is the preferred authentication protocol for Windows and Microsoft Active Directory
domains, is used when a server belongs to a Windows Server domain or if a trust relationship with a Windows
Server domain is established in some other way, such as Linux to Microsoft Active Directory authentication.
NTLMv2 sends two 16-byte responses to an 8-byte server challenge. The two responses are:
The HMAC-MD5 hash of the server challenge, which is a randomly generated client challenge
An HMAC-MD5 hash of the user's password and other identifying information
The formula that is used begins with the NT Hash, that is stored in the SAM or Active Directory, and continues to
hash in the username and domain name, using HMAC-MD5.
HTTP basic authentication
HTTP basic authentication implementation is the simplest technique for enforcing access controls to
web resources because it doesn’t require cookies, session identifiers, or login pages. Instead, HTTP basic
authentication uses static, standard HTTP headers, which means that no handshakes have to be done in
anticipation.
|Managing BlackBerry Access|45
However, the basic authentication mechanism provides no confidentiality protection for the transmitted
credentials. They are merely encoded with BASE64 in transit, but not encrypted or hashed. Basic authentication
should therefore only be used over HTTPS.
User passwords
Users can change their passwords in the BlackBerry Access settings.
Video support
BlackBerry Access for iOS devices supports many video formats. YouTube videos aren't supported because they
are served with non-compliant tags that can't be replaced or rewritten by BlackBerry Access. You must open
YouTube videos in a native browser instead. BlackBerry Access for iOS devices support the same video formats
that Apple does, except for the following legacy formats: M2V, 3GP, and 3GP-2.
To securely play videos on web sites, the HTML5 <video> tag with the <source> element's src attribute is required
at the time the page is loaded in the browser. If BlackBerry Access can't detect a <video> tag, the video playback
isn't secured. The following is a sample of the tags:
<video width="320" height="240" controls>
<source src=“test.mp4" type="video/mp4">
<source src=“test.ogg" type="video/ogg">
Your browser does not support the video tag.
</video>
Web servers that serve videos must be configured for byte streaming so that BlackBerry Access can play them.
The web server must support the HTTP header 206 Partial Content. Otherwise, videos are downloaded to the
device, and the user must play them manually.
Video support FAQ
Q. What are the limitations in BlackBerry Access capability to trap all video elements and in the website and
stream securely through BlackBerry Dynamics?
Because BlackBerry Access uses Apple's webkit to render the HTML data, it isn't possible to catch all video
elements and redirect them through the BlackBerry Dynamics network. Instead, BlackBerry Access will run some
additional Java scripts after the page is loaded to replace the video elements with custom URL which will make
the native player call back to BlackBerry Access application logic when it needs to fetch data so that the video
data can be streamed through BlackBerry Dynamics. There are few limitations due to the fact that BlackBerry
Access translates video elements after the page is loaded:
While a page is being loaded (not fully loaded), if the user taps on any of video elements, the player may
request data directly and not go through BlackBerry Dynamics. The video playback may not work if the HTTP
server that hosts video can't be reached directly. Users must wait for the page to load completely, and the
video icons must be replaced by BlackBerry Access playback icons.
Some of the pages have logic to dynamically create video elements based on user action after the page is
loaded. These dynamically inserted video elements may not be playable through BlackBerry Access secured
streaming.
Custom javascript players and HTML elements are not supported.
Q. What are the requirements for video to be streamed and played in BlackBerry Access through BlackBerry
Dynamics?
|Managing BlackBerry Access|46
BlackBerry Access supports secure streaming of video files hosted within corporate intranet through HTTP based
video streaming over BlackBerry Dynamics based secured connection. The current solution requires the following
setup to work seamlessly:
The HTTP server hosting video has to support range requests. Otherwise the video can't be played back.
The network over which the device is connected to should be able to support the minimum bitrate needed by
video files. The bitrate differs based on resolution of video, not meeting this rate will either not play back the
video or will have a lot of pauses while the player is trying to buffer the data.
It is recommended to have BlackBerry Access connected to the Good Proxy server using BlackBerry Dynamics
Direct Connect instead of through the BlackBerry Dynamics NOC for less latency and better video playback.
Q. What video files are supported by BlackBerry Access?
BlackBerry Access uses iOS native video player and should support most of audio/video codecs and containers
supported by the native player. BlackBerry Access has been tested for video and audio encoded with AAC, MP3,
MPEG 4, H.264, and MP4 contained in video containers. BlackBerry Access doesn't support 3GP.
Q. What is maximum size of video file supported?
BlackBerry Access uses 32 bit values to keep track of video offset, so it can support up to 2 GB of data. Only video
files up to 700 MB have been tested.
Q. Where are video files buffered and what are limitations with buffering?
BlackBerry Access has a limited amount of buffering in RAM (volatile program memory). The memory is capped
at 20 MB currently, and no video data is stored in the file. Because caching doesn't persist in the file, the video
player may have to fetch the same data repeatedly depending on how the user plays the video.
Q. Why does it take lot of time to start video playback when I go forward or back in a video?
Because seeking requires BlackBerry Access to fetch data from the network by issuing new connections and
requesting a new data range, it takes time for the connection request and fetch depending on the current
bandwidth and latency. Also, because of limited non-persistent buffering, BlackBerry Access may not have
previously played data when user seeks back while watching video and must request the data from server again.
Q. How do I download video file and watch it later?
The download option is available only for the video files.Whole locations are referred in the link tag (href) or when
the video URL is entered in the address bar. BlackBerry Access doesn't support download to file for videos that
are embedded in HTML files using <video> tags.
Q. Why does my BlackBerry Access application lock while watching video?
This because of a security restriction in BlackBerry Dynamics and the IT policy. The video player doesn't reset the
idle timeout, so the device can lock while user is watching video. You may have to tap the screen now and then to
reset the idle timeout.
Q. Is Apple's HTTP live streaming supported?
Yes.
