Get the PDF

BlackBerry Work
app configuration settings

App Settings tab	Description
Autodiscover	If you select this option, BlackBerry Work automatically discovers the Exchange ActiveSync server. Due to possible security vulnerabilities, it is not recommended that you select this option.
Authorized Email Domains	Select the "Display warning while sending message if the number of unauthorized recipient email domain(s) is" option if you want to display a warning message to users that attempt to send a message to the number of unauthorized domains specified in the drop-down list. Select the "Display warning for received messages if the sender's email domain is unauthorized" option if you want to display a warning to users when they receive messages from senders that are not listed in the Authorized email domains list. If you select either of the options above, specify a list of authorized email domains. Use a comma separated list, with no spaces, to specify authorized email domains. You can edit the sample text displayed in the warning message field.
External Email Marking	If you select this option, the subject lines of email messages sent outside of the user's domain are prepended with the text specified in the Text to prepend field.
Avatar Photos	If you select this option, contact photographs are displayed in BlackBerry Work . If this option is not selected, the user's initials are displayed instead of a photograph.
Presence Service	If you select this option, users can see the online status of their Microsoft Lync contacts.
Email Search	If you select this option, users can search email messages on the server.
Diagnostics	If you select this option, users can perform app diagnostics from the BlackBerry Dynamics Launcher on their devices.
BlackBerry Gatekeeping Service	If you select this option, unauthorized devices are prevented from using Exchange ActiveSync unless they are explicitly added to the allowed list using the BlackBerry Gatekeeping Service . To use the BlackBerry Gatekeeping Service , you must create a gatekeeping configuration for the Microsoft Exchange Server or Microsoft Office 365 and assign an email profile to users that has the automatic gatekeeping server selected. For details on how to configure the BlackBerry Gatekeeping Service , see Controlling which devices can access Exchange ActiveSync.

Notifications tab	Description
Select level of detail in Email notifications	Select the level of detail that users see in email notifications.
Select level of detail in Calendar notifications	Select the level of detail that users see in calendar notifications. Select the Show only generic notifications when app is locked (Android only) option to show only generic information in notifications if the app is locked. Select the Show notifications on connected wearable devices ( Android Wear only) option to display notifications on Android Wear devices. Select the Show Work Calendar lock-screen widget ( iOS only) options to allow the work calendar widget to be accessed from the lock screen of iOS 10 and later devices.
Additional options for notifications on Android Wear devices	Select whether there are additional notifications for Android Wear devices. When using a device outside of a controlled wireless network, wearables require higher communications security with respect to encryption, information integrity, and non-repudiation. Since wearable computers are quite small, most do not come equipped with higher security features and any data that is sent and received is vulnerable. Consequently, BlackBerry Work 's support for wearables is confined to notifications and reminders.
iOS App Icon Badge	Select this option to allow users to choose between displaying a badge count for unread and new email messages as their default badge count on the app icon. If this option is not selected, the app icon badge will reflect the number of new email messages that were received since the user last closed the app, and the user cannot select “Unread Mails” as a badge count preference.

S/MIME tab	Description
Enhanced Security	Select the Periodically require PIN entry to access SMIME capabilities option if you want users to be required to periodically enter a PIN to use S/MIME.
Sending	In the Default signing algorithm drop-down list, select the algorithm to use for signing sent messages. In the Default encryption algorithm, select the encryption algorithm to use. Select whether emails must be signed and encrypted.
Receiving	In the Automatically download the body of S/MIME emails drop-down list, select how the body of S/MIME email messages is downloaded. Wi-Fi is supported on Android devices only. If you select this option, iOS devices are set to "Never." Select the Perform name checking (verify email address in certificate matches user's account) option to perform name checking. Name checking verifies that the email address in the certificate matches user's account.
Certificate Management	Specify when to clear the public certificate cache.
Revocation Checking when the OCSP server is available	Select the Enable revocation checking option to enable revocation checks and specify the depth of certificate checking. Select the Use AIA extension in certificate if present option to use the AIA extension in certificates if present. In the Default OCSP URL field, specify the default OCSP URL to use if the AIA extension cannot be used or it is not present in a certificate.

