I am trying to setup an IT policy for BES 5.0.2 for customer that will force activated devices to use their private APN. All browsing and tethering data must go via this APN. Effectively the private APN traffic is filtered through their internal network with appropriate web restrictions put in place etc. They also buy 'bulk' data and want users to draw from this for tethering/browsing.

I have followed the BB KB instructions for limiting the WAP browser etc and tested using the IBS both "on" (browsing didn't work) and "off" (browsing, but not via the correct APN).

The policy created with the above also has the APN defined with the static password used. The username is dynamic (the mobile number) as an AD account is created for each connection to allow proper access to the APN filtering. On the device, the user is still able to tick or un-tick the APN settings under TCP/IP. I cannot find the option in the policy to disable this ability.

With all the changes above being made to a test policy/group, I cannot get the changes to work in conjunction with each other to route the browser traffic in the correct way.

Is there a way, through IT policy that I can restrict the device from browsing/tethering via anything but the private APN - done in a way that disallows the user from disabling the APN AND allows for a dynamic username to be used?

I have access to the operator provisioning system as well as the customer BAS, so should be able to make most changes anyone can suggest.

Help is appreciated in advance!

Cheers, Jeff