Configuring allowed Internet domains
You can configure default and allowed Internet domains for users to use inBlackBerry Access. This allows users
to reach servers by typing the unqualified domain name instead of the FQDN. For example, if your organization
has an internal server running knowledge base software with an FQDN of kb.example.com, you can configure
domain information so that users can reach that server by simply typing "kb" in the browser.
|Managing BlackBerry Access|47
You use connectivity profiles to specify allowed Internet domains in eitherBlackBerry UEMorGood Control. You
can set up configurations that apply to your entire user base or configurations that apply only to specific user
groups.
For more information, see one of the following, depending on your environment:
If you are usingBlackBerry UEM, seeCreate aBlackBerry Dynamicsconnectivity profile in the BlackBerry UEM
Administration content..
If you are usingGood Control, see theGood ControlHelp content.
Changing communications protocols
UsingBlackBerry UEMorGood Control, you can allow certain secure communications protocols, such as TLSv1.0
or TLSv2, for communication with client devices.
You should be careful when you disable protocols. Check with your organization's IT staff to find out which
protocols can be safely disabled. Otherwise, you might disable a protocol that's used on your network, and this
can disrupt the secure handshake that's required betweenBlackBerry UEMorGood Controland users' devices,
and users may receive a “Page Not Found” message.
BlackBerry Access for iOShas its own application policy that controls which communications protocol to use.
For more information, see one of the following, depending on your environment:
If you are usingBlackBerry UEM, seeConfiguringBlackBerry UEMto make TLS/SSL connections toExchange
ActiveSyncin theBlackBerry UEMConfiguration content.
If you are usingGood Control, see theGood ControlHelp content.
Configure access to WebRTC-based destinations
You canconfigure BlackBerry Access for macOS and BlackBerry Access for Windows toallow communication
using WebRTC protocol-based web clients such as Citrix VDI browser-based access.
Note: To allow Windows users to share their screens, ensure that the BlackBerry Dynamics policy in BlackBerry
UEM allows screen captures.
WebRTC trafficcan often have high bandwidth demands. For this reason, BlackBerry recommends routing this
traffic directly.
Route WebRTC traffic directly
If the WebRTC destination is accessible directly over the internet, use the following routing configuration:
On the Security tab of the BlackBerry Access app configuration policy, clear the Enforce Strict Tunnel
checkbox to disable strict tunnel.
Optionally, for improved performance, you can enable UDP protocol support. On the BlackBerry Access (Mac
and Win) tabof the BlackBerry Access app configuration policy, select the Enable UDP Protocol support
checkbox.
Configure the BlackBerry Dynamics Connectivity profile to route traffic directly to the WebRTC destination, as
follows:
For BlackBerry UEM version 12.11 and later: Add the WebRTC destination URL to the Additional servers
section and specify Direct connectivity. This allows the connection to route directly even if the default route
is set to use a BlackBerry Proxy cluster.
For BlackBerry UEM version 12.10 and earlier and Good Control: Disable Route All.Ensure that existing
internal domains or servers are configured to route through BlackBerry Proxy clusters. Do notadd the
|Managing BlackBerry Access|48
WebRTC destination to the BlackBerry Dynamics Connectivity profile. This will allow the connection to route
directly.
Note: The BlackBerry Dynamics Connectivity profile and strict tunnel configuration have no effect on UDP
connections. UDP connections route directly to the WebRTC destination through the local internet connection.
Route WebRTC traffic through BlackBerry Proxy
If the WebRTC destination is notdirectly accessible over the internet, or the traffic is required to route through a
BlackBerry Proxy cluster, take the following items into consideration:
To route WebRTC traffic through BlackBerry Proxy clusters, all BlackBerry Proxy clusters must be configured to
use Direct Connect.For more information, see the Direct Connect content.
Note: If you do not configure the BlackBerry Proxy clusters with Direct Connect, the WebRTC destination does
not load. For more information, visit support.blackberry.com/community to read article 62766.
Ensure that enough BlackBerry Proxy servers are installed to handle the load generated by the WebRTC traffic.
This configuration supportsonlyTCP-based WebRTC connections. BlackBerry Proxy servers support only TCP
protocol.
Allow users to open custom URL schemes
By default, BlackBerry Access opens only HTTP and HTTPS URL schemes. You can use the "Enable 3rd Party
Applications" and "Enter comma separated URL schemes" app settings in BlackBerry UEM or Good Control to
allow users to open custom URL schemes supported by third-party apps. For more information about these app
settings, see BlackBerry Access app configuration settings.
You must add the third-party URL scheme names in the "Enter comma separated URL schemes" app setting,
or users are blocked from accessing the third-party apps. You can find the names of blocked third-party URL
schemes in the BlackBerry Access console log.
Before you begin: Verify that detailed logging is enabled in BlackBerry Access.
1. In BlackBerry Access, click the URL to access the third-party application.
2. Wait until BlackBerry Access returns the following error message: URL scheme is blocked.
3. Go to the BlackBerry Access console.
4. Look for the error message for the blocked URL scheme.
5. In BlackBerry UEM or Good Control, add the name of the URL scheme to the "Enable 3rd Party Applications"
app setting.
Allow users to securely edit files within an app in BlackBerry Access
on Windows or macOS
To allow users to securely edit files within an app in BlackBerry Access on Windows or macOS, add the Secure
Document Editing app to the user's allowed apps in BlackBerry UEM.This requires the "Secure Editing of Office
Documents (Word, PPT and Excel)" license. Contact BlackBerry Sales for more information.For more information,
see Assign an app to a user account in the BlackBerry UEM Administration content.
|Managing BlackBerry Access|49
IdentifyingBlackBerry Accessin user agent
When aBlackBerry Accessuser visitsa website,BlackBerry Accesssends its user agent string to the server
that hosts the website. The user agent string contains tokens that provide information, such as the browser
description, operating system, and current browser mode, in the HTTP request headers. The website server may
use this information in the user agent string to provide content tailored to mobile browsers.
