Architecture and Data Flows Reference Guide


Architecture and Data Flows Reference Guide
BlackBerry UEM Version 12.7

Published: 2017-07-12 SWD-20170627140413745

Contents

- About this guide
- Architecture: BlackBerry UEM solution
- BlackBerry UEM components
- BlackBerry UEM distributed installation
- BlackBerry UEM regional deployment
- Components used to manage BlackBerry OS devices
- Activating devices
- Data flow: Activating a BlackBerry 10 device
- Data flow: Activating an Android device for MDM
- Data flow: Activating an Android device to have a work profile in a Google domain
- Data flow: Activating an Android device to have a work profile using a managed Google Play account
- Data flow: Activating an Android device to have only a work profile in a Google domain
- Data flow: Activating an Android device to have only a work profile using a managed Google Play account
- Data flow: Activating a device to use KNOX Workspace
- Data flow: Activating an iOS device
- Data flow: Activating a macOS device
- Data flow: Activating a Windows 10 device
- Data flow: Activating a Windows Phone 8.1 device
- Data flow: Activating a BlackBerry OS device
- Sending and receiving work data
- Sending and receiving work data using the BlackBerry Infrastructure
- Data flow: Accessing an application or content server from a BlackBerry 10 device
- Data flow: Sending email from a BlackBerry 10 device
- Data flow: Receiving email on a BlackBerry 10 device
- Data flow: Receiving enterprise push updates on a BlackBerry 10 device
- Data flow: Sending an instant message from the BlackBerry Enterprise IM app
- Data flow: Sending email from an iOS device using the BlackBerry Secure Gateway Service
- Data flow: Receiving email on an iOS device using the BlackBerry Secure Gateway Service
- Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus
- Data flow: Sending and receiving work data from a BlackBerry Dynamics app
- Data flow: Sending and receiving work data from a BlackBerry Dynamics app using BlackBerry Dynamics Direct Connect
- Sending and receiving work data using a VPN or work Wi-Fi network
- Data flow: Sending email from a device using a VPN or work Wi-Fi network
- Data flow: Receiving email on a device using a VPN or work Wi-Fi network
- Data flow: Accessing an application or content server using a VPN or work Wi-Fi network
- Receiving device configuration updates
- Data flow: Receiving configuration updates on a BlackBerry 10 device
- Data flow: Receiving configuration updates on an Android device
- Data flow: Receiving configuration updates on an iOS device
- Data flow: Receiving configuration updates on a macOS device
- Data flow: Receiving configuration updates on a Windows Phone 8.1 or Windows 10 device
- Data flow: Receiving configuration updates on a Windows Phone 8.0 device
- Data flow: Activating a BlackBerry Dynamics app
- Glossary
- Legal notice

About this guide

BlackBerry Unified Endpoint Manager helps you manage BlackBerry 10, iOS, Android, Windows, macOS, and BlackBerry OS (version 5.0 to 7.1) devices for your organization. This guide explains the BlackBerry UEM architecture and how data travels between the devices managed by BlackBerry UEM and your organization's network.

This guide is intended for senior IT professionals who are responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about BlackBerry UEM.

Architecture: BlackBerry UEM solution

Component: Description

BlackBerry UEM: BlackBerry UEM is a unified endpoint management solution that provides comprehensive multiplatform device, application, and content management with integrated security and connectivity.

BlackBerry Infrastructure: The BlackBerry Infrastructure registers user information for device activation, validates licensing information for BlackBerry UEM, and provides a trusted path between the organization and every user based on strong, cryptographic, mutual authentication. BlackBerry UEM maintains a constant connection to the BlackBerry Infrastructure, meaning that organizations require only a single outbound connection to a trusted IP address to send data to users. All the data that travels between the BlackBerry Infrastructure and BlackBerry UEM is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

BlackBerry Dynamics NOC: The BlackBerry Dynamics NOC is a network operations center that provides secure communications between BlackBerry Dynamics apps on devices and BlackBerry Control, BlackBerry Proxy and BlackBerry Enterprise Mobility Server.

Devices: BlackBerry UEM supports BlackBerry 10, iOS, macOS, Android, Windows, and BlackBerry OS (version 5.0 to 7.1) devices.

Notification services: BlackBerry UEM sends notifications to devices to contact BlackBerry UEM for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the devices using the appropriate notification service:
- APNs is a service that Apple provides to send notifications to iOS and macOS devices.
- GCM is a service that Google provides to send notifications to Android devices.
- Windows Push Notification Services (WNS) is a service that Microsoft provides to send notifications to Windows devices.

Routing components: By default, BlackBerry UEM makes a direct connection to the BlackBerry Infrastructure over ports 3101 and 443, and you do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, you can use the BlackBerry Router or a proxy server. The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BlackBerry UEM and all devices. The BlackBerry Router can support SOCKS v5 with no authentication. If your organization already has a TCP proxy server installed or requires one to meet networking requirements, you can use a TCP proxy server instead of the BlackBerry Router. The TCP proxy server can support SOCKS v5 with no authentication. BlackBerry Control and BlackBerry Proxy support using an HTTP proxy server to connect to the BlackBerry Dynamics NOC.

Third-party application and content servers: Additional content servers and application servers in your organization's environment, including the company directory, mail server, certificate authorities, and so on.

BEMS and BlackBerry plugins: BlackBerry UEM works with additional BlackBerry enterprise products such as: BlackBerry Enterprise Identity, BlackBerry 2FA, BlackBerry Workspaces, and WorkLife by BlackBerry, to allow you to extend UEM capabilities in your organization. The BlackBerry Enterprise Mobility Server provides several services used to send work data to and from BlackBerry Dynamics apps.

BlackBerry UEM components

This diagram shows how the BlackBerry UEM components connect when all components are installed together in the product's simplest configuration. For information about the ports used for connections between components, see "Configuring ports" in the Installation and upgrade content.

Component name: Description

BlackBerry UEM Core: The BlackBerry UEM Core is the central component of the BlackBerry UEM architecture. It consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services
- Scheduling and sending commands, IT policies, and profiles to devices

BlackBerry UEM database: The BlackBerry UEM database is a relational database that contains user account information and configuration information that BlackBerry UEM uses to manage devices.

BlackBerry Control: BlackBerry Control sends user, policy, and other configuration data to BlackBerry Dynamics apps on devices.

BlackBerry Control database: The BlackBerry Control database is the repository that BlackBerry UEM uses to store user, app, and policy information for BlackBerry Dynamics apps.

BlackBerry MDS Connection Service: The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection.

BlackBerry Collaboration Service: The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the BlackBerry Enterprise IM app on BlackBerry 10 devices.

BlackBerry Dispatcher: The BlackBerry Dispatcher provides secure connectivity using IPPP for BlackBerry 10 devices.

BlackBerry Affinity Manager: The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection between BlackBerry 10 devices and the BlackBerry Infrastructure when the devices are not using BlackBerry Secure Connect Plus.

BlackBerry Proxy: BlackBerry Proxy maintains the secure connection between your organization and the BlackBerry Dynamics NOC. It also supports BlackBerry Dynamics Direct Connect, which allows app data to bypass the BlackBerry Dynamics NOC.

BlackBerry Secure Connect Plus: BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Secure Gateway Service: The BlackBerry Secure Gateway Service provides a secure connection through the BlackBerry Infrastructure and BlackBerry UEM to your organization's mail server for iOS devices.

BlackBerry Gatekeeping Service: The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BlackBerry UEM. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed by an administrator using the BlackBerry UEM management console.

Management console and BlackBerry UEM Self-Service: The management console and BlackBerry UEM Self-Service provide a web-based user interface for administrator and user access to BlackBerry UEM. You use the management console to manage system settings, users, devices, and apps. Users can use BlackBerry UEM Self-Service to set an activation password and send commands to devices, such as set password, lock device, and delete device data.

BlackBerry Enterprise Mobility Server: BEMS consolidates several services used to send work data to and from BlackBerry Dynamics apps, including: BlackBerry Push Notifications, BlackBerry Connect, BlackBerry Presence, and BlackBerry Docs.

BlackBerry Enterprise Mobility Server databases: The BEMS databases store user, app, policy, and configuration information.

BlackBerry Push Notifications: BlackBerry Push Notifications accepts push registration requests from iOS and Android devices and then communicates with Microsoft Exchange to monitor the user's work mail account for changes.

BlackBerry Connect: BlackBerry Connect provides secure instant messaging, company directory look-up, and user presence information to iOS and Android devices.

BlackBerry Presence: BlackBerry Presence provides real-time presence status to BlackBerry Dynamics apps.

BlackBerry Docs: BlackBerry Docs lets your BlackBerry Dynamics app users access, synchronize, and share documents using their work file server, SharePoint, Box, and content management systems supporting CMIS, without the need for VPN software, firewall reconfiguration, or duplicate data stores.

BlackBerry Router and/or proxy servers: By default, BlackBerry UEM makes a direct connection to the BlackBerry Infrastructure over ports 3101 and 443. If your organization's security policy requires that internal systems not connect directly to the Internet, you can install the BlackBerry Router or use a third-party TCP proxy server that supports SOCKS v5 with no authentication. BlackBerry Control and BlackBerry Proxy support using a third-party HTTP proxy server to connect to the BlackBerry Dynamics NOC.

BlackBerry Infrastructure and BlackBerry Dynamics NOC: The BlackBerry Infrastructure registers user information for device activation, validates licensing information for BlackBerry UEM and provides a trusted path between the organization and every user based on strong, cryptographic, mutual authentication. The BlackBerry Dynamics NOC is a separately-located NOC that provides secure communications between BlackBerry Dynamics apps on devices and BlackBerry Control, BlackBerry Proxy and BlackBerry Enterprise Mobility Server.
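The component descriptions above state that the BlackBerry Router or a third-party TCP proxy supports SOCKS v5 with no authentication, for connections over ports 3101 and 443. The following added example (not from the BlackBerry guide or product code) models that RFC 1928 negotiation in memory, with both the client and the proxy side. The host name is a placeholder, and the proxy rule that permits CONNECT only to ports 3101 and 443 is an assumed least-privilege policy, not documented product behavior.

```python
"""SOCKS5 (RFC 1928) no-authentication negotiation, client and proxy side, in memory."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # "no authentication required"
METHOD_USERPASS = 0x02         # username/password (RFC 1929), used here as a negative case
METHOD_NONE_ACCEPTABLE = 0xFF  # proxy refuses every offered method
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_SUCCEEDED = 0x00
REPLY_NOT_ALLOWED = 0x02       # "connection not allowed by ruleset"

# Ports the guide names for the UEM to BlackBerry Infrastructure connection.
# Restricting the proxy to them is an assumption made for this example.
ALLOWED_PORTS = {3101, 443}


def client_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def proxy_select_method(greeting):
    """Proxy -> client: choose no-auth if it was offered, otherwise 0xFF."""
    if len(greeting) < 3 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host, port):
    """Client -> proxy: VER, CMD=CONNECT, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        # Not an IP literal: send it as a length-prefixed domain name.
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("host name must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect_request(req):
    """Proxy side: return (cmd, host, port), rejecting malformed or truncated requests."""
    if len(req) < 7 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        offset, alen = 4, 4
    elif atyp == ATYP_IPV6:
        offset, alen = 4, 16
    elif atyp == ATYP_DOMAIN:
        offset, alen = 5, req[4]
    else:
        raise ValueError("unknown address type")
    if len(req) != offset + alen + 2:
        raise ValueError("length does not match address type")
    raw = req[offset:offset + alen]
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", req[-2:])
    return cmd, host, port


def proxy_reply(req, allowed_ports=ALLOWED_PORTS):
    """Proxy -> client: succeed only for CONNECT to an allowed port (assumed policy)."""
    cmd, _host, port = parse_connect_request(req)
    ok = cmd == CMD_CONNECT and port in allowed_ports
    rep = REPLY_SUCCEEDED if ok else REPLY_NOT_ALLOWED
    # BND.ADDR and BND.PORT are zeroed because no real socket is opened here.
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


def negotiate(host, port, offered=(METHOD_NO_AUTH,)):
    """Run both sides of the exchange and report the outcome."""
    selection = proxy_select_method(client_greeting(offered))
    if selection[1] != METHOD_NO_AUTH:
        return "no-acceptable-method"
    reply = proxy_reply(connect_request(host, port))
    return "connected" if reply[1] == REPLY_SUCCEEDED else "rejected-by-ruleset"


if __name__ == "__main__":
    placeholder = "infrastructure.example.invalid"  # constructed host name
    for p in (3101, 443, 8080):
        print(p, negotiate(placeholder, p))
    print("userpass only:", negotiate(placeholder, 3101, offered=(METHOD_USERPASS,)))
```

Because no authentication is negotiated, the proxy cannot tell one internal client from another, so what it will relay is decided by its ruleset and by which hosts can reach it.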

BlackBerry UEM distributed installation

This diagram shows how the BlackBerry UEM components connect together when the BlackBerry Connectivity Node and the user interface are both installed separately from the primary BlackBerry UEM components. For information about the ports used for connections between components, see "Configuring ports" in the Installation and upgrade content.

Component name: Description

Primary BlackBerry UEM components: The primary BlackBerry UEM components include the BlackBerry UEM Core and all components installed with it on the same server.

BlackBerry UEM Core: The BlackBerry UEM Core is the central component of the BlackBerry UEM architecture. It consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services
- Scheduling and sending commands, IT policies, and profiles to devices

BlackBerry UEM database: The BlackBerry UEM database is a relational database that contains user account information and configuration information that BlackBerry UEM uses to manage devices.

BlackBerry Control: BlackBerry Control sends user, policy, and other configuration data to BlackBerry Dynamics apps on devices.

BlackBerry Control database: The BlackBerry Control database is the repository that BlackBerry UEM uses to store user, app, and policy information.

BlackBerry MDS Connection Service: The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection.

BlackBerry Collaboration Service: The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the Enterprise IM app on BlackBerry 10 devices.

BlackBerry Dispatcher: The BlackBerry Dispatcher provides secure connectivity using IPPP for BlackBerry 10 devices.

BlackBerry Affinity Manager: The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection between BlackBerry 10 devices and the BlackBerry Infrastructure when the devices are not using BlackBerry Secure Connect Plus.

BlackBerry Gatekeeping Service (primary): The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BlackBerry UEM. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BlackBerry UEM management console by an administrator.

Management console and BlackBerry UEM Self-Service: The management console and BlackBerry UEM Self-Service provide a web-based user interface for administrator and user access to BlackBerry UEM. It can be installed separately from other BlackBerry UEM components. You use the management console to manage system settings, users, devices, and apps. Users can access BlackBerry UEM Self-Service to set an activation password and send commands, such as set password, lock device, and delete device data, to devices.

BlackBerry Connectivity Node: The BlackBerry Connectivity Node installs instances of the BlackBerry UEM device connectivity components to your organization's domain on a different server than the BlackBerry UEM Core. Each BlackBerry Connectivity Node contains these components:
- BlackBerry Cloud Connector
- BlackBerry Proxy
- BlackBerry Secure Connect Plus
- BlackBerry Secure Gateway Service
- BlackBerry Gatekeeping Service

BlackBerry Cloud Connector: The BlackBerry Cloud Connector allows the BlackBerry Connectivity Node components to communicate with the BlackBerry UEM Core. All communication between the BlackBerry Cloud Connector and BlackBerry UEM Core travels through the BlackBerry Infrastructure.

BlackBerry Proxy: BlackBerry Proxy maintains the secure connection between your organization and the BlackBerry Dynamics NOC. It also supports BlackBerry Dynamics Direct Connect, which allows app data to bypass the BlackBerry Dynamics NOC.

BlackBerry Secure Connect Plus: BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Secure Gateway Service: The BlackBerry Secure Gateway Service provides a secure connection through the BlackBerry Infrastructure and BlackBerry UEM to your organization's mail server for iOS devices.

BlackBerry Gatekeeping Service (BlackBerry Connectivity Node): BlackBerry UEM can use instances of BlackBerry Gatekeeping Service that are installed with the BlackBerry Connectivity Node to manage gatekeeping for your mail server. Each instance must be able to access your organization's gatekeeping server. If you want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the primary BlackBerry UEM components, you can disable the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node.

BlackBerry Enterprise Mobility Server: BEMS consolidates several services used to send work data to and from BlackBerry Dynamics apps, including: BlackBerry Push Notifications, BlackBerry Connect, BlackBerry Presence, and BlackBerry Docs.

BlackBerry Enterprise Mobility Server databases: The BEMS databases store user, app, policy, and configuration information.

BlackBerry Infrastructure and BlackBerry Dynamics NOC: The BlackBerry Infrastructure registers user information for device activation, validates licensing information for BlackBerry UEM and provides a trusted path between the organization and every user based on strong, cryptographic, mutual authentication. The BlackBerry Dynamics NOC is a separately-located NOC that provides secure communications between BlackBerry Dynamics apps on devices and BlackBerry Control, BlackBerry Proxy and BlackBerry Enterprise Mobility Server.

BlackBerry UEM regional deployment

This diagram shows how the BlackBerry UEM components connect together when one or more instances of the BlackBerry Connectivity Node are installed in a separate location. You can use server groups to specify the regional instance of the BlackBerry Connectivity Node that a device connects to. For information about the ports used for connections between components, see "Configuring ports" in the Installation and upgrade content.

Component name: Description

Primary BlackBerry UEM components: The primary BlackBerry UEM components include the BlackBerry UEM Core and all components installed with it on the same server.

BlackBerry UEM Core: The BlackBerry UEM Core is the central component of the BlackBerry UEM architecture. It consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services
- Scheduling and sending commands, IT policies, and profiles to devices

BlackBerry UEM database: The BlackBerry UEM database is a relational database that contains user account information and configuration information that BlackBerry UEM uses to manage devices.

BlackBerry Control: BlackBerry Control sends user, policy, and other configuration data to BlackBerry Dynamics apps on devices.

BlackBerry Control database: The BlackBerry Control database is the repository used by BlackBerry UEM to store user, app, and policy information.

BlackBerry MDS Connection Service: The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection.

BlackBerry Collaboration Service: The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the Enterprise IM app on BlackBerry 10 devices.

BlackBerry Dispatcher: The BlackBerry Dispatcher provides secure connectivity using IPPP for BlackBerry 10 devices.

BlackBerry Affinity Manager: The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection between BlackBerry 10 devices and the BlackBerry Infrastructure when the devices are not using BlackBerry Secure Connect Plus.

BlackBerry Gatekeeping Service (primary): The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BlackBerry UEM. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BlackBerry UEM management console by an administrator.

Management console and BlackBerry UEM Self-Service: The management console and BlackBerry UEM Self-Service provide a web-based user interface for administrator and user access to BlackBerry UEM. It can be installed separately from other BlackBerry UEM components. You use the management console to manage system settings, users, devices, and apps. Users can access BlackBerry UEM Self-Service to set an activation password and send commands, such as set password, lock device, and delete device data, to devices.

BlackBerry Connectivity Node: The BlackBerry Connectivity Node installs instances of the BlackBerry UEM device connectivity components to your organization's domain on a different server than the BlackBerry UEM Core. Each BlackBerry Connectivity Node contains these components:
- BlackBerry Cloud Connector
- BlackBerry Proxy
- BlackBerry Secure Connect Plus
- BlackBerry Secure Gateway Service
- BlackBerry Gatekeeping Service
If you have regional deployments of the BlackBerry Connectivity Node, you must configure the connection between the BlackBerry UEM Core and the server group containing the regional BlackBerry Connectivity Node.

BlackBerry Cloud Connector: The BlackBerry Cloud Connector allows the BlackBerry Connectivity Node components to communicate with the BlackBerry UEM Core. All communication between the BlackBerry Cloud Connector and BlackBerry UEM Core travels through the BlackBerry Infrastructure.

BlackBerry Proxy: BlackBerry Proxy maintains the secure connection between your organization and the BlackBerry Dynamics NOC. It also supports BlackBerry Dynamics Direct Connect, which allows app data to bypass the BlackBerry Dynamics NOC.

BlackBerry Secure Connect Plus: BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Secure Gateway Service: The BlackBerry Secure Gateway Service provides a secure connection through the BlackBerry Infrastructure and BlackBerry UEM to your organization's mail server for iOS devices.

BlackBerry Gatekeeping Service (BlackBerry Connectivity Node): BlackBerry UEM can use instances of BlackBerry Gatekeeping Service installed with the BlackBerry Connectivity Node to manage gatekeeping for your mail server. Each instance must be able to access your organization's gatekeeping server. If you want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the primary BlackBerry UEM components, you can disable the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node.

BlackBerry Enterprise Mobility Server: BEMS consolidates several services used to send work data to and from BlackBerry Dynamics apps, including: BlackBerry Push Notifications, BlackBerry Connect, BlackBerry Presence, and BlackBerry Docs.

BlackBerry Enterprise Mobility Server databases: The BEMS databases store user, app, policy, and configuration information.

BlackBerry Infrastructure and BlackBerry Dynamics NOC: The BlackBerry Infrastructure registers user information for device activation, validates licensing information for BlackBerry UEM and provides a trusted path between the organization and every user based on strong, cryptographic, mutual authentication. The BlackBerry Dynamics NOC is a separately-located NOC that provides secure communications between BlackBerry Dynamics apps on devices and BlackBerry Control, BlackBerry Proxy and BlackBerry Enterprise Mobility Server.

Components used to mnge BlkBerry OS devies Components used to mnge BlkBerry OS devies 6 Some BlkBerry UEM omponents re used only for mnging BlkBerry OS (versions 5.0 to 7.1) devies. This digrm shows the BlkBerry UEM omponents used for mnging BlkBerry OS devies. Component nme BlkBerry UEM Core Desription The BlkBerry UEM Core is the entrl omponent of BlkBerry UEM rhiteture nd onsists of severl suomponents tht re responsile for: Logging, monitoring, reporting, nd mngement funtions Authentition nd uthoriztion servies for the BlkBerry UEM Core lol diretory nd ompny diretories Sheduling nd sending ommnds, IT poliies, nd profiles to devies If there re multiple BlkBerry UEM instnes in the domin, ll the BlkBerry UEM Core instnes re tive nd eh of them n onnet to the BlkBerry Infrstruture nd proesses trffi. After you instll BlkBerry UEM on omputer, you n instll the BlkBerry UEM Core on nother omputer. 19

Component name: BlackBerry UEM database
Description: The BlackBerry UEM database is a relational database that contains user account information and configuration information that BlackBerry UEM uses to manage devices. You can install the BlackBerry UEM database on the same computer as a BlackBerry UEM instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

Component name: BlackBerry Administration Service
Description: You can use the BlackBerry Administration Service to configure BlackBerry OS device software updates, and VPN and Wi-Fi profiles for BlackBerry OS (versions 5.0 to 7.1) devices. The BlackBerry Administration Service connects to the BlackBerry UEM database. It also provides connection services for the management console so that you can manage BlackBerry OS devices.

Component name: BlackBerry Attachment Service
Description: The BlackBerry Attachment Service converts supported attachments into a format that can be viewed on BlackBerry OS devices. The BlackBerry Attachment Service converts attachments for the BlackBerry Messaging Agent, the BlackBerry MDS Connection Service for BlackBerry OS, and the BlackBerry Collaboration Service.

Component name: BlackBerry Collaboration Service for BlackBerry OS
Description: The BlackBerry Collaboration Service for BlackBerry OS is an optional component that provides a connection between your organization's instant messaging server and the collaboration client on BlackBerry OS devices.

Component name: BlackBerry Controller
Description: The BlackBerry Controller monitors components used to manage BlackBerry OS devices and restarts these components when they stop responding.

Component name: BlackBerry Dispatcher for BlackBerry OS
Description: The BlackBerry Dispatcher for BlackBerry OS performs the following functions:
- Transfers data between components used to manage BlackBerry OS devices
- Compresses and encrypts data that is sent to BlackBerry OS devices
- Decrypts and decompresses data that is received from BlackBerry OS devices
- Monitors and communicates the health of BlackBerry OS management components
- Starts the processing of BlackBerry OS device users on the BlackBerry Messaging Agent

Component name: BlackBerry Mail Store Service
Description: The BlackBerry Mail Store Service connects to the mail servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the mail servers.

Component name: BlackBerry MDS Connection Service for BlackBerry OS
Description: The BlackBerry MDS Connection Service for BlackBerry OS permits applications on BlackBerry OS devices to connect to your organization's application or content servers for application data and updates.

Component name: BlackBerry Messaging Agent
Description: The BlackBerry Messaging Agent performs the following functions:
- Connects to the mail server to provide messaging services, calendar management, contact lookups, attachment viewing, and attachment retrieval for BlackBerry OS devices
- Allows the BlackBerry Synchronization Service to access organizer data on the mail server
- Synchronizes configuration data between the BlackBerry UEM database and BlackBerry OS device user mailboxes on the mail server

Component name: BlackBerry Policy Service
Description: The BlackBerry Policy Service performs administration services for BlackBerry OS devices over the wireless network, such as sending IT policies, device commands, and service books.

Component name: BlackBerry Router
Description: The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BlackBerry UEM and all devices. For BlackBerry OS (version 5.0 to 7.1) devices, the BlackBerry Router also sends data directly to and receives data from devices that are connected to a work Wi-Fi network or to a computer that has the BlackBerry Device Manager.
If you upgrade from BES5 version 5.0.4 MR10 to BlackBerry UEM, the BlackBerry Router you originally installed with your BES5 continues to work only for the components used to manage BlackBerry OS devices. If you install a new instance of the BlackBerry Router with BlackBerry UEM, you can configure it to work with all components.
If you use an existing TCP proxy server instead of the BlackBerry Router, BlackBerry OS devices that are connected to a work Wi-Fi network or to a computer that has BlackBerry Device Manager installed cannot bypass the BlackBerry Infrastructure to connect to your organization's network.

Component name: BlackBerry Synchronization Service
Description: The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry OS devices and your organization's mail server using the BlackBerry Messaging Agent. The BlackBerry Synchronization Service also synchronizes BlackBerry OS device user data with the BlackBerry UEM database.

Component name: BlackBerry Web Desktop Manager
Description: BlackBerry OS device users can access BlackBerry Web Desktop Manager to set an activation password, activate their devices by connecting them to the computer, and perform other device management functions for their BlackBerry OS devices, such as updating the device software or sending device commands.

Component name: Management console
Description: The management console is a web-based console that is used to:
- Complete postinstallation configuration settings
- View and manage users, devices, policies, profiles, and apps

- View and manage system settings, including customizing the activation email message and adding an APNs certificate
- Move IT policies, profiles, groups, and users to BlackBerry UEM
The management console also provides access to BlackBerry UEM Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BlackBerry UEM on a computer, you can install the management console on another computer.

Activating devices

Depending on the device type and the activation type that you specify for it, the device and BlackBerry UEM must complete several steps during the activation process to authenticate to each other, secure a communication channel and, if needed, create a work space or encrypt the device before any configuration and work data is sent to the device. For instructions to activate devices, see "Device activation" in the Administration content.

Device activation types give you different degrees of control over the work and personal data on devices, ranging from full control over all data to specific control over work data only. For more information about activation types, see "Creating activation profiles" in the Administration content.

Data flow: Activating a BlackBerry 10 device

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email

      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password
2. The user performs the following actions:
   a. Types the username and activation password on the device
   b. For "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is "Work space only" activation, the device deletes all existing data and restarts. For other activation types, the Enterprise Management Agent on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the Enterprise Management Agent
5. The device performs the following actions:
   a. Establishes a connection with BlackBerry UEM
   b. Generates a shared symmetric key that is used to protect the CSR and the response from BlackBerry UEM, using the activation password and EC-SPEKE
   c. Creates an encrypted CSR and HMAC as follows:
      - Generates a key pair for the certificate
      - Creates a PKCS#10 CSR that includes the public key of the key pair
      - Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
      - Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
   d. Sends the encrypted CSR and HMAC to BlackBerry UEM
6. BlackBerry UEM performs the following actions:
   a. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
   b. Retrieves the username, work space ID, and your organization's name from the BlackBerry UEM database
   c. Packages a client certificate using the information it retrieved and the CSR that the device sent
   d. Signs the client certificate using the enterprise management root certificate
   e. Encrypts the client certificate, enterprise management root certificate, and the BlackBerry UEM URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
   f. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BlackBerry UEM URL and appends it to the encrypted data
   g. Sends the encrypted data and HMAC to the device
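The CSR exchange in steps 5 and 6 of the BlackBerry 10 flow (AES-256-CBC encryption, appended HMAC-SHA-256, verification before decryption), as an added Go example that is not BlackBerry's code. The page does not give the wire layout or key usage, so the IV || ciphertext || HMAC layout, the "enc"/"mac" subkeys, the P-521 CSR key and the fixed stand-in for the EC-SPEKE key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

var ErrAuth = errors.New("HMAC verification failed")

// mac returns HMAC-SHA-256(key, data). Assumption: also used to derive "enc"/"mac" subkeys.
func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// NewCSR makes a key pair and a DER PKCS#10 CSR with its public key (P-521 is an assumption).
func NewCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

// Seal encrypts with AES-256-CBC and PKCS#5 padding, then appends HMAC-SHA-256 of IV || ciphertext.
func Seal(shared, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(mac(shared, []byte("enc")))
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, mac(mac(shared, []byte("mac")), out)...), nil
}

// Open checks the HMAC in constant time first, so tampered input never reaches CBC or unpadding.
func Open(shared, msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	body, tag := msg[:n], msg[n:]
	if !hmac.Equal(mac(mac(shared, []byte("mac")), body), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(mac(shared, []byte("enc")))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-pad], nil
}

// ReceiveCSR is the server side: authenticate, decrypt, parse, then verify the CSR self-signature.
func ReceiveCSR(shared, msg []byte) (*x509.CertificateRequest, error) {
	der, err := Open(shared, msg)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

func main() {
	shared := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the EC-SPEKE key
	der, _ := NewCSR("device-0001.example")  // constructed sample subject
	msg, _ := Seal(shared, der)
	_, ok := ReceiveCSR(shared, msg)
	msg[20] ^= 0x01 // one ciphertext bit flipped in transit
	_, bad := ReceiveCSR(shared, msg)
	fmt.Println("intact:", ok, "tampered:", bad)
}
```

Because the tag is checked before decryption, a modified message is rejected with the same error whatever its padding would have decoded to, which removes the padding-oracle signal that CBC with PKCS#5 padding otherwise exposes.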

7. The device performs the following actions:
   a. Verifies the HMAC
   b. Decrypts the data it received from BlackBerry UEM
   c. Stores the client certificate and the enterprise management root certificate in its keystore
8. BlackBerry UEM performs the following actions:
   a. BlackBerry UEM Core assigns the new device to a BlackBerry UEM instance in the domain
   b. BlackBerry UEM Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BlackBerry UEM instance
   c. The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BlackBerry UEM instance that there is a new device
   d. The BlackBerry UEM Core sends configuration information, including enterprise connectivity settings to the device
9. BlackBerry UEM Core and the device generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BlackBerry UEM. This key is used to encrypt work data when not using BlackBerry Secure Connect Plus and push to IPPP data.
10. The device sends an acknowledgment over TLS to BlackBerry UEM to confirm that it received and applied the IT policy and other data and created the work space. The activation process is complete.

The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.

Data flow: Activating an Android device for MDM

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   b. Make sure an activation profile that specifies the "MDM controls" activation type is assigned to the user

   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
2. The user downloads and installs the BlackBerry UEM Client on the device. After it is installed, the user opens the BlackBerry UEM Client and enters the email address and activation password or scans the QR Code.
3. The BlackBerry UEM Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
5. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
6. BlackBerry UEM performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BlackBerry UEM database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
7. The BlackBerry UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
8. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
9. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.

10. BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.
11. The BlackBerry UEM Client determines if the device uses KNOX MDM and is running a supported MDM version. If the device uses KNOX MDM, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BlackBerry UEM Client applies the KNOX MDM IT policy rules from BlackBerry UEM.
12. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating an Android device to have a work profile in a Google domain

This data flow applies when BlackBerry UEM is connected to a Google Cloud or G Suite domain. For more information see the Configuration content.

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address. Optionally, you can configure BlackBerry UEM to create the Google account for the user during the activation process. When BlackBerry UEM creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   c. Make sure the "Work and personal - user privacy" or the "Work and personal - user privacy (Premium)" activation type is assigned to the user.
   d. Use one of the following options to provide the user with activation details:

      - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
2. The user downloads BlackBerry UEM Client from Google Play and installs it on the device. After it is installed, the user opens the BlackBerry UEM Client and enters their email address and activation password or scans the QR Code.
3. The BlackBerry UEM Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
5. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
6. BlackBerry UEM performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the managed Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
7. If the device is not encrypted, the user is prompted to encrypt the device.
8. The BlackBerry UEM Client performs the following actions:
   a. Prompts the user for the user's Google account information
   b. Connects to the managed Google domain to authenticate the user
   c. Creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
9. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client

   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
10. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
11. BlackBerry UEM stores the device information and sends the requested configuration information to the device.
12. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating an Android device to have a work profile using a managed Google Play account

This data flow applies when you allow BlackBerry UEM to manage Google Play accounts. For more information see the Configuration content.

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory.
   b. Make sure the "Work and personal - user privacy" or the "Work and personal - user privacy (Premium)" activation type is assigned to the user.
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email

      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
2. The user downloads BlackBerry UEM Client from Google Play and installs it on the device. After it is installed, the user opens the BlackBerry UEM Client and enters their email address and activation password or scans the QR Code.
3. The BlackBerry UEM Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
5. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
6. BlackBerry UEM performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to Google and creates a managed Google Play user
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends the user's managed Google Play account information and a successful authentication message to the device
7. If the device is not encrypted, the user is prompted to encrypt the device.
8. The BlackBerry UEM Client performs the following actions:
   a. Connects to Google to verify the user
   b. Creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
9. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
10. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
11. BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.

12. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating an Android device to have only a work profile in a Google domain

This data flow applies when BlackBerry UEM is connected to a Google Cloud or G Suite domain. For more information see the Configuration content.

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address. Optionally, you can configure BlackBerry UEM to create the Google account for the user during the activation process. When BlackBerry UEM creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. If users have devices with Android 6.0 or later, verify that the "Enforce EMM Policy" setting is enabled for the Google domain. This setting specifies that activated devices are managed by an EMM provider, such as BlackBerry UEM.
   c. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   d. Make sure that the "Work space only" or "Work space only (Premium)" activation type is assigned to the user.
   e. Set the user's activation password.
2. For devices with a version of Android earlier than 6.0, BlackBerry UEM communicates with the Google domain to generate an activation token for the user. The activation token and the user's activation password are included in the activation email that is sent to the user's work email address.

3. The user resets their device to the factory default settings.
4. The device restarts and prompts the user to select a Wi-Fi network and to add an account.
5. The user performs one of the following actions:
   - For devices with a version of Android earlier than 6.0, taps the More button, taps "Setup work device," and enters their work email address and the activation token they received in their activation email
   - For devices with Android 6.0 and later, enters their work email address and password
6. The device performs one of the following actions:
   - For devices with a version of Android earlier than 6.0, communicates with the Google domain to validate the activation token
   - For devices with Android 6.0 and later, communicates with the Google domain to verify that the user is a work user and to check if the Enforce EMM Policy setting is enabled
   After the device performs the appropriate validations, the device performs the following actions:
   - If the device is not encrypted, prompts the user to encrypt the device and restarts
   - Downloads the BlackBerry UEM Client from Google Play and installs it
7. The BlackBerry UEM Client on the device prompts the user to type their email address and activation password.
8. The user types their email address and activation password or scans the QR Code.
9. The BlackBerry UEM Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
10. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM server address for the user
   c. Sends the server address to the BlackBerry UEM Client
11. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
12. BlackBerry UEM performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
13. The BlackBerry UEM Client performs the following actions:

   a. Prompts the user for the user's Google account information
   b. Connects to the Google domain to authenticate the user
   c. Creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS
14. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
15. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
16. BlackBerry UEM stores the device information and sends the requested configuration information to the device.
17. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating an Android device to have only a work profile using a managed Google Play account

This data flow applies when you allow BlackBerry UEM to manage Google Play accounts. For more information see the Configuration content.

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory.
   b. Make sure that the "Work space only" or "Work space only (Premium)" activation type is assigned to the user
   c. Set the user's activation password
2. The user resets their device to the factory default settings.
3. The device restarts and prompts the user to select a Wi-Fi network and to add an account.
4. The user enters afw#blackberry instead of their Google user name.
5. The device performs the following actions:
   a. If the device is not encrypted, prompts the user to encrypt the device and restarts
   b. Downloads the BlackBerry UEM Client from Google Play and installs it
6. The BlackBerry UEM Client on the device prompts the user to type their email address and activation password.
7. The user types their email address and activation password or scans the QR Code.
8. The BlackBerry UEM Client performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
9. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM server address for the user
   c. Sends the server address to the BlackBerry UEM Client
10. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
11. BlackBerry UEM performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to Google and creates a managed Google Play user
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends the user's managed Google Play account information and a successful authentication message to the device
12. The BlackBerry UEM Client performs the following actions:
   a. Connects to Google to verify the user
   b. Creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS

13. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
14. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
15. BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.
16. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating a device to use KNOX Workspace

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   b. Make sure the "Work and personal - full control (Samsung KNOX)", "Work and personal - user privacy (Samsung KNOX)", or "Work space only - (Samsung KNOX)" activation type is assigned to the user
   c. Use one of the following options to provide the user with activation details:

      - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
2. The user downloads and installs the BlackBerry UEM Client on the device. After it is installed, the user opens the BlackBerry UEM Client and enters the email address and activation password or scans the QR Code.
3. The BlackBerry UEM Client performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
5. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
6. BlackBerry UEM performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BlackBerry UEM database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
7. The BlackBerry UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
8. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
9. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
10. BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.

11. The BlackBerry UEM Client determines if the device uses KNOX Workspace and is running a supported version. If the device uses KNOX Workspace, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BlackBerry UEM Client applies the KNOX MDM and KNOX Workspace IT policy rules.
12. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

After the activation is complete, the user is prompted to create a work space password for the KNOX Workspace. Data in the KNOX Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Note: If the device is activated with the "Work space only - (Samsung KNOX)" activation type, the personal space is removed when the KNOX Workspace is set up.

Data flow: Activating an iOS device

1. If you plan to use Apple's Device Enrollment Program, you perform the following actions:
   a. Make sure that BlackBerry UEM is configured to synchronize with DEP
   b. Register the device in DEP and assign it to an MDM server
   c. Assign an enrollment configuration to the device
2. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user

      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
3. If the device is registered in the Apple DEP, the device communicates with the Apple DEP web service during its initial setup. If you configured the device to install the BlackBerry UEM Client app, the device automatically downloads and installs it.
4. If the device is not registered in the Apple DEP or if you did not configure the device to install the BlackBerry UEM Client, the user manually downloads and installs the BlackBerry UEM Client on the device. After it is installed, the user opens the BlackBerry UEM Client and enters the email address and activation password or scans the QR Code.
5. The BlackBerry UEM Client performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
6. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
7. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
8. BlackBerry UEM performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BlackBerry UEM database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
9. The BlackBerry UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request over HTTPS.
10. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
11. The BlackBerry UEM Client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the link for the native MDM Daemon activation. The BlackBerry UEM Client establishes a connection to BlackBerry UEM.

12. BlackBerry UEM provides the MDM profile to the device. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
13. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BlackBerry UEM.
14. BlackBerry UEM validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
15. The native MDM Daemon sends a request to BlackBerry UEM asking for the CA certificate, CA capabilities information, and a device-issued certificate.
16. BlackBerry UEM sends the CA certificate, CA capabilities information, and the device-issued certificate to the native MDM Daemon.
17. The native MDM Daemon installs the MDM profile on the device. The BlackBerry UEM Client notifies BlackBerry UEM of the successful installation of the MDM profile and certificate and polls BlackBerry UEM periodically until it acknowledges that the MDM activation is complete.
18. BlackBerry UEM acknowledges that the MDM activation is complete.
19. The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
20. BlackBerry UEM stores the device information in the database and sends configuration information to the device.
21. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration updates. The activation process is complete.

Data flow: Activating a macOS device

1. You make sure that the user has a BlackBerry UEM user account and the login information for BlackBerry UEM Self-Service, including:

   - Web address for BlackBerry UEM Self-Service
   - Username and password
   - Domain name
2. The user logs in to BlackBerry UEM Self-Service on their macOS device and activates the device.
3. The device sends an activation request to BlackBerry UEM on port 443.
4. BlackBerry UEM provides the MDM profile to the device. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
5. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BlackBerry UEM.
6. BlackBerry UEM validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
7. The native MDM Daemon sends a request to BlackBerry UEM asking for the CA certificate, CA capabilities information, and a device-issued certificate.
8. BlackBerry UEM sends the CA certificate, CA capabilities information, and the device-issued certificate to the native MDM Daemon.
9. The native MDM Daemon installs the MDM profile on the device.
10. BlackBerry UEM acknowledges that the MDM activation is complete.
11. The device requests all configuration information.
12. BlackBerry UEM stores the device information in the database and sends configuration information to the device.
13. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating a Windows 10 device

1. You perform the following actions:
   a. Configure the discovery service to simplify Windows 10 activations
   b. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user.
      - Set a device activation password and select the option to send the activation information to the user by email.
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view their server address.
   d. Provide the user a CA certificate generated by BlackBerry UEM to install on their device
2. The user completes the following actions on their device:
   a. Checks that the device has Internet connectivity on port 443
   b. Opens and installs the certificate
   c. Navigates to Settings > Accounts > Work access and taps Connect
   d. When prompted, enters their email address and activation password they received on the activation email
3. The device establishes a connection to the discovery service that you configured to simplify Windows 10 activations in your organization.
4. The discovery service checks that the SRP ID for the BlackBerry UEM server is valid and redirects the device to BlackBerry UEM.
5. The device sends an activation request to BlackBerry UEM on port 443. The activation request includes the username, password, device operating system, and unique device identifier.
6. BlackBerry UEM performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BlackBerry UEM database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
7. The device creates a CSR and sends it to BlackBerry UEM over HTTPS. The CSR contains the username and activation password.
8. BlackBerry UEM validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device.

   All communication between the device and BlackBerry UEM is now mutually authenticated end to end using these certificates.
9. The device requests all configuration information.
10. BlackBerry UEM stores the device information in the database and sends configuration information to the device.
11. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.

Data flow: Activating a Windows Phone 8.1 device

1. You perform the following actions:
   a. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password

2. The user downloads and installs the BlackBerry UEM Client on the Windows Phone 8.1 device. After it is installed, the user opens the BlackBerry UEM Client and enters the email address and activation password on the device.
3. The BlackBerry UEM Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BlackBerry UEM address for the user
   c. Sends the address to the BlackBerry UEM Client
5. The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443.
6. BlackBerry UEM prompts the user to accept the BlackBerry UEM certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The user accepts the certificate.
8. The BlackBerry UEM Client sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
9. BlackBerry UEM performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BlackBerry UEM database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BlackBerry UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request over HTTPS.
11. BlackBerry UEM performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BlackBerry UEM Client
   A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
12. The BlackBerry UEM Client displays a message and video to show the user the steps the user must take to complete the activation. The BlackBerry UEM Client sends the device information to BlackBerry UEM.
13. The user copies the server address and navigates to the Windows Phone settings to complete the activation. The user adds an account using their username and activation password and pastes the server address.
14. The native MDM Daemon on the Windows Phone device sends a CSR to BlackBerry UEM that contains the username and activation password.

15. BlackBerry UEM validates the username and password, validates the CSR and returns the client certificate and the CA certificate to the device. All communication between the native MDM Daemon and BlackBerry UEM is now mutually authenticated end to end using these certificates.
16. The BlackBerry UEM Client polls BlackBerry UEM periodically until it acknowledges that the MDM activation is complete.
17. BlackBerry UEM acknowledges that the MDM activation is complete.
18. The BlackBerry UEM Client requests all configuration information.
19. BlackBerry UEM stores the device information in the database and sends configuration information to the device.
20. The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration updates. The activation process is complete.

Data flow: Activating a BlackBerry OS device

1. You use the management console to create a new user account and use one of the following options to provide the user with activation details:
   - Automatically generate a device activation password and send an email with activation instructions for the user
   - Set a device activation password and communicate the username and password to the user directly or by email

   - Don't set a device activation password and communicate the BlackBerry Web Desktop Manager address to the user so that they can set their own activation password
   The device user list stored in the BlackBerry UEM database is updated with the new device user name, email address, mailbox information, activation password, activation status, and other information.
2. The BlackBerry Dispatcher for BlackBerry OS assigns the new user to a BlackBerry Messaging Agent. The BlackBerry Messaging Agent starts to monitor the user's mailbox on the mail server for new email. An email containing an etp.dat file attachment is required to continue the activation process.
3. The device user navigates to the Enterprise Activation screen on the BlackBerry OS (version 5.0 to 7.1) device and types the email address and activation password. The device user opens the menu and clicks Activate. The device displays "Activating."
4. The device creates an activation request email that contains the email address, device PIN, and public key authentication information, based on the enterprise activation password the user typed. The device encrypts the email using SPEKE and sends it to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure receives the activation request email and identifies it as an activation request. The BlackBerry Infrastructure forwards the email using SMTP to the email address that the user typed on the Enterprise Activation screen.
6. When the activation request email arrives in the user's mailbox, the BlackBerry Messaging Agent identifies it and removes it from the user's mailbox. The BlackBerry Messaging Agent recognizes the etp.dat attachment in the activation request email and begins an authentication process.
7. The BlackBerry Messaging Agent compares the authentication key received in the activation request email with the authentication key generated from the activation password and stored in the BlackBerry UEM database. If the authentication keys match, the BlackBerry Messaging Agent notifies the BlackBerry OS device that the activation request was received.
8. BlackBerry UEM and the BlackBerry OS device establish an encryption key and verify their knowledge of the encryption key to each other. The BlackBerry OS device displays "Encryption Verified. Waiting for Services." All the data sent between the BlackBerry OS device and BlackBerry UEM from now on is compressed and encrypted using this encryption key and the device can now be managed from the management console.
9. The BlackBerry Messaging Agent forwards a request to the BlackBerry Policy Service to generate service books. The BlackBerry Policy Service receives and queues the request. The BlackBerry Policy Service adds the unique authentication key that the BlackBerry UEM domain uses to sign IT policy data and then forwards the IT policy data through the BlackBerry Dispatcher for BlackBerry OS to the device. The BlackBerry Policy Service waits for confirmation from the device that the IT policy has been applied successfully.
10. The BlackBerry OS device applies the IT policy and sends confirmation to BlackBerry UEM. The IT policy applied to the BlackBerry OS device is now in a read-only state and can be modified only by updates sent from the same BlackBerry UEM domain.
11. Once the BlackBerry Policy Service receives confirmation that the IT policy was applied successfully, the BlackBerry Policy Service generates and sends the service books to the BlackBerry OS device.

12. The BlackBerry OS device receives the service books. The device user is notified that the email address has been activated. The BlackBerry OS device displays "Services Received. Your email address, <username>@<domain>.com is now enabled." The device user can now send and receive email messages on the BlackBerry OS device.
13. The slow synchronization process begins. The BlackBerry OS device requests the synchronization configuration information from the BlackBerry Synchronization Service. The configuration information indicates whether wireless data synchronization on BlackBerry UEM is turned on and which organizer databases can be synchronized. The configuration information also provides database synchronization types (unidirectional or bidirectional) and conflict resolution settings.
14. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases on the BlackBerry OS device using that information. The BlackBerry OS device and BlackBerry UEM do not delete records during the initial synchronization process.
15. The slow synchronization process is complete when all databases are synchronized between the BlackBerry OS device and BlackBerry UEM. The activation process is complete when the BlackBerry OS device displays Activation Complete and the device user account status displays Completed in the management console or BlackBerry Administration Service.
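A textbook SPEKE exchange with mutual key confirmation, added here to illustrate steps 4, 7 and 8 of the BlackBerry OS activation flow above; it is not BlackBerry's code or wire format. The guide names only SPEKE, so the group (RFC 3526 group 14), the hash functions, the role labels and the sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed group: RFC 3526 group 14 (2048-bit MODP). P is a safe prime,
# so Q = (P - 1) / 2 is prime and the squares mod P form a subgroup of order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
P_BYTES = (P.bit_length() + 7) // 8


def _int_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashes are unambiguous."""
    return n.to_bytes(P_BYTES, "big")


def password_generator(password: str) -> int:
    """Derive the Diffie-Hellman base from the shared activation password.

    Squaring puts the value in the order-Q subgroup. Because the base itself
    is secret, a passive observer has nothing to test password guesses against.
    """
    wide = hashlib.shake_256(b"speke-demo|" + password.encode("utf-8")).digest(P_BYTES + 16)
    g = pow(int.from_bytes(wide, "big") % P, 2, P)
    if g in (0, 1):
        raise ValueError("password hashed to a degenerate generator")
    return g


class SpekeParty:
    """One side of the exchange (hypothetical roles: b"device" and b"server")."""

    def __init__(self, role: bytes, password: str):
        self.role = role
        self._x = secrets.randbelow(Q - 2) + 2          # private exponent in [2, Q-1]
        self.public = pow(password_generator(password), self._x, P)
        self._key = None
        self._transcript = b""

    def receive(self, peer_public: int) -> None:
        # 0, 1 and P-1 would force a shared secret an active attacker can predict.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value has small order")
        shared = pow(peer_public, self._x, P)
        low, high = sorted((self.public, peer_public))
        self._transcript = _int_bytes(low) + _int_bytes(high)
        self._key = hashlib.sha256(_int_bytes(shared) + self._transcript).digest()

    def _tag(self, role: bytes) -> bytes:
        return hmac.new(self._key, b"confirm|" + role + self._transcript, hashlib.sha256).digest()

    def confirmation_tag(self) -> bytes:
        """Proof of key knowledge, bound to this side's role and both public values."""
        return self._tag(self.role)

    def verify_peer(self, peer_role: bytes, tag: bytes) -> bool:
        """Constant-time check of the peer's proof."""
        return hmac.compare_digest(self._tag(peer_role), tag)


def run_activation(device_password: str, server_password: str) -> bool:
    """Return True only if both sides prove knowledge of the same session key."""
    device = SpekeParty(b"device", device_password)
    server = SpekeParty(b"server", server_password)
    device.receive(server.public)
    server.receive(device.public)
    return (server.verify_peer(b"device", device.confirmation_tag())
            and device.verify_peer(b"server", server.confirmation_tag()))


if __name__ == "__main__":
    # Constructed sample passwords.
    print("matching password :", run_activation("Tq9-activation", "Tq9-activation"))
    print("wrong password    :", run_activation("Tq9-activation", "guess-1234"))
```

Each wrong guess costs an attacker one full online exchange, which is why a short-lived, single-use activation password is workable in this kind of flow.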

Chapter 8: Sending and receiving work data

When devices that are active on BlackBerry UEM send and receive work data, they connect to your organization's mail, application, or content servers. For example, when they use the work email or calendar apps, devices establish a connection to your organization's mail server. When they use the work browser to navigate the intranet, devices establish a connection to the web server in your organization, and so on.

Depending on the type of device, the activation type, license types, and configuration settings, a device may establish connections to your organization's servers using the following paths:

Data path: Work Wi-Fi network
Description: You can use BlackBerry UEM to configure Wi-Fi profiles for devices so that devices can connect to your organization's resources using your work Wi-Fi network.

Data path: VPN
Description: You can use BlackBerry UEM to configure VPN profiles for devices or users may configure VPN profiles on their devices so that devices can connect to your organization's resources using a VPN.

Data path: BlackBerry UEM and the BlackBerry Infrastructure or BlackBerry Dynamics NOC
Description: Depending on the device, activation, and license type, and on the presence of BlackBerry Dynamics apps, devices may be able to use enterprise connectivity to communicate with your organization's resources through BlackBerry UEM and the BlackBerry Infrastructure.

BlackBerry 10 devices can use enterprise connectivity for all work data. Enterprise connectivity encrypts and authenticates all work data and sends it through BlackBerry UEM and the BlackBerry Infrastructure. Enterprise connectivity limits the number of ports that you need to open on your organization's external firewall to a single port, 3101.

For iOS devices, if the devices have an appropriate license, you can enable the BlackBerry Secure Gateway Service to allow devices to connect to your work mail server through the BlackBerry Infrastructure and BlackBerry UEM. If you use the BlackBerry Secure Gateway Service, you don't have to expose your mail server outside of the firewall to allow users with iOS devices to connect to Microsoft Exchange when they are not connected to your VPN or work Wi-Fi network.

For BlackBerry 10 and iOS devices, and Android devices activated to have a work profile or use Samsung KNOX Workspace, if the devices have an appropriate license, you can use enterprise connectivity by enabling BlackBerry Secure Connect Plus. When devices use BlackBerry Secure Connect Plus, work data travels in a secure IP tunnel established between apps on the device and your organization's network through the BlackBerry Infrastructure.

BlackBerry Dynamics apps installed on devices communicate with BlackBerry Proxy. Data can travel through the BlackBerry Dynamics NOC or can bypass the NOC using BlackBerry Dynamics Direct Connect.

BlackBerry OS (version 5.0 to 7.1) devices always connect to BlackBerry UEM to send or receive work data. BlackBerry UEM then establishes a connection to your organization's mail, application, or content servers to send and receive work data to and from the devices. For more information about data flows for BlackBerry OS (version 5.0 to 7.1) devices, see the BES5 Feature and Technical Overview.

Sending and receiving work data using the BlackBerry Infrastructure

Devices connect to BlackBerry UEM through the BlackBerry Infrastructure to obtain configuration updates and to send and receive work data using enterprise connectivity or the BlackBerry Secure Gateway Service.

The following diagram shows how devices connect to BlackBerry UEM and your organization's resources through the BlackBerry Infrastructure.

The following table lists the circumstances when devices connect to BlackBerry UEM and your organization's network through the BlackBerry Infrastructure.

Device type: All devices
Description: All devices use this communication path to send and receive configuration data, such as device commands, policy and profile updates, and to send device information and activity reports. For more information, see Receiving device configuration updates.

Device type: BlackBerry 10 devices
Description: BlackBerry 10 devices use this communication path to send and receive work data when this is the most direct, cost-efficient route available.

Device type: iOS devices
Description: You can enable the BlackBerry Secure Gateway Service to allow iOS devices to connect to your work mail server through the BlackBerry Infrastructure and BlackBerry UEM. If you use the BlackBerry Secure Gateway Service, you don't have to expose your mail server outside of the firewall to allow users to receive work email when they are not connected to your organization's VPN or work Wi-Fi network.

Device type: BlackBerry 10 devices, iOS devices, and Android devices with a work profile or Samsung KNOX Workspace
Description: Devices that have an enterprise connectivity profile configured to use BlackBerry Secure Connect Plus can use a secure IP tunnel through the BlackBerry Infrastructure to transfer data between apps and your organization's network. For BlackBerry 10 devices, KNOX Workspace devices, and Android devices with a work profile, BlackBerry Secure Connect Plus provides a secure tunnel between all work space apps and your organization's network. For iOS devices, BlackBerry Secure Connect Plus can provide a secure tunnel between your organization's network and all apps or only specified apps.

Device type: iOS and Android devices with BlackBerry Dynamics apps installed
Description: Enterprise connectivity for BlackBerry Dynamics apps does not use the BlackBerry Infrastructure. Instead, data in transit between BlackBerry Dynamics apps and BlackBerry Proxy can travel through the BlackBerry Dynamics NOC or can bypass the NOC using BlackBerry Dynamics Direct Connect.

Device type: BlackBerry OS (version 5.0 to 7.1) devices
Description: BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive email, organizer, and app data updates when this is the most direct, cost-efficient route available.

For more information on how to configure an enterprise connectivity profile, see the Administration content.
Related information
- Sending and receiving work data using a VPN or work Wi-Fi network, on page 58

Data flow: Accessing an application or content server from a BlackBerry 10 device

This data flow describes how data travels when a work app on a BlackBerry 10 device accesses an application or content server in your organization when BlackBerry Secure Connect Plus is not enabled.

1. The user opens a work app to view work data. For example, the user opens the work browser to navigate the intranet or uses BlackBerry Work Drives to access a file on a network drive.
2. The app establishes a connection to the application or content server to retrieve the data. The request travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the application or content server.
3. The application or content server replies with the work data. The work data travels through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the device.
4. The app receives and displays the data on the device.

Related information
- Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus, on page 55
- Data flow: Accessing an application or content server using a VPN or work Wi-Fi network, on page 61

Data flow: Sending email from a BlackBerry 10 device

This data flow describes how work email and calendar data travels from BlackBerry 10 devices to the Exchange ActiveSync server when BlackBerry Secure Connect Plus is not enabled.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient and sends confirmation to the device.

Related information
- Data flow: Sending email from an iOS device using the BlackBerry Secure Gateway Service, on page 54
- Data flow: Sending email from a device using a VPN or work Wi-Fi network, on page 60

Data flow: Receiving email on a BlackBerry 10 device

This data flow describes how work email messages are received from the Exchange ActiveSync server on BlackBerry 10 devices when BlackBerry Secure Connect Plus is not enabled.

1. The native email client on the device maintains a permanent connection with the email server over an encrypted and authenticated channel through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service and detects changes in the folders configured for synchronization on the mail server.
2. When there are new or changed items for the device, such as a new email message or updated calendar entry, the mail server sends the updates to the device through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the email or organizer app on the device using the Exchange ActiveSync protocol.

Related information
- Data flow: Receiving email on an iOS device using the BlackBerry Secure Gateway Service, on page 54
- Data flow: Receiving email on a device using a VPN or work Wi-Fi network, on page 61

Data flow: Receiving enterprise push updates on a BlackBerry 10 device

This data flow describes how work data travels from an application server to an appropriate app in the work space of a BlackBerry 10 device when BlackBerry Secure Connect Plus is not enabled.

1. When there is new or updated data for a work app on a BlackBerry 10 device, the application or content server pushes the data to the BlackBerry MDS Connection Service using an HTTP or HTTPS request.
2. The BlackBerry MDS Connection Service sends the pushed data through the BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure over port 3101 on the firewall.
3. The BlackBerry Infrastructure sends the data to the BlackBerry 10 device.
4. The BlackBerry 10 device sends a delivery confirmation to the BlackBerry Infrastructure. The device app detects the incoming content and displays the content when the user opens the app.
5. The BlackBerry Infrastructure sends a delivery confirmation through the BlackBerry Affinity Manager and the BlackBerry Dispatcher to the BlackBerry MDS Connection Service.

6. If configured to do so, the BlackBerry MDS Connection Service sends the delivery confirmation to the push initiator using an HTTP request.

Data flow: Sending an instant message from the BlackBerry Enterprise IM app

This data flow describes how instant messages travel from BlackBerry 10 devices when your organization uses BlackBerry Enterprise IM.

1. A user logs in to the BlackBerry Enterprise IM app on a BlackBerry 10 device that is running BlackBerry 10 OS version 10.2.1 or later. The BlackBerry 10 device compresses and encrypts the user ID and password.
2. The Enterprise IM app request on the device opens an SSL connection through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the BlackBerry Collaboration Service over port 8181.
3. The BlackBerry Collaboration Service checks the BlackBerry UEM database to check whether the maximum number of available sessions has been reached.
4. The BlackBerry Collaboration Service connects to Microsoft Active Directory to validate the user's login information.
5. The BlackBerry Collaboration Service connects to the instant messaging server and registers an active endpoint for the user using UCMA, over an MTLS connection over port 5061.
6. The instant messaging server sends the registration information back to the BlackBerry Collaboration Service.
7. The BlackBerry Collaboration Service sends the registration response to the device using the SSL connection through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure.
8. The session is created between the BlackBerry 10 device and the BlackBerry Collaboration Service and between the BlackBerry Collaboration Service and the Microsoft Lync Server.

For more information about BlackBerry Enterprise IM, see the BlackBerry Enterprise IM content.

Data flow: Sending email from an iOS device using the BlackBerry Secure Gateway Service

This data flow describes how work email and calendar data travels from iOS devices to the Exchange ActiveSync server using the BlackBerry Secure Gateway Service.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item through the BlackBerry Infrastructure and the BlackBerry Secure Gateway Service to the mail server.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient and sends confirmation to the device.

Related information
- Data flow: Sending email from a BlackBerry 10 device, on page 50
- Data flow: Sending email from a device using a VPN or work Wi-Fi network, on page 60

Data flow: Receiving email on an iOS device using the BlackBerry Secure Gateway Service

This data flow describes how work email and calendar data travels between iOS devices and the Exchange ActiveSync server using the BlackBerry Secure Gateway Service.

1. The native email client on iOS maintains a permanent connection with the email server over an encrypted and authenticated channel between the BlackBerry Infrastructure and the BlackBerry Secure Gateway Service and detects changes in the folders configured for synchronization on the mail server.
2. When there are new or changed items for the device, such as a new email message or updated calendar entry, the mail server sends the updates to the device through the secure channel between the BlackBerry Secure Gateway Service and the BlackBerry Infrastructure to the email or organizer app on the device using the Exchange ActiveSync protocol.

Related information
- Data flow: Receiving email on a BlackBerry 10 device, on page 51
- Data flow: Receiving email on a device using a VPN or work Wi-Fi network, on page 61

Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus

This data flow describes how data travels when an app on a device that is configured to use BlackBerry Secure Connect Plus accesses an application or content server in your organization.

1. The user opens an app to access work data from a content or application server behind your organization's firewall. For BlackBerry 10 devices, Samsung KNOX Workspace devices, and Android devices with a work profile, all work space apps use BlackBerry Secure Connect Plus. For iOS devices, you specify whether all apps or only specified apps use BlackBerry Secure Connect Plus.
2. The device sends requests through a TLS tunnel, over port 443, to the BlackBerry Infrastructure to request a secure tunnel to the work network. The signal is encrypted by default using FIPS-140 certified Certicom libraries. The signaling tunnel is encrypted end-to-end.
3. BlackBerry Secure Connect Plus receives the request from the BlackBerry Infrastructure through port 3101.
4. The device and BlackBerry Secure Connect Plus negotiate the tunnel parameters and establish a secure tunnel for the device through the BlackBerry Infrastructure. The tunnel is authenticated and encrypted end-to-end with DTLS.
5. The app uses the tunnel to connect to the application or content server using standard IPv4 protocols (TCP and UDP).
6. BlackBerry Secure Connect Plus transfers the IP data to and from your organization's network. BlackBerry Secure Connect Plus encrypts and decrypts traffic using FIPS-140 certified Certicom libraries.
7. The app receives and displays the data on the device.
8. As long as the tunnel is open, supported apps use it to access network resources. When the tunnel is no longer the best available method to connect to your organization's network, BlackBerry Secure Connect Plus terminates it.

Related information
- Data flow: Accessing an application or content server from a BlackBerry 10 device, on page 49
- Data flow: Accessing an application or content server using a VPN or work Wi-Fi network, on page 61

Data flow: Sending and receiving work data from a BlackBerry Dynamics app

This data flow describes how data travels when a BlackBerry Dynamics app accesses an application or content server in your organization through BlackBerry UEM.

1. The user opens a BlackBerry Dynamics app to access work data.
2. The BlackBerry Dynamics app establishes a connection to the BlackBerry Dynamics NOC. The connection is authenticated with the master link key that was created when the app was activated.
3. The BlackBerry Dynamics NOC communicates with BlackBerry Proxy over a pre-established secure connection to establish an end-to-end connection between the BlackBerry Dynamics app and BlackBerry Proxy that carries the work data. The work data is encrypted with a session key that is not known to the BlackBerry Dynamics NOC.
4. When the secure end-to-end connection is established, work data can travel between the device and application or content servers behind the firewall via BlackBerry Proxy.

Data flow: Sending and receiving work data from a BlackBerry Dynamics app using BlackBerry Dynamics Direct Connect

This data flow describes how data travels when a BlackBerry Dynamics app accesses an application or content server in your organization through BlackBerry Dynamics Direct Connect and BlackBerry UEM.

1. The user opens a BlackBerry Dynamics app to access work data.
2. The BlackBerry Dynamics app establishes a TLS connection to BlackBerry Proxy.
3. BlackBerry Proxy authenticates with the BlackBerry Dynamics app. BlackBerry Proxy authenticates with the app using its server certificate. BlackBerry Proxy validates the app using a MAC keyed with a session key known only to BlackBerry Proxy and the app.
4. When the secure end-to-end connection is established, work data can travel between the device and application or content servers behind the firewall via BlackBerry Proxy.

Sending and receiving work data using a VPN or work Wi-Fi network

Devices that have VPN or Wi-Fi profiles configured by you or by the users may be able to access your organization's resources using your organization's VPN or work Wi-Fi network. To use your organization's VPN, users with a Windows Phone 8.1 device or an Android device that does not have a work profile or Samsung KNOX Workspace must manually configure a VPN profile on their devices.

This diagram shows how data can travel when a BlackBerry 10, iOS, Android, Windows, or macOS device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

This diagram shows how data can travel when a BlackBerry OS (version 5.0 to 7.1) device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

The following table describes when devices use your organization's VPN or work Wi-Fi network to connect to your organization's network.

Device type: Android devices with a work profile and KNOX Workspace devices
Description: Android devices that have a work profile or use KNOX Workspace use your organization's VPN or work Wi-Fi network to send and receive work data only when BlackBerry Secure Connect Plus is not enabled.

Device type: Windows and macOS devices, and Android devices with the MDM controls activation type
Description: Windows and macOS devices and Android devices with the MDM controls activation type use your organization's VPN or work Wi-Fi network to send and receive work data. To use your organization's VPN, Android and Windows Phone 8.1 device users must manually configure a VPN profile on their devices.

Device type: iOS
Description: iOS devices use your organization's VPN or work Wi-Fi network to send and receive Exchange ActiveSync data if the BlackBerry Secure Gateway Service is not enabled. All other work data uses your organization's VPN or work Wi-Fi network.

Device type: BlackBerry 10
Description: BlackBerry 10 devices use your organization's VPN or work Wi-Fi network to send and receive work data when this is the most direct, cost-efficient route available. BlackBerry 10 devices use only VPN and Wi-Fi profiles configured by you, not by the user, when accessing work data.

Device type: BlackBerry OS
Description: BlackBerry OS (version 5.0 to 7.1) devices use your organization's VPN or work Wi-Fi network to send and receive all email, organizer, and app data updates when this is the most direct, cost-efficient route available.

Related information
Sending and receiving work data using the BlackBerry Infrastructure, on page 48

Data flow: Sending email from a device using a VPN or work Wi-Fi network

This data flow describes how work email and calendar data travels from the device to the mail server over your organization's VPN or work Wi-Fi network using Exchange ActiveSync.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item to the mail server over your organization's VPN or work Wi-Fi network.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient and sends confirmation to the device.

Related information
Data flow: Sending email from a BlackBerry 10 device, on page 50
Data flow: Sending email from an iOS device using the BlackBerry Secure Gateway Service, on page 54

Data flow: Receiving email on a device using a VPN or work Wi-Fi network

This data flow describes how work email and calendar data travels from the device to the mail server over your organization's VPN or work Wi-Fi network using Exchange ActiveSync.

1. The device issues an HTTPS request to the mail server and requests that the mail server notify the device when any items change in the folders that are configured to synchronize. The request travels through your organization's VPN or work Wi-Fi network to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through your organization's VPN or work Wi-Fi network to the email or organizer data app on the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail or application server sends a message to the device using the Exchange ActiveSync protocol.
6. The device issues a new request and the process starts over.

Related information
Data flow: Receiving email on a BlackBerry 10 device, on page 51
Data flow: Receiving email on an iOS device using the BlackBerry Secure Gateway Service, on page 54

Data flow: Accessing an application or content server using a VPN or work Wi-Fi network

This data flow describes how data travels between an application or content server in your organization and an app on a device using a VPN connection or work Wi-Fi network.

1. The user opens a work app to view work data. For example, the user opens the work browser to navigate the intranet or uses an internally developed app to access your organization's customer data.
2. The app establishes a connection to the application or content server to retrieve the data. The request travels through your VPN or work Wi-Fi network to the application or content server.
3. The application or content server replies with the work data. The work data travels through your VPN or work Wi-Fi network to the app on the work space of the device.
4. The app receives and displays the data on the device.

Related information
Data flow: Accessing an application or content server from a BlackBerry 10 device, on page 49
Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus, on page 55

Receiving device configuration updates

When you use the management console to send device commands, such as lock device or delete the work data, or when you perform other device management tasks, such as updates to policy, profile, and app settings or assignments, you trigger a configuration update for the device. When a configuration update needs to be sent to a device, BlackBerry UEM notifies the device that a configuration update is pending. Devices also poll BlackBerry UEM regularly to ask for any actions that need to be run on the device to prevent any configuration update from being missed if a notification is not received on the device. Windows Phone 8.0 devices don't receive update notifications. Instead, these devices poll BlackBerry UEM every hour to request pending updates.

On BlackBerry 10 devices, the Enterprise Management Agent receives and completes all configuration updates.

On Android devices, the BlackBerry UEM Client receives and completes all configuration updates.

On iOS devices, the BlackBerry UEM Client app displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on the device receives and completes all configuration updates sent to the device.

On Windows Phone devices, the BlackBerry UEM Client displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on the device receives and completes all configuration updates sent to the device.

On Windows 10 and macOS devices, which do not require the BlackBerry UEM Client for activation, the native MDM Daemon receives and completes all configuration updates sent to the device.

Data flow: Receiving configuration updates on a BlackBerry 10 device

1. An action is taken in the management console that triggers a configuration update for the device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BlackBerry UEM, and objects that must be shared with the device are identified.
3. The BlackBerry UEM Core notifies the BlackBerry Infrastructure that there is an update for a device. The notification passes through the BlackBerry Router or TCP proxy server, if installed, and the external firewall, over port 3101.
4. The BlackBerry Infrastructure notifies the Enterprise Management Agent on the device that there is an update.
5. The Enterprise Management Agent on the device polls the BlackBerry UEM Core to request any pending actions and commands that must be performed on the device. This poll passes through the BlackBerry Infrastructure and the BlackBerry Router, if installed, to the BlackBerry UEM Core.
6. The BlackBerry UEM Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action. Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BlackBerry UEM Core sends only one command at a time. If necessary, additional information is included in the response.
7. The Enterprise Management Agent on the device receives the configuration updates and applies the new or updated configuration on the device. The Enterprise Management Agent sends a response to the BlackBerry UEM Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.
8. If more actions or commands are pending for the device, the BlackBerry UEM Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BlackBerry UEM Core replies with an idle command.

Steps 6 to 8 are repeated until no more pending actions or commands must be performed on the device.
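The poll-and-reply loop of steps 5 to 8, modelled as an added Python example (not BlackBerry's code). The class and function names, the numeric priority values, and the choice to move on to the next command after a failed one are assumptions made for illustration.

```python
import heapq
import itertools

# Priority classes from step 6: IT administration commands first, then
# information requests. The numeric values are assumptions.
PRIORITY = {
    "Delete device data": 0,
    "Lock device": 0,
    "Request device information": 1,
    "Request installed apps": 1,
}
IDLE = "idle"

class CoreQueue:
    """Hypothetical per-device queue of pending actions on the server side."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()  # FIFO order inside a priority class
        self.status_log = []

    def enqueue(self, command):
        prio = PRIORITY.get(command, 2)  # unknown commands go last
        heapq.heappush(self._heap, (prio, next(self._seq), command))

    def next_action(self):
        """Reply to one poll: a single command, or idle if none is pending."""
        if not self._heap:
            return IDLE
        return heapq.heappop(self._heap)[2]

    def record_status(self, command, ok, error=None):
        self.status_log.append((command, ok, error))

def device_poll_cycle(core, run_command):
    """Device side of steps 5 to 8: poll, run, report status, until idle."""
    executed = []
    action = core.next_action()
    while action != IDLE:
        try:
            run_command(action)
            core.record_status(action, True)
        except Exception as exc:  # a failure is reported with its message
            core.record_status(action, False, str(exc))
        executed.append(action)
        action = core.next_action()
    return executed

def demo():
    core = CoreQueue()
    # Constructed input: the lock is queued last but must be sent first.
    for cmd in ("Request installed apps", "Request device information", "Lock device"):
        core.enqueue(cmd)

    def run(cmd):
        if cmd == "Request installed apps":
            raise RuntimeError("inventory unavailable")  # constructed failure
    return device_poll_cycle(core, run), core.status_log
```

Calling `demo()` returns the execution order and the status log, which is the record an administrator would review to confirm that a lock or wipe reached the device.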

Data flow: Receiving configuration updates on an Android device

1. An action is taken in the management console that triggers a configuration update for an Android device.
2. Updates are applied in BlackBerry UEM, and objects that must be shared with the device are identified.
3. The BlackBerry UEM Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the GCM to notify Android devices that an update is pending.
5. The GCM sends a notification to the BlackBerry UEM Client on the Android device to contact the BlackBerry UEM Core.
6. The BlackBerry UEM Client contacts the BlackBerry UEM Core, on port 3101 on the external firewall, to request any pending actions and commands that must be performed on the device.
7. The BlackBerry UEM Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action. Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BlackBerry UEM Core sends only one command at a time. If necessary, additional information is included in the response.
8. The BlackBerry UEM Client inspects the response, schedules the command to be processed, and waits for the command to be run. The BlackBerry UEM Client sends a response to the BlackBerry UEM Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.
9. If more actions or commands are pending for the device, the BlackBerry UEM Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BlackBerry UEM Core replies with an idle command.

Steps 7 to 9 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on an iOS device

1. An action is taken in the management console that triggers a configuration update for an iOS device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BlackBerry UEM and objects that must be shared with the device are identified.
3. The BlackBerry UEM Core performs the following actions:
   - Contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
   - Sends a request through the BlackBerry Infrastructure to the APNs to notify the device that an update is pending.
4. The APNs sends a notification to the native MDM Daemon on the iOS device to contact the BlackBerry UEM Core.
5. When the native MDM Daemon on the iOS device receives the notification, it contacts the BlackBerry UEM Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
6. The BlackBerry UEM Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. The BlackBerry UEM Core sends only one command at a time. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BlackBerry UEM Core replies to the device with an idle command.
7. The native MDM Daemon on the iOS device performs the following actions:
   - Inspects the response from the BlackBerry UEM Core, schedules the command to be processed, and waits for the command to run.

   - Sends a response to the BlackBerry UEM Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.

Steps 6 and 7 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on a macOS device

1. An action is taken in the management console that triggers a configuration update for a macOS device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BlackBerry UEM, and objects that must be shared with the device are identified.
3. The BlackBerry UEM Core performs the following actions:
   - Contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
   - Sends a request through the BlackBerry Infrastructure to the APNs to notify the device that an update is pending.
4. The APNs sends a notification to the device to contact the BlackBerry UEM Core.
5. When the device receives the notification, it contacts the BlackBerry UEM Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
6. When an update is pending for the device, the BlackBerry UEM Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BlackBerry UEM Core replies to the device with an empty message.
7. The device performs the following actions:
   - Inspects the response from the BlackBerry UEM Core, schedules the command to be processed, and waits for the command to run.

   - Sends a response to the BlackBerry UEM Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.

Steps 6 and 7 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on a Windows Phone 8.1 or Windows 10 device

1. An action is taken in the management console that triggers a configuration update for a Windows Phone 8.1 or Windows 10 device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BlackBerry UEM, and objects that must be shared with the device are identified.
3. The BlackBerry UEM Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the WNS to notify the device that an update is pending.
5. The WNS sends a notification to the device to contact the BlackBerry UEM Core.
6. When the device receives the notification, it contacts the BlackBerry UEM Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
7. When an update is pending for the device, the BlackBerry UEM Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BlackBerry UEM Core replies to the device with an empty message.
8. The device inspects the response, schedules the command to be processed, and waits for the command to be run. The device sends a response to the BlackBerry UEM Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.

Steps 7 and 8 are repeated until no more actions or commands are pending for the device.

Data flow: Receiving configuration updates on a Windows Phone 8.0 device

1. An action is taken in the management console that triggers a configuration update for a Windows Phone 8.0 device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BlackBerry UEM, and objects that must be shared with the device are identified.
3. The native MDM Daemon on the Windows Phone device polls BlackBerry UEM for updates at regular intervals.
4. When an update is pending for the device, the BlackBerry UEM Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BlackBerry UEM Core replies to the device with an empty message.
5. The native MDM service on the Windows Phone device inspects the response, schedules the command to be processed, and waits for the command to be run. The native MDM Daemon on the Windows Phone device sends a response to the BlackBerry UEM Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of failure.

Steps 4 and 5 are repeated until no more actions or commands are pending for the device.

Data flow: Activating a BlackBerry Dynamics app

1. An administrator assigns one or more BlackBerry Dynamics apps to a user.
2. The user installs the app on the device.
3. The BlackBerry Dynamics app performs the following actions:
   - Establishes a secure channel with the BlackBerry UEM Client on the device. Data exchanged over the secure channel is encrypted using an AES-CBC cipher.
   - Asks the BlackBerry UEM Client to request an access key for the new BlackBerry Dynamics app. The request includes a randomly generated nonce.
4. The BlackBerry UEM Client sends the access key request and the randomly generated nonce to BlackBerry Control.
5. BlackBerry Control sends the requested access key to the BlackBerry UEM Client.
6. The BlackBerry UEM Client provides the access key to the BlackBerry Dynamics app.
7. The BlackBerry Dynamics app establishes an SSL connection with the BlackBerry Dynamics NOC and sends it a hash of the access key.
8. The BlackBerry Dynamics NOC verifies the access key and, if the verification is successful, sends provisioning data, including the master link key and connection information, to the BlackBerry Dynamics app.
9. The BlackBerry Dynamics app begins the process of establishing a shared secret with BlackBerry Control by sending a secure channel setup message to the BlackBerry Dynamics NOC over the SSL connection. The secure channel setup message contains a user identifier (email address), ephemeral ECDH public key, salt value, token, and a MAC of the message to authenticate the sender and guarantee the integrity of the message.
10. The BlackBerry Dynamics NOC forwards the secure channel setup message to BlackBerry Proxy over an HTTPS connection.
11. BlackBerry Proxy then forwards the secure channel setup message to BlackBerry Control.