Custom Application Control Policies and How to Use Them

For when you need more nuanced control over BlackBerry smartphone apps
IT departments of all sizes are quickly becoming aware of custom application control policies as a way to control applications for BlackBerry® smartphones. Unlike their all-or-nothing IT policy cousins, application control policies offer subtle, case-by-case control over how applications behave.
For any given application, you can, for example, prevent it from accessing the server or from using Bluetooth®, allow limited functionality for some users but not others, or simply disallow the application altogether. The end result is happier employees, a more secure network, and more options for the IT department. In the right hands, application control policies can be used as a force for good, not evil. This article looks at how.
- What are custom application control policies?
- List of application control policy rules
- Application control policies vs. IT policies
- Who wins?
- How to create a custom application control policy
- Next steps
- Resources
What are custom application control policies?
In a nutshell, custom application control policies are a set of rules you create to manage the behavior of software applications downloaded onto BlackBerry smartphones. Use them to control the data and APIs that BlackBerry Java® Applications can access and to control the external data sources and network connections that applications can access. In short, they can control application permissions without blocking the application entirely (although you can do that too).
You create custom application control policies in the BlackBerry® Administration Service found in both BlackBerry® Enterprise Server and BlackBerry® Enterprise Server Express.
To make custom application control policies work, you add application control policy rules, of which there are about 26 in both BlackBerry Enterprise Server and BlackBerry Enterprise Server Express (see below for a list).
Application control policies give tremendous opportunities for case-by-case customization. You can ban an application for some users while allowing it for others. You can assign policies to the applications you push out to users, or assign policies to applications users download on their own. You can allow an application full access to your network, or just part of it.
Example: A sales rep downloads a time-tracking application she finds useful. Your company security policy prohibits third-party apps from accessing the company network. You can create a custom application control policy to allow the sales rep to use the app, but prevent it from accessing the network.
List of application control policy rules
- Are Internal Network Connections Allowed
- Are External Network Connections Allowed
- Are Local Connections Allowed
- Can Device Settings Be Modified
- Can the Security Timer Be Reset
- Disposition
- Is Access to the Browser Filters API Allowed
- Is Access to the Email API Allowed
- Is Access to the Event Injection API Allowed
- Is Access to the File API Allowed
- Is Access to the GPS API Allowed
- Is Access to the Handheld Key Store Allowed
- Is Access to the Interprocess Communication API Allowed
- Is Access to the Phone API Allowed
- Is Access to the Media API Allowed
- Is Access to the Module Management API Allowed
- Is Access to the PIM API Allowed
- Is Access to the Screen, Microphone, and Video Capturing APIs Allowed
- Is Access to the Serial Port Profile for Bluetooth API Allowed
- Is Access to the User Authenticator API Allowed
- Is Access to the Wi-Fi API Allowed
- Is Key Store Medium Security Allowed
- Is Theme Data Allowed
- List of Browser Filter Domains
- List of External Domains
- List of Internal Domains
Application control policies vs. IT policies
We introduced IT policies and how to use them in “Guide to IT Policies for BlackBerry Enterprise Server Express.” IT policies also let you control third-party applications, but they are an all-or-nothing instrument. That is, they are either on or they are off. Sometimes you need more customized control, which you get with custom application control policies.
- Jonathan Cooper, Principal Analyst, BlackBerry Technical Support at Research In Motion
Who wins?
IT policy rule settings override application control policy rule settings. For example, if you change the Allow Internal Connections IT policy rule to No for BlackBerry smartphones, and if these smartphones have an application control policy that allows a specific application to make internal connections, the IT policy prevails and the application cannot make internal connections.
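The precedence rule above can be checked across a deployment before users report that an application "stopped working". The following Python is an added example, not part of the original article or of any BlackBerry tooling; the data layout, policy names, users and applications are constructed, and only the rule pair named above is mapped.

```python
# Added example. The data layout, policy names, users and applications are
# constructed; this is not a BlackBerry Administration Service export format.

# Application control policy rule -> IT policy rule that overrides it.
# Only the pair named in the article is mapped; extend it from the Policy
# Reference Guide for your server version.
OVERRIDING_IT_RULE = {
    "Are Internal Network Connections Allowed": "Allow Internal Connections",
}

IT_POLICIES = {  # constructed
    "Default": {"Allow Internal Connections": "Yes"},
    "Locked down": {"Allow Internal Connections": "No"},
}
APP_CONTROL_POLICIES = {  # constructed; True = allowed
    "CRM client": {"Are Internal Network Connections Allowed": True},
    "Time tracker": {"Are Internal Network Connections Allowed": False,
                     "Are External Network Connections Allowed": False},
}
# user -> (IT policy name, {application: application control policy name})
ASSIGNMENTS = {  # constructed
    "alice": ("Locked down", {"CRM app": "CRM client",
                              "Time tracker app": "Time tracker"}),
    "bob": ("Default", {"CRM app": "CRM client"}),
}

def find_overridden_grants(it_policies, app_policies, assignments):
    """List application control policy grants that the user's IT policy cancels."""
    findings = []
    for user, (it_name, apps) in sorted(assignments.items()):
        it_policy = it_policies[it_name]
        for app, acp_name in sorted(apps.items()):
            for acp_rule, allowed in sorted(app_policies[acp_name].items()):
                it_rule = OVERRIDING_IT_RULE.get(acp_rule)
                # Flag only the documented case: the application control
                # policy allows, but the IT policy rule is set to No.
                if it_rule and allowed and it_policy.get(it_rule) == "No":
                    findings.append((user, app, acp_rule, it_rule))
    return findings

if __name__ == "__main__":
    for user, app, acp_rule, it_rule in find_overridden_grants(
            IT_POLICIES, APP_CONTROL_POLICIES, ASSIGNMENTS):
        print(f"{user}: '{acp_rule}' granted to {app} has no effect; "
              f"IT policy rule '{it_rule}' is No")
```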
How to create a custom application control policy
How you create a custom application control policy depends upon whether the application is a listed or unlisted application.
LISTED APPLICATIONS: These are applications you list in the repository. They are typically applications you want all BlackBerry smartphones to have, applications you want to disallow, or applications you want to make optional for users to install.
To create a custom application control policy for a listed application:
- In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications.
- Click Manage applications.
- Search for the BlackBerry Java Application for which you wish to make the policy.
- In the search results, click the BlackBerry Java Application.
- In the Application versions section, click the version of the application that you want to create a custom application control policy for.
- Click Edit application.
- On the Application control policies tab, in the Settings section, select the Use custom application control policies option.
- Perform any of the following tasks:
  Task: Create an application control policy for required BlackBerry Java Applications.
  Steps:
    a. In the Required application name field, type a name for the application control policy.
    b. In the Settings section, configure the settings for the application control policy.
    c. Click the Add icon.
    d. Repeat steps a to c for each application control policy that you want to create.
  Task: Create an application control policy for optional BlackBerry Java Applications.
  Steps:
    a. In the Optional application name field, type a name for the application control policy.
    b. In the Settings section, configure the settings for the application control policy.
    c. Click the Add icon.
    d. Repeat steps a to c for each application control policy that you want to create.
  Task: Create an application control policy for BlackBerry Java Applications that are not permitted.
  Steps:
    a. In the Disallowed application name field, type a name for the application control policy.
    b. Click the Add icon.
- If necessary, in each section, click the up and down arrows to set the priority for the application control policies.
- Click Save all.
Example: The VP of marketing wants to give his team external Bluetooth keyboards to make typing emails faster. However, the Event Injector API is disabled by the default application control policy, preventing the keyboards from working. To fix the situation, you would create an application control policy that sets the Is Access to the Event Injection API Allowed application control policy rule to TRUE.
UNLISTED APPLICATIONS: These are third-party applications that your users can download and install on their own. To create a custom application control policy for unlisted applications:
- In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
- Click Create an application control policy for unlisted applications.
- In the Application control policy information section, in the Name field, type a name for the application control policy for unlisted applications.
- Click Save.
- On the BlackBerry solution management menu, click Manage application control policies for unlisted applications.
- Click the application control policy that you created.
- Click Edit application control policy.
- On the Access settings tab, in the Settings section, configure the settings for the application control policy.
- Click Save all.
Next steps
After you create your custom application control policy you need to:
- Create software configurations within the BlackBerry Administration Service
- Assign software configurations to users
For instructions, see Creating software configurations in the BlackBerry Enterprise Server Administration Guide.
Resources
BlackBerry Enterprise Server
- BlackBerry Enterprise Server Policy Reference Guide
- BlackBerry Enterprise Server Administration Guide
BlackBerry Enterprise Server Express
- BlackBerry Enterprise Server Express Policy Reference Guide
- BlackBerry Enterprise Server Express Administration Guide