The user agent string does not include any identifiable tokens to indicate that the browser isBlackBerry Access.
Toadd "GoodAccess" or "Good Access" and the version information of theBlackBerry Accessapp to the user
agent string, enable the "IdentifyBlackBerry Accessin User Agent" setting on the General tab of theBlackBerry
Accessapp config inBlackBerry UEMor in the App Specific Policy of the assigned Policy Set inGood Control.
The following are examples of user agent strings when the setting is not enabled:
BlackBerry Access for Android:
Mozilla/5.0 (Linux; Android 8.1.0; BBF100-2) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36
BlackBerry Access for iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6
(KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6
BlackBerry Access for Windows:
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/61.0.3163.91 Safari/537.36
BlackBerry Access for macOS:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/61.0.3163.91 Safari/537.36
The following are examples of user agent strings when the setting is enabled:
BlackBerry Access for Android:
Mozilla/5.0 (Linux; Android 4.1.1; SAMSUNG-SGH-I747/JRO03L) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/28.0.1500.45 Mobile Safari/537.36 GoodAccess/<app
version>
BlackBerry Access for iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6
(KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.5.6 GoodAccess/<app
version>
BlackBerry Access for Windows:
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/61.0.3163.91 Safari/537.36 Good Access/<app version>
BlackBerry Access for macOS:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/61.0.3163.91 Safari/537.36 Good Access/<app version>
|Managing BlackBerry Access|50
Good Control cloud deployments and intranet servers
When you use BlackBerry Access with the Good Control cloud configuration, intranet servers (resources on your
internal network) aren't accessible.
In on-premises instances of Good Control, you have access to a Good Proxy server, which must be configured to
allow access from outside your organization's firewall. However, in Good Control Cloud, there's no administrator-
accessible Good Proxy server because you don't configure servers, ports, web proxies, or other the hardware or
network settings. You can't configure access to an intranet in Good Control Cloud because there are multiple
distributed intranets that belong to different organizations. For security reasons, these intranets can't be part of
the shared cloud configuration.
UsingBlackBerry Analyticsto collect app data
You can enable theBlackBerry Analyticsfeature for your users if you want to capture events inBlackBerry
Dynamicsapps, such as when the user starts theBlackBerry Dynamicsapps, the user’s platform, and when
the app goes into the background. You can view and analyze the metrics by logging in to theBlackBerry
Dynamicsweb-based system and accessing the Analytics dashboard. For more information aboutBlackBerry
Analytics, visitBlackBerry Help and Manuals: BlackBerry Analytics.
Configure a compliance rule for Windows antivirus detection in Good
Control
You can use a compliance rule to check if antivirus software is installed and running on Windows.
1. On the menu bar, click Policy Sets.
2. Click the name of the policy that you want to assign to users.
3. Click the COMPLIANCE POLICIES tab.
4. Expand ANTIVIRUS STATUS (WIN32 ONLY).
5. For Checks Antivirus Status, select Enable.
6. For Failure Action, select the action to take if users are not compliant.
7. Click Update.
Configure support for FQDN resolution in Good Control
In Good Control, you can configure support for FQDN resolution for Kerberos authentication.
1. On the menu bar, click GP Server Properties.
2. On the DEFAULT GP SERVER PROPERTIES tab, select the check box for gp.gps.unalias.hostname.
3. Click Submit.
|Managing BlackBerry Access|51
Troubleshooting
Diagnostics
If a user is reporting an issue, you can ask them to perform app diagnostics.
You can use diagnostic tools to check the connection between BlackBerry Access and BlackBerry Proxy and other
target servers.
BlackBerry Access for iOS also has a “Collect network summary” option that you can use to collect and display a
summary of your internet usage. The summary, which can be used for diagnostics, displays information such as
delays in connections, authentication handshakes, and proxy resolution.
Generate a diagnostics report oniOSdevices
You can ask users to generate a diagnostics report and then email the results.
Before you begin: Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. In the Support section, tapRun Diagnostics.
4. TapStart Diagnostic.
5. ClickStart.
6. When the diagnostics complete, clickShare logsto send an email with the report details.
Generate a diagnostics report onAndroiddevices
You can ask users to generate a diagnostics report and then email the results.
Before you begin: Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. In the Support section, tapRun Diagnostics.
4. TapStart Diagnostics.
5. When the diagnostics complete, clickShare Resultsto send an email with the report details.
Troubleshoot issues using theBlackBerry Accessconsole
You can use theBlackBerry Accessconsole to help users find possible causes of issues that they might
encounter.
Provide the following instructions to users:
1.
Tap to open theBlackBerry Dynamics Launcher.
2.
Tap .
3. TapSettings.
4. TapConsole.
|Troubleshooting|52
5. Look at the displayed messages to see if they indicate what the problem is.
Upload log files to BlackBerry Support
If requested by BlackBerry Support, you can upload log files to help troubleshoot issues that your users are having
with BlackBerry Dynamics apps.
Provide the following instructions to users:
1.
Tap to open the BlackBerry Dynamics Launcher.
2.
Tap .
3. In the Advanced section, click Logs.
4. Click Upload Logs.
Troubleshoot connectivity issues
If users are reporting connectivity issues, you can ask them to perform connectivity tests. These tests also help
you troubleshoot proxy servers and PAC file configurations. Tests are performed on the connections between
the device, other servers, and the BlackBerry Dynamics NOC, and do not go through the BlackBerry Proxy (if using
BlackBerry UEM) or Good Proxy (if using Good Control).
Provide the following instructions to users:
1.
Tap to open the BlackBerry Dynamics Launcher.
2.
Tap .
3. In the Advanced section, choose one of the following:
On iOS devices, click Network Utilities.
On Android devices, click Net Tools.
4. Provide the URL or IP address that you want to test to users and tell them to enter it.
5. Depending on what you want to test, tell users to select either Ping, Trace, or Lookup.
Troubleshoot routing issues
The tables in this section provide details about howBlackBerry Accessroutes traffic depending on whether a
manual proxy or proxy autoconfiguration (PAC) is used. You can use this information to troubleshoot browsing
issues related to traffic routing.
