Getting started
- Configuring BlackBerry UEM for the first time
- Configuration tasks for managing BlackBerry OS devices
- Administrator permissions you need to configure BlackBerry UEM
- Obtaining and activating licenses
- BlackBerry Enterprise Mobility Suite services
Changing BlackBerry UEM certificates
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
- Sending data through the BlackBerry Router to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use the BlackBerry Router
- Sending data through an HTTP proxy to the BlackBerry Dynamics NOC
  - Configure HTTP proxy settings
Configuring connections through internal proxy servers
- Configure server-side proxy settings
Connecting to your company directories
- Configuring Microsoft Active Directory authentication in an environment that includes a resource forest
- Connect to a Microsoft Active Directory instance
- Connect to an LDAP directory
- Enable directory-linked groups
- Enabling onboarding
  - Enable and configure onboarding and offboarding
- Synchronize a company directory connection
Connecting to an SMTP server to send email notifications
- Connect to an SMTP server to send email notifications
Configuring single sign-on for BlackBerry UEM
- Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
- Configure single sign-on for BlackBerry UEM
  - Console URLs for single sign-on
  - Browser requirements: Single sign-on
Obtaining an APNs certificate to manage iOS and macOS devices
- Obtain a signed CSR from BlackBerry
- Request an APNs certificate from Apple
- Register the APNs certificate
- Renew the APNs certificate
- Troubleshooting APNs
Controlling which devices can access Exchange ActiveSync
- Steps to configure Exchange ActiveSync and the BlackBerry Gatekeeping Service
- Configure permissions for gatekeeping
- Allow only authorized devices to access Exchange ActiveSync
  - Configure Microsoft Exchange to allow only authorized devices to access Exchange ActiveSync
  - Configure the mobile device access policy in Microsoft Office 365
- Configure Microsoft IIS permissions for gatekeeping
- Create a gatekeeping configuration
Connecting BlackBerry UEM to Microsoft Azure
- Create a Microsoft Azure account
- Synchronize Microsoft Active Directory with Microsoft Azure
- Create an enterprise endpoint in Azure
- Configuring BlackBerry UEM to synchronize with Microsoft Intune
  - Configure BlackBerry UEM to synchronize with Microsoft Intune
- Configuring BlackBerry UEM to synchronize with the Windows Store for Business
Configuring BlackBerry UEM to support Android Enterprise devices
- Configure BlackBerry UEM to support Android Enterprise devices
- Remove the connection to your Google domain
- Remove the Google domain connection using your Google account
- Edit or test the Google domain connection
Add an E-FOTA license
Manage attestation for Samsung KNOX devices
Manage attestation for Android devices and BlackBerry Dynamics apps using SafetyNet
- Considerations for configuring SafetyNet attestation
- Considerations for configuring SafetyNet attestation - App versions
- Configure attestation for Android devices and BlackBerry Dynamics apps using SafetyNet
Manage attestation for Windows 10 devices
Configuring BlackBerry UEM for DEP
- Create a DEP account
- Download a public key
- Generate a server token
- Register the server token with BlackBerry UEM
- Add the first enrollment configuration
- Update the server token
- Remove a DEP connection
Setting up BlackBerry UEM Self-Service for users
- Set up BlackBerry UEM Self-Service
Configuring high availability for a BlackBerry UEM domain
- High availability for the components that manage BlackBerry OS devices
- Architecture: High availability for BlackBerry UEM
- Load-balancing data for BlackBerry 10 devices
- High availability and the BlackBerry Connectivity Node
- How BlackBerry UEM evaluates the health of components
- Install an additional BlackBerry UEM instance
- Configuring high availability for the management console
Configuring database high availability using database mirroring
- Database high availability for components that manage BlackBerry OS devices
- Steps to configure database mirroring
- System requirements: Database mirroring
- Prerequisites: Configuring database mirroring
- Create and configure the mirror database
- Connect BlackBerry UEM to the mirror database
- Configuring a new mirror database
Configuring TLS/SSL connections to Exchange ActiveSync when you enable the BlackBerry Secure Gateway
- Configure BlackBerry UEM to trust the Exchange ActiveSync server certificate
- Configure BlackBerry UEM to use the TLS versions and ciphers that Exchange ActiveSync supports
Simplifying Windows 10 activations
- Deploy a discovery service to simplify Windows 10 activations
Migrating users, devices, groups, and other data from a source server
- Prerequisites: Migrating users, devices, groups, and other data from a source server
- Connect to a source server
  - Export the self-signed root certificate for the Good Control server
- Considerations: Migrating IT policies, profiles, and groups from a source server
- Migrate IT policies, profiles, and groups from a source server
- Complete policy and profile migration from Good Control to BlackBerry UEM
  - Good Control features in BlackBerry UEM
- Considerations: Migrating users from a source server
- Migrate users from a source server
- Considerations: Migrating devices from a source server
  - Device migration quick reference
- Migrate devices from a source server
- Migrating DEP devices
  - Migrate DEP devices that have the BlackBerry UEM Client installed
  - Migrate DEP devices that do not have the BlackBerry UEM Client installed
Configuring BlackBerry UEM to support BlackBerry Dynamics apps
- Manage BlackBerry Proxy clusters
- Configure Direct Connect or a web proxy for BlackBerry Proxy connections
- Configure BlackBerry Dynamics properties
- Configure communication settings for BlackBerry Dynamics apps
- Configuring certificates for BlackBerry Dynamics apps
  - Configure a time to live for client certificates
  - Configuring PKI connections for BlackBerry Dynamics apps
    - PKI connector interactions
Integrating BlackBerry UEM with Cisco ISE
- Requirements: Integrating BlackBerry UEM with Cisco ISE
- Create an administrator account that Cisco ISE can use
- Add the BlackBerry Web Services certificate to the Cisco ISE certificate store
- Connect BlackBerry UEM to Cisco ISE
- Example: Authorization policy rules for BlackBerry UEM
- Managing network access and device controls using Cisco ISE
  - Redirecting devices that are not activated on BlackBerry UEM
Monitoring BlackBerry UEM using SNMP tools
- Supported SNMP operations
- System requirements: SNMP monitoring
- MIBs for BlackBerry UEM
- Compile the MIB and configure the SNMP management tool
- Using SNMP to monitor components
  - Configure SNMP to monitor components

