Getting started
- Configuring BlackBerry UEM for the first time
- Configuration tasks for managing BlackBerry OS devices
- Administrator permissions you need to configure BlackBerry UEM
- Obtaining and activating licenses
- BlackBerry Enterprise Mobility Suite services
Changing BlackBerry UEM certificates
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
- Sending data through the BlackBerry Router to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use the BlackBerry Router
- Sending data through an HTTP proxy to the BlackBerry Dynamics NOC
  - Configure HTTP proxy settings
Configuring connections through internal proxy servers
- Configure server-side proxy settings
Connecting to your company directories
- Configuring Microsoft Active Directory authentication in an environment that includes a resource forest
- Connect to a Microsoft Active Directory instance
- Connect to an LDAP directory
- Enable directory-linked groups
- Enabling onboarding
  - Enable and configure onboarding and offboarding
- Synchronize a company directory connection
Connecting to an SMTP server to send email notifications
- Connect to an SMTP server to send email notifications
Configuring single sign-on for BlackBerry UEM
- Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
- Configure single sign-on for BlackBerry UEM
  - Console URLs for single sign-on
  - Browser requirements: Single sign-on
Obtaining an APNs certificate to manage iOS and macOS devices
- Obtain a signed CSR from BlackBerry
- Request an APNs certificate from Apple
- Register the APNs certificate
- Renew the APNs certificate
- Troubleshooting APNs
Controlling which devices can access Exchange ActiveSync
- Steps to configure Exchange ActiveSync and the BlackBerry Gatekeeping Service
- Configure permissions for gatekeeping
- Allow only authorized devices to access Exchange ActiveSync
  - Configure Microsoft Exchange to allow only authorized devices to access Exchange ActiveSync
  - Configure the mobile device access policy in Microsoft Office 365
- Configure Microsoft IIS permissions for gatekeeping
- Create a gatekeeping configuration
Connecting BlackBerry UEM to Microsoft Azure
- Create a Microsoft Azure account
- Synchronize Microsoft Active Directory with Microsoft Azure
- Create an enterprise endpoint in Azure
- Configuring BlackBerry UEM to synchronize with Microsoft Intune
  - Configure BlackBerry UEM to synchronize with Microsoft Intune
- Configuring BlackBerry UEM to synchronize with the Windows Store for Business
Configuring BlackBerry UEM to support Android Enterprise devices
- Configure BlackBerry UEM to support Android Enterprise devices
- Remove the connection to your Google domain
- Remove the Google domain connection using your Google account
- Edit or test the Google domain connection
Add an E-FOTA license
Manage attestation for Samsung KNOX devices
Manage attestation for Android devices and BlackBerry Dynamics apps using SafetyNet
- Considerations for configuring SafetyNet attestation
- Considerations for configuring SafetyNet attestation - App versions
- Configure attestation for Android devices and BlackBerry Dynamics apps using SafetyNet
Manage attestation for Windows 10 devices
Configuring BlackBerry UEM for DEP
- Create a DEP account
- Download a public key
- Generate a server token
- Register the server token with BlackBerry UEM
- Add the first enrollment configuration
- Update the server token
- Remove a DEP connection