Note: The table does not describe the situation where a target URL is configured to be blocked by either
theBlackBerry DynamicsConnectivity Profile or the PAC file because the URL is always blocked no matter which
other configurations are in place.
Legend
No proxy:The proxy server is not specified in theBlackBerry Accessapp configuration.
Manual proxy:A web proxy server is manually specified in theBlackBerry Accessapp configuration. When a
web proxy is specified in this way,BlackBerry Accessattempts to route all traffic through the web proxy.
|Troubleshooting|53
PAC:A PAC file is specified in theBlackBerry Accessapp configuration. When a PAC is configured,BlackBerry
Accessfollows the rules specified in the PAC to determine whether to send traffic through the web proxy.
Specifies the result of the PAC file check against the target host (DIRECT, PROXY, BLOCK, NATIVE).
Host route = BBP:The specified target URL is configured to route through aBlackBerry Proxycluster based on
theBlackBerry DynamicsConnectivity Profile. This URL is explicitly defined, or is under the Default Route or an
Allowed domains rule.
Host route = DIRECT:The specified target URL is configured to route directly based on theBlackBerry
DynamicsConnectivity Profile. This URL is explicitly defined or is under the Default Route.
Web Proxy Route = BBP:The proxy server's URL is configured to route through aBlackBerry Proxycluster
based on theBlackBerry DynamicsConnectivity Profile. This URL is explicitly defined, or is under the Default
Route or an Allowed domains rule.
Web proxy route = DIRECT:The proxy server's URL is configured to route directly based on theBlackBerry
DynamicsConnectivity Profile. This URL is explicitly defined or is under the Default Route.
Strict tunnel on Strict tunnel off
No proxy
Host route = BBP
BlackBerry Accessroutes traffic through
theBlackBerry Proxycluster.
BlackBerry Accessroutes traffic through
theBlackBerry Proxycluster.
No proxy
Host route =
DIRECT
The host is blocked because of strict
tunnel.
BlackBerry Accessroutes traffic directly to
the host.
Manual proxy
Host route = BBP
Web proxy route =
BBP
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
Manual proxy
Host route =
DIRECT
Web proxy route =
BBP
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
Note: Even though the host does
not resolve in theBlackBerry
DynamicsConnectivity Profile, the web
proxy does resolve. Therefore all traffic
through the web proxy goes through
theBlackBerry Proxycluster.
Manual proxy
Host route = BBP
Web proxy route =
DIRECT
The web proxy server is blocked because
of strict tunnel.
BlackBerry Accessroutes traffic directly to
the web proxy and then to the host.
Note: Even though the host resolves in
theBlackBerry DynamicsConnectivity
Profile, because the web proxy configured
as DIRECT, all traffic through that web
proxy is direct.
|Troubleshooting|54
Strict tunnel on Strict tunnel off
Manual proxy
Host route =
DIRECT
Web proxy route =
DIRECT
Both the host and the web proxy server are
blocked because of strict tunnel.
BlackBerry Accessroutes traffic directly to
the web proxy and then to the host.
PAC returns
DIRECT
Host route = BBP
The host is blocked because of strict
tunnel.
BlackBerry Accessroutes traffic directly to
the host.
PAC returns PROXY
Host route = BBP
Web proxy route =
BBP
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
Note: Even though the host does
not resolve in theBlackBerry
DynamicsConnectivity Profile, the web
proxy does resolve. Therefore all traffic
through the web proxy goes through
theBlackBerry Proxycluster.
PAC returns PROXY
Host route =
DIRECT
Web proxy route =
BBP
BlackBerry Accessroutes traffic though
theBlackBerry Proxycluster and then
through the web proxy.
BlackBerry Accessroutes traffic directly to
the web proxy and then to the host.
Note: Even though the host resolves in
theBlackBerry DynamicsConnectivity
Profile, because the web proxy configured
as DIRECT, all traffic through that web
proxy is direct.
PAC returns PROXY
Host route = BBP
Web proxy route =
DIRECT
The web proxy is blocked because of strict
tunnel.
BlackBerry Accessroutes traffic directly to
the web proxy and then to the host.
PAC returns PROXY
Host route =
DIRECT
Web proxy route =
DIRECT
The host is blocked because of strict
tunnel.
BlackBerry Accessroutes traffic directly to
the web proxy and then to the host.
Behavior of myIPAddress and DNSResolve
Depending on the routing configuration, the DNS resolution and the source IP address will differ. The following
table describes which endpoint makes the DNS calls and which endpoint is considered the source IP address
when connecting to a target host.
|Troubleshooting|55
DNSResolve during PAC
computation
DNSResolve for socket
connection
MyIPAddress for PAC
Host route = BBP
Strict tunnel = On
TheBlackBerry
Proxyresolves the IP
address of the host.
TheBlackBerry
Proxyresolves the IP
address of the host.
The IP address of
theBlackBerry Proxyis
used.
Host route = BBP
Strict tunnel = Off
TheBlackBerry
Proxyresolves the IP
address of the host.
TheBlackBerry
Proxyresolves the IP
address of the host.
The IP address of
theBlackBerry Proxyis
used.
Host route = DIRECT
Strict tunnel = On
TheBlackBerry
Proxyresolves the IP
address of the host.
DNSResolve is blocked
or there is no DNS
resolution.
The IP address of
theBlackBerry Proxyis
used.
Host route = DIRECT
Strict tunnel = Off
TheBlackBerry
Proxyresolves the IP
address of the host.
The device resolves the
IP address of the host.
The IP address of the
device is used.
|Troubleshooting|56
Feature support
Feature Description Applies to
Cookies Persistent cookies
Nonpersistent cookies
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
Uses native WKWebView for rendering BlackBerry Access for
iOS
JavaScriptengine
UsesGoogle’s open source V8JavaScriptengine for
rendering.
