Early this year, I transitioned my BYOD users from Good For Enterprise (GFE) to Blackberry Unified Endpoint Manager (UEM) in an on-premise environment. I’ve shared all the steps taken via a series of blog posts starting with this one.
In early June of 2018, I received another email from Blackberry about End of Life for Good Control (GC) cloud which is used by one of my company’s clients. Per Blackberry, action must be taken before July 31, 2018. Otherwise, devices currently enrolled may be wiped during normal compliance check as the back-end infrastructure will no longer be present to validate.
You can review the Guide for Good Control MDM Decommissioning for further details.
Now that we know we must transition users from Good Control to Blackberry UEM cloud, I will take this opportunity to share the steps with you here. My previous experience setting up Blackberry UEM for the on-premise environment comes in handy as well during the setup.
For better readability and organization purpose, this series will consist of several parts:
- Part 1 – Introduction, Prerequisites, and Setup (you are here!)
- Part 2 – Install and Configure Blackberry Connectivity Node
- Part 3 – Configure AD sync with Blackberry Connectivity Node
- Part 4 – Configure Push Notification with BlackBerry Enterprise Mobility Server (BEMS)
Unlike setup for the on-premise environment, Blackberry UEM cloud can be set up and ready to use very quickly since there is no server to build and no software to install. In fact, I was pleasantly surprised to set up Good Control cloud and begin provisioning devices with access to Microsoft Exchange mailbox in as little as 30 minutes. This Blackberry UEM cloud setup is no different at all.
One minor disadvantage (or inconvenience) with this quick setup, however, is that there is no synchronization between Blackberry UEM cloud and on-premise Active Directory. As a result, each user must be set up and removed manually within the management console as a user joins or leaves the organization. Maybe this is not a concern to you if your organization runs Microsoft Azure Active Directory. If you have an on-premise Active Directory and wish to eliminate this headache, you will need to set up Blackberry Connectivity Node.
Similar to Blackberry Enterprise Mobility Server (BEMS), this connectivity node offers more than just synchronization:
- BlackBerry Cloud Connector – synchronizes Blackberry UEM cloud with on-premise directory
- Blackberry Proxy – offers Blackberry Dynamics apps, such as Blackberry Work, access to the backend resources behind the firewall
- BlackBerry Secure Connect Plus – provides VPN like connectivity for 3rd party apps
- BlackBerry Secure Gateway – acts as a proxy between devices and mail server
- BlackBerry Gatekeeping Service – controls which device can access Exchange ActiveSync
As stated earlier, I will share the steps to install and configure the Blackberry Connectivity Node via part 2 of this series.
Keep in mind you cannot export the list of users/profiles/policies/apps from Good Control cloud to Blackberry UEM cloud. The main reason is that the values from which you will be exporting from to where you will be importing are not the same. So whether you are a new or an existing customer, Blackberry UEM cloud will pretty much be a new setup.
Let’s return to regular programming where we will go through all the steps to set up Blackberry UEM cloud.
Assuming either you are an existing Good Control cloud customer or you have purchased the necessary license from Blackberry, we will set up an instance of Blackberry UEM cloud through myAccount. Click on My Organization -> Servers once you log in.
Continue to follow the steps below to create an instance of Blackberry UEM cloud under your account.
The custom domain is currently used only by Blackberry Workspaces and must not already be in use. Otherwise, you will get the error below:
You may also get the error below. If so, try again or contact Blackberry technical support for further assistance.
If all goes well after clicking Add Server earlier, you should now see the below.
In addition, you will also receive a welcome email from Blackberry UEM similar to the one below:
Whether you click Launch UEM earlier or Log in within the welcome email, it will take you to the login screen. Use the same login from myAccount. Notice the URL contains the SRPID which is unique to your instance in the Blackberry UEM cloud. However, future admins will need their accounts pre-created within the tenant first before they themselves can log in. Check out the links below for further details.
- Error “Couldn’t find your username” appears when logging in to BlackBerry UEM Cloud
- “An unknown error has occurred” when logging in to the BlackBerry UEM Cloud console
- How to bypass the IDP login page for BlackBerry UEM Cloud
Here’s additional detail on the login mechanism per my support ticket with Blackberry:
“Regarding your questions about the authentication with UEM Cloud, 2-factor authentication has been introduced in this latest version of the UEM. That is, the UEM Cloud server does not directly authenticate the users anymore. Instead, it is our BlackBerry Enterprise ID (or IDP) servers that authenticate the administrators logging into UEM. Thus you now authenticate to https://idp.blackberry.com/tenant/<SRP>/idp/auth/unified/login website of the IDP, instead of the actual UEM Cloud tenant URL.