Setting up BlackBerry UEM Self-Service for users
- Set up BlackBerry UEM Self-Service
Configuring high availability for a BlackBerry UEM domain
- High availability for the components that manage BlackBerry OS devices
- Architecture: High availability for BlackBerry UEM
- Load-balancing data for BlackBerry 10 devices
- High availability and the BlackBerry Connectivity Node
- How BlackBerry UEM evaluates the health of components
- Install an additional BlackBerry UEM instance
- Configuring high availability for the management console
Configuring database high availability using database mirroring
- Database high availability for components that manage BlackBerry OS devices
- Steps to configure database mirroring
- System requirements: Database mirroring
- Prerequisites: Configuring database mirroring
- Create and configure the mirror database
- Connect BlackBerry UEM to the mirror database
- Configuring a new mirror database
Configuring TLS/SSL connections to Exchange ActiveSync when you enable the BlackBerry Secure Gateway
- Configure BlackBerry UEM to trust the Exchange ActiveSync server certificate
- Configure BlackBerry UEM to use the TLS versions and ciphers that Exchange ActiveSync supports
Simplifying Windows 10 activations
- Deploy a discovery service to simplify Windows 10 activations
Migrating users, devices, groups, and other data from a source server
- Prerequisites: Migrating users, devices, groups, and other data from a source server
- Connect to a source server
  - Export the self-signed root certificate for the Good Control server
- Considerations: Migrating IT policies, profiles, and groups from a source server
- Migrate IT policies, profiles, and groups from a source server
- Complete policy and profile migration from Good Control to BlackBerry UEM
  - Good Control features in BlackBerry UEM
- Considerations: Migrating users from a source server
- Migrate users from a source server
- Considerations: Migrating devices from a source server
  - Device migration quick reference
- Migrate devices from a source server
- Migrating DEP devices
  - Migrate DEP devices that have the BlackBerry UEM Client installed
  - Migrate DEP devices that do not have the BlackBerry UEM Client installed
Configuring BlackBerry UEM to support BlackBerry Dynamics apps
- Manage BlackBerry Proxy clusters
- Configure Direct Connect or a web proxy for BlackBerry Proxy connections
- Configure BlackBerry Dynamics properties
- Configure communication settings for BlackBerry Dynamics apps
- Configuring certificates for BlackBerry Dynamics apps
  - Configure a time to live for client certificates
  - Configuring PKI connections for BlackBerry Dynamics apps
    - PKI connector interactions
Integrating BlackBerry UEM with Cisco ISE
- Requirements: Integrating BlackBerry UEM with Cisco ISE
- Create an administrator account that Cisco ISE can use
- Add the BlackBerry Web Services certificate to the Cisco ISE certificate store
- Connect BlackBerry UEM to Cisco ISE
- Example: Authorization policy rules for BlackBerry UEM
- Managing network access and device controls using Cisco ISE
  - Redirecting devices that are not activated on BlackBerry UEM
Monitoring BlackBerry UEM using SNMP tools
- Supported SNMP operations
- System requirements: SNMP monitoring
- MIBs for BlackBerry UEM
- Compile the MIB and configure the SNMP management tool
- Using SNMP to monitor components
  - Configure SNMP to monitor components