BlackBerry Access for
Android
Navigation return to HTML attachment BlackBerry Access for
Android
Maximum size of attachment is 3 MB BlackBerry Access for
Android
BlackBerry Access for
iOS
Long tap on attachment BlackBerry Access for
iOS
HTML attachments
No support for child pages or resources (relative links
from the parent page)
BlackBerry Access for
Android
BlackBerry Access for
iOS
Audio Support for the same audio formats
thatApplesupports.
To securely play audio on web sites, the
HTML5<audio>tag is required at the time the page
is loaded in the browser. IfBlackBerry Accesscan't
detect an<audio>tag, the audio playback isn't
secured.
BlackBerry Access for
iOS
Fingerprint
authentication
SamsungPass for user authentication using
fingerprints. You can use the same application
policies that you use to manageAndroidfingerprint
authentication forSamsungPass.
BlackBerry Access for
Android
|Feature support|57
Feature Description Applies to
English, Danish, Dutch, French, German, Italian,
Japanese, Korean, Simplified Chinese, Spanish, and
Swedish
BlackBerry Access for
Android
BlackBerry Access for
iOS
Languages supported
byBlackBerry
Accesscontrols
English, Dutch, French, Japanese, Korean, Simplified
Chinese, and Swedish
BlackBerry Access for
Windows
BlackBerry Access for
macOS
File types Unsupported file types:
.msg:Microsoft Outlookmessage format
.zip: Compressed file archive
BlackBerry Work for
Windows
BlackBerry Work for
macOS
Plugins Adobe Flash: Not supported
Applets: Not supported
Microsoft ActiveX: Not supported
WebSockets: Supported only forBlackBerry
Access for iOS,BlackBerry Access for macOS,
andBlackBerry Access for Windows. WebSockets
are not secured byBlackBerry Access for Android.
BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
SAML and ADAL Supported BlackBerry Access for
Android
BlackBerry Access for
iOS
BlackBerry Access for
Windows
BlackBerry Access for
macOS
|Feature support|58
Browser support for HTML5 and CSS3
BlackBerry Access for Android HTML and CSS3 support
Feature list Tags
BlackBerry Access for
Android
Score 464 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Supported
Ogg Theora Supported Unsupported
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Unsupported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Supported
MP3 Supported Supported
|Browser support for HTML5 and CSS3|59
Feature list Tags
BlackBerry Access for
Android
Ogg Vorbis Supported Supported
Ogg Opus Supported Unsupported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
|Browser support for HTML5 and CSS3|60
Feature list Tags
BlackBerry Access for
Android
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
|Browser support for HTML5 and CSS3|61
Feature list Tags
BlackBerry Access for
Android
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=week Unsupported
Minimal element Supported Unsupported
|Browser support for HTML5 and CSS3|62
Feature list Tags
BlackBerry Access for
Android
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
|Browser support for HTML5 and CSS3|63
Feature list Tags
BlackBerry Access for
Android
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
|Browser support for HTML5 and CSS3|64
Feature list Tags
BlackBerry Access for
Android
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Supported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported (except for
Android SB)
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset Supported
Minimal element Supported Supported
|Browser support for HTML5 and CSS3|65
Feature list Tags
BlackBerry Access for
Android
elements attribute Supported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Supported
Minimal element Supported Supported
meter Supported
Minimal element Supported Supported
Fields
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
|Browser support for HTML5 and CSS3|66
Feature list Tags
BlackBerry Access for
Android
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
|Browser support for HTML5 and CSS3|67
Feature list Tags
BlackBerry Access for
Android
noValidate attribute Supported
User interaction
Drag and drop
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
CSS selectors Unsupported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
|Browser support for HTML5 and CSS3|68
Feature list Tags
BlackBerry Access for
Android
queryCommandState method Supported
queryCommandsupporteded method Supported
queryCommandValue method Supported
Spellcheck Supported
spellcheck attribute Supported
History and navigation
Session history Supported
Microdata
Microdata Unsupported
Web applications
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Supported
Security
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various
Scoped style element Unsupported
Asyncronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
Location and Orientation
|Browser support for HTML5 and CSS3|69
Feature list Tags
BlackBerry Access for
Android
Device Orientation Supported
Communication
Cross-document messaging
Server-Sent Events Supported
XMLHttpRequest Level 2 Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Supported
Files
File API Supported
File
API:
Directories and System Supported
Storage
Session Storage Unsupported
Secure Local Storage wit persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers
Web Workers Supported
Shared Workers Supported
Local multimedia
Access the webcam Unsupported
Notifications
|Browser support for HTML5 and CSS3|70
Feature list Tags
BlackBerry Access for
Android
Web Notifications Unsupported
Other
Page Visibility Supported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio
Web Audio API Unsupported
Video and Animation
1
Full screen Supported Supported
Pointer Lock Supported Supported
window.requestAnimationFrame Supported
1
These media formats may be rendered by invoking native device players when device is connected to corporate
Wi-Fi network.
