Now that we have completed the prerequisites and installation, it’s time to proceed with configuration. Or you can return to part 1 or part 2 of this series which describes the prerequisites and installation in details.
Since this is a new implementation, we need to first acquire one or more Server Routing Protocol Identifier (SRP ID) and SRP Authentication Key before logging onto the UEM web console.
To determine the approximate number of SRP ID you may need for your environment, we can run the Blackberry UEM Configuration Tool. It can generally be found under C:\BlackBerry\UEM\BlackBerry UEM 12.7.X\tools once installation completes. It can also be downloaded separately.
Next, log into Blackberry myAccount portal. Then click on My Organization.
Click on Servers on the left-hand side of the page. Then click on Add Server.
Take note of both the SRP ID and Authentication Key. We will need that during initial configuration.
Let’s go ahead and log onto the admin portal of this server. The URL should be https://FQDN_of_server/admin.
- Username: admin
- Password: password
Enter the SRP ID and key generated previously.
If you choose Download certificate in the previous step, take note of the location of the certificate. You can also Skip this step and configure it later.
If you like, you can click on Apple Push Certificate Portal to download the APNs certificate. Depending on your browser configuration, a separate tab should open for the portal.
Back in the Blackberry UEM web console, upload the APNs certificate.
If you have a Windows Active Directory in your environment, connecting your UEM environment to it will allow both user account management and policy assignment with ease.
Browse to Settings -> External integration -> Company directory -> Add a Microsoft Active Directory connection
For the Directory connection name, you can fill in whatever you like. Also, there is no need to add multiple domain controllers in here even if you have them.
Upon clicking Continue, you can configure additional options such as Sync settings and Sync schedule. Be sure to click Save at the bottom of the page.
If you are unable to sync, check out this link for further troubleshooting steps.
Next, we will connect to a SMTP server so activation email can be sent to users.
Browse to Settings -> External integration -> SMTP server
If you will be managing iOS devices and have not setup APNs certificate earlier, you can do so now by browsing to Settings > External integration > Apple Push Notification
For Blackberry Control and Blackberry Proxy under Settings -> Blackberry Dynamics -> Clusters, there is not much to configure, If you have additional UEM node, you will need to add it to the first/default Blackberry Proxy cluster.
More than likely, you will utilize Blackberry UEM beyond basic device management (MDM). Blackberry Dynamics comes with a list of apps, such as Blackberry Work and Blackberry Access, that give users access to their mailboxes and Intranet.
You can also change the settings within the individual app, such as Blackberry Work, by clicking on the app itself.
Next, we will add the work app catalog to the BlackBerry Dynamics Launcher so users can easily access and download apps that they are being assigned to. Start by clicking on Groups. Since we integrate with Windows Active Directory earlier, you can now add any groups within your AD infrastructure.
* You may think directory-linked group enablement we performed earlier should have created the necessary groups. However, this is not the case and a feature request is still being worked on to eliminate this additional step.
If required, you can also configure Compliance profile to further manage the devices. Below is a sample of what you can manage on iOS devices.
Before a user can activate a device with Blackberry UEM, he/she must already have an account present within the web console. This can be achieved by creating either user accounts or user groups. Keep the below in mind when deciding how you wish to proceed:
- A user group is a collection of related users who share common properties. Administering users as a group is more efficient than administering individual users because properties can be added, changed, or removed for all members of the group at the same time.
- Directory-linked groups link to groups in your company directory. Only directory user accounts can be members of a directory-linked group.
- Synchronizing directory-linked groups does not add or delete users in BlackBerry UEM. To allow BlackBerry UEM to create user accounts when new company directory users are created, you must enable and configure on-boarding.
In addition, you can configure the Activation profile to suit your need.
If you have any anti-virus solution in place (who doesn’t nowadays?), you need to exclude anti-virus scanning on specific directories and services.
