How to set up pull authorization to grant or restrict access to specific web sites on the BlackBerry Browser

Article ID: KB10342

Type: Support Content

Last Modified: 10-09-2012

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Lotus Domino
  • BlackBerry Enterprise Server for Novell GroupWise
Environment
  • BlackBerry Enterprise Server 4.0 to 5.0 SP4 for IBM Lotus Domino
  • BlackBerry Enterprise Server 4.0 to 5.0 SP4 for Microsoft Exchange
  • BlackBerry Enterprise Server 4.0 to 5.0 SP1 for Novell GroupWise®
Overview

The BlackBerry Mobile Data System used in BlackBerry Enterprise Server 4.0 and the BlackBerry Mobile Data Service Connection Service used in BlackBerry Enterprise Server 4.1 to 5.0 SP4 can be configured to grant or restrict access to specific websites based on roles defined by administrators in the Access Control List (ACL). A role may restrict or grant access to specific websites in the BlackBerry® Browser for BlackBerry smartphone users.

NOTE: This configuration only affects the BlackBerry Browser, which uses the BlackBerry Mobile Data System/BlackBerry Mobile Data Service Connection Service. To control the device's ability to browse certain sites, other browser services must also be blocked. See KB15242 for information on how to disable browsers on the BlackBerry smartphone.

To configure the pull authorization, complete the following set of tasks corresponding to the version of BlackBerry Enterprise Server in use:


For BlackBerry Enterprise Server 5.0

Task 1

Turn on pull authorization by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View > MDS Connection Service.
  2. Click the instance that the BlackBerry smartphone users who will be affected by the pull authorization rule are assigned to.
  3. Click Edit instance.
  4. In the Access control section, click Yes from the Pull authorization drop-down list.
  5. Click Save all.

NOTE: Enabling pull authorization without configuring and assigning pull roles prevents all users from browsing to any website using the BlackBerry Browser.

Task 2

Specify web address patterns by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. Select the Pull URL patterns tab and, in the appropriate protocol section, type the web address pattern of a web server to which access will be controlled.
  5. Click the Add icon.
  6. Click Save all.

Example:

To allow access to all web pages, specify the pull URL pattern as .*.* . Once this is done, specify any web pages or servers to be blocked.

To block a web page, specify the URL displayed in the browser followed by .*.* , for example www.example.com.*.* .
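
Added example (not part of the original article and not BlackBerry code): a dry run of the allow-all-then-deny rule set from the example above against test addresses before the rule is assigned to users. It assumes that patterns behave as regular expressions matched against the whole address and that a matching Deny overrides a matching Allow; the test addresses are constructed.

```python
import re

# Constructed rule set mirroring the article's example: allow everything,
# then deny one site. Each entry is (URL pattern, decision).
PULL_RULE = [
    (".*.*", "Allow"),
    ("www.example.com.*.*", "Deny"),
]

def evaluate(rule, target):
    """Decide 'Allow' or 'Deny' for a target written as host[:port][/path].

    Assumptions of this sketch: each pattern is a regular expression that
    must match the whole target, and a matching Deny beats a matching Allow.
    """
    decisions = {decision for pattern, decision in rule
                 if re.fullmatch(pattern, target)}
    if "Deny" in decisions:
        return "Deny"
    if "Allow" in decisions:
        return "Allow"
    # Nothing matched: with pull authorization on and no applicable rule,
    # the article's NOTE says browsing is blocked.
    return "Deny"

def audit(rule, expectations):
    """Return (target, expected, actual) for every target the rule gets wrong."""
    return [(target, expected, evaluate(rule, target))
            for target, expected in expectations.items()
            if evaluate(rule, target) != expected]

# Constructed test targets with the decision the administrator intends.
EXPECTED = {
    "www.example.com:80/webpage.htm": "Deny",
    "www.example.com": "Deny",
    "www.example.org/index.htm": "Allow",
    # Look-alike host: begins with the blocked name but is a different site.
    "www.example.community.test/": "Allow",
}

if __name__ == "__main__":
    for target, expected, actual in audit(PULL_RULE, EXPECTED):
        print(f"{target}: expected {expected}, rule gives {actual}")
```

Under these assumptions the look-alike host is reported as denied although it was expected to be allowed, and an empty rule set denies every address, matching the NOTE in Task 1.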

Task 3

Create a pull rule by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
  2. Click the MDS Connection Service.
  3. Click Edit component.
  4. Select the Access control rules tab and type a name for the pull rule in the Rule name field.
  5. From the Control type drop-down list, click Pull.
  6. Click the Add icon.
  7. Click Save all.

Task 4

Restrict or permit web address patterns using a pull rule by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
  2. Click the MDS Connection Service.
  3. Click Edit component.
  4. Select the Access control rules tab and click the Edit icon for a pull rule.
  5. From the URL pattern group drop-down list, click the URL pattern group of the web address pattern to assign to the pull rule.
  6. From the URL pattern drop-down list, click the web address pattern to assign to the pull rule.
  7. From the Allowed drop-down list, choose one of the following options:
    • To prevent users from accessing web servers that match the specified web address pattern, click Deny.
    • To permit users to access web servers that match the specified web address pattern, click Allow.
  8. Click the Add icon.
  9. Click Save all.

Task 5

Assign the pull rule to the members of a group by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the BlackBerry solution management menu and expand User.
  2. Click Manage users.
  3. Click Advanced search or View more criteria.
  4. In the Group criteria section, locate the group in the drop-down list.
  5. Select Search.
  6. Select the check box to the left of Display name to select all users in that group.
  7. From the Add to user configuration list, click Add pull rule.
  8. From the Available pull rules list, select the appropriate pull rule.
  9. Click Add.
  10. Click Save.

Task 6

Assign a pull rule to a user account by completing the following steps:

  1. In the BlackBerry Administration Service, navigate to the BlackBerry solution management menu and expand User.
  2. Click Manage users.
  3. Search for one or more user accounts.
  4. Click Manage multiple users.
  5. Select the appropriate user accounts.
  6. From the Add to user configuration list, click Add pull rule.
  7. From the Available pull rules list, select the appropriate pull rule.
  8. Click Add.
  9. Click Save.

Task 7

Restart the BlackBerry MDS Connection Service.

Important: Restarting certain BlackBerry Enterprise Server services delays email message delivery to BlackBerry smartphones. See KB04789 for more information.


For BlackBerry Enterprise Server 4.1

Task 1

Turn on pull authorization by completing the following steps:

  1. In the BlackBerry Manager, select the appropriate BlackBerry Enterprise Server instance for the BlackBerry MDS Connection Service.
  2. On the Connection Service tab, click Edit Properties.
  3. Select Access Control.
  4. Set Pull Authorization to True.
  5. Click OK.

NOTE: Enabling pull authorization without configuring and assigning pull rules prevents all users from browsing to any website using the BlackBerry Browser.

Task 2

Specify web address patterns by completing the following steps:

  1. In the BlackBerry Manager, select BlackBerry Domain.
  2. On the Global tab, click Edit Properties.
  3. Select Access Control.
  4. Double-click URL Patterns, and then click New.
  5. Complete one of the following:
    • To specify a specific web page, type www.example.com:80/webpage.htm in the URL Pattern field.
    • To specify a specific web resource, type www2.domain.com:80/main.gif in the URL Pattern field.

      Note: The asterisk character (*) is used for the URL pattern definition.

  6. Click Service Name. From the drop-down list, select the service that the web address pattern is bound to.
  7. Click OK.

Task 3

Create a pull rule by completing the following steps:

  1. In the BlackBerry Manager, select BlackBerry Domain.
  2. On the Global tab, click Edit Properties.
  3. Select Access Control.
  4. Double-click Pull Rules, and then click New.
  5. In the Name field, type the new rule name.
  6. In the Description field, type the rule description.
  7. Click OK.

Task 4

Restrict or allow web address patterns using a pull rule by completing the following steps:

  1. In the BlackBerry Manager, select BlackBerry Domain.
  2. On the Global tab, click Edit Properties.
  3. Select Access Control.
  4. Double-click URL Pattern Rules.
  5. In the left pane, select the appropriate pull rule.
  6. In the right pane, choose one of the following options:
    • To prevent users from accessing web servers that match a specified web address pattern, select the Deny check box.
    • To allow users to access web servers that match a specified web address pattern, select the Allow check box.
  7. Click OK.

Task 5

Assign a pull rule to a user group by completing the following steps:

  1. In the BlackBerry Manager, click a user group.
  2. On the Group Configuration tab, click Edit Group Template.
  3. In the left pane, click Access Control.
  4. Double-click Pull Rule Set.
  5. Select the check box of the pull rule to be assigned to the user group.
  6. Click OK.
  7. Select the Pull Rule Set check box.
  8. Click Reapply Template.
  9. Click Yes.
  10. Click OK.

Task 6

Assign a pull rule to a specific user by completing the following steps:

  1. In the BlackBerry Manager, select BlackBerry Domain.
  2. On the Global tab, click Edit Properties.
  3. Select Access Control.
  4. Double-click User Rules.
  5. In the left pane, select a pull rule.
  6. In the right pane, select a user.
  7. Click OK.

Task 7

Restart the BlackBerry MDS Connection Service.

Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. See KB04789 for more information.


For BlackBerry Enterprise Server 4.0

Task 1

Turn on pull authorization by completing the following steps:

  1. In the BlackBerry Manager, right-click a BlackBerry Enterprise Server instance and select Mobile Data Service Properties.
  2. Click the Access Control tab.
  3. In the Pull Access Control section, select the Authorization Enabled option.
  4. Click OK.

NOTE: Enabling pull authorization without configuring and assigning pull roles prevents all users from browsing to any website using the BlackBerry Browser.

Task 2

Create pull roles by completing the following steps:

  1. In the BlackBerry Manager, right-click a BlackBerry Enterprise Server instance and select Mobile Data Service Properties.
  2. Click the Access Control tab.
  3. Click Configure Roles, then click Add Role.
  4. In the Name field, type the new role name.
  5. In the Description field, type the role description.
  6. Click OK.
  7. Click OK again.

Task 3

Specify the web address by completing the following steps:

  1. In the BlackBerry Manager, right-click a BlackBerry Enterprise Server instance and select Mobile Data Service Properties.
  2. Click the Access Control tab.
  3. Click Configure Roles, select a role and click Edit Role.
  4. Click Add URL.
  5. Select the appropriate service from the drop-down list.
  6. In the URL field, type the URL for the role using the format <hostname:port/path> .
  7. Restrict or allow the web address by choosing one of the following:
    • Click Allow from the Policy drop-down list to permit the user assigned to the role to access the identified URL.
    • Click Deny from the Policy drop-down list to prevent the user assigned to the role from accessing the identified URL.
  8. Click OK.

Task 4

Assign a pull role to a user by completing the following steps:

  1. In the BlackBerry Manager, right-click a BlackBerry Enterprise Server instance and select Mobile Data Service Properties.
  2. Click the Access Control tab.
  3. In the Pull Access Control section, click Assign Roles.
  4. In the user list, click the user's email address.
  5. Click Assign Roles.
  6. Click the roles to be assigned to the user.
  7. Click OK.
  8. Click OK two more times.

Task 5

Restart the BlackBerry MDS service.

Important: Restarting certain BlackBerry Enterprise Server services delays email message delivery to BlackBerry smartphones. See KB04789 for more information.

Additional Information

The pull roles or pull rules can be created based on logical user groups, such as Junior Executives, Senior Executives, and Management.

Pull rules can be used to block access to all internal websites only if all internal websites share a common pattern, such as an internal-only domain name.