BlackBerry Access for iOS HTML and CSS3 support
Feature list Tags
BlackBerry Access for
iOS
Score 410
Parsing rules 10
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
|Browser support for HTML5 and CSS3|71
Feature list Tags
BlackBerry Access for
iOS
Canvas 20
canvas element Supported
2D context Supported
Text Supported
Video 21/30
video element Supported
Subtitle Supported Unsupported
Poster image Supported Supported
MPEG-4 Supported Supported
H.264 Supported Supported
Ogg Theora Supported Unsupported
WebM Supported Unsupported
WebM Supported with VP9 Supported Unsupported
Audio 20
audio element Supported
PCM audio Supported Supported
AAC Supported Supported
MP3 Supported Supported
Ogg Vorbis Supported Unsupported
Ogg Opus Supported Unsupported
WebM Supported Unsupported
Elements 29/35
Embedding custom non-visible data Supported
New or modified elements
section element Supported
|Browser support for HTML5 and CSS3|72
Feature list Tags
BlackBerry Access for
iOS
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements Supported
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements partially Supported
download attribute on the a element Unsupported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements partially Supported
details element Supported
summary element Supported
command element Unsupported
menu element of type list Supported
menu element of type toolbar Unsupported
menu element of type context Unsupported
|Browser support for HTML5 and CSS3|73
Feature list Tags
BlackBerry Access for
iOS
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion Supported
outerHTML property Supported
insertAdjacentHTML function Supported
Forms 102/115
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
|Browser support for HTML5 and CSS3|74
Feature list Tags
BlackBerry Access for
iOS
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=date Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
|Browser support for HTML5 and CSS3|75
Feature list Tags
BlackBerry Access for
iOS
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=time partially Supported
Minimal element Supported Supported
Custom user-interface Unsupported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
|Browser support for HTML5 and CSS3|76
Feature list Tags
BlackBerry Access for
iOS
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
|Browser support for HTML5 and CSS3|77
Feature list Tags
BlackBerry Access for
iOS
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
|Browser support for HTML5 and CSS3|78
Feature list Tags
BlackBerry Access for
iOS
Minimal element Supported Supported
required attribute Supported
fieldset partially Supported
Minimal element Supported Supported
elements attribute Unsupported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Unsupported
Minimal element Supported Unsupported
meter Unsupported
Minimal element Supported Unsupported
Fields
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
|Browser support for HTML5 and CSS3|79
Feature list Tags
BlackBerry Access for
iOS
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
|Browser support for HTML5 and CSS3|80
Feature list Tags
BlackBerry Access for
iOS
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
noValidate attribute Supported
User interaction 20 20
Drag and drop Unsupported
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
APIs Supported
|Browser support for HTML5 and CSS3|81
Feature list Tags
BlackBerry Access for
iOS
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandsupporteded method Supported
queryCommandValue method Supported
Spellcheck
spellcheck attribute Supported
History and navigation 10
Session history Supported
Microdata 0/15
Microdata Unsupported
Web applications 15/20
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Unsupported
Security 15/20
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various 5/10
Scoped style element Unsupported
Asyncronous script execution Supported
Runtime script error reporting Supported
|Browser support for HTML5 and CSS3|82
Feature list Tags
BlackBerry Access for
iOS
Base64 encoding and decoding Supported
Related specifications
Location and Orientation 20
Device Orientation Supported
WebGL 10/25
3D context Unsupported
Native binary data Supported
ArrayBuffer Supported
Int8Array Supported
Uint8Array Supported
Int16Array Supported
Uint16Array Supported
Int32Array Supported
Uint32Array Supported
Float32Array Supported
Float64Array Supported
DataView Supported
Communication 33/35
Cross-document messaging Supported
Server-Sent Events Supported
XMLHttpRequest Level 2 partially Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
|Browser support for HTML5 and CSS3|83
Feature list Tags
BlackBerry Access for
iOS
Blob response type Unsupported
Files 10
File API Supported
File
API:
Directories and System Unsupported
Storage 15/25
Session Storage Supported
Secure Local Storage without persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers 15
Web Workers Supported
Shared Workers Supported
Local multimedia 0/10
Access the webcam Unsupported
Notifications 0/10
Web Notifications Unsupported
Other 8/10
Page Visibility Unsupported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio 5
Web Audio API Supported
Video and Animation
1
3/10
|Browser support for HTML5 and CSS3|84
Feature list Tags
BlackBerry Access for
iOS
Full screen Supported Unsupported
Pointer Lock Supported Unsupported
window.requestAnimationFrame Supported
1
These media formats may be rendered by invoking native device players when device is connected to corporate
Wi-Fi network.
BlackBerry Access for macOS HTML and CSS3 support
Feature list Tags
BlackBerry Access for
macOS
Score 504 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Audio track selection Unsupported
Video track selection Unsupported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Unsupported
H.265 Supported Unsupported
Ogg Theora Supported Supported
|Browser support for HTML5 and CSS3|85
Feature list Tags
BlackBerry Access for
macOS
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Supported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Unsupported
MP3 Supported Supported
Ogg Vorbis Supported Supported
Ogg Opus Supported Supported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
|Browser support for HTML5 and CSS3|86
Feature list Tags
BlackBerry Access for
macOS
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
wbr element Supported
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
|Browser support for HTML5 and CSS3|87
Feature list Tags
BlackBerry Access for
macOS
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
Minimal element Supported Supported
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
|Browser support for HTML5 and CSS3|88
Feature list Tags
BlackBerry Access for
macOS
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=week Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
|Browser support for HTML5 and CSS3|89
Feature list Tags
BlackBerry Access for
macOS
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
|Browser support for HTML5 and CSS3|90
Feature list Tags
BlackBerry Access for
macOS
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Supported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported (except for
Android SB)
Minimal element Supported Supported
files property Supported
textarea Supported
|Browser support for HTML5 and CSS3|91
Feature list Tags
BlackBerry Access for
macOS
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset Supported
Minimal element Supported Supported
elements attribute Unsupported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Supported
Minimal element Supported Supported
meter Supported
Minimal element Supported Supported
Fields
Field validation Supported
|Browser support for HTML5 and CSS3|92
Feature list Tags
BlackBerry Access for
macOS
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
|Browser support for HTML5 and CSS3|93
Feature list Tags
BlackBerry Access for
macOS
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
checkValidity method Supported
noValidate attribute Supported
User interaction
Drag and drop
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
|Browser support for HTML5 and CSS3|94
Feature list Tags
BlackBerry Access for
macOS
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
CSS selectors Unsupported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandsupported method Supported
queryCommandValue method Supported
Spellcheck Supported
spellcheck attribute Supported
History and navigation
Session history Supported
Microdata
Microdata Unsupported
Web applications
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Supported
Security
Sandboxed iframe Supported
Seamless iframe Unsupported
|Browser support for HTML5 and CSS3|95
Feature list Tags
BlackBerry Access for
macOS
iframe with inline contents Supported
Various
Scoped style element Unsupported
Asyncronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
Location and Orientation
Device Orientation Supported
Communication
Cross-document messaging
Server-Sent Events Supported
XMLHttpRequest Level 2 Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Supported
Files
File API Supported
File
API:
Directories and System Supported
Storage
Session Storage Unsupported
Secure Local Storage with persistence Supported
IndexedDB Unsupported
|Browser support for HTML5 and CSS3|96
Feature list Tags
BlackBerry Access for
macOS
Web SQL Database Unsupported
Workers
Web Workers Supported
Shared Workers Supported
Local multimedia
Access the webcam Unsupported
Notifications
Web Notifications Unsupported
Other
Page Visibility Supported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio
Web Audio API Unsupported
Video and Animation
1
Full screen Supported Supported
Pointer Lock Supported Supported
window.requestAnimationFrame Supported
1
These media formats may be rendered by invoking native device players when device is connected to corporate
Wi-Fi network.