When you create a new administrator or you assign administrator roles to Active Directory accounts, the Enterprise Identity servers must generate a new ID, the ECOID, which is the actual user identification that will be validated. Hence, a new administrator enabled user accounts will be unable to login to the UEM Cloud console until after the ECOID is generated for them. Our standard recommendation is that it may take up to 72 hours for any changes to be synchronized to every service assigned to an organization.
To bypass the use of Enterprise ID to login to the UEM console, you may log in directly using the actual URL of your UEM Cloud tenant and use traditional methods of logging in, such as using local (direct) authentication or Active Directory authentication.
Please refer to this KB article on bypassing the IDP login page: http://support.blackberry.com/kb/articleDetail?articleNumber=000048703“
I know most admins, myself included, will click Continue without reading through the EULA. In this case, however, you must scroll to the bottom of the page and click Accept before clicking Continue.
If you access your tenant at a later time either through myaccount or directly through the URL, your login screen may appear like the one below instead. For some reason, I’m not able to log in with the same online credential.
If you continue with the above, the screens that appear will depend on which option(s) you check off. For instance, you will be prompted to set up APNs certificate which is required to manage iOS and macOS devices. You can skip these steps and go back to them later within the console. You can also check out my blog post on the steps needed to set this up properly.
Your answer to the remaining questions depends on the requirement set forth in your organization.
The info required for the below may be the same as the account used in Good Control for user impersonation when accessing email.
The last screen below will always appear whenever you log onto the web console. If you prefer, you can click Do not show this again
And voila! The instance is ready without having to install any server or software. That’s a fine example of what cloud computing can do for us!
If you wish to delete the cloud instance you just created at a later time, go back to Servers. Under UNIFIED ENDPOINT MANAGER (UEM) -> Blackberry Cloud, identify the instance and move your mouse over to the garbage can icon (it appears dim by default). You should then be able to delete it.
However, you will not be able to delete the associated Blackberry Cloud under BLACKBERRY DYNAMICS SERVERS (GC/GP) -> Blackberry Cloud. Per Blackberry technical support, this is because doing so would affect multiple customers as they are tied to the same database. The only alternative is to rename it by clicking on the pencil icon on the far right of the page.
Last but not least, I did come across a few issues during my transition from Good Control cloud to Blackberry UEM cloud. Below was my list of issues as a result:
- Paid/entitled apps didn’t get transferred (not visible within UEM cloud)
- Synchronization status under Settings -> Blackberry Dynamics kept stating Not ready (this could contribute to the issue above)
- Quite a few Blackberry Dynamic features are missing
After some troubleshooting with Blackberry technical support, they believed it was related to having a special character in the company / org name (i.e &)
While Blackberry technical support was able to rename it without any special character, the cloud I created previously wouldn’t be impacted by the name change. Thus, the solution is to create yet another tenant in UEM cloud by following the same steps above. As a reminder and to avoid any confusion, do delete the original tenant under UNIFIED ENDPOINT MANAGER (UEM) -> Blackberry Cloud and rename the associated Blackberry Cloud under BLACKBERRY DYNAMICS SERVERS (GC/GP) -> Blackberry Cloud.
If you will be managing iOS or macOS devices and you didn’t setup APNs certificate earlier, you may do so by following the steps below.
First, browse to Settings -> External integration -> Apple Push Notification. Then click on Get APNs certificate.
In the next screen, download the certificate and then visit the Apple Push Certificate Portal. Upload the signed CSR and download the APNs certificate. Finally, return to the same section in UEM cloud to register the certificate.
I was curious about how to determine the version of my cloud tenant. Per support, the version is actually very different from the on-premises setup.
“All the versions of UEM Cloud are automatically updated once our Development team has had time to test the builds and okay’ed them to be released. There is no direct correlation to the build numbers of the UEM on-prem server versions. The two are treated as 2 separate products and each has its own build numbers. The current version of UEM Cloud that is deployed is “UEM Cloud PU5 QF1″ which contains features/fixes from the on-prem 12.8 and 12.9.”
Be sure to check out part 2 which describes the set up of Blackberry Connectivity Node and AD sync.