Data flow: Activating a BlackBerry Dynamics app on a Samsung Knox Workspace device when BlackBerry Secure Connect Plus is enabled

This data flow describes how data travels when a BlackBerry Dynamics app in the work space on a Samsung Knox Workspace device is activated over a BlackBerry Secure Connect Plus connection.
- An administrator assigns one or more BlackBerry Dynamics apps to a user.
- The user installs the apps on the Samsung Knox device.
- One of the following events occurs:
  - If this is the first BlackBerry Dynamics app activated in the Knox Workspace, the administrator generates an access key to send to the user, or the user logs in to BlackBerry UEM Self-Service and generates an access key.
  - If the Knox Workspace already contains an activated BlackBerry Dynamics app, the activated app sends an access key request and a randomly generated nonce to BlackBerry UEM Cloud.
- The device sends a request through a TLS tunnel, over port 443, to the BlackBerry Infrastructure to request a secure tunnel to the work network. The signal is encrypted by default using FIPS 140-certified Certicom libraries. The signaling tunnel is encrypted end to end.
- BlackBerry Secure Connect Plus receives the request from the BlackBerry Infrastructure through port 3101.
- The device and BlackBerry Secure Connect Plus negotiate the tunnel parameters and establish a secure tunnel for the device through the BlackBerry Infrastructure. The tunnel is authenticated and encrypted end to end with DTLS.
- The activated BlackBerry Dynamics app sends the access key request and the randomly generated nonce through BlackBerry Secure Connect Plus to BlackBerry UEM Cloud.
- BlackBerry UEM Cloud sends the requested access key through BlackBerry Secure Connect Plus to the activated BlackBerry Dynamics app.
- The activated BlackBerry Dynamics app provides the access key to the new BlackBerry Dynamics app.
- The BlackBerry Dynamics app establishes a connection using BlackBerry Secure Connect Plus with the BlackBerry Dynamics NOC and sends it a hash of the access key.
- The BlackBerry Dynamics NOC verifies the access key and, if the verification is successful, sends provisioning data, including the master link key and connection information, using BlackBerry Secure Connect Plus to the BlackBerry Dynamics app.
- The BlackBerry Dynamics app begins the process of establishing a shared secret with BlackBerry UEM Cloud by sending a secure channel setup message to the BlackBerry Dynamics NOC using BlackBerry Secure Connect Plus. The secure channel setup message contains a user identifier (email address), an ephemeral ECDH public key, a salt value, a token, and a MAC of the message to authenticate the sender and guarantee the integrity of the message.
- The BlackBerry Dynamics NOC forwards the secure channel setup message to BlackBerry Proxy over an HTTPS connection.
- BlackBerry Proxy then forwards the secure channel setup message to BlackBerry UEM Cloud.
- BlackBerry UEM Cloud responds to the BlackBerry Dynamics app using BlackBerry Secure Connect Plus. The response contains a new ephemeral ECDH public key and a MAC of the message.
- The BlackBerry Dynamics app requests provisioning data from BlackBerry UEM Cloud. The request travels through BlackBerry Secure Connect Plus, the BlackBerry Dynamics NOC, and BlackBerry Proxy.
- BlackBerry UEM Cloud sends encrypted provisioning data, including the master session key, app configuration data, and a list of BlackBerry Proxy instances, to the BlackBerry Dynamics app to complete the activation.