BlackBerry 10: VPN profile settings

BlackBerry 10: VPN profile setting
Description
Enable VPN on demand
This setting specifies whether VPN on demand is enabled for this VPN profile. When this setting is selected, you specify the apps that use this VPN profile. Only the apps that are specified in this profile are allowed to use this profile.
To use VPN on demand, make sure that the specified apps are developed to use VPN on demand, the apps are assigned to the BlackBerry 10 device users, and this VPN profile is assigned to the device users.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Server address
This setting specifies the FQDN or IP address of a VPN server.
Gateway type
This setting specifies the type of VPN client that the VPN client on a BlackBerry 10 device emulates.
Possible values:
  • Check Point VPN-1
  • Cisco VPN 3000 Series Concentrator
  • Cisco Secure PIX Firewall
  • Cisco IOS Easy VPN
  • Cisco ASA Series
  • Cisco AnyConnect
  • Juniper SRX Series (IPsec VPN)
  • Juniper MAG Series or Juniper SA Series (SSL VPN)
  • Microsoft IKEv2 VPN server
  • Generic IKEv2 VPN server
  • NIAP-compliant IKEv2 VPN server
The default value is "Check Point VPN-1."
Authentication type
This setting specifies the authentication type for the VPN gateway.
The "Gateway type" setting determines which authentication types are supported and the default value for this setting.
Possible values:
  • PSK
  • PKI
  • XAUTH-PSK
  • XAUTH-PKI
  • EAP-TLS
  • EAP-MS-CHAPv2
Preshared key or Group password
This setting specifies the preshared key or group password for the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "PSK" or "XAUTH-PSK."
Username
This setting specifies the username that a BlackBerry 10 device uses to authenticate with the VPN gateway. If the profile is for multiple users, you can use the %UserName% variable.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect" or if the "Authentication type" setting is set to "XAUTH-PSK" or "XAUTH-PKI."
Hardware token
This setting specifies whether a user must use a hardware token to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "XAUTH-PSK" or "XAUTH-PKI."
Password
This setting specifies the password that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect" or if the "Authentication type" setting is set to "XAUTH-PSK" or "XAUTH-PKI" and the "Hardware token" setting is not selected.
EAP identity
This setting specifies the EAP identity that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "EAP-TLS."
EAP-TLS Gateway ID
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Authentication type" is set to "EAP-TLS."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
MS-CHAPv2 EAP identity
This setting specifies the MS-CHAPv2 EAP identity that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "EAP-MS-CHAPv2."
MS-CHAPv2 username
This setting specifies the MS-CHAPv2 username that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "EAP-MS-CHAPv2."
MS-CHAPv2 password
This setting specifies the MS-CHAPv2 password that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "EAP-MS-CHAPv2."
Authentication ID type
This setting specifies the authentication ID type for the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Juniper MAG Series or Juniper SA Series (SSL VPN)," "Microsoft IKEv2 VPN server," "Generic IKEv2 VPN server," or "NIAP-compliant IKEv2 VPN server."
The "Gateway type" setting determines which authentication ID types are supported and the default value for this setting.
Possible values:
  • IPv4
  • Fully qualified domain name
  • Email address
  • Identity certificate distinguished name
  • Identity certificate general name
  • Key ID
Authentication ID or Group username
This setting specifies the authentication ID or group username for the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Juniper MAG Series or Juniper SA Series (SSL VPN)," "Microsoft IKEv2 VPN server," or "Generic IKEv2 VPN server," or if the "Authentication type" setting is set to "PSK" or "XAUTH-PSK."
Gateway authentication type
This setting specifies the gateway authentication type for the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Juniper MAG Series or Juniper SA Series (SSL VPN)," "Microsoft IKEv2 VPN server," or "Generic IKEv2 VPN server."
Possible values:
  • None
  • PSK
  • PKI
The default value is "None."
Enable OCSP/CRL check on the certificates from the VPN
This setting enables certificate revocation checking for the certificates used during authentication.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Authentication type" setting is set to "PKI" or "EAP-TLS."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Gateway preshared key
This setting specifies the gateway preshared key for the VPN gateway.
This setting is valid only if the "Gateway authentication type" setting is set to "PSK."
Gateway authentication ID type
This setting specifies the gateway authentication ID type for the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Juniper MAG Series or Juniper SA Series (SSL VPN)," "Microsoft IKEv2 VPN server," or "Generic IKEv2 VPN server."
Possible values:
  • IPv4
  • Fully qualified domain name
  • Email address
  • Identity certificate distinguished name
  • Identity certificate general name
  • Key ID
The default value is "IPv4."
Gateway authentication ID
This setting specifies the gateway authentication ID for the VPN gateway.
This setting is valid only if the "Gateway authentication ID type" setting is set to "Fully qualified domain name" or "Email address."
Send additional Gateway request ID in message 1 of IKEv2 protocol
The default value is disabled.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Requested gateway ID type
This setting specifies the requested gateway ID type for the VPN.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Send requested gateway ID in message 1 of IKEv2 protocol" setting is selected.
Possible values:
  • IPv4
  • Fully qualified domain name
  • Email address
  • Identity certificate distinguished name
  • Identity certificate general name
  • Key ID
The default value is "IPv4."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Requested gateway ID
This setting requests a specific gateway ID in the first IKE message during login, if the VPN server supports multiple IDs. The requested gateway ID may be different from the gateway ID used for authentication.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Send requested gateway ID in message 1 of IKEv2 protocol" setting is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Secondary username
This setting specifies the username that a BlackBerry 10 device uses for secondary authentication with the VPN gateway. If the profile is for multiple users, you can use the %UserName% variable.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Secondary password
This setting specifies the password that a BlackBerry 10 device uses for secondary authentication with the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Group name
This setting specifies the group name for the VPN gateway.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Enable automatic client certificate processing
This setting specifies whether a client certificate is automatically selected when a VPN connection is made.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Enable IPsec authentication
This setting specifies whether the VPN gateway uses IPsec authentication.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
IPsec authentication type
This setting specifies the authentication type for an IPsec VPN connection.
This setting is valid only if the "Enable IPsec authentication" setting is selected.
Possible values:
  • EAP-MS-CHAPv2
  • EAP-MD5
  • EAP-GTC
  • EAP-AnyConnect
  • IKE-RSA
The default value is "EAP-MS-CHAPv2."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
EAP authentication ID
This setting specifies the EAP identity that a BlackBerry 10 device uses to authenticate with the VPN gateway.
This setting is valid only if the "IPsec authentication type" setting is set to "EAP-MS-CHAPv2," "EAP-MD5," or "EAP-GTC."
Exclude subnets
This setting specifies whether to exclude specified subnets from using the VPN connection.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Exclusion subnets
This setting specifies the subnets and subnet masks that are not sent through the VPN connection.
This setting is valid only if the "Exclude subnets flag" setting is selected.
Cisco AnyConnect configuration file (.xml)
This setting specifies the location of the Cisco AnyConnect configuration file to send to BlackBerry 10 devices.
This setting is valid only if the "Gateway type" setting is set to "Cisco AnyConnect."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Allow personal apps on work networks
This setting specifies whether personal apps on a BlackBerry 10 device can use the VPN connection.
This setting is valid only if the "Allow personal apps to use work networks" IT policy rule is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Untrusted certificate action
This setting specifies whether a BlackBerry 10 device accepts untrusted certificates. If this setting is set to "Allow," the device accepts untrusted certificates automatically. If this setting is set to "Prompt," the user can choose whether to accept untrusted certificates. If this setting is set to "Disallow," the device does not accept untrusted certificates.
The "Gateway type" setting determines which untrusted certificate actions are supported and the default value for this setting.
Possible values:
  • Allow
  • Prompt
  • Disallow
The minimum requirement is BlackBerry 10 OS version 10.3.2.
Client certificate source
This setting specifies how BlackBerry 10 devices can obtain the client certificate. There are four options for devices to obtain client certificates:
  • If you choose "Smart card," the user must pair the device with a smart card that includes the client certificate.
  • If you choose "SCEP," you must also specify the associated SCEP profile that the device can use to download the client certificate.
  • If you choose "User credential," you must also specify the user credential profile that the device can use to download the client certificate.
  • If you choose "Other," the user must add the client certificate to the device manually.
Smart card support is available for devices that are running BlackBerry 10 OS version 10.3.1 and later.
This setting is valid only if the "Authentication type" setting is set to "PKI" or "XAUTH-PKI."
Possible values:
  • Smart card
  • SCEP
  • User credential
  • Other
The default value is "Other."
Associated SCEP profile
This setting specifies the associated SCEP profile that a BlackBerry 10 device uses to obtain a client certificate to authenticate with the VPN.
This setting is valid only if the "Client certificate source" setting is set to "SCEP."
Associated user credential profile
This setting specifies the associated user credential profile that a BlackBerry 10 device uses to obtain a client certificate to use for authentication with the VPN.
This setting is valid only if the "Client certificate source" setting is set to "User credential."
The minimum requirement for using a user credential profile is BlackBerry 10 OS version 10.3.1.
IKE lifetime
This setting specifies the lifetime, in seconds, of the IKE connection. If you set an unsupported value or a null value, the BlackBerry 10 device default value is used.
The possible values are from 1 to 2,147,483,647.
IKE threshold
This setting specifies the percentage of the IKE lifetime at which the VPN client will initiate a new key exchange.
Possible values: 0-100%
The default value is "90".
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
IPsec lifetime
This setting specifies the lifetime, in seconds, of the IPsec connection. If you set an unsupported value or a null value, the BlackBerry 10 device default value is used.
The possible values are from 1 to 2,147,483,647.
IPsec threshold
This setting specifies the percentage of the IPsec threshold at which the VPN client will initiate a new key exchange.
Possible values: 0-100%
The default value is "90".
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Allow VPN extensions
This setting allows you to enable or disable extensions.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
VPN Extensions list
This setting allows you to enter a list of extensions that are used to generate Vendor ID payloads and perform additional certificate validation.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Allow VPN extensions" setting is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Require vendor ID extension
This setting indicates that the administrator wants to use one of the extensions in the VPN extension list to generate a Vendor ID payload during the login.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Allow VPN extensions" setting is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Require certificate validation extension
This setting indicates that the administrator wants to use one of the extensions to perform additional certificate validation.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Allow VPN extensions" setting is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Enable session resumption
This setting enables IKEv2 session resumption settings. If the VPN server supports this feature, the VPN client will suspend and resume a session instead of completely disconnecting and reconnecting whenever VPN auto-connect is enabled.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Ticket threshold
This setting specifies at what percentage of the ticket threshold session resumption will occur.
Possible values: 0-100%
The default value is "90".
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server" and the "Enable session resumption" setting is selected.
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Enable hash-and-URL format certificate payloads during IKE
This setting specifies whether the VPN client advertises to the VPN server that it supports using IKEv2 to exchange certificates using URLs and fetches certificates, if available, from a provided HTTP URL.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Enable strict enforcement of approved algorithms
This setting specifies whether the use of NIAP-approved algorithms is strictly enforced.
This setting is valid only if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
The minimum requirement is BlackBerry 10 OS version 10.3.3.
Split tunneling
This setting specifies whether a BlackBerry 10 device can use split tunneling to bypass the VPN gateway, if the VPN gateway supports it.
This setting is not valid if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
Disable banner
This setting specifies whether a BlackBerry 10 device blocks the VPN banner.
This setting is not valid if the "Gateway type" setting is set to "NIAP-compliant IKEv2 VPN server."
Trusted certificate source
This setting specifies the source of the trusted certificate. If this setting is set to "Trusted certificate store," a BlackBerry 10 device can connect to a VPN that uses any certificate in the VPN certificate store.
This setting is valid only if the "Authentication type" setting is set to "PKI" or "XAUTH-PKI."
Possible values:
  • None
  • Trusted certificate store
The default value is "None."
Automatically determine IP
This setting specifies whether a BlackBerry 10 device automatically determines the IP configuration of the VPN gateway.
Private IP
This setting specifies the private IP of the VPN gateway.
This setting is valid only if the "Automatically determine IP" setting is not selected.
Private IP mask
This setting specifies the private IP mask of the VPN gateway.
This setting is valid only if the "Automatically determine IP" setting is not selected.
Subnet
This setting specifies the subnet of the VPN gateway.
This setting is valid only if the "Automatically determine IP" setting is not selected.
Subnet mask
This setting specifies the subnet mask of the VPN gateway.
This setting is valid only if the "Automatically determine IP" setting is not selected.
Automatically determine DNS
This setting specifies whether a BlackBerry 10 device automatically determines the DNS configuration of the VPN gateway.
Primary DNS
This setting specifies the primary DNS server in dot-decimal notation (for example, 192.0.2.0).
This setting is valid only if the "Automatically determine DNS" setting is not selected.
Secondary DNS
This setting specifies the secondary DNS server in dot-decimal notation (for example, 192.0.2.0).
This setting is valid only if the "Automatically determine DNS" setting is not selected.
Domain suffix
This setting specifies the FQDN of the DNS suffix.
This setting is valid only if the "Automatically determine DNS" setting is not selected.
Perfect forward secrecy
This setting specifies whether the VPN gateway supports PFS.
If this setting is selected, the "IPsec DH group" setting must not be set to 0.
Manual algorithm selection
This setting specifies whether you must set the cryptographic algorithms for the VPN gateway.
IKE DH group
This setting specifies the DH group that a BlackBerry 10 device uses to generate key material.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • 1 to 26, except 3, 4, and 6
  • Custom 1 to Custom 5
The default value is "1."
Custom IKE DH provider
This setting specifies the name of the provider for custom IKE DH.
This setting is valid only if the "IKE DH group" setting is set to one of the Custom values.
Enable MOBIKE
This setting specifies whether the VPN gateway supports MOBIKE.
This setting is valid only if the "Gateway type" setting is set to "Microsoft IKEv2 VPN server" or "Generic IKEv2 VPN server," the "Authentication type" setting is set to "PKI," and the "IKE DH group" setting is set to one of the Custom values.
The minimum requirement is BlackBerry 10 OS version 10.3.1.
IKE cipher
This setting specifies the algorithm that a BlackBerry 10 device uses to generate a shared secret key.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • None
  • DES (56-bit key)
  • Triple DES (168-bit key)
  • AES (128-bit key)
  • AES (192-bit key)
  • AES (256-bit key)
The default value is "None."
IKE hash
This setting specifies the hash function that a BlackBerry 10 device uses with IKE.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • None
  • MD5
  • AES-XCBC
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512
The default value is "None."
IKE PRF
This setting specifies the PRF that a BlackBerry 10 device uses with IKE.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • None
  • HMAC
  • HMAC-MD5
  • AES-XCBC
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
The default value is "None."
IPsec DH group
This setting specifies the DH group that a BlackBerry 10 device uses with IPsec.
This setting is valid only if the "Manual algorithm selection" setting is selected.
The possible values are from 0 to 26, except 3, 4, and 6.
The default value is "0."
IPsec cipher
This setting specifies the algorithm that a BlackBerry 10 device uses with IPsec.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • None
  • DES (56-bit key)
  • Triple DES (168-bit key)
  • AES (128-bit key)
  • AES (192-bit key)
  • AES (256-bit key)
The default value is "None."
IPsec hash
This setting specifies the hash function that a BlackBerry 10 device uses with IPsec.
This setting is valid only if the "Manual algorithm selection" setting is selected.
Possible values:
  • None
  • MD5
  • AES-XCBC
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512
The default value is "None."
NAT keepalive
This setting specifies how often a device sends a NAT keepalive packet. If you set an unsupported value or a null value, the BlackBerry 10 device default value is used.
The possible values are from 1 to 2,147,483,647.
DPD frequency
This setting specifies the DPD frequency, in seconds. A BlackBerry 10 device supports a minimum setting of 10 seconds. If you set an unsupported value or a null value, the device default value is used.
The possible values are from 1 to 2,147,483,647.
User can edit
This setting specifies the VPN settings that a BlackBerry 10 device user can change. If this setting is set to "Read only," the user can't change any settings. If this setting is set to "Credentials only," the user can change the username and password.
Possible values:
  • Read only
  • Credentials only
The default value is "Read only."
Display VPN information on device
This setting specifies whether VPN information is displayed on a BlackBerry 10 device. If this setting is set to "Visible," most of the VPN profile information appears on the device. If this setting is set to "Invisible," only the profile name appears on the device. If this setting is set to "Credentials only," the profile name and the credential fields appear on the device.
Possible values:
  • Visible
  • Invisible
  • Credentials only
The default value is "Visible."
Data security level
This setting specifies the domain in the work space where the VPN profile is stored when the work space uses advanced data at rest protection. This setting is valid only if the "Force advanced data at rest protection" IT policy rule is selected. If this setting is set to "Always available," the profile is stored in the Startup domain and is available when the work space is locked. If this setting is set to "Available after authentication," the profile is stored in the Operational domain and is available after the work space is unlocked once until the device restarts. If this setting is set to "Available only when work space unlocked," the profile is stored in the Lock domain and can be used for VPN connections only when the work space is unlocked.
Possible values:
  • Always available
  • Available after authentication
  • Available only when work space unlocked
The default value is "Always available."
The minimum requirement is BlackBerry 10 OS version 10.3.1.
Associated proxy profile
This setting specifies the associated proxy profile that a BlackBerry 10 device uses to connect to a proxy server when the device is connected to the VPN.
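
The value ranges and dependencies listed above for the algorithm, lifetime, threshold, DPD and untrusted-certificate settings can be checked before a profile is assigned. The following linter is an added example, not BlackBerry code; the dictionary key names are hypothetical (the page defines no export format), and the "advisory" findings for DES and MD5 are the example's own judgement rather than rules from the table.

```python
MAX_INT = 2_147_483_647
DH_EXCLUDED = {3, 4, 6}
IKE_DH = (set(range(1, 27)) - DH_EXCLUDED) | {f"Custom {n}" for n in range(1, 6)}
IPSEC_DH = set(range(0, 27)) - DH_EXCLUDED
CIPHERS = {"None", "DES (56-bit key)", "Triple DES (168-bit key)",
           "AES (128-bit key)", "AES (192-bit key)", "AES (256-bit key)"}
HASHES = {"None", "MD5", "AES-XCBC", "SHA-1", "SHA-256", "SHA-384", "SHA-512"}
PRFS = {"None", "HMAC", "HMAC-MD5", "AES-XCBC", "HMAC-SHA-1",
        "HMAC-SHA-256", "HMAC-SHA-384", "HMAC-SHA-512"}
# Settings the table marks valid only with "Manual algorithm selection".
# Key names are hypothetical stand-ins for the setting names.
ALGORITHM_SETTINGS = {
    "ike_dh_group": IKE_DH, "ike_cipher": CIPHERS, "ike_hash": HASHES,
    "ike_prf": PRFS, "ipsec_dh_group": IPSEC_DH, "ipsec_cipher": CIPHERS,
    "ipsec_hash": HASHES,
}
TIMERS = ("ike_lifetime", "ipsec_lifetime", "nat_keepalive", "dpd_frequency")
THRESHOLDS = ("ike_threshold", "ipsec_threshold", "ticket_threshold")
# Example's own judgement (not stated in the table): deprecated algorithms.
WEAK = {"DES (56-bit key)", "MD5", "HMAC-MD5"}


def lint_profile(profile):
    """Return a list of (level, setting, message) findings for a profile dict."""
    findings = []
    manual = profile.get("manual_algorithm_selection", False)

    for key, allowed in ALGORITHM_SETTINGS.items():
        if key not in profile:
            continue
        value = profile[key]
        if not manual:
            findings.append(("not-valid", key, 'requires "Manual algorithm selection"'))
        elif value not in allowed:
            findings.append(("invalid", key, f"{value!r} is not a listed value"))
        elif value in WEAK:
            findings.append(("advisory", key, f"{value} is a deprecated algorithm"))

    # "Custom IKE DH provider" is valid only with a Custom IKE DH group.
    ike_dh = profile.get("ike_dh_group", 1)  # table default is "1"
    if "custom_ike_dh_provider" in profile and not str(ike_dh).startswith("Custom"):
        findings.append(("not-valid", "custom_ike_dh_provider",
                         "requires a Custom IKE DH group"))

    # PFS selected: "IPsec DH group" must not be 0 (0 is also the default).
    if profile.get("perfect_forward_secrecy") and manual \
            and profile.get("ipsec_dh_group", 0) == 0:
        findings.append(("invalid", "ipsec_dh_group", "must not be 0 when PFS is selected"))

    for key in TIMERS:
        value = profile.get(key)
        if value is None:
            continue  # null value: the device default is used
        low = 10 if key == "dpd_frequency" else 1  # device minimum for DPD
        if not isinstance(value, int) or not low <= value <= MAX_INT:
            findings.append(("device-default", key,
                             f"{value!r} is unsupported; device default is used"))

    for key in THRESHOLDS:
        value = profile.get(key)
        if value is not None and not 0 <= value <= 100:
            findings.append(("invalid", key, "must be a percentage from 0 to 100"))

    if profile.get("untrusted_certificate_action") == "Allow":
        findings.append(("advisory", "untrusted_certificate_action",
                         "device accepts untrusted certificates automatically"))
    return findings


# Constructed sample profile, not taken from a real deployment.
SAMPLE = {
    "manual_algorithm_selection": True, "perfect_forward_secrecy": True,
    "ike_dh_group": 4, "ike_cipher": "DES (56-bit key)", "ike_hash": "SHA-256",
    "ipsec_dh_group": 0, "ike_lifetime": 86400, "dpd_frequency": 5,
    "ike_threshold": 120, "untrusted_certificate_action": "Allow",
}

if __name__ == "__main__":
    for level, key, message in lint_profile(SAMPLE):
        print(f"{level:15} {key:30} {message}")
```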