|Browser support for HTML5 and CSS3|97
BlackBerry Access for Windows HTML and CSS3 support
Feature list Tags
BlackBerry Access for
Windows
Score 504 of 555
Parsing rules
<!DOCTYPE html> triggers standards mode Supported
HTML5 tokenizer Supported
HTML5 tree building Supported
SVG in text/html Supported
MathML in text/html Supported
Video
video element Supported
Audio track selection Unsupported
Audio track selection Unsupported
Subtitle Supported Supported
Poster image Supported Supported
MPEG-4 Supported Unsupported
H.264 Supported Unsupported
H.265 Supported Unsupported
Ogg Theora Supported Supported
WebM Supported with VP8 Supported Supported
WebM Supported with VP9 Supported Supported
Audio
audio element Supported
PCM audio Supported Supported
AAC Supported Unsupported
|Browser support for HTML5 and CSS3|98
Feature list Tags
BlackBerry Access for
Windows
MP3 Supported Supported
Ogg Vorbis Supported Supported
Ogg Opus Supported Supported
WebM Supported Supported
Elements
Embedding custom non-visible data Supported
New or modified elements
section element Supported
section element Supported
nav element Supported
article element Supported
aside element Supported
hgroup element Supported
header element Supported
footer element Supported
Grouping content elements
figure element Supported
figcaption element Supported
reversed attribute on the ol element Supported
Text-level semantic elements
download attribute on the a element Supported
ping attribute on the a element Supported
mark element Supported
ruby, rt and rp elements Supported
time element Unsupported
|Browser support for HTML5 and CSS3|99
Feature list Tags
BlackBerry Access for
Windows
wbr element Supported
Interactive elements
details element Supported
summary element Supported
menu element of type toolbar Unsupported
menu element of type popup Unsupported
dialog element Unsupported
Global attributes or methods
hidden attribute Supported
Dynamic markup insertion
outerHTML property Supported
insertAdjacentHTML function Supported
Forms
Field types
input type=text Supported
Minimal element Supported Supported
Selection Direction Supported
input type=search Supported
Minimal element Supported Supported
input type=tel Supported
Minimal element Supported Supported
input type=url Supported
Minimal element Supported Supported
Field validation Supported
input type=email Supported
|Browser support for HTML5 and CSS3|100
Feature list Tags
BlackBerry Access for
Windows
Minimal element Supported Supported
Field validation Supported
input type=datetime Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=month Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=week Unsupported
|Browser support for HTML5 and CSS3|101
Feature list Tags
BlackBerry Access for
Windows
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Unsupported
min attribute Unsupported
max attribute Unsupported
step attribute Unsupported
stepDown() method Unsupported
stepUp() method Unsupported
valueAsDate()mothen Unsupported
valueAsNumber() method Unsupported
input type=time Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsDate()mothen Supported
valueAsNumber() method Supported
input type=datetime-local Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
|Browser support for HTML5 and CSS3|102
Feature list Tags
BlackBerry Access for
Windows
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=number Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
Field validation Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
stepUp() method Supported
valueAsNumber() method Supported
input type=range Supported
Minimal element Supported Supported
Custom user-interface Supported
Value sanitization Supported
min attribute Supported
max attribute Supported
step attribute Supported
stepDown() method Supported
|Browser support for HTML5 and CSS3|103
Feature list Tags
BlackBerry Access for
Windows
stepUp() method Supported
valueAsNumber() method Supported
input type=color Unsupported
Minimal element Supported Unsupported
Custom user-interface Unsupported
Value sanitization Supported
input type=checkbox Supported
Minimal element Supported Supported
indeterminate property Supported
input type=image Supported
Minimal element Supported Supported
width property Supported
height property Supported
input type=file Supported (except for
Android SB)
Minimal element Supported Supported
files property Supported
textarea Supported
Minimal element Supported Supported
maxlength attribute Supported
wrap attribute Supported
select Supported
Minimal element Supported Supported
required attribute Supported
fieldset Supported
|Browser support for HTML5 and CSS3|104
Feature list Tags
BlackBerry Access for
Windows
Minimal element Supported Supported
elements attribute Unsupported
disabled attribute Supported
datalist Unsupported
Minimal element Supported Unsupported
list attribute for fields Unsupported
keygen Supported
Minimal element Supported Supported
challenge attribute Supported
keytype attribute Supported
output Supported
Minimal element Supported Supported
progress Supported
Minimal element Supported Supported
meter Supported
Minimal element Supported Supported
Fields
Field validation Supported
pattern attribute Supported
required attribute Supported
Association of controls and forms Supported
control property on labels Supported
form property on fields Supported
formAction property on fields Supported
formEnctype property on fields Supported
|Browser support for HTML5 and CSS3|105
Feature list Tags
BlackBerry Access for
Windows
formMethod property on fields Supported
formNoValidate property on fields Supported
formTarget property on fields Supported
labels property on fields Supported
Other attributes Supported
autofocus attribute Supported
autocomplete attribute Supported
placeholder attribute Supported
multiple attribute Supported
dirName attribute Supported
CSS selectors Supported
:valid selector Supported
:invalid selector Supported
:optional selector Supported
:required selector Supported
:in-range selector Supported
:out-of-range selector Supported
:read-write selector Supported
:read-only selector Supported
Events Supported
oninput event Supported
onchange event Supported
oninvalid event Supported
Forms Supported
Form validation Supported
|Browser support for HTML5 and CSS3|106
Feature list Tags
BlackBerry Access for
Windows
checkValidity method Supported
noValidate attribute Supported
User interaction
Drag and drop
Attributes Unsupported
draggable attribute Unsupported
dropzone attribute Unsupported
Events Unsupported
ondrag event Unsupported
ondragstart event Unsupported
ondragenter event Unsupported
ondragover event Unsupported
ondragleave event Unsupported
ondragend event Unsupported
ondrop event Unsupported
HTML editing
Editing elements Supported
contentEditable attribute Supported
isContentEditable property Supported
Editing documents Supported
designMode attribute Supported
CSS selectors Unsupported
APIs Supported
execCommand method Supported
queryCommandEnabled method Supported
|Browser support for HTML5 and CSS3|107
Feature list Tags
BlackBerry Access for
Windows
queryCommandIndeterm method Supported
queryCommandState method Supported
queryCommandsupported method Supported
queryCommandValue method Supported
Spellcheck Supported
spellcheck attribute Supported
History and navigation
Session history Supported
Microdata
Microdata Unsupported
Web applications
Application Cache Supported
Custom scheme handlers Unsupported
Custom content handlers Unsupported
Custom search providers Supported
Security
Sandboxed iframe Supported
Seamless iframe Unsupported