- Exclude the directories below per this KB:
- D:\Program Files\BlackBerry
- Exclude the services below:
- BlackBerry UEM – BlackBerry Affinity Manager – BlackBerryAffinityManager.exe
- BlackBerry UEM – BlackBerry Control Service – tomcat8.exe
- BlackBerry UEM – BlackBerry Dispatcher – BlackBerryDispatcher.exe
- BlackBerry UEM – BlackBerry Gatekeeping Service – BlackBerry.BES.Gatekeeping.Windows.Service.exe
- BlackBerry UEM – BlackBerry MDS Connection Service – bmds.exe
- BlackBerry UEM – BlackBerry Proxy Service – prunsrv.exe
- BlackBerry UEM – BlackBerry Secure Connect Plus – BlackBerrySecureConnectPlus.exe
- BlackBerry UEM – BlackBerry Secure Gateway – BlackBerrySecureGateway.exe
- BlackBerry UEM – Management console – BESNG-UI.exe
- BlackBerry UEM – UEM Core – tomcat7.exe
In order to browse internal sites on your network using BlackBerry Access, you need to ensure that Route all traffic option within the connectivity profile is selected under Policies and Profiles -> Connectivity (BlackBerry Dynamics)
In case you wonder, BlackBerry Dynamics connectivity profiles define the network connections, Internet domains, IP address ranges, and app servers that devices can connect to when using BlackBerry Dynamics apps.
* A good practice to follow is to create separate policy and profile instead of modifying the default one. By doing so, you can always refer back to the default settings for comparison or troubleshooting purpose.
In another use case or for better security, you can leave it unchecked. Instead, specify a list of Allowed domains such as your Intranet. All other domains will prompt the user to use native browser on the mobile device for access.
Per Blackberry documentation: “Specify the default allowed domains (for example, qa.blackberry.com). BlackBerry Dynamics apps may try to connect to an unqualified hostname like “portal” instead of using a fully qualified name like “portal.sales.xyzcorp.com”. The domains in this list will be appended to unqualified hostnames to construct fully qualified names.”
In addition, you can also specify Default domains so that you can access internal servers without specifying the fully qualified domain name (i.e. http://server instead of http://server.domain.local).
Per Blackberry documentation: “Default domains in the connectivity profile are which domains/proxies will be attempted first since UEM supports multi-domain environments. For example with a domains/proxies hosted in Canada vs the UK, it would be possible to configure a connectivity profile for Canadian users to connect to their local domain first to reduce latency, while having a separate connectivity profile for UK users.”
There are couple additional steps to take within Blackberry Access app. Click on the app and then the applicable policy under App configuration.
Check off the options below under the Security tab.
We also need to configure a Blackberry Dynamics profile. The BlackBerry Dynamics profile enables BlackBerry Dynamics for users and allows devices to use BlackBerry Dynamics apps, such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect.
In here, you can accept the default values or adjust accordingly. To simplify Blackberry Dynamics apps activation, check off the box within the Blackberry Dynamics profile under Policies and Profiles -> BlackBerry Dynamics.
We are close to the finish line. Let’s provide admin access to Blackberry UEM console for others. Again, you first need to add the AD group under Groups and follow the same steps earlier.
Then, navigate to Settings -> Administrators -> Groups.
Depending on your configuration, your administrator may receive email notification similar to the one below:
When an admin access the UEM console, he/she will then be able to authenticate with domain credential.
You can, of course, still authenticate with a local account.
Assuming all the steps above have been completed, you can go ahead and instruct users to activate an Android or an iOS device on BlackBerry UEM. Keep the below in mind:
- The BlackBerry UEM Client is an app that lets users activate devices on BlackBerry UEM. It also allows for the activation of BlackBerry Dynamics apps without the need for access keys.
- You can generate access keys and send them to users so they can activate BlackBerry Dynamics apps in the following situations:
- For iOS and Android devices that don’t need MDM and do not have the UEM Client installed
- For users that want to activate BlackBerry Dynamics apps on Windows Phone devices
In the last part of this series, I will focus on some of the troubleshooting steps you can take when dealing with various issues with Blackberry UEM.