Data flow: Activating an Android device for MDM
Android
device for MDM
The
MDM controls
activation type is deprecated for devices with Android
10. Attempts to activate Android
10 and later devices with the MDM controls
activation type will fail. For more information, visit https://support.blackberry.com/community to read article 48386.- You perform the following actions:
- Add a user toBlackBerry UEMas a local user account or using the account information retrieved from your company directory
- Make sure an activation profile that specifies the "MDM controls" activation type is assigned to the user
- Use one of the following options to provide the user with activation details:
- Automatically generate a device activation password and, optionally, aQR Codeand send an email with activation instructions for the user
- Set a device activation password and communicate the username and password to the user directly or by email
- Don't set a device activation password and communicate theBlackBerry UEM Self-Serviceaddress to the user so that they can set their own activation password and view aQR Code.
- The user downloads and installs theBlackBerry UEM Clienton the device. After it is installed, the user opens theBlackBerry UEM Clientand enters the email address and activation password or scans theQR Code.
- TheBlackBerry UEM Clienton the device performs the following actions:
- Establishes a connection to theBlackBerry Infrastructure
- Sends a request for activation information to theBlackBerry Infrastructure
- TheBlackBerry Infrastructureperforms the following actions:
- Verifies that the user is a valid, registered user
- Retrieves theBlackBerry UEMaddress for the user
- Sends the address to theBlackBerry UEM Client
- TheBlackBerry UEM Clientestablishes a connection withBlackBerry UEMusing an HTTP CONNECT call over port 443 and sends an activation request toBlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
- BlackBerry UEMperforms following actions:
- Inspects the credentials for validity
- Creates a device instance
- Associates the device instance with the specified user account in theBlackBerry UEMdatabase
- Adds the enrollment session ID to an HTTP session
- Sends a successful authentication message to the device
- TheBlackBerry UEM Clientcreates a CSR using the information received fromBlackBerry UEMand sends a client certificate request toBlackBerry UEMover HTTPS.
- BlackBerry UEMperforms the following actions:
- Validates the client certificate request against the enrollment session ID in the HTTP session
- Signs the client certificate request with the root certificate
- Sends the signed client certificate and root certificate back to theBlackBerry UEM Client
A mutually authenticated TLS session is established between theBlackBerry UEM ClientandBlackBerry UEM. - TheBlackBerry UEM Clientrequests all configuration information and sends the device and software information toBlackBerry UEM.
- BlackBerry UEMstores the device information in the database and sends the requested configuration information to the device.
- TheBlackBerry UEM Clientdetermines if the device usesKnoxMDM and is running a supported MDM version. If the device usesKnoxMDM, the device connects to theSamsunginfrastructure and activates theKnoxmanagement license. After it is activated, theBlackBerry UEM Clientapplies theKnoxMDM IT policy rules fromBlackBerry UEM.
- The device sends an acknowledgment toBlackBerry UEMthat it received and applied the configuration information. The activation process is complete.