Architecture and Data Flows Reference Guide
BES12
Version 12.3

Published: SWD
Contents

About this guide
Architecture: BES12 EMM solution
    Components used to manage BlackBerry 10, iOS, Android, and Windows devices
    Components used to manage BlackBerry OS devices
Activating devices
    Data flow: Activating a BlackBerry 10 device
    Data flow: Activating an Android device
    Data flow: Activating a device to use KNOX Workspace
    Data flow: Activating a device to use Android for Work
    Data flow: Activating a device to use Android for Work with work space only
    Data flow: Activating an iOS device
    Data flow: Activating a Windows 10 device
    Data flow: Activating a Windows Phone 8.1 device
    Data flow: Activating a BlackBerry OS device
Receiving configuration updates
    Data flow: Receiving configuration updates on a BlackBerry 10 device
    Data flow: Receiving configuration updates on an Android device
    Data flow: Receiving configuration updates on an iOS device
    Data flow: Receiving configuration updates on a Windows device
    Data flow: Receiving configuration updates on a Windows Phone 8.0 device
Sending and receiving work data
    Using enterprise connectivity
        Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus
        Data flow: Accessing an application or content server using enterprise connectivity
        Data flow: Sending email from a BlackBerry 10, iOS, or Android device
        Data flow: Receiving email on a BlackBerry 10 or Android device
        Data flow: Receiving email on an iOS device
        Data flow: Receiving enterprise push updates on a BlackBerry 10 device
        Data flow: Sending an instant message from the BlackBerry Enterprise IM app
    Using your organization's VPN or work Wi-Fi network
        Data flow: Sending email from a device
        Data flow: Receiving email on a device
        Data flow: Accessing an application or content server
Glossary
Legal notice
About this guide

BES12 helps you manage iOS, Android, Windows, BlackBerry 10, and BlackBerry OS (version 5.0 to 7.1) devices for your organization. This guide explains the BES12 architecture and how data flows between the devices managed by BES12 and your organization's network.

This guide is intended for senior IT professionals who are responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about BES12. After you read this guide, you should understand the function of each component used in the BES12 EMM solution.
Architecture: BES12 EMM solution

BES12
BES12 is a service that allows you to manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows devices in your organization's environment.

BlackBerry Infrastructure
The BlackBerry Infrastructure registers user information for device activation and validates licensing information for BES12. All the data that travels between the BlackBerry Infrastructure and BES12 is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

Devices
BES12 supports BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows devices.

Notification services
BES12 sends notifications to devices to contact BES12 for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the devices using the appropriate notification service:
- APNs is a service that Apple provides to send notifications to iOS devices.
- GCM is a service that Google provides to send notifications to Android devices.
- Windows Push Notification Services (WNS) is a service that Microsoft provides to send notifications to Windows devices.

Routing components
By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101, and you do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, you can install the BlackBerry Router or a TCP proxy server.
The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. The BlackBerry Router can support SOCKS v5 with no authentication.
If your organization already has a TCP proxy server installed or requires one to meet networking requirements, you can use a TCP proxy server instead of the BlackBerry Router. The TCP proxy server can support SOCKS v5 with no authentication.

Third-party application and content servers
Additional content servers or application servers in your organization's environment, including the company directory, mail server, certificate authorities, and so on.
Components used to manage BlackBerry 10, iOS, Android, and Windows devices

BES12 Core
The BES12 Core is the central component of the BES12 architecture and consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services for the BES12 Core local directory and company directories
- Scheduling and sending commands, IT policies, and profiles to devices
If there are multiple BES12 instances in the domain, all the BES12 Core instances are active and each of them can connect to the BlackBerry Infrastructure and process traffic. After you install BES12 on a computer, you can install the BES12 Core on another computer.

BES12 database
The BES12 database is a relational database that contains user account information and configuration information that BES12 uses to manage devices. You can install the BES12 database on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BES12 Self-Service
Users can access BES12 Self-Service to set an activation password and send device commands, such as set password, lock device, and delete device data, to their BlackBerry 10, iOS, Android, or Windows devices. Users can also delete device data from their BlackBerry OS (version 5.0 to 7.1) devices.

BlackBerry Affinity Manager
The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection to the BlackBerry Infrastructure. If there are multiple BES12 instances in the domain, the BlackBerry Affinity Manager runs on all instances but only one BlackBerry Affinity Manager instance is active and responsible for maintaining a connection to the BlackBerry Infrastructure and processing traffic. The BlackBerry Affinity Manager configures the Exchange ActiveSync connectivity and logging settings for the BlackBerry Work Connect Notification Service. It also assigns BlackBerry 10 devices to the BlackBerry Dispatcher using the information in the BES12 database. If a BlackBerry 10 device is moved to a different BES12 instance, the BlackBerry Affinity Manager performs all of the steps required to move the user to the new instance so that the user does not have to do anything for the device to maintain BES12 services.

BlackBerry Collaboration Service
The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the Enterprise IM app on BlackBerry 10 devices so that users can start and manage instant messaging conversations on their devices. The BlackBerry Collaboration Service is an optional component and is available as a separate installation.

BlackBerry Dispatcher
The BlackBerry Dispatcher provides secure connectivity using IPPP for BlackBerry 10 devices. The BlackBerry Dispatcher dynamically updates the devices that it handles based on the list it receives from the active BlackBerry Affinity Manager.

BlackBerry Gatekeeping Service
The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BES12. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BES12 management console by an administrator.

BlackBerry MDS Connection Service
The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection. It is also responsible for providing enterprise data push services for BlackBerry 10 devices.

BlackBerry Secure Connect Plus
BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Work Connect Notification Service
The BlackBerry Work Connect Notification Service is a web service responsible for providing new and changed email and organizer notifications to iOS devices that are using Secure Work Space. iOS devices are restricted from running applications in the background, with specific exceptions such as the default mail application. This means Secure Work Space applications cannot receive new data such as email notifications unless the application is open or unless the notification comes from the APNs. The BlackBerry Work Connect Notification Service sends the email and organizer notifications to the BlackBerry Infrastructure, where they are sent to the device using the APNs. If there are multiple BES12 instances in the domain, only one instance of the BlackBerry Work Connect Notification Service is active and processing notifications. The BlackBerry Affinity Manager is responsible for starting another BlackBerry Work Connect Notification Service instance if the active one stops.

Management console
The management console is a web-based console that is used to:
- Complete postinstallation configuration settings
- View and manage users, devices, policies, profiles, and apps
- View and manage system settings, including customizing the activation email message and adding an APNs certificate
- Move IT policies, profiles, groups, and users to BES12
The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BES12 on a computer, you can install the management console on another computer.
Components used to manage BlackBerry OS devices

BES12 Core
The BES12 Core is the central component of the BES12 architecture and consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services for the BES12 Core local directory and company directories
- Scheduling and sending commands, IT policies, and profiles to devices
If there are multiple BES12 instances in the domain, all the BES12 Core instances are active and each of them can connect to the BlackBerry Infrastructure and process traffic. After you install BES12 on a computer, you can install the BES12 Core on another computer.

BES12 database
The BES12 database is a relational database that contains user account information and configuration information that BES12 uses to manage devices. You can install the BES12 database on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BlackBerry Administration Service
You can use the BlackBerry Administration Service to configure BlackBerry OS device software updates, and VPN and Wi-Fi profiles for BlackBerry OS (versions 5.0 to 7.1) devices. The BlackBerry Administration Service connects to the BES12 database. It also provides connection services for the management console so that you can manage BlackBerry OS devices.

BlackBerry Attachment Service
The BlackBerry Attachment Service converts supported attachments into a format that can be viewed on BlackBerry OS devices. The BlackBerry Attachment Service converts attachments for the BlackBerry Messaging Agent, the BlackBerry MDS Connection Service for BlackBerry OS, and the BlackBerry Collaboration Service.

BlackBerry Collaboration Service for BlackBerry OS
The BlackBerry Collaboration Service for BlackBerry OS is an optional component that provides a connection between your organization's instant messaging server and the collaboration client on BlackBerry OS devices.

BlackBerry Controller
The BlackBerry Controller monitors components used to manage BlackBerry OS devices and restarts these components when they stop responding.

BlackBerry Dispatcher for BlackBerry OS
The BlackBerry Dispatcher for BlackBerry OS performs the following functions:
- Transfers data between components used to manage BlackBerry OS devices
- Compresses and encrypts data that is sent to BlackBerry OS devices
- Decrypts and decompresses data that is received from BlackBerry OS devices
- Monitors and communicates the health of BlackBerry OS management components
- Starts the processing of BlackBerry OS device users on the BlackBerry Messaging Agent

BlackBerry Mail Store Service
The BlackBerry Mail Store Service connects to the mail servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the mail servers.

BlackBerry MDS Connection Service for BlackBerry OS
The BlackBerry MDS Connection Service for BlackBerry OS permits applications on BlackBerry OS devices to connect to your organization's application or content servers for application data and updates.

BlackBerry Messaging Agent
The BlackBerry Messaging Agent performs the following functions:
- Connects to the mail server to provide messaging services, calendar management, contact lookups, attachment viewing, and attachment retrieval for BlackBerry OS devices
- Allows the BlackBerry Synchronization Service to access organizer data on the mail server
- Synchronizes configuration data between the BES12 database and BlackBerry OS device user mailboxes on the mail server

BlackBerry Policy Service
The BlackBerry Policy Service performs administration services for BlackBerry OS devices over the wireless network, such as sending IT policies, device commands, and service books.

BlackBerry Router
The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. For BlackBerry OS (version 5.0 to 7.1) devices, the BlackBerry Router also sends data directly to and receives data from devices that are connected to a work Wi-Fi network or to a computer that has the BlackBerry Device Manager.
If you upgrade from BES5 version MR10 to BES12, the BlackBerry Router you originally installed with your BES5 continues to work only for the components used to manage BlackBerry OS devices. If you install a new instance of the BlackBerry Router with BES12, you can configure it to work with all components.
If you use an existing TCP proxy server instead of the BlackBerry Router, BlackBerry OS devices that are connected to a work Wi-Fi network or to a computer that has BlackBerry Device Manager installed cannot bypass the BlackBerry Infrastructure to connect to your organization's network.

BlackBerry Synchronization Service
The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry OS devices and your organization's mail server using the BlackBerry Messaging Agent. The BlackBerry Synchronization Service also synchronizes BlackBerry OS device user data with the BES12 database.

BlackBerry Web Desktop Manager
BlackBerry OS device users can access BlackBerry Web Desktop Manager to set an activation password, activate their devices by connecting them to the computer, and perform other device management functions for their BlackBerry OS devices, such as updating the device software or sending device commands.

Management console
The management console is a web-based console that is used to:
- Complete postinstallation configuration settings
- View and manage users, devices, policies, profiles, and apps
- View and manage system settings, including customizing the activation email message and adding an APNs certificate
- Move IT policies, profiles, groups, and users to BES12
The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BES12 on a computer, you can install the management console on another computer.
Activating devices

Depending on the device type and the activation type that you specify for it, the device and BES12 must complete several steps during the activation process to authenticate to each other, secure a communication channel and, if needed, create a work space or encrypt the device before any configuration and work data is sent to the device. Activation types give you different degrees of control over the work and personal data on devices, ranging from full control over all data to specific control over work data only. For more information about activation types, see the Administration content.

Data flow: Activating a BlackBerry 10 device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user performs the following actions:
   a. Types the username and activation password on the device
   b. For a "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts. For other activation types, the Enterprise Management Agent on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the Enterprise Management Agent
5. The device performs the following actions:
   a. Establishes a connection with BES12
   b. Generates a shared symmetric key that is used to protect the CSR and the response from BES12, using the activation password and EC-SPEKE
   c. Creates an encrypted CSR and HMAC as follows:
      - Generates a key pair for the certificate
      - Creates a PKCS#10 CSR that includes the public key of the key pair
      - Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
      - Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
   d. Sends the encrypted CSR and HMAC to BES12
6. BES12 performs the following actions:
   a. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
   b. Retrieves the username, work space ID, and your organization's name from the BES12 database
   c. Packages a client certificate using the information it retrieved and the CSR that the device sent
   d. Signs the client certificate using the enterprise management root certificate
   e. Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
   f. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 URL and appends it to the encrypted data
   g. Sends the encrypted data and HMAC to the device
7. The device performs the following actions:
   a. Verifies the HMAC
   b. Decrypts the data it received from BES12
   c. Stores the client certificate and the enterprise management root certificate in its keystore
8. BES12 performs the following actions:
   a. BES12 Core assigns the new device to a BES12 instance in the domain
   b. BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance
   c. The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device
   d. The BES12 Core sends configuration information, including enterprise connectivity settings, to the device
9. BES12 Core and the device generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES12. This key is used to push IPPP data and to initiate communication using BlackBerry Secure Connect Plus.
10. The device sends an acknowledgment over TLS to BES12 to confirm that it received and applied the IT policy and other data and created the work space. The activation process is complete.

The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.
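Steps 5c and 6a above describe an encrypt-then-MAC envelope for the CSR: a fresh key pair, a PKCS#10 request, AES-256-CBC with PKCS#5 padding under the password-derived key, and an HMAC-SHA256 tag that the server checks before it decrypts anything. The Go program below is an added example that illustrates that exchange with the Go standard library; it is not the guide's or BlackBerry's code. It assumes the EC-SPEKE step (5b) has already produced the shared key (the test feeds a constructed 32-byte value in its place), and it splits that one key into separate AES and HMAC subkeys with a labelled SHA-256 hash, which is this example's choice rather than anything the guide states. Function names (sealCSR, openCSR, subkeys) are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// subkeys splits the single EC-SPEKE shared key of step 5b into separate AES
// and HMAC keys; this labelled SHA-256 split is the example's own assumption.
func subkeys(shared []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("enc:"), shared...))
	m := sha256.Sum256(append([]byte("mac:"), shared...))
	return e[:], m[:]
}

// pkcs5Pad and pkcs5Unpad implement the PKCS#5 padding named in step 5c.
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// sealCSR is the device side of steps 5c and 5d: generate a P-521 key pair,
// build a PKCS#10 CSR for it, encrypt the CSR with AES-256-CBC under the shared
// key and append an HMAC-SHA256 tag over IV||ciphertext. The private key never
// leaves the device; only the returned wire message goes to BES12.
func sealCSR(shared []byte, commonName string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	encKey, macKey := subkeys(shared)
	block, _ := aes.NewCipher(encKey) // 32-byte key, so NewCipher cannot fail
	msg := make([]byte, aes.BlockSize) // fresh random IV, sent in the clear
	if _, err := rand.Read(msg); err != nil {
		return nil, nil, err
	}
	padded := pkcs5Pad(csrDER)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, msg).CryptBlocks(ct, padded)
	msg = append(msg, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	return priv, mac.Sum(msg), nil // tag is appended after the ciphertext
}

// openCSR is the BES12 side of step 6a: verify the HMAC in constant time before
// touching the ciphertext, then decrypt, unpad and parse the CSR and check its
// self-signature, which proves the sender holds the matching private key.
func openCSR(shared, wire []byte) (*x509.CertificateRequest, error) {
	bodyLen := len(wire) - sha256.Size // IV plus ciphertext must be whole blocks
	if bodyLen < aes.BlockSize || bodyLen%aes.BlockSize != 0 {
		return nil, errors.New("malformed message length")
	}
	encKey, macKey := subkeys(shared)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(wire[:bodyLen])
	if !hmac.Equal(mac.Sum(nil), wire[bodyLen:]) {
		return nil, errors.New("HMAC verification failed; CSR rejected")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, bodyLen-aes.BlockSize)
	cipher.NewCBCDecrypter(block, wire[:aes.BlockSize]).CryptBlocks(pt, wire[aes.BlockSize:bodyLen])
	der, err := pkcs5Unpad(pt)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the device key
	}
	if err != nil {
		return nil, err
	}
	return csr, nil
}
```

Because the tag is checked before decryption and compared with a constant-time function, a modified IV or ciphertext, or a CSR sealed under a key derived from a different password, is rejected before CBC decryption or the padding check ever runs; that ordering is what keeps CBC with PKCS#5 padding from acting as a padding oracle.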
Data flow: Activating an Android device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Make sure the activation profile "MDM controls," "Work and personal - full control (Secure Work Space)," or "Work and personal - user privacy (Secure Work Space)" is assigned to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
   d. A mutually authenticated TLS session is established between the BES12 Client and BES12
12. The BES12 Client requests all configuration information and sends the device and software information to BES12.
13. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX MDM and is running a supported MDM version. If the device uses KNOX MDM, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM IT policy rules from BES12.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - full control (Secure Work Space)" or "Work and personal - user privacy (Secure Work Space)," after the activation is completed the user is prompted to create a work space password. Additionally, the user may be prompted to install or may need to manually install some or all of the following apps:
- Secure Work Space
- Work Space Manager
- Documents To Go
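Steps 8 through 11 of the Android flow hinge on one server-side detail: the certificate request in step 10 is only honoured if it arrives inside the enrollment session that the authenticated activation request created in step 9. The Go program below is an added example of that binding and is not BES12's code. It assumes the credential check of step 9a has already been done by the caller, keeps sessions in an in-memory map in place of the BES12 database, constructs a self-signed P-256 root at start-up to stand in for the BES12 root certificate, and, as a deliberate design choice, takes only the public key from the CSR while the certificate subject comes from the session. All type and function names (enrollmentCA, activate, issueClientCert, deviceCSR) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// enrollmentCA plays the BES12 role. The session map (enrollment session ID ->
// authenticated user) stands in for the BES12 database and the root is
// constructed at start-up; both are this example's assumptions.
type enrollmentCA struct {
	rootCert *x509.Certificate
	rootKey  *ecdsa.PrivateKey
	sessions map[string]string
}

func newEnrollmentCA() (*enrollmentCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Enrollment Root (constructed)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &enrollmentCA{rootCert: root, rootKey: key, sessions: map[string]string{}}, nil
}

// activate is step 9d: after the caller has checked the credentials (step 9a),
// bind a fresh random enrollment session ID to the authenticated user.
func (ca *enrollmentCA) activate(user string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	ca.sessions[id] = user
	return id, nil
}

// issueClientCert is steps 11a and 11b: the CSR is signed only inside a known
// session, which the request consumes. Only the public key is taken from the
// CSR; the subject comes from the session, never from the client.
func (ca *enrollmentCA) issueClientCert(sessionID string, csrDER []byte) (*x509.Certificate, error) {
	user, ok := ca.sessions[sessionID]
	if !ok {
		return nil, errors.New("no enrollment session for this request")
	}
	delete(ca.sessions, sessionID) // one certificate request per session
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof that the requester holds the device key
	}
	if err != nil {
		return nil, err
	}
	serial, _ := new(big.Int).SetString(sessionID, 16) // ties the cert to its enrollment
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.rootCert, csr.PublicKey, ca.rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceCSR is the client side of step 10; the name the client writes into the CSR is not trusted.
func deviceCSR(requestedName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: requestedName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

With this arrangement a CSR that arrives without a session, with a guessed session ID, or after the session has already been used is refused before the root key is touched, and a client that writes someone else's name into its CSR still receives a certificate for the account that actually authenticated in step 9. The mutually authenticated TLS session of step 11d then only needs to check that the presented client certificate chains to the root.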
Data flow: Activating a device to use KNOX Workspace

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Make sure the "Work and personal - full control (Samsung KNOX)", "Work and personal - user privacy (Samsung KNOX)", or "Work space only - (Samsung KNOX)" activation type is assigned to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
   d. A mutually authenticated TLS session is established between the BES12 Client and BES12
12. The BES12 Client requests all configuration information and sends the device and software information to BES12.
13. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX Workspace and is running a supported version. If the device uses KNOX Workspace, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM and KNOX Workspace IT policy rules.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

After the activation is complete, the user is prompted to create a work space password that is used to set up and protect the KNOX Workspace. Data in the KNOX Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Note: If the device is activated with the "Work space only - (Samsung KNOX)" activation type, the personal space is removed when the KNOX Workspace is set up.
Data flow: Activating a device to use Android for Work

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address
      Note: Optionally, you can configure BES12 to create the Google account for the user during the activation process. When BES12 creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   c. Make sure the "Work and personal - user privacy (Android for Work)" or the "Work and personal - user privacy (Android for Work - Premium)" activation type is assigned to the user.
   d. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads the BES12 Client from Google Play and installs it on the device. After it is installed, the user opens the BES12 Client and enters their email address and activation password.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the managed Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
10. If the device is not encrypted, the user is prompted to encrypt the device.
11. The BES12 Client performs the following actions:
   a. Prompts the user for the user's Google account information
   b. Connects to the managed Google domain to authenticate the user
   c. Creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS
12. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
   d. A mutually authenticated TLS session is established between the BES12 Client and BES12
13. The BES12 Client requests all configuration information and sends the device and software information to BES12.
14. BES12 stores the device information and sends the requested configuration information to the device.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

Data flow: Activating a device to use Android for Work with work space only

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address. Optionally, you can configure BES12 to create the Google account for the user during the activation process. When BES12 creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   c. Make sure that the "Work space only (Android for Work)" or "Work space only (Android for Work - Premium)" activation type is assigned to the user.
   d. Set the user's activation password.
2. BES12 communicates with the Google domain to generate an activation token for the user. The activation token and the user's activation password are included in the activation email that is sent to the user's work email address.
3. The user resets their device to the factory default settings.
4. The device restarts and prompts the user to select a Wi-Fi network and to add an account.
5. The user taps the more button, taps Setup work device, and enters their email address and the activation token they received in their activation email.
6. The device communicates with the Google domain to validate the activation token. When the token is validated, the device performs the following actions:
   a. If the device is not encrypted, prompts the user to encrypt the device and restarts
   b. Downloads the BES12 Client from Google Play and installs it
7. The BES12 Client on the device prompts the user to type their email address and activation password.
8. The user types their email address and activation password.
9. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
10. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 server address for the user
   c. Sends the server address to the BES12 Client
11. The BES12 Client establishes a connection with BES12.
12. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted.
13. The user accepts the certificate.
14. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
15. BES12 performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
16. The BES12 Client performs the following actions:
   a. Prompts the user for the user's Google account information
   b. Connects to the Google domain to authenticate the user
   c. Creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS
17. BES12 performs the following actions:
26 Ativting devies Vlidtes the lient ertifite request ginst the enrollment session ID in the HTTP session Signs the lient ertifite request with the root ertifite Sends the signed lient ertifite nd root ertifite k to the BES12 Client A mutully uthentited TLS session is estlished etween the BES12 Client nd BES The BES12 Client requests ll onfigurtion informtion nd sends the devie nd softwre informtion to BES BES12 stores the devie informtion nd sends the requested onfigurtion informtion to the devie. 20. The devie sends n knowledgment to BES12 tht it reeived nd pplied the onfigurtion informtion. The tivtion proess is omplete. Dt flow: Ativting n ios devie 1. If you pln to use Apple's Devie Enrollment Progrm, you perform the following tions: Mke sure tht BES12 is onfigured to synhronize with DEP Register the devie in DEP nd ssign it to n MDM server Assign n enrollment onfigurtion to the devie 2. You perform the following tions: Add user to BES12 s lol user ount or using the ount informtion retrieved from your ompny diretory Assign n tivtion profile to the user Use one of the following options to provide the user with tivtion detils: 26
     - Automatically generate a device activation password and send an email with activation instructions for the user
     - Set a device activation password and communicate the username and password to the user directly or by email
     - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
3. If the device is registered in the Apple DEP, the device communicates with the Apple DEP web service during its initial setup. If you configured the device to install the BES12 Client, the device automatically downloads and installs it.
4. If the device is not registered in the Apple DEP or if you did not configure the device to install the BES12 Client, the user manually downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
5. The BES12 Client on the device performs the following actions:
   - Establishes a connection to the BlackBerry Infrastructure
   - Sends a request for activation information to the BlackBerry Infrastructure
6. The BlackBerry Infrastructure performs the following actions:
   - Verifies that the user is a valid, registered user
   - Retrieves the BES12 address for the user
   - Sends the address to the BES12 Client
7. The BES12 Client establishes a connection with BES12.
8. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
9. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
10. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
11. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
12. BES12 performs the following actions:
   - Validates the client certificate request against the enrollment session ID in the HTTP session
   - Signs the client certificate request with the root certificate
   - Sends the signed client certificate and root certificate back to the BES12 Client
   A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the link for the native MDM Daemon activation. The BES12 Client establishes a connection to BES12.
14. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
15. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
16. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
17. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and a device issued certificate.
18. BES12 sends the CA certificate, CA capabilities information, and the device issued certificate to the native MDM Daemon.
19. The native MDM Daemon installs the MDM profile on the device. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information and sends the device and software information to BES12.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete. If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control," after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
   - Work Connect
   - Work Browser
   - Documents To Go
   Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.
Data flow: Activating a Windows 10 device

1. You perform the following actions:
   a. Configure the discovery service to simplify Windows 10 activations
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   c. Use one of the following options to provide the user with activation details:
     - Automatically generate a device activation password and send an email with activation instructions for the user.
     - Set a device activation password and select the option to send the activation information to the user by email.
     - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password and view their server address.
   d. Provide the user a CA certificate generated by BES12 to install on their device
2. The user completes the following actions on their device:
   a. Checks that the device has Internet connectivity on port 443
   b. Opens and installs the certificate
   c. Navigates to Settings > Accounts > Work access and taps Connect
   d. When prompted, enters their email address and activation password they received in the activation email
3. The device establishes a connection to the discovery service that you configured to simplify Windows 10 activations in your organization.
4. The discovery service checks that the SRP ID for the BES12 server is valid and redirects the device to BES12.
5. The device sends an activation request to BES12 on port 443. The activation request includes the username, password, device operating system, and unique device identifier.
6. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
7. The device creates a CSR and sends it to BES12 over HTTPS. The CSR contains the username and activation password.
8. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device. All communication between the device and BES12 is now mutually authenticated end to end using these certificates.
9. The device requests all configuration information.
10. BES12 stores the device information in the database and sends configuration information to the device.
11. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.
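The Android, iOS, and Windows 10 flows above share one step: the device sends a CSR, BES12 validates it against the enrollment session ID held in the HTTP session, signs it with the root certificate, and returns the signed client certificate together with the root, after which the TLS session is mutually authenticated. The following Go program is an added example, not BES12 code, of what that server-side check has to do and what the device should verify in return. The names (EnrollmentCA, SignClientCSR, ClientCSR, VerifyIssued) and the self-signed root are this example's own constructions; the enrollment session ID is bound to the subject (user and device) that the activation request authenticated, a CSR whose subject names a different user or device is refused, and a session is single use, so a replayed request is refused as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentCA stands in for the server's root certificate plus its table of enrollment
// sessions, each bound to the subject the activation request authenticated (example only).
type EnrollmentCA struct {
	key      *ecdsa.PrivateKey
	Root     *x509.Certificate
	Sessions map[string]pkix.Name // enrollment session ID -> subject the device may request
}

// NewEnrollmentCA creates a self-signed root to sign client certificates with.
func NewEnrollmentCA() (*EnrollmentCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enrollment Root"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &EnrollmentCA{key: key, Root: root, Sessions: map[string]pkix.Name{}}, nil
}

// SignClientCSR validates a client certificate request against the enrollment session
// and signs it with the root, returning DER. The session is consumed on success.
func (ca *EnrollmentCA) SignClientCSR(sessionID string, csrDER []byte) ([]byte, error) {
	want, ok := ca.Sessions[sessionID]
	if !ok {
		return nil, fmt.Errorf("unknown or already consumed enrollment session %q", sessionID)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	if csr.Subject.String() != want.String() { // only the identity this session authenticated
		return nil, fmt.Errorf("CSR subject %q does not match enrollment session", csr.Subject)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // example only; use random serials in production
		Subject:      want,                              // the server, not the CSR, decides the issued identity
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	delete(ca.Sessions, sessionID) // single use: a replayed request is refused
	return der, nil
}

// ClientCSR is the device side: a fresh key and a CSR for the requested subject.
// The private key stays on the device; only the CSR travels to the server.
func ClientCSR(subject pkix.Name) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
}

// VerifyIssued is the client's check on what comes back: the client certificate must
// chain to the root it was given and be valid for client authentication.
func VerifyIssued(certDER []byte, root *x509.Certificate) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

In a deployment the CSR travels on the same HTTPS connection that carries the session cookie, which is what ties the enrollment session ID to this particular request; the example keeps that binding as a map lookup so the three checks (session exists, CSR signature is valid, CSR subject equals the authenticated subject) can be read in one place.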
Data flow: Activating a Windows Phone 8.1 device

1. You perform the following actions:
   - Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   - Assign an activation profile to the user
   - Use one of the following options to provide the user with activation details:
     - Automatically generate a device activation password and send an email with activation instructions for the user
     - Set a device activation password and communicate the username and password to the user directly or by email
     - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the Windows Phone 8.1 device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   - Establishes a connection to the BlackBerry Infrastructure
   - Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   - Verifies that the user is a valid, registered user
   - Retrieves the BES12 address for the user
   - Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:
   - Validates the client certificate request against the enrollment session ID in the HTTP session
   - Signs the client certificate request with the root certificate
   - Sends the signed client certificate and root certificate back to the BES12 Client
   A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation. The BES12 Client sends the device information to BES12.
13. The user copies the server address and navigates to the Windows Phone settings to complete the activation. The user adds an account using their username and activation password and pastes the server address.
14. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
15. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device. All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.
16. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
17. BES12 acknowledges that the MDM activation is complete.
18. The BES12 Client requests all configuration information.
19. BES12 stores the device information in the database and sends configuration information to the device.
20. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

Data flow: Activating a BlackBerry OS device

1. You use the management console to create a new user account and use one of the following options to provide the user with activation details:
   - Automatically generate a device activation password and send an email with activation instructions for the user
   - Set a device activation password and communicate the username and password to the user directly or by email
   - Don't set a device activation password and communicate the BlackBerry Web Desktop Manager address to the user so that they can set their own activation password
   The device user list stored in the BES12 database is updated with the new device user name, email address, mailbox information, activation password, activation status, and other information.
2. The BlackBerry Dispatcher for BlackBerry OS assigns the new user to a BlackBerry Messaging Agent. The BlackBerry Messaging Agent starts to monitor the user's mailbox on the mail server for new email. An email containing an etp.dat file attachment is required to continue the activation process.
3. The device user navigates to the Enterprise Activation screen on the BlackBerry OS (version 5.0 to 7.1) device and types the email address and activation password. The device user opens the menu and clicks Activate. The device displays "Activating."
4. The device creates an activation request email that contains the email address, device PIN, and public key authentication information, based on the enterprise activation password the user typed. The device encrypts the email using SPEKE and sends it to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure receives the activation request email and identifies it as an activation request. The BlackBerry Infrastructure forwards the email using SMTP to the email address that the user typed on the Enterprise Activation screen.
6. When the activation request email arrives in the user's mailbox, the BlackBerry Messaging Agent identifies it and removes it from the user's mailbox. The BlackBerry Messaging Agent recognizes the etp.dat attachment in the activation request email and begins an authentication process.
7. The BlackBerry Messaging Agent compares the authentication key received in the activation request email with the authentication key generated from the activation password and stored in the BES12 database. If the authentication keys match, the BlackBerry Messaging Agent notifies the BlackBerry OS device that the activation request was received.
8. BES12 and the BlackBerry OS device establish an encryption key and verify their knowledge of the encryption key to each other. The BlackBerry OS device displays "Encryption Verified. Waiting for Services." All the data sent between the BlackBerry OS device and BES12 from now on is compressed and encrypted using this encryption key, and the device can now be managed from the management console.
9. The BlackBerry Messaging Agent forwards a request to the BlackBerry Policy Service to generate service books. The BlackBerry Policy Service receives and queues the request. The BlackBerry Policy Service adds the unique authentication key that the BES12 domain uses to sign IT policy data and then forwards the IT policy data through the BlackBerry Dispatcher for BlackBerry OS to the device. The BlackBerry Policy Service waits for confirmation from the device that the IT policy has been applied successfully.
10. The BlackBerry OS device applies the IT policy and sends confirmation to BES12. The IT policy applied to the BlackBerry OS device is now in a read-only state and can be modified only by updates sent from the same BES12 domain.
11. Once the BlackBerry Policy Service receives confirmation that the IT policy was applied successfully, the BlackBerry Policy Service generates and sends the service books to the BlackBerry OS device.
12. The BlackBerry OS device receives the service books. The device user is notified that the email address has been activated. The BlackBerry OS device displays "Services Received. Your email address, <username>@<domain>.com is now enabled." The device user can now send and receive email messages on the BlackBerry OS device.
13. The slow synchronization process begins. The BlackBerry OS device requests the synchronization configuration information from the BlackBerry Synchronization Service. The configuration information indicates whether wireless data synchronization on BES12 is turned on and which organizer databases can be synchronized. The configuration information also provides database synchronization types (unidirectional or bidirectional) and conflict resolution settings.
14. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases on the BlackBerry OS device using that information. The BlackBerry OS device and BES12 do not delete records during the initial synchronization process.
15. The slow synchronization process is complete when all databases are synchronized between the BlackBerry OS device and BES12. The activation process is complete when the BlackBerry OS device displays Activation Complete and the device user account status displays Completed in the management console or BlackBerry Administration Service.
Receiving configuration updates

When you use the management console to send device commands, such as lock device or delete the work data, or when you perform other device management tasks, such as updates to policy, profile, and app settings or assignments, you trigger a configuration update for the device.

When a configuration update needs to be sent to a device, BES12 notifies the devices, except Windows Phone 8.0 devices, that a configuration update is pending. Windows Phone 8.0 devices poll BES12 every hour to request pending updates. Other devices also poll BES12 regularly to ask for any actions that need to be run on the device, so that no configuration update is missed if a notification does not reach the device.

On BlackBerry 10 devices, the Enterprise Management Agent receives and completes all configuration updates. On Android devices, the BES12 Client receives and completes all configuration updates.

On iOS and Windows Phone devices, the BES12 Client displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on iOS and Windows devices complements the BES12 Client and receives and completes all configuration updates sent to the device.

Data flow: Receiving configuration updates on a BlackBerry 10 device

1. An action is taken in the management console that triggers a configuration update for the device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core notifies the BlackBerry Infrastructure that there is an update for a device. The notification passes through the BlackBerry Router or TCP proxy server, if installed, and the external firewall, over port 3101.
4. The BlackBerry Infrastructure notifies the Enterprise Management Agent on the device that there is an update.
5. The Enterprise Management Agent on the device polls the BES12 Core to request any pending actions and commands that must be performed on the device. This poll passes through the BlackBerry Infrastructure and the BlackBerry Router, if installed, to the BES12 Core.
6. The BES12 Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action. Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response.
7. The Enterprise Management Agent on the device receives the configuration updates and applies the new or updated configuration on the device. The Enterprise Management Agent sends a response to the BES12 Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
8. If more actions or commands are pending for the device, the BES12 Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BES12 Core replies with an idle command. Steps 6 to 8 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on an Android device

1. An action is taken in the management console that triggers a configuration update for an Android device or a device using Android for Work or Samsung KNOX.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the GCM to notify Android devices that an update is pending.
5. The GCM sends a notification to the BES12 Client on the Android device to contact the BES12 Core.
6. The BES12 Client contacts the BES12 Core, on port 3101 on the external firewall, to request any pending actions and commands that must be performed on the device.
7. The BES12 Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action. Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response.
8. The BES12 Client inspects the response, schedules the command to be processed, and waits for the command to be run. The BES12 Client sends a response to the BES12 Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
9. If more actions or commands are pending for the device, the BES12 Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BES12 Core replies with an idle command. Steps 7 to 9 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on an iOS device

1. An action is taken in the management console that triggers a configuration update for an iOS device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the APNs to notify the device that an update is pending.
5. The APNs sends a notification to the native MDM Daemon on the iOS device to contact the BES12 Core.
6. When the native MDM Daemon on the iOS device receives the notification, it contacts the BES12 Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
7. The BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BES12 Core replies to the device with an idle command.
8. The native MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for the command to be run.
9. The native MDM Daemon sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure. Steps 7 to 9 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on a Windows device

1. An action is taken in the management console that triggers a configuration update for a Windows Phone 8.1 or Windows 10 device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the WNS to notify the device that an update is pending.
5. The WNS sends a notification to the device to contact the BES12 Core.
6. When the device receives the notification, it contacts the BES12 Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
7. When an update is pending for the device, the BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BES12 Core replies to the device with an empty message.
8. The device inspects the response, schedules the command to be processed, and waits for the command to be run. The device sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure. Steps 7 and 8 are repeated until no more actions or commands are pending for the device.

Data flow: Receiving configuration updates on a Windows Phone 8.0 device

1. An action is taken in the management console that triggers a configuration update for a Windows Phone 8.0 device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The native MDM Daemon on the Windows Phone device polls BES12 for updates at regular intervals.
4. When an update is pending for the device, the BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BES12 Core replies to the device with an empty message.
5. The native MDM Daemon on the Windows Phone device inspects the response, schedules the command to be processed, and waits for the command to be run. The native MDM Daemon on the Windows Phone device sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure. Steps 4 and 5 are repeated until no more actions or commands are pending for the device.
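All five flows in this chapter describe the same server-side loop: the BES12 Core holds the pending actions for a device, answers each poll with the single highest-priority one (IT administration commands such as Delete device data and Lock device ahead of information requests and configuration pushes), records the status the device reports back, and answers with an idle command or an empty message when nothing is pending. The Go program below is an added example, not BES12 code, of that loop as a per-device priority queue. The names (CommandQueue, Enqueue, Poll, Report, Drain) and the rule that a command stays in flight and is redelivered until the device reports its status are this example's own assumptions, not documented BES12 behaviour.

```go
package main

import (
	"fmt"
	"sort"
)

// Priority classes, highest first, in the order the flows above describe:
// IT administration commands (Delete device data, Lock device), then requests
// for device information, then everything else (policy, profile, app updates).
const (
	PriorityAdmin = iota
	PriorityInfo
	PriorityConfig
)

// Command is one action for a device; Payload carries any additional
// information the response needs (an app identifier, a profile, and so on).
type Command struct {
	ID       int
	Name     string
	Priority int
	Payload  string
}

// Status is the device's report on a command it was handed.
type Status struct {
	CommandID int
	OK        bool
	Error     string
}

// Idle is the reply when nothing is pending for the device (ID 0 is never issued).
var Idle = Command{Name: "idle", Priority: PriorityConfig}

// CommandQueue keeps the pending list per device. Poll hands out one command at
// a time; it stays in flight until the device reports its status (assumption).
type CommandQueue struct {
	nextID   int
	pending  map[string][]Command
	inFlight map[string]*Command
}

func NewCommandQueue() *CommandQueue {
	return &CommandQueue{pending: map[string][]Command{}, inFlight: map[string]*Command{}}
}

// Enqueue is what a console action does: it adds a command for a device.
func (q *CommandQueue) Enqueue(device, name string, priority int, payload string) int {
	q.nextID++
	q.pending[device] = append(q.pending[device], Command{q.nextID, name, priority, payload})
	return q.nextID
}

// Poll returns the highest-priority pending command (FIFO within a priority
// class) or Idle. A device that polls again before reporting gets the same
// command back, so a reply lost on the way cannot skip a command.
func (q *CommandQueue) Poll(device string) Command {
	if c := q.inFlight[device]; c != nil {
		return *c
	}
	list := q.pending[device]
	if len(list) == 0 {
		return Idle
	}
	sort.SliceStable(list, func(i, j int) bool { return list[i].Priority < list[j].Priority })
	c := list[0]
	q.pending[device] = list[1:]
	q.inFlight[device] = &c
	return c
}

// Report records the status the device sends back and frees the in-flight slot.
// A status for a command that was never handed to this device is rejected.
func (q *CommandQueue) Report(device string, s Status) error {
	c := q.inFlight[device]
	if c == nil || c.ID != s.CommandID {
		return fmt.Errorf("device %s reported command %d, which is not in flight", device, s.CommandID)
	}
	delete(q.inFlight, device)
	return nil
}

// Drain runs the loop from the device's side until Idle and returns the command
// names in delivery order; every command reports success here.
func Drain(q *CommandQueue, device string) []string {
	var order []string
	for {
		c := q.Poll(device)
		if c.ID == 0 {
			return order
		}
		order = append(order, c.Name)
		q.Report(device, Status{CommandID: c.ID, OK: true})
	}
}
```

The Windows flows differ only in what an empty queue returns (an empty message instead of an idle command), which a caller of Poll can map from Idle; the ordering and the one-command-at-a-time rule are the same for all device types.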
Sending and receiving work data

When BlackBerry 10, iOS, Android, and Windows devices that are active on BES12 send and receive work data, they connect to your organization's mail, application, or content servers. For example, when they use the work email or calendar apps, devices establish a connection to the mail server. When they use the work browser to navigate the intranet, devices establish a connection to the web server in your organization, and so on.

Depending on the type of device and how it is configured, a device may establish these connections using one of the following:
- Communicating over your organization's work Wi-Fi network: You can use BES12 to configure Wi-Fi profiles for devices so that devices can connect to your organization's resources using your work Wi-Fi network.
- Communicating over your organization's VPN: You can use BES12 to configure VPN profiles for devices, or users may configure VPN profiles on their devices, so that devices can connect to your organization's resources using a VPN. To use your organization's VPN, users with a Windows Phone 8.1 device or an Android device that does not use Android for Work or KNOX Workspace must configure a VPN profile on their devices manually.
- Communicating through the BlackBerry Infrastructure: When devices use this communication channel, they use enterprise connectivity. When devices use enterprise connectivity, all the traffic between the devices and BES12 is authenticated and encrypted and travels through the BlackBerry Infrastructure. Enterprise connectivity limits the number of ports that you need to open on your organization's external firewall to a single port, 3101. Additionally, for BlackBerry 10 devices and devices activated to use Android for Work or KNOX Workspace, you can configure the enterprise connectivity profile to use BlackBerry Secure Connect Plus. When these devices use BlackBerry Secure Connect Plus, all the traffic flows in a secure IP tunnel established between the work space apps on the device and your organization's network through the BlackBerry Infrastructure.

When BlackBerry OS (version 5.0 to 7.1) devices send or receive work data, they connect to BES12. BES12 then establishes a connection to your organization's mail, application, or content servers to send and receive work data on behalf of the BlackBerry OS devices. For more information about data flows for BlackBerry OS (version 5.0 to 7.1) devices, visit help.blackberry.com/ to see the BES5 Feature and Technical Overview.

Using enterprise connectivity

The following diagram shows how devices access your organization's resources when they use enterprise connectivity.

The following table lists the devices that can connect to your organization's network using enterprise connectivity and when they use it.

Device type: All devices
Description: All devices use this communication path to send and receive configuration data, such as device commands, policy and profile updates, and sending device information and activity reports.

Device type: iOS and Android devices with Secure Work Space
Description: iOS and Android devices with Secure Work Space always use this path to send and receive Exchange ActiveSync data and other work app data when they have enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.

Device type: BlackBerry 10 devices
Description: BlackBerry 10 devices use this communication path to send and receive work data when this is the most direct, cost-efficient route available.

Device type: BlackBerry 10 devices and devices that use Android for Work or KNOX Workspace that are configured to use BlackBerry Secure Connect Plus
Description: Devices that have an enterprise connectivity profile configured to use BlackBerry Secure Connect Plus use a secure IP tunnel through the BlackBerry Infrastructure to transfer data between work apps and your organization's network when this is the most direct, cost-efficient route available. One tunnel is established for each device, and the tunnel supports standard IPv4 protocols (TCP and UDP). As long as the tunnel is open, any apps in the work space can access network resources. When the tunnel is no longer required (for example, the user is in range of the work Wi-Fi network), it is terminated.

Device type: BlackBerry OS (version 5.0 to 7.1) devices
Description: BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive email, organizer, and app data updates when this is the most direct, cost-efficient route available.
45 Sending nd reeiving work dt For more informtion on how to onfigure n enterprise onnetivity profile, see the Administrtion ontent. Dt flow: Aessing n pplition or ontent server using BlkBerry Seure Connet Plus This dt flow desries how dt trvels when work pp on devie tht is onfigured to use BlkBerry Seure Connet Plus esses n pplition or ontent server in your orgniztion. 1. The user opens work pp to ess work dt from ontent or pplition server ehind your orgniztion's firewll. For exmple, the user opens the work rowser to nvigte the intrnet. 2. The devie determines tht seure IP tunnel is the most diret, ost effiient method ville to onnet to the pplition or ontent server to retrieve the dt nd it sends requests through TLS tunnel, over port 443, to the BlkBerry Infrstruture to request seure tunnel to the work network. The signl is enrypted y defult using FIPS-140 ertified Certiom lirries. The signling tunnel is enrypted end-to-end. 3. BlkBerry Seure Connet Plus reeives the request from the BlkBerry Infrstruture through port The devie nd BlkBerry Seure Connet Plus negotite the tunnel prmeters nd estlish seure tunnel for the devie through the BlkBerry Infrstruture. The tunnel is uthentited nd enrypted end-to-end with DTLS. 5. The work pp uses the tunnel to onnet to the pplition or ontent server using stndrd IPv4 protools (TCP nd UDP). 6. BlkBerry Seure Connet Plus trnsfers the IP dt to nd from your orgniztion's network. BlkBerry Seure Connet Plus enrypts nd derypts trffi using FIPS-140 ertified Certiom lirries. 7. The pp reeives nd displys the dt on the devie. 45
46 Sending nd reeiving work dt 8. As long s the tunnel is open, ny pps in the work spe n ess network resoures. When the tunnel is no longer the est ville method to onnet to your orgniztion's network, BlkBerry Seure Connet Plus termintes it. Dt flow: Aessing n pplition or ontent server using enterprise onnetivity This dt flow desries how dt trvels when work pp on devie esses n pplition or ontent server in your orgniztion using enterprise onnetivity when BlkBerry Seure Connet Plus is disled. 1. The user opens work pp to view work dt. For exmple, the user opens the work rowser to nvigte the intrnet or uses BlkBerry Work Drives to ess file on network drive. 2. The pp estlishes onnetion to the pplition or ontent server to retrieve the dt. The request trvels through the seure hnnel estlished etween the BlkBerry Infrstruture nd BES12 to the pplition or ontent server: If the devie is n ios or Android devie, the request trvels through the BlkBerry Infrstruture nd the BES12 Core to the pplition or ontent server. If the devie is BlkBerry 10 devie, the request trvels through the BlkBerry Infrstruture, BlkBerry Affinity Mnger, BlkBerry Dispther, nd BlkBerry MDS Connetion Servie to the pplition or ontent server. 3. The pplition or ontent server replies with the work dt. The work dt trvels through the seure hnnel estlished etween BES12 nd the BlkBerry Infrstruture to the pp on the work spe of the devie: If the devie is n ios or Android devie, the dt trvels through the BES12 Core nd the BlkBerry Infrstruture to the devie. If the devie is BlkBerry 10 devie, the dt trvels through the BlkBerry MDS Connetion Servie, BlkBerry Dispther, BlkBerry Affinity Mnger, nd BlkBerry Infrstruture to devie. 46
4. The app receives and displays the data on the device.

Data flow: Sending email from a BlackBerry 10, iOS, or Android device

This data flow describes how work email and calendar data travels from BlackBerry 10 or Android devices that are using enterprise connectivity and have BlackBerry Secure Connect Plus disabled to the Exchange ActiveSync server.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   - If the device is an iOS or Android device, the new or changed item travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   - If the device is a BlackBerry 10 device, the new or changed item travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient, and sends a confirmation to the device.
Data flow: Receiving email on a BlackBerry 10 or Android device

This data flow describes how work email and calendar data travels between the Exchange ActiveSync server and the BlackBerry 10 or Android devices that are using enterprise connectivity when BlackBerry Secure Connect Plus is disabled.

1. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device when any items change in the folders that are configured to synchronize. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   - If the device is an Android device, the request travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   - If the device is a BlackBerry 10 device, the request travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through the secure channel established between BES12 and the BlackBerry Infrastructure to the email or organizer data app on the work space of the device:
   - If the device is an Android device, the new or changed item travels through the BES12 Core and the BlackBerry Infrastructure to the device.
   - If the device is a BlackBerry 10 device, the request travels through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device through the secure channel established between BES12 and the BlackBerry Infrastructure.
6. The device issues a new request and the process starts over.

Data flow: Receiving email on an iOS device

This data flow describes how work email and calendar data travels between the Exchange ActiveSync mail server and iOS devices using enterprise connectivity.

1. If the email or organizer app is open or the device OS allows it to run in the background:
   a. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device when any items change in the folders that are configured to synchronize. The request travels through the encrypted and authenticated channel established between the BlackBerry Infrastructure and BES12 Core to the mail server.
   b. The device stands by.
   c. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device. The device issues a new request and the process starts over.
   d. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device through the secure channel established between BES12 Core and the BlackBerry Infrastructure to the email or organizer app on the work space of the device.
   e. When the synchronization is complete, the device issues another request to restart the process.
2. If the email or organizer app is not open and is not running in the background:
   a. The BlackBerry Work Connect Notification Service listens for new or updated items for the device.
   b. When there is a new or updated item, the BlackBerry Work Connect Notification Service sends the notification to the BlackBerry Infrastructure using the secure channel established between BES12 Core and the BlackBerry Infrastructure.
   c. The BlackBerry Infrastructure sends the notification to the app on the iOS device using the APNs.
   d. The device shows there is a new email or organizer item available.
   e. When the user opens the app, the device issues an HTTPS request to the mail server and requests that the mail server sends any new or changed items to the device. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 Core to the mail server.
   f. The mail server sends the new or changed items to the device through the secure channel established between BES12 Core and the BlackBerry Infrastructure to the email or organizer app on the work space of the device. When the synchronization is complete, the process starts over.

Data flow: Receiving enterprise push updates on a BlackBerry 10 device

This data flow describes how work data travels from an application server to a BlackBerry 10 device that is using enterprise connectivity when BlackBerry Secure Connect Plus is disabled.

1. When there is new or updated data for a work app on a BlackBerry 10 device, the application or content server pushes the data to the BlackBerry MDS Connection Service using an HTTP or HTTPS request.
2. The BlackBerry MDS Connection Service sends the pushed data through the BlackBerry Dispatcher, BlackBerry Affinity Manager, and TCP proxy server or BlackBerry Router if installed, to the BlackBerry Infrastructure over port 3101 on the firewall.
3. The BlackBerry Infrastructure sends the data to the BlackBerry 10 device.
4. The BlackBerry 10 device sends a delivery confirmation to the BlackBerry Infrastructure. The device app detects the incoming content and displays the content when the user opens the app.
5. The BlackBerry Infrastructure sends the delivery confirmation through the BlackBerry Router or TCP proxy server, if installed, the BlackBerry Affinity Manager, and the BlackBerry Dispatcher to the BlackBerry MDS Connection Service.
6. If configured to do so, the BlackBerry MDS Connection Service sends the delivery confirmation to the push initiator using an HTTP request.

Data flow: Sending an instant message from the BlackBerry Enterprise IM app

1. A user logs in to the BlackBerry Enterprise IM app on a BlackBerry 10 device that is running BlackBerry 10 OS version [version number missing from the source] or later. The BlackBerry 10 device compresses and encrypts the user ID and password.
2. The Enterprise IM app request on the device opens an SSL connection through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the BlackBerry Collaboration Service over port [port number missing from the source].
3. The BlackBerry Collaboration Service checks the BES12 database to determine whether the maximum number of available sessions has been reached.
4. The BlackBerry Collaboration Service connects to Microsoft Active Directory to validate the user's login information.
5. The BlackBerry Collaboration Service connects to the instant messaging server and registers an active endpoint for the user using UCMA, over an MTLS connection over port [port number missing from the source].
6. The instant messaging server sends the registration information back to the BlackBerry Collaboration Service.
7. The BlackBerry Collaboration Service sends the registration response to the device using the SSL connection through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure.
8. The session is created between the BlackBerry 10 device and the BlackBerry Collaboration Service, and between the BlackBerry Collaboration Service and the Microsoft Lync Server.

For more information about BlackBerry Enterprise IM, visit help.blackberry.com/detectlang/enterprise-im-for-bes12/.
Using your organization's VPN or work Wi-Fi network

Devices that have VPN or Wi-Fi profiles configured by you or by the users may be able to access your organization's resources using your organization's VPN or work Wi-Fi network. To use your organization's VPN, users with a Windows Phone 8.1 device or an Android device that does not use Android for Work or Samsung KNOX Workspace must manually configure a VPN profile on their devices.

This diagram shows how data can travel when a BlackBerry 10, iOS, Android, or Windows device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

This diagram shows how data can travel when a BlackBerry OS (version 5.0 to 7.1) device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

The following table describes which devices use your organization's VPN or work Wi-Fi network to connect to your organization's network, and when.
Device type: iOS and Android devices with Secure Work Space
Description: iOS and Android devices with Secure Work Space always use this communication path to send and receive Exchange ActiveSync data and other work data updates when they have enterprise connectivity disabled. To use your organization's VPN, Android device users must manually configure a VPN profile on their devices.

Device type: Devices that use Android for Work or KNOX Workspace
Description: Devices that use Android for Work or KNOX Workspace use this communication path when BlackBerry Secure Connect Plus is not enabled in their enterprise connectivity profile.

Device type: Windows devices and iOS and Android devices without Secure Work Space
Description: Windows devices and iOS and Android devices without Secure Work Space use this communication path to send and receive Exchange ActiveSync data and other work data updates. To use your organization's VPN, Android and Windows Phone 8.1 device users must manually configure a VPN profile on their devices.

Device type: BlackBerry 10
Description: BlackBerry 10 devices use this communication path to send and receive Exchange ActiveSync data updates and other work data updates when this is the most direct, cost-efficient route available. BlackBerry 10 devices only use VPN or Wi-Fi profiles configured by you, not by the user, when accessing work data.

Device type: BlackBerry OS
Description: BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive all email, organizer, and app data updates when this is the most direct, cost-efficient route available.

Data flow: Sending email from a device

This data flow describes how work email and calendar data travels from the device to the mail server over your organization's VPN or work Wi-Fi network using Exchange ActiveSync.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item to the mail server over your organization's VPN or work Wi-Fi network.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient, and sends a confirmation to the device.

Data flow: Receiving email on a device

This data flow describes how work email and calendar data travels from the device to the mail server over your organization's VPN or work Wi-Fi network using Exchange ActiveSync.

1. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device when any items change in the folders that are configured to synchronize. The request travels through your organization's VPN or work Wi-Fi network to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through your organization's VPN or work Wi-Fi network to the email or organizer data app on the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail or application server sends an "HTTP 200 OK" message to the device.
6. The device issues a new request and the process starts over.

Data flow: Accessing an application or content server

This data flow describes how data travels between an application or content server in your organization and a work app on a device using a VPN connection or work Wi-Fi network.
1. The user opens a work app to view work data. For example, the user opens the work browser to navigate the intranet or uses BlackBerry Work Drives to access a file on a network drive.
2. The app establishes a connection to the application or content server to retrieve the data. The request travels through your VPN or work Wi-Fi network to the application or content server.
3. The application or content server replies with the work data. The work data travels through your VPN or work Wi-Fi network to the app on the work space of the device.
4. The app receives and displays the data on the device.
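The email-receiving flows in this chapter (over enterprise connectivity for BlackBerry 10, Android and iOS devices, and over your organization's VPN or work Wi-Fi network) all describe the same exchange: the device asks the mail server to notify it of changes in the folders it synchronizes, stands by, receives either the changed items or an "HTTP 200 OK" with nothing to sync, and then re-issues the request. The Python script below is an added example, not BES12 or BlackBerry code, that simulates both sides of that long-poll exchange offline. The MailServer class is a constructed stand-in for the Exchange ActiveSync server, the device loop is a stand-in for the email or organizer app, and the mailbox events are constructed. It also covers the two edge cases the flows mention: a heartbeat interval that expires with no changes, and a change in a folder the device did not ask about, which keeps the request open.

```python
"""Simulated "notify me when my folders change" long-poll loop.

Added example, not part of the BES12 documentation or BlackBerry's code.
MailServer, device_sync and the sample mailbox events are constructed stand-ins.
"""
import queue
import threading
import time


class MailServer:
    """Constructed stand-in for the Exchange ActiveSync server side of the flow."""

    def __init__(self, heartbeat_s):
        # How long the server holds the device's request open before
        # answering "HTTP 200 OK" with no changes (the "interval" in the flow).
        self.heartbeat_s = heartbeat_s
        self._events = queue.Queue()   # (folder, item_id) changes as they arrive
        self.items = {}                # item_id -> content the device can fetch

    def item_changed(self, folder, item_id, content):
        """A new or updated item lands in the mailbox (e.g. delivered by SMTP)."""
        self.items[item_id] = content
        self._events.put((folder, item_id))

    def ping(self, folders):
        """Hold the request until a subscribed folder changes or the heartbeat expires.

        Returns the HTTP status plus the list of (folder, item_id) that changed;
        an empty list is the "HTTP 200 OK, nothing new" case from the flow.
        """
        deadline = time.monotonic() + self.heartbeat_s
        changed = []
        while not changed:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break                     # heartbeat expired with nothing to report
            try:
                folder, item_id = self._events.get(timeout=remaining)
            except queue.Empty:
                break                     # heartbeat expired while waiting
            # A change in a folder the device did not subscribe to is not
            # reported; the request simply stays open.
            if folder in folders:
                changed.append((folder, item_id))
        return {"status": "HTTP 200 OK", "changed": changed}

    def fetch(self, item_id):
        """The follow-up synchronization that pulls the changed item itself."""
        return self.items[item_id]


def device_sync(server, folders, rounds):
    """Device side: issue the request, stand by, sync what changed, re-issue.

    Returns one log entry per round so the caller can see each outcome.
    """
    log = []
    for _ in range(rounds):
        reply = server.ping(folders)                       # request + stand by
        fetched = [server.fetch(i) for _, i in reply["changed"]]  # sync the items
        log.append({"status": reply["status"],
                    "changed": reply["changed"],
                    "fetched": fetched})
        # Whether items arrived or the interval expired, the device issues a
        # new request; the for-loop is that restart.
    return log


def demo():
    """Two rounds against constructed events: one with a change, one empty."""
    server = MailServer(heartbeat_s=0.2)
    folders = {"Inbox", "Calendar"}
    # Constructed events: a Drafts change the device did not subscribe to
    # (ignored), then an Inbox mail that arrives while the device stands by.
    server.item_changed("Drafts", "d1", "unsent draft")
    threading.Timer(0.02, server.item_changed,
                    ("Inbox", "m1", "Hi from Alice")).start()
    return device_sync(server, folders, rounds=2)


if __name__ == "__main__":
    for n, entry in enumerate(demo(), 1):
        print(f"round {n}: {entry}")
```

The first round returns as soon as the Inbox change arrives and the device fetches it; the second round holds for the full heartbeat and comes back with "HTTP 200 OK" and nothing to sync, after which the device would issue the next request. A real client additionally bounds the heartbeat and retries on transport errors, which this stand-in leaves out.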
Glossary

AES: Advanced Encryption Standard
APNs: Apple Push Notification service
BES5: BlackBerry Enterprise Server 5
BES12: BlackBerry Enterprise Service 12
CA: certification authority
CBC: cipher block chaining
CSR: certificate signing request
DMZ: A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet.
ECMQV: Elliptic Curve Menezes-Qu-Vanstone
EMM: Enterprise Mobility Management
GCM: Google Cloud Messaging
HMAC: keyed-hash message authentication code
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IT policy: An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager.
MDM: mobile device management
PKCS: Public-Key Cryptography Standards
SMTP: Simple Mail Transfer Protocol
SRP: Server Routing Protocol
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.
UDP: User Datagram Protocol
VPN: virtual private network
WNS: Windows Push Notification Services
Legal notice

BlackBerry. Trademarks, including but not limited to BLACKBERRY, EMBLEM Design, BBM, BES, MANYME, VIRTUAL SIM PLATFORM, WORKLIFE, MOVIRTU, SECUSMART, SECUSMART & Design, SECUSUITE, WATCHDOX, WATCHDOX & Design and WATCHDOX & EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, the exclusive rights to which are expressly reserved.

Android, Google and Google Apps are trademarks of Google Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. KNOX and Samsung KNOX are trademarks of Samsung Electronics Co., Ltd. Microsoft, Active Directory, ActiveSync, Windows, and Windows Phone are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired.
Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at [link missing from the source].

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada
