How to whitelist BlackBerry 10 smartphones and BlackBerry PlayBook tablets for use with Exchange ActiveSync Gatekeeping

Article ID: KB33531

Type: Support Content

Last Modified: 04-09-2014

 

Product(s) Affected:

  • Porsche Design P'9982 smartphone from BlackBerry
  • BlackBerry Z30
  • BlackBerry Z10
  • BlackBerry Q10
  • BlackBerry Q5
  • BlackBerry Enterprise Service 10
  • Tablets
  • BlackBerry PlayBook
  • 4G LTE BlackBerry PlayBook
Environment
  • BlackBerry Enterprise Service 10
  • BlackBerry 10 smartphones
  • BlackBerry PlayBook tablet
  • 4G LTE BlackBerry PlayBook tablet
  • Microsoft Exchange 2010
  • Microsoft Exchange 2013
  • Microsoft Exchange ActiveSync
Overview
Microsoft Exchange Server 2010 SP1 and Microsoft Exchange ActiveSync offer a variety of features that help Administrators govern access to corporate Exchange ActiveSync servers and Microsoft Exchange. Administrators can create allow lists, block lists and quarantine lists to choose which mobile devices can connect to Microsoft Exchange mailboxes. This article outlines the information needed to whitelist BlackBerry devices against an Exchange ActiveSync server that has the Exchange ActiveSync Gatekeeping Service enabled. Exchange ActiveSync Device Access Rules let enterprises limit access to Exchange ActiveSync to managed and compliant devices.

On the Exchange ActiveSync server, each mobile device can be assigned a device access state of either Allowed, Blocked or Quarantined:

| Device Access State | Description |
| --- | --- |
| Allowed | The mobile device can synchronize through Exchange ActiveSync and connect to the Microsoft Exchange Server to retrieve e-mail and manipulate calendar information, contacts, tasks, and notes. |
| Blocked | The mobile device is not allowed to connect to the Microsoft Exchange Server and will receive HTTP 403 Forbidden errors. The user will receive an e-mail message from the Microsoft Exchange Server telling them that the mobile device was blocked from accessing their mailbox. |
| Quarantined | The mobile device is allowed to connect to the Microsoft Exchange Server, however, it is given only limited access to data. The user can add content to their own Calendar, Contacts, Tasks, and Notes folders but the server won't allow the device to retrieve any content from the user's mailbox. The user will receive a single e-mail message that tells them that the mobile device is quarantined. |



To allow BlackBerry devices to connect to the Exchange ActiveSync servers, Access Policies can be configured using these specific device client properties:

  • Device Model (DeviceModel)
  • Device Type (DeviceType)
  • Device User Agent (UserAgent)

Mobile devices can be whitelisted using the Exchange Control Panel (ECP) or by using PowerShell. The Exchange Control Panel is a local web application that is hosted on a Client Access Server (CAS). It is installed when each Client Access Server is created in the organization. To use the Exchange Control Panel, Administrators must enter the URL for the application in their web browser's Address field. By default, the Exchange Control Panel URL is https://server.domain.com/ecp; if the user does not have the proper Exchange permissions for accessing the web application, they will be redirected to their Outlook Web Access (OWA) mailbox.

PowerShell offers more flexibility because commands can be scripted; however, some Administrators find that the Exchange Control Panel allows for simpler enforcement of the Device Access Rules. Organizational access rules can be created with the CASMailbox cmdlet in the Exchange Management Shell or with Exchange ActiveSync Device Access Rules in the Exchange Control Panel.

If Administrators prefer to use PowerShell commands, they must open the Exchange Management Shell:

  • Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.

Allow individual mobile devices using Device Characteristics (PowerShell)

To allow an individual mobile device using Device Characteristics, set the ActiveSyncDeviceAccessRule using both the user's Device Model and the applicable Device Type. The Device Model corresponds to the BlackBerry Device Model you wish to whitelist, and the Device Type is the device type category that the Device Model belongs to (for example, the Device Model PlayBook4G would be used in conjunction with the Device Type PlayBook).

Here is an example of the appropriate PowerShell syntax to use:

New-ActiveSyncDeviceAccessRule -QueryString PlayBook4G -Characteristic DeviceModel -AccessLevel Allow

Allowing Exchange mailbox access to individual mobile devices using Device ID (PowerShell):

To allow an individual mobile device using a Device ID, use both the user's SMTP email address and the applicable Device ID. The SMTP email address is the email address of the user whose device you wish to whitelist, and the Device ID is a combination of the prefix BB and the user's BlackBerry PIN number (for example, BB12G34H56).

Here is an example of the appropriate PowerShell syntax to use:

Set-CASMailbox -Identity email@domain.com -ActiveSyncAllowedDeviceIDs BB12G34H56
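
Passing a bare value to -ActiveSyncAllowedDeviceIDs replaces the mailbox's entire allowed-device list, so whitelisting a second device this way drops the first. The following added example (not part of the original article) appends the Device ID instead and then confirms the access state Exchange assigned; the mailbox address and Device ID are the article's placeholders.

```powershell
# Added example, not from the original article.
# Run in the Exchange Management Shell. Values below are the article's placeholders.
$Mailbox  = 'email@domain.com'
$DeviceId = 'BB12G34H56'     # prefix "BB" + BlackBerry PIN

# 1. Record what is already allowed or blocked for this mailbox before changing it.
$cas = Get-CASMailbox -Identity $Mailbox
$cas | Format-List Identity, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 2. Warn if the same ID is also on the per-mailbox block list, so the
#    conflict is resolved deliberately rather than by accident.
if ($cas.ActiveSyncBlockedDeviceIDs -contains $DeviceId) {
    Write-Warning "$DeviceId is on the blocked list for $Mailbox; review before allowing."
}

# 3. Append the ID only if it is missing. The @{Add=...} form keeps the
#    existing entries; a bare value would overwrite them.
if ($cas.ActiveSyncAllowedDeviceIDs -notcontains $DeviceId) {
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}

# 4. Confirm the resulting list and, once the device has connected,
#    the access state and the reason Exchange recorded for it.
Get-CASMailbox -Identity $Mailbox |
    Format-List Identity, ActiveSyncAllowedDeviceIDs

Get-ActiveSyncDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId } |
    Format-List DeviceId, DeviceModel, DeviceType, DeviceUserAgent,
                DeviceAccessState, DeviceAccessStateReason
```

To take a device off the list later, the same parameter accepts @{Remove = $DeviceId}.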

ActiveSync device characteristics for BlackBerry 10 smartphones:

| Device Name | Device Model | Device Type | Device ID | User Agent |
| --- | --- | --- | --- | --- |
| BlackBerry Z10 | Z10 STL100-1 | BlackBerry | BB+PIN | RIM-Z10-STL100-1/osversion |
| BlackBerry Z10 | Z10 STL100-2 | BlackBerry | BB+PIN | RIM-Z10-STL100-2/osversion |
| BlackBerry Z10 | Z10 STL100-3 | BlackBerry | BB+PIN | RIM-Z10-STL100-3/osversion |
| BlackBerry Z10 | Z10 STL100-4 | BlackBerry | BB+PIN | RIM-Z10-STL100-4/osversion |
| BlackBerry Z30 | Z30 STA100-2 | BlackBerry | BB+PIN | RIM-Z30-STA100-2/osversion |
| BlackBerry Z30 | Z30 STA100-5 | BlackBerry | BB+PIN | RIM-Z30-STA100-5/osversion |
| BlackBerry Q5 | Q5 SQR100-1 | BlackBerry | BB+PIN | RIM-Q5-SQR100-1/osversion |
| BlackBerry Q5 | Q5 SQR100-2 | BlackBerry | BB+PIN | RIM-Q5-SQR100-2/osversion |
| BlackBerry Q5 | Q5 SQR100-3 | BlackBerry | BB+PIN | RIM-Q5-SQR100-3/osversion |
| BlackBerry Q10 | Q10 SQN100-1 | BlackBerry | BB+PIN | RIM-Q10-SQN100-1/osversion |
| BlackBerry Q10 | Q10 SQN100-2 | BlackBerry | BB+PIN | RIM-Q10-SQN100-2/osversion |
| BlackBerry Q10 | Q10 SQN100-3 | BlackBerry | BB+PIN | RIM-Q10-SQN100-3/osversion |
| BlackBerry Q10 | Q10 SQN100-4 | BlackBerry | BB+PIN | RIM-Q10-SQN100-4/osversion |


ActiveSync device characteristics for BlackBerry PlayBook tablets:

| Device Name | Device Model | Device Type | Device ID | User Agent |
| --- | --- | --- | --- | --- |
| BlackBerry PlayBook | PlayBook | PlayBook | BB+PIN | RIM-PlayBook/+osversion |
| BlackBerry PlayBook 3G+ | PlayBook3G | PlayBook | BB+PIN | RIM-PlayBook3G/+osversion |
| BlackBerry PlayBook 4G | PlayBook4G | PlayBook | BB+PIN | RIM-PlayBook4G/+osversion |
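
An allow rule only restricts anything when devices that match no rule are not allowed by default. The following added example (not part of the original article) checks the organization's default access level, previews one DeviceModel allow rule per PlayBook model from the table above, and lists the rules in force. The -Characteristic parameter names the device property to match (DeviceModel, DeviceType or UserAgent), and -QueryString carries the value to match.

```powershell
# Added example, not from the original article.
# Run in the Exchange Management Shell.
# Device Model values are copied from the PlayBook table above;
# keep only the models your organization actually issues.
$AllowedModels = @('PlayBook', 'PlayBook3G', 'PlayBook4G')

# 1. If the default access level is Allow, devices that match no rule
#    still synchronize, and the allow rules below gate nothing.
$org = Get-ActiveSyncOrganizationSettings
"Default access level: $($org.DefaultAccessLevel)"
if ($org.DefaultAccessLevel -eq 'Allow') {
    Write-Warning 'DefaultAccessLevel is Allow: unmatched devices are not held back.'
}

# 2. Collect the DeviceModel rules that already exist so the loop is
#    safe to re-run without creating duplicates.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' } |
    ForEach-Object { $_.QueryString }

# 3. Preview one allow rule per model. -WhatIf only reports what would
#    be created; remove it after reviewing the output.
foreach ($model in $AllowedModels) {
    if ($existing -contains $model) {
        "Rule for DeviceModel '$model' already exists; skipping."
        continue
    }
    New-ActiveSyncDeviceAccessRule -QueryString $model `
        -Characteristic DeviceModel -AccessLevel Allow -WhatIf
}

# 4. Review every rule in force, including any broader DeviceType or
#    UserAgent rule that would admit more devices than intended.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object Characteristic, QueryString |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```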



Additional Information

BlackBerry Enterprise Service 10 is only fully supported with Microsoft GateKeeping commands with Exchange 2010 and 2013.

The cmdlet Set-ActiveSyncDeviceAccessRule may be valid for some Exchange 2007 environments, but is not fully supported by the BlackBerry Enterprise Service 10 solution.