Address Book tab	Description
Address Book Sync	Select the Allow syncing BlackBerry Contacts to device option to synchronize contacts to devices and choose the fields that are synchronized. In the Maximum length for notes field field, specify the maximum length for the notes field. Select the Even if iCloud is enabled, allow syncing BlackBerry Contacts to device option to allow synchronization to occur when iCloud is enabled.
Caller ID	Select the Allow device to use BlackBerry Contacts option if you want to allow BlackBerry Work to access the user's BlackBerry Work contact list to display contact name for incoming and outgoing phone calls.
GAL Search	Specify the maximum number of results to display when searching the global address list (GAL).
Recipients	Specify whether caching is enabled. When caching is enabled, the cache is used to offer autocomplete suggestions for recipients during email composition.

Interoperability	Description
Camera and Device Photo Gallery permissions	Specify whether to allow access to the device camera, the photo gallery, or both.
Voice	Specify whether to allow users to use the native phone app on a device or VOIP apps.
SMS	Specify whether to allow users to initiate their native SMS apps by tapping the SMS icon or whether they must use BlackBerry Dynamics SMS apps.
Misc	Specify whether to allow access to the user's native browser or native map app.
Launch 3rd Party App ( iOS only)	Specify whether to enable two-factor authentication integration with a third-party RSA SecurID app using a CTF token seed. Note: BlackBerry Work supports CTF-based and file-based provisioning using BlackBerry Access , as well as CTF-based provisioning using a native RSA SecurID app. For more information about configuring RSA soft-token authentication and provisioning the token seed record your organization sends to users, see the BlackBerry Access Administration Guide.
Launch 3rd Party App Universal link ( iOS only, BETA)	Universal links allow iOS users to be automatically redirected to an installed app without going through Safari when they click links in a website. If the app isn’t installed on the device, the link opens the website in Safari . You can specify a list of universal links that users can open from BlackBerry Work for iOS . If you add a universal link to this list, the link will redirect to the appropriate app if it is installed on a user's device. If a user clicks on a universal link that is not added to this list, the link will not be redirected to an app and will open in Safari , even if the app is installed on a user's device. To add multiple URLs, insert a carriage return between each URL that you want to add.
Allow 3rd Party App to Send Mail	Specify whether email messages can be sent using mailto:/gmmmailto:/gwmailto
File Transfer Privileges	Specify whether to allow the transfer of files to third-party native apps on the user's device. You can allow and disallow specific apps by app ID.
Skype for Business	If you are currently using Skype for Business 2015 or later in your environment, you can allow users to add meetings and join meetings directly from their calendars. Select the Allow to create Skype For Business meetings in calendar option to allow users to add Skype for Business meetings to their calendars. Select the Allow launching into Skype for Business app on mobile option to allow users to make voice and video calls and to be able to join Skype for Business meetings directly from a calendar invitation. The meeting is automatically opened in the Skype for Business client and users must have the Skype for Business client installed on their devices. In the Domain of Skype for Business meeting link field, enter the fully qualified domain name of the Skype for Business meeting links to allow internal users to use the Join meeting button in event details. By entering this domain name, BlackBerry Work knows which domain to use if links are created by users in a different domain in Microsoft Outlook or the Outlook Web App.

Docs and Attachments tab	Description
Docs Repository	Specify whether to enable a file repository on the device, local or server docs repositories, and Box , and whether to force users to save pending uploads. Note: By default users are alerted about any pending uploads every 24 hours. If Forced Pending Uploads Policy is selected, users are blocked from taking any document related actions in BlackBerry Work until all files are successfully uploaded to the server.
Sending Attachments	Specify whether to allow outgoing attachments and specify the maximum size and the file extensions that are allowed or disallowed.
Receiving/Opening Attachments	Specify whether to allow incoming attachments and specify a maximum size and the file extensions that are allowed or disallowed.

Classification tab	Description
Email classification	Specify whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. To edit the XML classes, select and delete the code that you want to remove. For more information on classifications, including an example, see Email classifications . After you have enabled email classifications, you can select the Require all emails to have Email Classification option to force all email messages to include a classification setting.

