BlackBerry Connection > IT Edition > Custom Application Control Policies and How to Use Them

Custom Application Control Policies and How to Use Them

Custom Application Control Policies and How to Use Them

For when you need more nuanced control over BlackBerry smartphone apps

IT departments of all sizes are quickly becoming aware of custom application control policies as a way to control applications for BlackBerry® smartphones. Unlike their all-or-nothing IT policy cousins, application control policies offer subtle, case-by-case control over how applications behave.

For any given application, you can, for example, prevent it from accessing the server or from using Bluetooth®, allow limited functionality for some users but not others, or simply disallow the application altogether, to name just a few. The end result is happier employees, a more secure network, and more options for the IT department. In the right hands application control policies can be used as a force for good, not evil. This article looks at how.

What are custom application control policies?

In a nutshell, custom application control policies are a set of rules you create to manage the behavior of software applications downloaded onto BlackBerry smartphones. Use them to control the data and APIs that BlackBerry Java® Applications can access and to control the external data sources and network connections that applications can access. In short, they can control application permissions without blocking the application entirely (although you can do that too).

You create custom application control policies in the BlackBerry® Administration Service found in both BlackBerry® Enterprise Server and BlackBerry® Enterprise Server Express.

To make custom application control policies work, you add application control policy rules, of which there are about 26 in both BlackBerry Enterprise Server and BlackBerry Enterprise Server Express (see below for a list).

Application control policies give tremendous opportunities for case-by-case customization. You can ban an application for some users while allowing it for others. You can assign policies to the applications you push out to users, or assign policies to applications users download on their own. You can allow an application full access to your network, or just part of it.

Example: A sales rep downloads a time-tracking application she finds useful. Your company security policy prohibits third-party apps from accessing the company network. You can create a custom application control policy to allow the sales rep to use the app, but prevent it from accessing the network.

List of application control policy rules

Application control policies vs. IT policies

We introduced IT policies and how to use them in “Guide to IT Policies for BlackBerry Enterprise Server Express.” IT policies also let you control third-party applications, but they are an all-or-nothing instrument. That is, they are either on or they are off. Sometimes you need more customized control, which you get with custom application control policies.

IT policies are all or nothing checklists; you either allow applications or not. But with application control policies you can allow some applications and disallow others. Or allow certain applications, but restrict what they can do. You can, for example, allow an application but disallow it from accessing Contacts.            
- Jonathan Cooper, Principal Analyst, BlackBerry Technical Support at Research In Motion

Who wins?

IT policy rule settings override application control policy rule settings. For example, if you change the Allow Internal Connections IT policy rule to No for BlackBerry smartphones, and if these smartphones have an application control policy that allows a specific application to make internal connections, the IT policy prevails and the application cannot make internal connections.

How to create a custom application control policy

How you create a custom application control policy depends upon whether the application is a listed or unlisted application.

LISTED APPLICATIONS: These are applications you list in the repository. They are typically applications you want all BlackBerry smartphones to have, you want to disallow, or applications you want to make optional for users to install.

To create a custom application control policy for a listed application:

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software > Applications.
  2. Click Manage applications.
  3. Search for the BlackBerry Java Application for which you wish to make the policy.
  4. In the search results, click the BlackBerry Java Application.
  5. In the Application versions section, click the version of the application that you want to create a custom application control policy for.
  6. Click Edit application.
  7. On the Application control policies tab, in the Settings section, select the Use custom application control policies option.
  8. Perform any of the following tasks:
    Task Steps
    Create an application control policy
    for required BlackBerry Java
    Applications.
    1. In the Required application name
      field, type a name for the application
      control policy.
    2. In the Settings section, configure the
      settings for the application control
      policy.
    3. Click the Add icon.
    4. Repeat steps a to c for each
      application control policy that you
      want to create.
    Create an application control policy
    for optional BlackBerry Java
    Applications.
    1. In the Optional application name field, type a name
      for the application control policy.
    2. In the Settings section, configure the settings for the
      application control policy.
    3. Click the Add icon.
    4. Repeat steps a to c for each application control policy
      that you want to create.
    Create an application control policy
    for BlackBerry Java Applications that
    are not permitted.
    1. In the Disallowed application name field, type a name
      for the application control policy.
    2. Click the Add icon.
  9. If necessary, in each section, click the up and down arrows to set the priority for the application control policies.
  10. Click Save all.

Example: The VP of marketing wants to give his team external Bluetooth keyboards to make typing emails faster. However, the Event Injector API is disabled by the default application control policy, preventing the keyboards from working. To fix the situation, you would create an application control policy that sets the Is Access to the Event Injection API Allowed application control policy rule to TRUE.

UNLISTED APPLICATIONS: These are third-party applications that your users can download and install on their own. To create a custom application control policy for unlisted applications:

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software.
  2. Click Create an application control policy for unlisted applications.
  3. In the Application control policy information section, in the Name field, type a name for the application control policy for unlisted applications.
  4. Click Save.
  5. On the BlackBerry solution management menu, click Manage application control policies for unlisted applications.
  6. Click the application control policy that you created.
  7. Click Edit application control policy.
  8. On the Access settings tab, in the Settings section, configure the settings for the application control policy.
  9. Click Save all.

Next steps

After you create your custom application control policy you need to:

  1. Create software configurations within the BlackBerry Administration Service
  2. Assign Software configurations to users

For instructions see Creating software configurations in the BlackBerry Enterprise Server Administration Guide.


Resources

BlackBerry Enterprise Server

BlackBerry Enterprise Server Express


Click for more on BlackBerry Enterprise Server »

Click for more on BlackBerry Enterprise Server Express »

BlackBerry Enterprise Server Express

Support Forums

The BlackBerry® Support Community Forums are a great place for your BlackBerry device users to get help—and a place for you to connect with other IT administrators. Do you have questions about BlackBerry Enterprise Solutions? Are you looking for support on devices or accessories? Visit the BlackBerry Support Community Forums.