PKI connector interactions

BlackBerry UEM

makes API calls to the PKI connector using the HTTP POST method. The PKI connector supports password authentication and certificate-based authentication.

GetInfo API

This API detects the commands that the PKI connector has implemented. This command is also used to verify the authentication credentials provided in

BlackBerry UEM

and to test the connection between

BlackBerry UEM

and the PKI connector.

If this command is not implemented,

BlackBerry UEM

will assume this is not a valid PKI connector.

The path component of the URI sent is as follows:

customerSpecifiedPrefix/pki?operation=getInfo

The

customerSpecifiedPrefix

is optional. It specifies where the service is hosted on the server when it is not hosted in the default path.

The JSON formatted response expected in the HTTP body is as follows:

Element or Key	Type	Required	Response
operations	Array of strings	Y	Array listing all of the commands implemented by the PKI connector

Sample request/response

Assuming that in the

BlackBerry UEM

management console, the PKI connector URL is set as: https://cert.example.com

GET /pki?operation=getInfo HTTP/1.0
Host: cert.example.com
Content-Type: application/json
Content-Length: 0

Response

HTTP/1.0 200 OK Host: cert.example.com
Content-Type: application/json
Content-Length: XYZ

{
      “operations” : [“getInfo”, “getUserKeyPair”]
}

Request Key Pair API

This API is used to fetch a user certificate when the key pair has been created. This request may be used for initial certificate requests.

The path component of the URI is sent as follows:

customerSpecifiedPrefix/pki?operation=getUserKeyPair

The

customerSpecifiedPrefix

is optional. It specifies where the service is hosted on the server when it is not hosted in the default path.

The JSON formatted input sent in the HTTP body is as follows:

Element or Key	Type	Required	Comment
mType	String	Y	{"initialCert"]
user	String	Y	User email address or some other identifier Subject for the certificate created by the issuer
authToken	String	N	OTP or password (for initialCert)
reqId	String	Y	To assist sender to match response

The JSON formatted response in the HTTP body, a PKCS #12 payload which may be encrypted, is as follows:

Element/Key	Type	Required	Comments
status	String	Y	{success, failure}
failureInfo	String	N	See Failure reasons below
payloadType	String	N	=pkcs12
payload	Base64 encoded	N	pkcs12 containing the user's private key and public certificate. It may or may not be encrypted.
decryptionPassword	Base64 encoded	N	If the encryption password is the same as the OTP provided by the user, there is no need to provide descryptionPassword. If pkcs12 was password encrypted and OTP was not used, the password may be returned in the decryptionPassword.
reqId	String	Y	reqID received in the request

Sample request/response

Assuming that in the

BlackBerry UEM

management console, the PKI connector URL is set as: https://cert.example.com

Request: Over the SSL connection to server cert.example.com the following payload will be sent:

POST /pki?operation=getUserKeyPair HTTP/1.0
Host: cert.example.com
Content-Type: application/json
Content-Length: XYZ
{
      "mType": "initialCert",
      "user": "joe.foo@example.com",
      "authToken": "56ht12d0",
      "reqId": "12487" 
}

If the server URL was set as https://cert.example.com/foo, the request will look like:

POST /foo/pki?operation=getUserKeyPair HTTP/1.0
Host: cert.example.com
Content-Type: application/json
Content-Length: XYZ

Response:

HTTP/1.0 200 OK
Host: cert.example.com
Content-Type: application/json
Content-Length: XYZ
 {
      "status":"success",
      "reqId": "12487",
      "payloadType":"pkcs12",
      "decryptionPassword":"NTZodDEyZDA=",
      "payload":"BASE64 Encoded PKCS#12" 
}

Failure reasons

These errors may be returned by the CA:

Failure	Description
unknownUser	User does not exist or is not allowed
badRequest	Badly formatted request
unknownRequest	Requested action is not supported
authFailure	Expired or incorrect OTP or password
badAlg	Unsupported or unrecognized algorithm used
unknownCert	Certificate used or referenced in the operation not found
badMessageCheck	Signature or integrity check failed
badTime	Time in the signature was not close enough
unknown	Any other errors treated as unknown errors

Section:

Configuring PKI connections for BlackBerry Dynamics apps