Data flow: Activating a BlackBerry Dynamics app on a Samsung KNOX Workspace device when BlackBerry Secure Connect Plus is enabled

This data flow describes how data travels when a BlackBerry Dynamics app in the work space on a Samsung KNOX Workspace device is activated over a BlackBerry Secure Connect Plus connection.
- An administrator assigns one or more BlackBerry Dynamics apps to a user.
- The user installs the app on the Samsung KNOX device.
- If the device is a Samsung KNOX Workspace device and the BlackBerry UEM Client is installed on the device, the BlackBerry Dynamics app performs the following actions:
  - Establishes a secure channel with the BlackBerry UEM Client on the device. Data exchanged over the secure channel is encrypted using an AES-CBC cipher.
  - Asks the BlackBerry UEM Client to request an access key for the new BlackBerry Dynamics app. The request includes a randomly generated nonce.
- The device sends a request through a TLS tunnel, over port 443, to the BlackBerry Infrastructure to request a secure tunnel to the work network. The signaling is encrypted by default using FIPS 140-certified Certicom libraries, and the signaling tunnel is encrypted end to end.
- BlackBerry Secure Connect Plus receives the request from the BlackBerry Infrastructure through port 3101.
- The device and BlackBerry Secure Connect Plus negotiate the tunnel parameters and establish a secure tunnel for the device through the BlackBerry Infrastructure. The tunnel is authenticated and encrypted end to end with DTLS.
- The BlackBerry UEM Client sends the access key request and the randomly generated nonce over the BlackBerry Secure Connect Plus tunnel to the BlackBerry UEM Core.
- The BlackBerry UEM Core returns the requested access key over the BlackBerry Secure Connect Plus tunnel to the BlackBerry UEM Client.
- The BlackBerry UEM Client provides the access key to the BlackBerry Dynamics app.
- The BlackBerry Dynamics app establishes a connection using BlackBerry Secure Connect Plus with the BlackBerry Dynamics NOC and sends it a hash of the access key.
- The BlackBerry Dynamics NOC verifies the access key and, if the verification is successful, sends provisioning data, including the master link key and connection information, using BlackBerry Secure Connect Plus to the BlackBerry Dynamics app.
- The BlackBerry Dynamics app begins the process of establishing a shared secret with the BlackBerry UEM Core by sending a secure channel setup message to the BlackBerry Dynamics NOC using BlackBerry Secure Connect Plus. The secure channel setup message contains the user identifier (email address), an ephemeral ECDH public key, a salt value, a token, and a MAC over the message that authenticates the sender and guarantees the integrity of the message.
- The BlackBerry Dynamics NOC forwards the secure channel setup message to BlackBerry Proxy over an HTTPS connection.
- BlackBerry Proxy forwards the secure channel setup message to the BlackBerry UEM Core.
- The BlackBerry UEM Core responds to the BlackBerry Dynamics app using BlackBerry Secure Connect Plus. The response contains a new ephemeral ECDH public key and a MAC of the message.
- The BlackBerry Dynamics app requests provisioning data from the BlackBerry UEM Core. The request travels through BlackBerry Secure Connect Plus, the BlackBerry Dynamics NOC, and BlackBerry Proxy.
- The BlackBerry UEM Core sends encrypted provisioning data, including the master session key, app configuration data, and a list of BlackBerry Proxy instances, to the BlackBerry Dynamics app to complete the activation.
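The last part of the flow (access key proof to the NOC, the MACed secure channel setup message, the UEM Core's MACed ephemeral reply, and provisioning data encrypted under the resulting shared secret) is easier to reason about as code. The following Go program is an added example written for this page; it is not BlackBerry's implementation and nothing in it should be read as the wire format of BlackBerry Dynamics. It assumes P-256 ECDH, HMAC-SHA256 keyed with the access key as the MAC over both setup messages, an HKDF-extract-style derivation of the session key from the ECDH secret and the salt, and AES-256-GCM for the provisioning payload; message field layout and the `tamper` switch are constructed for illustration. It also shows the failure mode the MAC exists for: a token modified in transit is rejected before any key is derived.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Field sets follow the data flow; encodings and algorithms are assumptions for this example.
type setupMsg struct {
	userID string // email address
	pub    []byte // app's ephemeral ECDH public key
	salt   []byte
	token  []byte
	mac    []byte // HMAC-SHA256 over the other fields, keyed with the access key
}

type replyMsg struct {
	pub []byte // UEM Core's ephemeral ECDH public key
	mac []byte
}

func tag(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NOC step: the app proves possession of the access key by sending its hash; the NOC compares.
func accessKeyProof(accessKey []byte) []byte { s := sha256.Sum256(accessKey); return s[:] }
func nocVerify(expected, proof []byte) bool  { return hmac.Equal(accessKeyProof(expected), proof) }

// App side: ephemeral key, random salt and token, MAC under the access key (assumed MAC key).
func appSetup(userID string, accessKey []byte) (*ecdh.PrivateKey, setupMsg) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := setupMsg{userID: userID, pub: priv.PublicKey().Bytes(), salt: randBytes(16), token: randBytes(16)}
	m.mac = tag(accessKey, []byte(m.userID), m.pub, m.salt, m.token)
	return priv, m
}

// HKDF-style extract: the salt keys the HMAC, the raw ECDH secret is the input keying material.
func sessionKey(priv *ecdh.PrivateKey, peerPub, salt []byte, userID string) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return tag(salt, shared, []byte(userID)), nil
}

// UEM Core side: reject on bad MAC, else answer with its own ephemeral key bound to this setup message.
func coreReply(accessKey []byte, m setupMsg) (replyMsg, []byte, error) {
	if !hmac.Equal(m.mac, tag(accessKey, []byte(m.userID), m.pub, m.salt, m.token)) {
		return replyMsg{}, nil, errors.New("setup message MAC invalid")
	}
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return replyMsg{}, nil, err
	}
	r := replyMsg{pub: priv.PublicKey().Bytes()}
	r.mac = tag(accessKey, r.pub, m.salt, m.token)
	key, err := sessionKey(priv, m.pub, m.salt, m.userID)
	return r, key, err
}

func appFinish(priv *ecdh.PrivateKey, accessKey []byte, m setupMsg, r replyMsg) ([]byte, error) {
	if !hmac.Equal(r.mac, tag(accessKey, r.pub, m.salt, m.token)) {
		return nil, errors.New("reply MAC invalid")
	}
	return sessionKey(priv, r.pub, m.salt, m.userID)
}

// Provisioning data (master session key, config, proxy list) under AES-256-GCM, nonce prefixed.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Activate runs the exchange end to end and returns what the app decrypts.
// tamper flips one token byte after the app has MACed it, simulating modification in transit.
func Activate(userID string, accessKey, provisioning []byte, tamper bool) ([]byte, error) {
	if !nocVerify(accessKey, accessKeyProof(accessKey)) {
		return nil, errors.New("NOC rejected access key")
	}
	priv, m := appSetup(userID, accessKey)
	wire := m
	if tamper {
		wire.token = append([]byte{}, m.token...)
		wire.token[0] ^= 1
	}
	r, coreKey, err := coreReply(accessKey, wire)
	if err != nil {
		return nil, err
	}
	appKey, err := appFinish(priv, accessKey, m, r)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(appKey, coreKey) {
		return nil, errors.New("session key mismatch")
	}
	return open(appKey, seal(coreKey, provisioning))
}

func main() {
	key := randBytes(32) // constructed access key standing in for the one the UEM Core issued
	out, err := Activate("user@example.com", key, []byte(`{"master_session_key":"..."}`), false)
	fmt.Println(string(out), err)
	_, err = Activate("user@example.com", key, nil, true)
	fmt.Println("tampered setup message:", err)
}
```

The two MACs are keyed with the same secret that the NOC already checked a hash of, so an on-path party without the access key can neither forge the setup message nor substitute its own ephemeral public key in the reply; the reply MAC also covers the app's salt and token, which ties each reply to exactly one setup message and prevents replaying an old reply. The session key is 32 bytes because it is an HMAC-SHA256 output, so it can be used directly for AES-256-GCM.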