Configuring
BlackBerry UEM
for the first time

The following table summarizes the configuration tasks covered in this guide. The tasks are optional based on your organization's needs. Use this table to determine which configuration tasks you should complete.

After you complete the appropriate tasks, you are ready to set up administrators, set up device controls, create users and groups, and activate devices.

Task	Required or Optional	Description
Replace default certificates with trusted certificates	Optional	You can replace the default SSL certificate used by the BlackBerry UEM consoles and the default certificate that BlackBerry UEM uses to sign the MDM profile for iOS devices with trusted certificates.
Configure BlackBerry UEM to send data through a proxy server	Optional	You can configure BlackBerry UEM to send data through a TCP proxy server or an instance of the BlackBerry Router before it reaches the BlackBerry Infrastructure . You can also configure BlackBerry UEM to send data through an HTTP proxy before it reaches the BlackBerry Dynamics NOC .
Configure connections through internal proxy servers	Optional	If your organization uses a proxy server for connections between servers inside your network, you may need to configure server-side proxy settings to allow the BlackBerry UEM Core to communicate with remote instances of the management console.
Connect BlackBerry UEM to company directories	Optional	You can connect BlackBerry UEM to one or more company directories, such as Microsoft Active Directory or an LDAP directory, so that BlackBerry UEM can access user data to create user accounts.
Connect BlackBerry UEM to an SMTP server	Optional	If you want BlackBerry UEM to send activation emails and other notifications to users, you must specify the SMTP server settings that BlackBerry UEM can use.
Configure single sign-on for BlackBerry UEM administrators	Optional	If you connect BlackBerry UEM to Microsoft Active Directory , you can configure single sign-on authentication to permit administrators or users to bypass the login webpage and access the management console or BlackBerry UEM Self-Service directly.
Obtain and register an APNs certificate	Optional	If you want to manage and send data to iOS or macOS devices, you must obtain a signed CSR from BlackBerry , use it to obtain an APNs certificate from Apple , and register the APNs certificate with the BlackBerry UEM domain.
Control which devices can access Exchange ActiveSync	Optional	If you configured Microsoft Exchange to block devices from accessing work email and organizer data unless the devices are added to an allowed list, you must create a Microsoft Exchange configuration in BlackBerry UEM .
Configure BlackBerry UEM to support Android devices that have a work profile	Optional	To support Android devices that have a work profile, you need to configure your G Suite or Google Cloud domain to support third-party mobile device management providers and configure BlackBerry UEM to communicate with your G Suite or Google Cloud domain.
Manage attestation for Samsung KNOX devices	Optional	If you turn on attestation, BlackBerry UEM sends challenges to test the authenticity and integrity of Samsung KNOX devices.
Configure BlackBerry UEM for the Apple Device Enrollment Program	Optional	If you want to use the BlackBerry UEM management console to manage iOS devices that your organization purchased from Apple for DEP, you must configure this feature.
Set up BlackBerry UEM Self-Service	Optional	If you want to allow users to perform certain management tasks, such as changing their passwords, you can set up and distribute the BlackBerry UEM Self-Service web application.
Enable BlackBerry Enterprise Identity	Optional	You can enable BlackBerry Enterprise Identity to give users single sign-on access to service providers such as Box , Concur , Dropbox , Salesforce , Workspaces , and more.
Configure high availability	Optional	To minimize service interruptions for users, you can install more than one active BlackBerry UEM instance.
Configure database mirroring	Optional	To retain database service and data integrity if issues occur with the BlackBerry UEM database, you can install and configure a failover database that serves as a backup to the principal database.
Configure BlackBerry UEM to make TLS/SSL connections to Exchange ActiveSync	Optional	If you enable the BlackBerry Secure Gateway to provide a secure connection between your mail server and iOS devices with the MDM controls activation type, you may need to add the Exchange ActiveSync server certificate to BlackBerry UEM .
Configure your network to simplify Windows 10 activations	Optional	You can simplify the process for activating Windows 10 devices by making configuration changes to your network so that users don't need to type a server address.
Connect BlackBerry UEM to Microsoft Azure	Optional	If you want to use BlackBerry UEM to deploy iOS and Android apps managed by Microsoft Intune or if you want to manage Windows 10 apps in BlackBerry UEM , connect BlackBerry UEM to Microsoft Azure .
Migrating users, devices, groups, and other data from a source server	Optional	You can use the management console to migrate users, devices, groups, and other data from a source on-premises BES10 or BlackBerry UEM .
Configure BlackBerry Dynamics settings	Optional	You can configure settings that are specific to BlackBerry Proxy and BlackBerry Dynamics apps.
Configure certificates for BlackBerry Dynamics apps	Optional	If you want BlackBerry Dynamics apps on users' devices to be able to use client certificates, you can upload certificates to individual user accounts or configure a PKI connector to allow BlackBerry UEM to automatically enroll client certificates from your CA and send them to devices.
Integrate BlackBerry UEM with Cisco ISE	Optional	You can create a connection between Cisco ISE and BlackBerry UEM so that Cisco ISE can retrieve device data from BlackBerry UEM and enforce network access control policies.
Configure SNMP monitoring	Optional	You can use third-party SNMP tools to monitor the activity of BlackBerry UEM components.

Configuring BlackBerry UEM for the first time

Configuring
BlackBerry UEM
for the first time