Architecture and Data Flows Reference Guide


BES12 Version 12.3

Published: SWD

Contents

About this guide
Architecture: BES12 EMM solution
Components used to manage BlackBerry 10, iOS, Android, and Windows devices
Components used to manage BlackBerry OS devices
Activating devices
   Data flow: Activating a BlackBerry 10 device
   Data flow: Activating an Android device
   Data flow: Activating a device to use KNOX Workspace
   Data flow: Activating a device to use Android for Work
   Data flow: Activating a device to use Android for Work with work space only
   Data flow: Activating an iOS device
   Data flow: Activating a Windows 10 device
   Data flow: Activating a Windows Phone 8.1 device
   Data flow: Activating a BlackBerry OS device
Receiving configuration updates
   Data flow: Receiving configuration updates on a BlackBerry 10 device
   Data flow: Receiving configuration updates on an Android device
   Data flow: Receiving configuration updates on an iOS device
   Data flow: Receiving configuration updates on a Windows device
   Data flow: Receiving configuration updates on a Windows Phone 8.0 device
Sending and receiving work data
   Using enterprise connectivity
      Data flow: Accessing an application or content server using BlackBerry Secure Connect Plus
      Data flow: Accessing an application or content server using enterprise connectivity
      Data flow: Sending email from a BlackBerry 10, iOS, or Android device
      Data flow: Receiving email on a BlackBerry 10 or Android device
      Data flow: Receiving email on an iOS device
      Data flow: Receiving enterprise push updates on a BlackBerry 10 device
      Data flow: Sending an instant message from the BlackBerry Enterprise IM app
   Using your organization's VPN or work Wi-Fi network
      Data flow: Sending email from a device
      Data flow: Receiving email on a device
      Data flow: Accessing an application or content server
Glossary
Legal notice

About this guide

BES12 helps you manage iOS, Android, Windows, BlackBerry 10, and BlackBerry OS (version 5.0 to 7.1) devices for your organization. This guide explains the BES12 architecture and how data flows between the devices managed by BES12 and your organization's network. This guide is intended for senior IT professionals who are responsible for evaluating the product and planning its deployment, as well as anyone who is interested in learning more about BES12. After you read this guide, you should understand the function of each component used in the BES12 EMM solution.

Architecture: BES12 EMM solution

BES12
   BES12 is a service that allows you to manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows devices in your organization's environment.

BlackBerry Infrastructure
   The BlackBerry Infrastructure registers user information for device activation and validates licensing information for BES12. All the data that travels between the BlackBerry Infrastructure and BES12 is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

Devices
   BES12 supports BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows devices.

Notification services
   BES12 sends notifications to devices to contact BES12 for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the devices using the appropriate notification service:
   - APNs is a service that Apple provides to send notifications to iOS devices.
   - GCM is a service that Google provides to send notifications to Android devices.
   - Windows Push Notification Services (WNS) is a service that Microsoft provides to send notifications to Windows devices.

Routing components
   By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101, and you do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, you can install the BlackBerry Router or a TCP proxy server. The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. The BlackBerry Router can support SOCKS v5 with no authentication.
   If your organization already has a TCP proxy server installed or requires one to meet networking requirements, you can use a TCP proxy server instead of the BlackBerry Router. The TCP proxy server can support SOCKS v5 with no authentication.

Third-party application and content servers
   Additional content servers or application servers in your organization's environment, including the company directory, mail server, certificate authorities, and so on.

Components used to manage BlackBerry 10, iOS, Android, and Windows devices

BES12 Core
   The BES12 Core is the central component of the BES12 architecture and consists of several subcomponents that are responsible for:
   - Logging, monitoring, reporting, and management functions
   - Authentication and authorization services for the BES12 Core local directory and company directories
   - Scheduling and sending commands, IT policies, and profiles to devices
   If there are multiple BES12 instances in the domain, all the BES12 Core instances are active and each of them can connect to the BlackBerry Infrastructure and process traffic. After you install BES12 on a computer, you can install the BES12 Core on another computer.

BES12 database
   The BES12 database is a relational database that contains user account information and configuration information that BES12 uses to manage devices. You can install the BES12 database on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BES12 Self-Service
   Users can access BES12 Self-Service to set an activation password and send device commands, such as set password, lock device, and delete device data, to their BlackBerry 10, iOS, Android, or Windows devices. Users can also delete device data from their BlackBerry OS (version 5.0 to 7.1) devices.

BlackBerry Affinity Manager
   The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection to the BlackBerry Infrastructure. If there are multiple BES12 instances in the domain, the BlackBerry Affinity Manager runs on all instances, but only one BlackBerry Affinity Manager instance is active and responsible for maintaining a connection to the BlackBerry Infrastructure and processing traffic. The BlackBerry Affinity Manager configures the Exchange ActiveSync connectivity and logging settings for the BlackBerry Work Connect Notification Service. It also assigns BlackBerry 10 devices to the BlackBerry Dispatcher using the information in the BES12 database. If a BlackBerry 10 device is moved to a different BES12 instance, the BlackBerry Affinity Manager performs all of the steps required to move the user to the new instance, so that the user does not have to do anything for the device to maintain BES12 services.

BlackBerry Collaboration Service
   The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the Enterprise IM app on BlackBerry 10 devices, so that users can start and manage instant messaging conversations on their devices. The BlackBerry Collaboration Service is an optional component and is available as a separate installation.

BlackBerry Dispatcher
   The BlackBerry Dispatcher provides secure connectivity using IPPP for BlackBerry 10 devices. The BlackBerry Dispatcher dynamically updates the devices that it handles based on the list it receives from the active BlackBerry Affinity Manager.

BlackBerry Gatekeeping Service
   The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BES12. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BES12 management console by an administrator.

BlackBerry MDS Connection Service
   The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection. It is also responsible for providing enterprise data push services for BlackBerry 10 devices.

BlackBerry Secure Connect Plus
   BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Work Connect Notification Service
   The BlackBerry Work Connect Notification Service is a web service responsible for providing new and changed email and organizer notifications to iOS devices that are using Secure Work Space. iOS devices are restricted from running applications in the background, with specific exceptions such as the default mail application. This means Secure Work Space applications cannot receive new data such as email notifications unless the application is open or unless the notification comes from the APNs. The BlackBerry Work Connect Notification Service sends the email and organizer notifications to the BlackBerry Infrastructure, where they are sent to the device using the APNs. If there are multiple BES12 instances in the domain, only one instance of the BlackBerry Work Connect Notification Service is active and processing notifications. The BlackBerry Affinity Manager is responsible for starting another BlackBerry Work Connect Notification Service instance if the active one stops.

Management console
   The management console is a web-based console that is used to:
   - Complete postinstallation configuration settings
   - View and manage users, devices, policies, profiles, and apps
   - View and manage system settings, including customizing the activation email message and adding an APNs certificate
   - Move IT policies, profiles, groups, and users to BES12
   The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BES12 on a computer, you can install the management console on another computer.

Components used to manage BlackBerry OS devices

BES12 Core
   The BES12 Core is the central component of the BES12 architecture and consists of several subcomponents that are responsible for:
   - Logging, monitoring, reporting, and management functions
   - Authentication and authorization services for the BES12 Core local directory and company directories
   - Scheduling and sending commands, IT policies, and profiles to devices
   If there are multiple BES12 instances in the domain, all the BES12 Core instances are active and each of them can connect to the BlackBerry Infrastructure and process traffic. After you install BES12 on a computer, you can install the BES12 Core on another computer.

BES12 database
   The BES12 database is a relational database that contains user account information and configuration information that BES12 uses to manage devices. You can install the BES12 database on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BlackBerry Administration Service
   You can use the BlackBerry Administration Service to configure BlackBerry OS device software updates, and VPN and Wi-Fi profiles for BlackBerry OS (versions 5.0 to 7.1) devices. The BlackBerry Administration Service connects to the BES12 database. It also provides connection services for the management console so that you can manage BlackBerry OS devices.

BlackBerry Attachment Service
   The BlackBerry Attachment Service converts supported attachments into a format that can be viewed on BlackBerry OS devices. The BlackBerry Attachment Service converts attachments for the BlackBerry Messaging Agent, the BlackBerry MDS Connection Service for BlackBerry OS, and the BlackBerry Collaboration Service.

BlackBerry Collaboration Service for BlackBerry OS
   The BlackBerry Collaboration Service for BlackBerry OS is an optional component that provides a connection between your organization's instant messaging server and the collaboration client on BlackBerry OS devices.

BlackBerry Controller
   The BlackBerry Controller monitors components used to manage BlackBerry OS devices and restarts these components when they stop responding.

BlackBerry Dispatcher for BlackBerry OS
   The BlackBerry Dispatcher for BlackBerry OS performs the following functions:
   - Transfers data between components used to manage BlackBerry OS devices
   - Compresses and encrypts data that is sent to BlackBerry OS devices
   - Decrypts and decompresses data that is received from BlackBerry OS devices
   - Monitors and communicates the health of BlackBerry OS management components
   - Starts the processing of BlackBerry OS device users on the BlackBerry Messaging Agent

BlackBerry Mail Store Service
   The BlackBerry Mail Store Service connects to the mail servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the mail servers.

BlackBerry MDS Connection Service for BlackBerry OS
   The BlackBerry MDS Connection Service for BlackBerry OS permits applications on BlackBerry OS devices to connect to your organization's application or content servers for application data and updates.

BlackBerry Messaging Agent
   The BlackBerry Messaging Agent performs the following functions:
   - Connects to the mail server to provide messaging services, calendar management, contact lookups, attachment viewing, and attachment retrieval for BlackBerry OS devices
   - Allows the BlackBerry Synchronization Service to access organizer data on the mail server
   - Synchronizes configuration data between the BES12 database and BlackBerry OS device user mailboxes on the mail server

BlackBerry Policy Service
   The BlackBerry Policy Service performs administration services for BlackBerry OS devices over the wireless network, such as sending IT policies, device commands, and service books.

BlackBerry Router
   The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. For BlackBerry OS (version 5.0 to 7.1) devices, the BlackBerry Router also sends data directly to and receives data from devices that are connected to a work Wi-Fi network or to a computer that has the BlackBerry Device Manager. If you upgrade from BES5 version MR10 to BES12, the BlackBerry Router you originally installed with your BES5 continues to work only for the components used to manage BlackBerry OS devices. If you install a new instance of the BlackBerry Router with BES12, you can configure it to work with all components. If you use an existing TCP proxy server instead of the BlackBerry Router, BlackBerry OS devices that are connected to a work Wi-Fi network or to a computer that has BlackBerry Device Manager installed cannot bypass the BlackBerry Infrastructure to connect to your organization's network.

BlackBerry Synchronization Service
   The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry OS devices and your organization's mail server using the BlackBerry Messaging Agent. The BlackBerry Synchronization Service also synchronizes BlackBerry OS device user data with the BES12 database.

BlackBerry Web Desktop Manager
   BlackBerry OS device users can access BlackBerry Web Desktop Manager to set an activation password, activate their devices by connecting them to the computer, and perform other device management functions for their BlackBerry OS devices, such as updating the device software or sending device commands.

Management console
   The management console is a web-based console that is used to:
   - Complete postinstallation configuration settings
   - View and manage users, devices, policies, profiles, and apps
   - View and manage system settings, including customizing the activation email message and adding an APNs certificate
   - Move IT policies, profiles, groups, and users to BES12
   The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BES12 on a computer, you can install the management console on another computer.

Activating devices

Depending on the device type and the activation type that you specify for it, the device and BES12 must complete several steps during the activation process to authenticate to each other, secure a communication channel and, if needed, create a work space or encrypt the device before any configuration and work data is sent to the device. Activation types give you different degrees of control over the work and personal data on devices, ranging from full control over all data to specific control over work data only. For more information about activation types, see the Administration content.

Data flow: Activating a BlackBerry 10 device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user performs the following actions:
   a. Types the username and activation password on the device
   b. For a "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts. For other activation types, the Enterprise Management Agent on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the Enterprise Management Agent
5. The device performs the following actions:
   a. Establishes a connection with BES12
   b. Generates a shared symmetric key, used to protect the CSR and the response from BES12, from the activation password using EC-SPEKE
   c. Creates an encrypted CSR and HMAC as follows:
      - Generates a key pair for the certificate
      - Creates a PKCS#10 CSR that includes the public key of the key pair
      - Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
      - Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
   d. Sends the encrypted CSR and HMAC to BES12
6. BES12 performs the following actions:
   a. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
   b. Retrieves the username, work space ID, and your organization's name from the BES12 database
   c. Packages a client certificate using the information it retrieved and the CSR that the device sent
   d. Signs the client certificate using the enterprise management root certificate
   e. Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
   f. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and BES12 URL and appends it to the encrypted data
   g. Sends the encrypted data and HMAC to the device
7. The device performs the following actions:
   a. Verifies the HMAC
   b. Decrypts the data it received from BES12
   c. Stores the client certificate and the enterprise management root certificate in its keystore
8. BES12 performs the following actions:
   a. The BES12 Core assigns the new device to a BES12 instance in the domain
   b. The BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance
   c. The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device
   d. The BES12 Core sends configuration information, including enterprise connectivity settings, to the device
9. The BES12 Core and the device generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES12. This key is used to push IPPP data and to initiate communication using BlackBerry Secure Connect Plus.
10. The device sends an acknowledgment over TLS to BES12 to confirm that it received and applied the IT policy and other data and created the work space. The activation process is complete.

The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.
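Steps 5 to 7 above describe an encrypt-then-MAC exchange: the CSR is encrypted with AES-256-CBC and PKCS#5 padding under the key agreed through EC-SPEKE, an HMAC-SHA256 tag is appended, and the receiver verifies the tag before decrypting. The Go program below is an added example written for this guide, not BES12 or BlackBerry code; it simulates both sides of that exchange with standard-library primitives and then has the simulated server check the CSR and sign a client certificate from an enterprise management root on the 521-bit NIST curve the guide names. Assumptions that are not in the guide: the EC-SPEKE exchange itself is not run (a fixed byte string stands in for the agreed secret), separate encryption and MAC subkeys are derived from that secret (the guide says only "shared symmetric key"), the HMAC covers the IV as well as the ciphertext, and the ECMQV transport-key step (step 9) is omitted because Go's standard library has no ECMQV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// deriveKeys turns the (assumed) EC-SPEKE output into distinct AES-256 and HMAC keys.
func deriveKeys(shared []byte) (encKey, macKey [32]byte) {
	return sha256.Sum256(append([]byte("enc|"), shared...)), sha256.Sum256(append([]byte("mac|"), shared...))
}

// Seal: AES-256-CBC with a fresh IV and PKCS#5 padding, then HMAC-SHA256 over IV||ciphertext appended.
func Seal(shared, plaintext []byte) []byte {
	encKey, macKey := deriveKeys(shared)
	block, _ := aes.NewCipher(encKey[:]) // 32-byte key, cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	msg := make([]byte, aes.BlockSize+len(padded))
	rand.Read(msg[:aes.BlockSize]) // IV; crypto/rand fails only if the OS entropy source is broken
	cipher.NewCBCEncrypter(block, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey[:])
	mac.Write(msg)
	return mac.Sum(msg)
}

// Open verifies the HMAC in constant time before touching the ciphertext, then decrypts and checks
// every padding byte. A padding error after a valid HMAC indicates a bug, not an attack.
func Open(shared, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size || (len(sealed)-sha256.Size)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed message length %d", len(sealed))
	}
	encKey, macKey := deriveKeys(shared)
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, fmt.Errorf("HMAC mismatch: wrong activation password or tampered message")
	}
	block, _ := aes.NewCipher(encKey[:])
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, fmt.Errorf("invalid PKCS#5 padding")
	}
	return pt[:len(pt)-p], nil
}

// Activate simulates steps 5 to 7: the device seals a PKCS#10 CSR, BES12 opens it, checks the CSR's
// self-signature (proof that the device holds the key) and issues a client certificate from the root.
func Activate(shared []byte, user, org string) (client, root *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) // the guide's 521-bit NIST curve
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enterprise Management Root"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	devKey, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) // device side, step 5
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}, devKey)
	sealedCSR := Seal(shared, csrDER)
	plainCSR, err := Open(shared, sealedCSR) // server side, step 6
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(plainCSR)
	if err == nil {
		err = csr.CheckSignature() // reject a CSR whose signature does not match its own public key
	}
	if err != nil {
		return nil, nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: csr.Subject.CommonName, Organization: []string{org}},
		NotBefore:   time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	client, err = x509.ParseCertificate(clientDER)
	return client, root, err
}

func main() {
	client, root, err := Activate([]byte("ec-speke-shared-secret-stand-in"), "jdoe", "Example Corp")
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued %s, signed by %s\n", client.Subject.CommonName, root.Subject.CommonName)
}
```

The order of operations in Open is the point of the example: the tag is checked with hmac.Equal before any decryption, so a wrong activation password or a modified ciphertext is rejected without ever exposing padding behaviour, and the padding check only runs on data that has already been authenticated. CheckSignature on the parsed CSR is the server-side check that the requester actually holds the private key for the public key it wants certified.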

Data flow: Activating an Android device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Make sure the activation profile "MDM controls," "Work and personal - full control (Secure Work Space)," or "Work and personal - user privacy (Secure Work Space)" is assigned to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client requests all configuration information and sends the device and software information to BES12. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX MDM and is running a supported MDM version. If the device uses KNOX MDM, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM IT policy rules from BES12.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - full control (Secure Work Space)" or "Work and personal - user privacy (Secure Work Space)," after the activation is completed the user is prompted to create a work space password. Additionally, the user may be prompted to install or may need to manually install some or all of the following apps:
- Secure Work Space
- Work Space Manager
- Documents To Go
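Steps 6 and 7 above (the same prompt appears in the KNOX Workspace, Android for Work, and iOS flows that follow) leave the trust decision for an untrusted BES12 certificate to the user, who sees only the Common Name and fingerprint. The check a practitioner wants is that the fingerprint matches a value obtained out of band, not that the user tapped Accept. The Go program below is an added example written for this guide, not BES12 or BlackBerry client code: it computes the SHA-256 fingerprint of a DER certificate in the colon-separated form such prompts display, and builds a TLS client configuration that rejects any server whose leaf certificate does not match the pinned fingerprint, even one with the same Common Name. The host name bes12.example.com and the self-signed certificates it tests against are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 digest of a DER certificate as colon-separated upper-case hex,
// the form an enrollment prompt shows and an administrator can read out over the phone.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// PinVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts the server only if
// the leaf certificate it presented has the pinned fingerprint. Case of the pin does not matter.
func PinVerifier(pinned string) func([][]byte, [][]*x509.Certificate) error {
	want := strings.ToUpper(pinned)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		if got := Fingerprint(rawCerts[0]); got != want {
			return fmt.Errorf("certificate fingerprint %s does not match pinned %s", got, want)
		}
		return nil
	}
}

// PinnedTLSConfig makes the pin the trust decision. InsecureSkipVerify only disables Go's chain
// building against system roots; VerifyPeerCertificate still runs and fails the handshake on mismatch.
func PinnedTLSConfig(serverName, pinned string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12,
		InsecureSkipVerify: true, VerifyPeerCertificate: PinVerifier(pinned)}
}

// SelfSignedDER builds a stand-in server certificate (constructed test data, not a BES12 certificate).
func SelfSignedDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), DNSNames: []string{cn}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	server := SelfSignedDER("bes12.example.com")
	pin := Fingerprint(server)
	fmt.Println("pin to distribute out of band:", pin)
	verify := PinnedTLSConfig("bes12.example.com", pin).VerifyPeerCertificate
	fmt.Println("genuine server:", verify([][]byte{server}, nil))
	fmt.Println("impostor with the same Common Name:", verify([][]byte{SelfSignedDER("bes12.example.com")}, nil))
}
```

The guide's own alternative is to preinstall the BES12 certificate so the client reports it as trusted; where that is not possible, publishing the fingerprint through a channel the user already trusts (the activation email is not one, since it arrives over the same network) and having the user compare it against the prompt is the manual equivalent of the check above.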

Data flow: Activating a device to use KNOX Workspace

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Make sure the "Work and personal - full control (Samsung KNOX)", "Work and personal - user privacy (Samsung KNOX)", or "Work space only - (Samsung KNOX)" activation type is assigned to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client requests all configuration information and sends the device and software information to BES12. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX Workspace and is running a supported version. If the device uses KNOX Workspace, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM and KNOX Workspace IT policy rules.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

After the activation is complete, the user is prompted to create a work space password that is used to set up and protect the KNOX Workspace. Data in the KNOX Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Note: If the device is activated with the "Work space only - (Samsung KNOX)" activation type, the personal space is removed when the KNOX Workspace is set up.

Data flow: Activating a device to use Android for Work

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address
      Note: Optionally, you can configure BES12 to create the Google account for the user during the activation process. When BES12 creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   c. Make sure the "Work and personal - user privacy (Android for Work)" or the "Work and personal - user privacy (Android for Work - Premium)" activation type is assigned to the user.
   d. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads the BES12 Client from Google Play and installs it on the device. After it is installed, the user opens the BES12 Client and enters their email address and activation password.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the managed Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
10. If the device is not encrypted, the user is prompted to encrypt the device.
11. The BES12 Client performs the following actions:
   a. Prompts the user for the user's Google account information
   b. Connects to the managed Google domain to authenticate the user
   c. Creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS
12. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
13. A mutually authenticated TLS session is established between the BES12 Client and BES12.
14. The BES12 Client requests all configuration information and sends the device and software information to BES12. BES12 stores the device information and sends the requested configuration information to the device.

15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

Data flow: Activating a device to use Android for Work with work space only

1. You perform the following actions:
   a. Verify that the user has a Google account that is associated with the user's work email address. Optionally, you can configure BES12 to create the Google account for the user during the activation process. When BES12 creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
   c. Make sure that the "Work space only (Android for Work)" or "Work space only (Android for Work - Premium)" activation type is assigned to the user.
   d. Set the user's activation password.
2. BES12 communicates with the Google domain to generate an activation token for the user. The activation token and the user's activation password are included in the activation email that is sent to the user's work email address.
3. The user resets their device to the factory default settings.
4. The device restarts and prompts the user to select a Wi-Fi network and to add an account.
5. The user taps the more button, taps Setup work device, and enters their email address and the activation token they received in their activation email.
6. The device communicates with the Google domain to validate the activation token. When the token is validated, the device performs the following actions:
   a. If the device is not encrypted, prompts the user to encrypt the device and restarts
   b. Downloads the BES12 Client from Google Play and installs it
7. The BES12 Client on the device prompts the user to type their email address and activation password.
8. The user types their email address and activation password.
9. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
10. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 server address for the user
   c. Sends the server address to the BES12 Client
11. The BES12 Client establishes a connection with BES12.
12. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted.
13. The user accepts the certificate.
14. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
15. BES12 performs the following actions:
   a. Determines the activation type assigned to the user account
   b. Connects to the Google domain to verify the user information
   c. Creates a device instance
   d. Associates the device instance with the specified user account
   e. Adds the enrollment session ID to an HTTP session
   f. Sends a successful authentication message to the device
16. The BES12 Client performs the following actions:
   a. Prompts the user for the user's Google account information
   b. Connects to the Google domain to authenticate the user
   c. Creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS
17. BES12 performs the following actions:

26 Ativting devies Vlidtes the lient ertifite request ginst the enrollment session ID in the HTTP session Signs the lient ertifite request with the root ertifite Sends the signed lient ertifite nd root ertifite k to the BES12 Client A mutully uthentited TLS session is estlished etween the BES12 Client nd BES The BES12 Client requests ll onfigurtion informtion nd sends the devie nd softwre informtion to BES BES12 stores the devie informtion nd sends the requested onfigurtion informtion to the devie. 20. The devie sends n knowledgment to BES12 tht it reeived nd pplied the onfigurtion informtion. The tivtion proess is omplete. Dt flow: Ativting n ios devie 1. If you pln to use Apple's Devie Enrollment Progrm, you perform the following tions: Mke sure tht BES12 is onfigured to synhronize with DEP Register the devie in DEP nd ssign it to n MDM server Assign n enrollment onfigurtion to the devie 2. You perform the following tions: Add user to BES12 s lol user ount or using the ount informtion retrieved from your ompny diretory Assign n tivtion profile to the user Use one of the following options to provide the user with tivtion detils: 26

      • Automatically generate a device activation password and send an email with activation instructions for the user
      • Set a device activation password and communicate the username and password to the user directly or by email
      • Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
3. If the device is registered in the Apple DEP, the device communicates with the Apple DEP web service during its initial setup. If you configured the device to install the BES12 Client, the device automatically downloads and installs it.
4. If the device is not registered in the Apple DEP or if you did not configure the device to install the BES12 Client, the user manually downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
5. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
6. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
7. The BES12 Client establishes a connection with BES12.
8. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
9. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
10. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
11. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
12. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
   A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the link for the native MDM Daemon activation. The BES12 Client establishes a connection to BES12.
14. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
15. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
16. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
17. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and device issued certificate.
18. BES12 sends the CA certificate, CA capabilities information, and the device issued certificate to the native MDM Daemon.
19. The native MDM Daemon installs the MDM profile on the device. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information and sends the device and software information to BES12.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control," after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
   • Work Connect
   • Work Browser
   • Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Data flow: Activating a Windows 10 device

1. You perform the following actions:
   a. Configure the discovery service to simplify Windows 10 activations
   b. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   c. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user.
      • Set a device activation password and select the option to send the activation information to the user by email.
      • Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password and view their server address.
   d. Provide the user a CA certificate generated by BES12 to install on their device
2. The user completes the following actions on their device:
   a. Checks that the device has Internet connectivity on port 443
   b. Opens and installs the certificate
   c. Navigates to Settings > Accounts > Work access and taps Connect
   d. When prompted, enters their email address and activation password they received in the activation email
3. The device establishes a connection to the discovery service that you configured to simplify Windows 10 activations in your organization.

4. The discovery service checks that the SRP ID for the BES12 server is valid and redirects the device to BES12.
5. The device sends an activation request to BES12 on port 443. The activation request includes the username, password, device operating system, and unique device identifier.
6. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
7. The device creates a CSR and sends it to BES12 over HTTPS. The CSR contains the username and activation password.
8. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device. All communication between the device and BES12 is now mutually authenticated end to end using these certificates.
9. The device requests all configuration information.
10. BES12 stores the device information in the database and sends configuration information to the device.
11. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.
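The enrollment session and CSR steps that the Android for Work, iOS and Windows 10 flows above share (credentials checked, enrollment session ID created, CSR validated against that session, signed with the root certificate, client and root certificate returned) as an added example, not BES12 code. It uses the Python cryptography package and a constructed root CA, activation password and device identifier; the point it models is that a CSR is only signed inside an enrollment session that an earlier successful activation request created.

```python
# Added example, not BES12 code: a model of the enrollment session / CSR steps.
import uuid
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ACTIVATION_PASSWORD = "Act1vate-9x"  # constructed; stands in for the password BES12 stored
PEM = serialization.Encoding.PEM

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, public_key, signing_key, days, ca=False):
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256())

class EnrollmentServer:
    """Server side: the activation request (credentials checked, enrollment session ID
    created) and the CSR request that must arrive in that same session."""
    def __init__(self):
        self.ca_key = ec.generate_private_key(ec.SECP256R1())  # constructed root CA
        self.ca_cert = _cert(_name("Example Root CA"), _name("Example Root CA"),
                             self.ca_key.public_key(), self.ca_key, 3650, ca=True)
        self.sessions = {}  # enrollment session ID -> (username, device_id)

    def activate(self, username, password, device_id):
        if password != ACTIVATION_PASSWORD:
            return None  # no session ID, so a later CSR has nothing to bind to
        session_id = str(uuid.uuid4())
        self.sessions[session_id] = (username, device_id)
        return session_id

    def sign_csr(self, session_id, csr_pem):
        if session_id not in self.sessions:
            raise PermissionError("CSR not bound to an authenticated enrollment session")
        csr = x509.load_pem_x509_csr(csr_pem)
        if not csr.is_signature_valid:
            raise ValueError("CSR signature does not verify against its public key")
        _username, device_id = self.sessions.pop(session_id)  # one CSR per session
        cert = _cert(_name(device_id), self.ca_cert.subject, csr.public_key(), self.ca_key, 365)
        return cert.public_bytes(PEM), self.ca_cert.public_bytes(PEM)

def enroll_device(server, username, password, device_id):
    """Client side; returns the issued certificate's CN after checking it chains to the returned root."""
    session_id = server.activate(username, password, device_id)
    if session_id is None:
        return None
    key = ec.generate_private_key(ec.SECP256R1())  # device key never leaves the device
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(device_id)).sign(key, hashes.SHA256())
    cert_pem, root_pem = server.sign_csr(session_id, csr.public_bytes(PEM))
    cert = x509.load_pem_x509_certificate(cert_pem)
    root = x509.load_pem_x509_certificate(root_pem)
    root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```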

Data flow: Activating a Windows Phone 8.1 device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user
      • Set a device activation password and communicate the username and password to the user directly or by email
      • Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the Windows Phone 8.1 device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
   A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation. The BES12 Client sends the device information to BES12.
13. The user copies the server address and navigates to the Windows Phone settings to complete the activation. The user adds an account using their username and activation password and pastes the server address.
14. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
15. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device. All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.
16. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
17. BES12 acknowledges that the MDM activation is complete.
18. The BES12 Client requests all configuration information.

19. BES12 stores the device information in the database and sends configuration information to the device.
20. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

Data flow: Activating a BlackBerry OS device

1. You use the management console to create a new user account and use one of the following options to provide the user with activation details:
   • Automatically generate a device activation password and send an email with activation instructions for the user
   • Set a device activation password and communicate the username and password to the user directly or by email
   • Don't set a device activation password and communicate the BlackBerry Web Desktop Manager address to the user so that they can set their own activation password
   The device user list stored in the BES12 database is updated with the new device user name, email address, mailbox information, activation password, activation status, and other information.
2. The BlackBerry Dispatcher for BlackBerry OS assigns the new user to a BlackBerry Messaging Agent. The BlackBerry Messaging Agent starts to monitor the user's mailbox on the mail server for new email. An email containing an etp.dat file attachment is required to continue the activation process.
3. The device user navigates to the Enterprise Activation screen on the BlackBerry OS (version 5.0 to 7.1) device and types the email address and activation password. The device user opens the menu and clicks Activate. The device displays "Activating."

4. The device creates an activation request email that contains the email address, device PIN, and public key authentication information, based on the enterprise activation password the user typed. The device encrypts the email using SPEKE and sends it to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure receives the activation request email and identifies it as an activation request. The BlackBerry Infrastructure forwards the email using SMTP to the email address that the user typed on the Enterprise Activation screen.
6. When the activation request email arrives in the user's mailbox, the BlackBerry Messaging Agent identifies it and removes it from the user's mailbox. The BlackBerry Messaging Agent recognizes the etp.dat attachment in the activation request email and begins an authentication process.
7. The BlackBerry Messaging Agent compares the authentication key received in the activation request email with the authentication key generated from the activation password and stored in the BES12 database. If the authentication keys match, the BlackBerry Messaging Agent notifies the BlackBerry OS device that the activation request was received.
8. BES12 and the BlackBerry OS device establish an encryption key and verify their knowledge of the encryption key to each other. The BlackBerry OS device displays "Encryption Verified. Waiting for Services." All the data sent between the BlackBerry OS device and BES12 from now on is compressed and encrypted using this encryption key, and the device can now be managed from the management console.
9. The BlackBerry Messaging Agent forwards a request to the BlackBerry Policy Service to generate service books. The BlackBerry Policy Service receives and queues the request. The BlackBerry Policy Service adds the unique authentication key that the BES12 domain uses to sign IT policy data and then forwards the IT policy data through the BlackBerry Dispatcher for BlackBerry OS to the device. The BlackBerry Policy Service waits for confirmation from the device that the IT policy has been applied successfully.
10. The BlackBerry OS device applies the IT policy and sends confirmation to BES12. The IT policy applied to the BlackBerry OS device is now in a read-only state and can be modified only by updates sent from the same BES12 domain.
11. Once the BlackBerry Policy Service receives confirmation that the IT policy was applied successfully, the BlackBerry Policy Service generates and sends the service books to the BlackBerry OS device.
12. The BlackBerry OS device receives the service books. The device user is notified that the email address has been activated. The BlackBerry OS device displays "Services Received. Your email address, <username>@<domain>.com is now enabled." The device user can now send and receive email messages on the BlackBerry OS device.
13. The slow synchronization process begins. The BlackBerry OS device requests the synchronization configuration information from the BlackBerry Synchronization Service. The configuration information indicates whether wireless data synchronization on BES12 is turned on and which organizer databases can be synchronized. The configuration information also provides database synchronization types (unidirectional or bidirectional) and conflict resolution settings.
14. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases on the BlackBerry OS device using that information. The BlackBerry OS device and BES12 do not delete records during the initial synchronization process.

15. The slow synchronization process is complete when all databases are synchronized between the BlackBerry OS device and BES12. The activation process is complete when the BlackBerry OS device displays "Activation Complete" and the device user account status displays "Completed" in the management console or BlackBerry Administration Service.

Receiving configuration updates

When you use the management console to send device commands, such as lock device or delete the work data, or when you perform other device management tasks, such as updates to policy, profile, and app settings or assignments, you trigger a configuration update for the device.

When a configuration update needs to be sent to a device, BES12 notifies the devices, except Windows Phone 8.0 devices, that a configuration update is pending. Windows Phone 8.0 devices poll BES12 every hour to request pending updates. Other devices poll BES12 regularly to ask for any actions that need to be run on the device, to prevent any configuration update from being missed if a notification is not received on the device.

On BlackBerry 10 devices, the Enterprise Management Agent receives and completes all configuration updates. On Android devices, the BES12 Client receives and completes all configuration updates. On iOS and Windows Phone devices, the BES12 Client displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on iOS and Windows devices complements the BES12 Client and receives and completes all configuration updates sent to the device.

Data flow: Receiving configuration updates on a BlackBerry 10 device