Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.10
  3. BlackBerry UEM Architecture and Data Flows
  4. Activating devices
  5. Data flow: Activating an Android device to have only a work profile in a Google domain

Data flow: Activating an 
Android
 device to have only a work profile in a 
Google
 domain

Diagram showing the steps and the BlackBerry UEM components used when activating an Android device to have only a work profile
This data flow applies when 
BlackBerry UEM
 is connected to a 
Google Cloud
 or 
G Suite
 domain. For more information see the Configuration content.
  1. You perform the following actions:
    1. Verify that the user has a 
      Google
       account that is associated with the user’s work email address. Optionally, you can configure 
      BlackBerry UEM
       to create the 
      Google
       account for the user during the activation process. When 
      BlackBerry UEM
       creates the account for the user in 
      Google
      , the user receives an email from the 
      Google
       domain with their 
      Google
       account password.
    2. If users have devices with 
      Android
       6.0 or later, verify that the "Enforce EMM Policy" setting is enabled for the 
      Google
       domain. This setting specifies that activated devices are managed by an EMM provider, such as 
      BlackBerry UEM
      .
    3. Add a user to 
      BlackBerry UEM
       as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's 
      Google
       account.
    4. Make sure that the "
      Work space only
      " or "
      Work space only
       (Premium)" activation type is assigned to the user.
    5. Set the user's activation password.
  2. For devices with a version of 
    Android
     earlier than 6.0, 
    BlackBerry UEM
     communicates with the 
    Google
     domain to generate an activation token for the user. The activation token and the user's activation password are included in the activation email that is sent to the user's work email address.
  3. The user resets their device to the factory default settings. 
  4. The device restarts and prompts the user to select a 
    Wi-Fi
     network and to add an account.
  5. The user performs one of the following actions:
    • For devices with a version of 
      Android
       earlier than 6.0, taps the More button, taps "Setup work device," and enters their work email address and the activation token they received in their activation email
    • For devices with 
      Android
       6.0 and later, enters their work email address and password
  6. The device performs one of the following actions:
    • For devices with a version of 
      Android
       earlier than 6.0, communicates with the 
      Google
       domain to validate the activation token
    • For devices with 
      Android
       6.0 and later, communicates with the 
      Google
       domain to verify that the user is a work user and to check if the Enforce EMM Policy setting is enabled
    After the device performs the appropriate validations, the device performs the following actions:
    1. If the device is not encrypted, prompts the user to encrypt the device and restarts
    2. Downloads the 
      BlackBerry UEM Client
       from 
      Google Play
       and installs it
  7. The 
    BlackBerry UEM Client
     on the device prompts the user to type their email address and activation password.
  8. The user types their email address and activation password or scans the 
    QR Code
    .
  9. The 
    BlackBerry UEM Client
     on the device performs the following actions:
    1. Establishes a connection to the 
      BlackBerry Infrastructure
    2. Sends a request for activation information to the 
      BlackBerry Infrastructure
  10. The 
    BlackBerry Infrastructure
     performs the following actions:
    1. Verifies that the user is a valid, registered user
    2. Retrieves the 
      BlackBerry UEM
       server address for the user
    3. Sends the server address to the 
      BlackBerry UEM Client
  11. The 
    BlackBerry UEM Client
     establishes a connection with 
    BlackBerry UEM
     using an HTTP CONNECT call over port 443 and sends an activation request to 
    BlackBerry UEM
    . The activation request includes the username, password, device operating system, and unique device identifier.
  12. BlackBerry UEM
     performs the following actions:
    1. Determines the activation type assigned to the user account
    2. Connects to the 
      Google
       domain to verify the user information
    3. Creates a device instance
    4. Associates the device instance with the specified user account
    5. Adds the enrollment session ID to an HTTP session
    6. Sends a successful authentication message to the device
  13. The 
    BlackBerry UEM Client
     performs the following actions:
    1. Prompts the user for the user's 
      Google
       account information 
    2. Connects to the 
      Google
       domain to authenticate the user
    3. Creates a CSR using the information received from 
      BlackBerry UEM
       and sends a client certificate request to 
      BlackBerry UEM
       over HTTPS
  14. BlackBerry UEM
     performs the following actions:
    1. Validates the client certificate request against the enrollment session ID in the HTTP session
    2. Signs the client certificate request with the root certificate
    3. Sends the signed client certificate and root certificate back to the 
      BlackBerry UEM Client
    A mutually authenticated TLS session is established between the 
    BlackBerry UEM Client
     and 
    BlackBerry UEM
    .
  15. The 
    BlackBerry UEM Client
     requests all configuration information and sends the device and software information to 
    BlackBerry UEM
    .
  16. BlackBerry UEM
     stores the device information and sends the requested configuration information to the device.
  17. The device sends an acknowledgment to 
    BlackBerry UEM
     that it received and applied the configuration information. The activation process is complete.