Classification tab

Description

Email classification

Specify whether to enable email classification markings, such as INTERNAL, CONFIDENTIAL, NO FORWARD, and/or NO REPLY. To edit the XML classes, select and delete the code that you want to remove. For more information on classifications, including an example, see Email classifications .

After you have enabled email classifications, you can select the Require all emails to have Email Classification option to force all email messages to include a classification setting.

Basic Configuration tab	Description
Security Settings	Select Disable SSL Certificate Checking to disable SSL certificate verification for ActiveSync / Microsoft Exchange Web Services in test and POC environments. Select Expect Kerberos Constrained Delegation and supress username/password entry for Exchange to specify whether Kerberos Constrained Delegation will be used for logging in to Microsoft Exchange . If this option is not selected, NTLM/Basic authentication will be used. Select Clients must have individual login certificates (SSL) uploaded in the GC to specify whether clients must have individual login certificates (SSL) uploaded to the BlackBerry UEM management console. These certificates are used for login instead of basic credentials (username/password).
Enterprise Server Settings	In the Server List Reshuffle Period (minutes) field, specify the frequency that the server list, if present, is reshuffled for load balancing purposes. In the Server List Quarantine Period (minutes) field, specify how long BlackBerry Work waits before retrying if BlackBerry UEM is not working.
Client Settings	In the Sync Email Body Size (Kb) field, specify the size, in KB, of the partial message body downloaded from the server if the user selects the option to download partial message content. Select the Use BEMS to perform AutoDiscover of the EAS/EWS endpoint for the user option to specify that the client will use the BlackBerry Server Autodiscover service to determine the EAS/EWS endpoint for the user. Select the Create and consume rights-managed email messages option to specify that IRM must be enabled for user mailboxes on Microsoft Exchange .
Other Settings	In the Send Feedback Email Address field, specify the email address where client feedback email messages are sent. Add multiple comma delimited recipients as needed. In the Report Phishing Email Address field, specify whether users can report emails as phishing. The reported emails are forwarded to the email address provided in this field then moved to Trash folder.
Account Setup	When Skip Email Short Form Setup\|Active Directory is selected, users must input their Microsoft Active Directory usernames, passwords, and domains during device activation.
ActiveSync and Auto Discover Authentication Methods ( iOS Only)	Specify the authentication methods to use. If only certain authentication methods are supported from Microsoft Exchange , set those values to minimize the user setup time. (For example, if Auto Discover and ActiveSync IIS Auth Settings are set to allow only NTLM and Basic, then de-select Negotiate in above app setting.) If none are selected, the default Microsoft Exchange setting is used. If using client-based authentication, check none of the options.
Exchange Web Services Authentication Methods ( iOS Only)	Specify the authentication methods to use. If only certain authentication methods are supported from Microsoft Exchange , set those values to minimize the user setup time. (For example, if EWS IIS Auth Setting is set to allow only NTLM, then select only NTLM above for an optimal setup experience.) If none are selected above, the default Microsoft Exchange setting is used. If using client-based authentication, check none of the options.
Exchange Web Services Settings	Specify the Microsoft Exchange Web Services URL endpoint (for example, https://mydomain.com/EWS/Exchange.asmx).
Exchange ActiveSync Settings	In the Default Domain field, specify the Windows NT Domain to try automatically when logging in. If your server uses newer UPN (email@host.com) style login instead of the older (domain\user) style login, this field should be left blank. In the ActiveSync Server field, specify the default Microsoft Exchange Server to connect to (for example, cas.mydomain.com). In the Autodiscover URL field, specify the auto discover URL if known. This speeds up the auto discover setup process (for example, https://autodiscover.mydomain.com). In the Autodiscover Connection Timeout in Seconds (iOS only) field, specify the timeout setting for iOS devices.
Advanced Settings	Specify additional configuration parameters in this text area. Contact BlackBerry Support for more details.

