Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.10
  3. BlackBerry UEM Architecture and Data Flows
  4. Activating devices
  5. Data flow: Activating a BlackBerry 10 device

Data flow: Activating a 
BlackBerry 10
 device

 
Diagram showing the steps and the BlackBerry UEM components used when activating a BlackBerry 10 device
 
  1.  You perform the following actions:
    1. Add a user to 
      BlackBerry UEM
       as a local user account or using the account information retrieved from your company directory
    2. Assign an activation profile to the user
    3. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user
      • Set a device activation password and communicate the username and password to the user directly or by email
      • Don't set a device activation password and communicate the 
        BlackBerry UEM Self-Service
         address to the user so that they can set their own activation password
  2. The user performs the following actions:
    1. Types the username and activation password on the device
    2.  For a "
      Work and personal - Regulated
      " or "
      Work space only
      " activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
  3. If the activation is a "
    Work space only
    " activation, the device deletes all existing data and restarts. For other activation types, the 
    Enterprise Management Agent
     on the device performs the following actions:
    1. Establishes a connection to the 
      BlackBerry Infrastructure
    2. Sends a request for activation information to the 
      BlackBerry Infrastructure
  4. The 
    BlackBerry Infrastructure
     performs the following actions:
    1. Verifies that the user is a valid, registered user
    2. Retrieves the 
      BlackBerry UEM
       address for the user
    3. Sends the address to the 
      Enterprise Management Agent
  5. The device performs the following actions:
    1. Establishes a connection with 
      BlackBerry UEM
    2. Generates a shared symmetric key that is used to protect the CSR and response 
      BlackBerry UEM
       using the activation password and EC-SPEKE. 
    3. Creates an encrypted CSR and HMAC as follows:
      • Generates a key pair for the certificate
      • Creates a PKCS#10 CSR that includes the public key of the key pair
      • Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
      • Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
    4. Sends the encrypted CSR and HMAC to 
      BlackBerry UEM
  6. BlackBerry UEM
     performs the following actions:
    1. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
    2. Retrieves the username, work space ID, and your organization’s name from the 
      BlackBerry UEM
       database
    3. Packages a client certificate using the information it retrieved and the CSR that the device sent
    4. Signs the client certificate using the enterprise management root certificate
    5. Encrypts the client certificate, enterprise management root certificate, and the 
      BlackBerry UEM
       URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
    6. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the 
      BlackBerry UEM
       URL and appends it to the encrypted data
    7. Sends the encrypted data and HMAC to the device
  7. The device performs the following actions:
    1. Verifies the HMAC
    2. Decrypts the data it received from 
      BlackBerry UEM
    3. Stores the client certificate and the enterprise management root certificate in its keystore
  8. BlackBerry UEM
     performs the following actions:
    1. BlackBerry UEM Core
       assigns the new device to a 
      BlackBerry UEM
       instance in the domain
    2. BlackBerry UEM Core
       notifies the active 
      BlackBerry Affinity Manager
       that a new device is assigned to the 
      BlackBerry UEM
       instance
    3. The active 
      BlackBerry Affinity Manager
       notifies the 
      BlackBerry Dispatcher
       on that 
      BlackBerry UEM
       instance that there is a new device
    4. The 
      BlackBerry UEM Core
       sends configuration information, including enterprise connectivity settings to the device
  9. BlackBerry UEM Core
     and the device generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for 
    BlackBerry UEM
    . This key is used to encrypt work data when not using 
    BlackBerry Secure Connect Plus
     and push to IPPP data.
  10. The device sends an acknowledgment over TLS to 
    BlackBerry UEM
     to confirm that it received and applied the IT policy and other data and created the work space. The activation process is complete.
 The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.