iframe with inline contents Supported
Various
Scoped style element Unsupported
Asyncronous script execution Supported
Runtime script error reporting Supported
Base64 encoding and decoding Supported
Related specifications
|Browser support for HTML5 and CSS3|108
Feature list Tags
BlackBerry Access for
Windows
Location and Orientation
Device Orientation Supported
Communication
Cross-document messaging
Server-Sent Events Supported
XMLHttpRequest Level 2 Supported
Upload files Supported
Text response type Supported
Document response type Supported
Array buffer response type Supported
Blob response type Supported
Files
File API Supported
File
API:
Directories and System Supported
Storage
Session Storage Unsupported
Secure Local Storage with persistence Supported
IndexedDB Unsupported
Web SQL Database Unsupported
Workers
Web Workers Supported
Shared Workers Supported
Local multimedia
Access the webcam Unsupported
Notifications
|Browser support for HTML5 and CSS3|109
Feature list Tags
BlackBerry Access for
Windows
Web Notifications Unsupported
Other
Page Visibility Supported
Text selection Supported
Scroll into view Supported
Mutation Observer Supported
Experimental
Audio
Web Audio API Unsupported
Video and Animation
1
Full screen Supported Supported
Pointer Lock Supported Supported
window.requestAnimationFrame Supported
1
These media formats may be rendered by invoking native device players when device is connected to corporate
Wi-Fi network.
|Browser support for HTML5 and CSS3|110
Legal notice
©
2022 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design,
ATHOC, CYLANCE and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its
subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly
reserved. All other trademarks are the property of their respective owners.
Adobe and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United
States and/or other countries. Apple, App Store, iPhone, macOS, OS X, Safari, and WebKit are trademarks of
Apple Inc. Cisco WebEx is a trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain
other countries. Google, Android, Google Chrome, Google Play, and YouTube are trademarks of Google Inc.
iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS
®
is
used under license by Apple Inc. JavaScript is a trademark of Oracle and/or its affiliates. Linux is a trademark of
Linus Torvalds. Mozilla is a trademark of Mozilla Foundation. Microsoft, Active Directory, ActiveSync, ActiveX,
Office 365, Outlook, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Netscape is a trademark of Netscape Communication
Corporation. RSA SecurID is a trademark of RSA Security. Samsung is a trademark of Samsung Electronics Co.,
Ltd. Wi-Fi is a trademark of the Wi-Fi Alliance. Yahoo! is a trademark of Yahoo! Inc. All other trademarks are the
property of their respective owners.
This documentation including all documentation incorporated by reference herein such as documentation
provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE"
and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and
its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical,
or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and
confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry
technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained
in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates,
enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software,
products or services including components and content such as content protected by copyright and/or third-
party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not
responsible for, any Third Party Products and Services including, without limitation the content, accuracy,
copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect
of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this
documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third
party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL
CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES,
REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE,
MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR
ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE
DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE,
SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED.
YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY
NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT
PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO
THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO
NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE
SUBJECT OF THE CLAIM.
|Legal notice|111
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL
BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE,
OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD
PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE
FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE,
OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY
EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS
OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA,
PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR
SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION
THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR
SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES
WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL
HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO
YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE
OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF
CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A
FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT
OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR
SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED
BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE
DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR,
EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY
AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to
ensure that your airtime service provider has agreed to support all of their features. Some airtime service
providers might not offer Internet browsing functionality with a subscription to the BlackBerry
®
Internet Service.
Check with your service provider for availability, roaming arrangements, service plans and features. Installation
or use of Third Party Products and Services with BlackBerry's products and services may require one or more
patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You
are solely responsible for determining whether to use Third Party Products and Services and if any third party
licenses are required to do so. If required you are responsible for acquiring them. You should not install or use
Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and
Services that are provided with BlackBerry's products and services are provided as a convenience to you and are
provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties
of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third
Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses
and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or
other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with
BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS
WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY
PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information
associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.
|Legal notice|112
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
Ground Floor, The Pearce Building, West Street,
Maidenhead, Berkshire SL6 1RL
United Kingdom
Published in Canada
|Legal notice|113