Advanced Settings tab	Description
ActiveSync User Name Formats ( iOS Only)	Select the username formats that can be used to authenticate with your Exchange ActiveSync server. To simplify user setup time, select only the username formats that are supported by your Exchange ActiveSync server. If you do not select an option, all options are allowed.
Exchange Web Services User Name Formats ( iOS Only)	Select the username formats that can be used to authenticate with Microsoft Exchange Web Services . To simplify user setup, select only the username formats that are supported by Microsoft Exchange Web Services . If you do not select an option, all options are allowed.
Exchange TLS Certificate Settings	Specify the user credential profile that contains the TLS certificate to be used to connect to Microsoft Exchange . The name of the profile that you specify here must match the name of the user credential profile that was created in the BlackBerry UEM management console. For more information on user credential profiles, see Using user credential profiles to send certificates to devices.
Email Sync Window	Specify the number of days in the past to synchronize email messages to devices. If the setting on a device allows for more days than the server setting, the server setting is used and email messages that are older than the server setting are removed from the device. If the setting on the device allows fewer days than the server setting, the setting on the device remains the same. The user can change the setting on the device to fewer days than the server setting.
Exchange ActiveSync 16.0 Protocol (Moved to the Deprecated tab)	If supported by your Microsoft Exchange server, specify whether to use Exchange ActiveSync version 16 for synchronization between Microsoft Exchange and BlackBerry Work version 2.14 or earlier. This setting must be enabled if you want to allow users to be able to synchronize their Drafts folder to BlackBerry Work version 2.14 or earlier. For more information on how to synchronize the Drafts folder, see KB50339 Synchronizing draft messages in BlackBerry Work . This policy does not apply to BlackBerry Work version 2.15 or later as this version will automatically upgrade to Exchange ActiveSync version 16 if supported by your organization's Microsoft Exchange server. After upgrading to BlackBerry Work version 2.15, users will see a message that tells them that BlackBerry Work must resynchronize with their Microsoft Exchange server. Documents stored in Local Docs and user preferences are retained and are not impacted. After the resynchronization completes, users will be able to synchronize their Drafts folder to BlackBerry Work .
Shared Mailboxes	Select the Enable access to Shared Mailboxes option if you want to allow users to add a shared mailbox that they are a delegate for in BlackBerry Work . If this option is disabled after shared mailboxes have been added, existing shared mailboxes are removed, and they are not restored if the setting is enabled again. Also, if a user attempts to add a shared mailbox when this option is disabled, they will not be able to add the mailbox and will see a message in the BlackBerry Work app stating that they must contact their administrator. For users to be able to receive notifications for shared mailboxes, BEMS 2.10 or later is required.
Office 365 Settings	Select the Use Office 365 Settings option to configure options for Microsoft Office 365 . If selected, specify the following: Select the Use Office 365 Modern Authentication option to use modern authentication instead of basic authentication. Modern authentication enables BlackBerry Work to use sign-in features such as Multi-Factor Authentication, SAML-based third-party Identity Providers, and smart card and certificate-based authentication. In the Azure App ID field, specify the Microsoft Azure app ID for BlackBerry Work . For information on how obtain an Azure ID, see Obtain an Azure app ID for BlackBerry Work. In the Office 365 Sign On URL field, specify the web address that BlackBerry Work should use when signing in to Office 365 . If you do not specify a value, BlackBerry Work will use https://login.microsoftonline.com during setup. In the Office 365 Tenant ID field, specify the tenant ID of Office 365 server that you want BlackBerry Work to connect to during setup. If you do not specify a value, a value of "common" is used. In the Office 365 Resource field, specify the URL of the Microsoft Exchange Online server. In the Redirect URI field, specify the URI that you entered in the Microsoft Azure portal. Select the Proxy Office 365 Modern Authentication requests ( Android only) setting to force all Office 365 Modern Authentication requests to go through the BlackBerry Proxy instead of connecting directly to the Internet.

Performance Reporting tab	Description
Enable Performance Reporting	Specify whether to monitor performance of the BlackBerry Work app.
HTTP Connection Error	Specify whether to report HTTP connection errors between BlackBerry Work and the specified application servers.
HTTP Response Time	Specify whether to report HTTP responses that are taking longer than the specified time. Enter the application server addresses to monitor.
HTTP Status Code	Specify whether to report a specified HTTP status code. Enter the application server addresses to monitor.
Don't send reports for duration (in seconds)	Specify the amount of time to wait before sending another report.

Section:

Configure BlackBerry Work app settings

Obtain an Azure app ID for BlackBerry Work

BlackBerry Work app configuration settings

BlackBerry Work
app configuration settings