Per this thread (very last comment is my problem exactly), I'm having trouble getting the Pull Authorization to work on BES 5.0.1.

When I enable Pull Authorization, it blocks access to all sites, instead of just the ones I'm explicitly allowing. I'm also noticing that users not assigned Pull Roles w/access to MDS are also being forced the same rules, i.e. they're getting "access denied/forbidden 403 messages", despite not being assigned any Pull Roles.

Any ideas/suggestions would be super helpful...I've tried tweaking my URL patterns every which way imaginable, but regardless, every Internet site is still blocked. My goal is literally as simple as, say, block CNN.com and allow everything else.

Please post your URL patterns here.

This describes what you need to do:
View Document 0 274269238

Once you enable Pull Authorization default is deny access to intranet and internet. You MUST create roles for example Intranet only and and add URLs allowed to that role. Then assign that role to a user.

Task 1
Turn on Pull authorization by completing the following steps:
1. In the BlackBerry Administration Service, navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View > MDS Connection Service.
2. Click the instance that the BlackBerry smartphone users, who will be affected by the Pull authorization rule, are assigned to.
3. Click Edit instance.
4. In the Access control section, click Yes from the Pull authorization drop-down list.
5. Click Save all.
NOTE: Enabling Pull authorization without configuring and assigning Pull Roles will prevent all users from browsing to any web site using the BlackBerry Browser.
Task 2
Specify web address patterns by completing the following steps:
1. In the BlackBerry Administration Service navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
2. Click MDS Connection Service.
3. Click Edit component.
4. Select the Pull URL patterns tab, in the appropriate protocol section, type the web address pattern of a web server to control access to. (i.e. *intranet.com:*/*
5. Click the Add icon.
6. Click Save all.
Task 3
Create a pull rule by completing the following steps:
1. In the BlackBerry Administration Service navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
2. Click the MDS Connection Service.
3. Click Edit component.
4. Select the Access control rules tab and type a name for the pull rule in the Rule name field. (i.e. Intranet Only )
5. From the Control type drop-down list, click Pull.
6. Click the Add icon.
7. Click Save all.
Task 4
Restrict or permit web address patterns using a pull rule by completing the following steps:
1. In the BlackBerry Administration Service navigate to the Servers and components menu and expand BlackBerry Solution topology > BlackBerry Domain > Component View.
2. Click the MD Connection Service.
3. Click Edit component.
4. Select the Access control rules tab and click the Edit icon for a pull rule.
5. From the URL pattern group drop-down list, click the URL pattern group of the web address pattern to assign to the pull rule.
6. From the URL pattern drop-down list, click the web address pattern (from task 2) to assign to the pull rule.
7. From the Allowed drop-down list, choose one of the following options:
o To prevent users from accessing web servers that match the specified web address pattern, click Deny.
o To permit users to access web servers that match the specified web address pattern, click Allow.
8. Click the Add icon.
9. Click Save all.
Task 5
Assign the pull rule to the members of a group by completing the following steps:
1. In the BlackBerry Administration Server navigate to the BlackBerry solution management menu, expand User.
2. Click Manager users.
3. Click Advanced search.
4. Search for a group.
5. Click Manage multiple users.
6. Select all users.
7. From the Add to user configuration list, click Add pull rule.
8. From the Available pull rules list, select the appropriate pull rule.
9. Click Add.
10. Click Save.
Task 6
Assign the pull rule to user account by completing the following steps:
1. In the BlackBerry Administration Server, navigate to the BlackBerry solution management menu and expand User.
2. Click Manage users.
3. Search for one or more user accounts.
4. Click Manage multiple users.
5. Select the appropriate user accounts.
6. From the Add to user configuration list, click Add pull rule.
7. From the Available pull rules list, select the appropriate pull rule.
8. Click Add.
9. Click Save.
Task 7
Restart the BlackBerry MDS Connection Service.

Thanks for the responses.

I've tried the following URL patterns (all set to deny):

.*://.*\.cnn\.com.*
*.cnn.com
*cnn*

i.e., I'd like to block everything related to cnn, and allow access to everything else. When I set Pull Authorization = yes, everything is blocked, for all users, regardless if they policy is applied to them.

I followed the tutorial posted by fadmin to initially set this whole thing up....it was that document that got me started....

Also - theoretically, if I just set the URL pattern to "*" and set it to "allow", shouldn't that at least grant me access to every site after I enable pull authorization? It's definitely not behaving that way...

You don't need a pattern for http://

This is already covered by selecting the service in the pattern definition. A valid pattern for CNN would be

*.cnn.com:*/*

A valid pattern for all sites would be

*:*/*

Please test that. That works for me. The reason for this is that internally, the cnn site is represented as

www.cnn.com:80/

To specify all web sites, type *:*/* in the URL Pattern field.
To specify a web domain, type *.<domain_name>.com:*/* in the URL Pattern field.
To specify a specific web page, type www.<domain_name>.com:80/<subfolder>/webpage.htm in the URL Pattern field.
To specify a specific web resource, type www2.<domain_name>.com:80/<subfolder>/main.gif in the URL Pattern field.
Note: The asterisk character (*) is used for the URL Pattern definition.