Configuration Guide. BES12 Cloud

Transcription

1 Configuration Guide BES12 Cloud

2 Published: SWD

3 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need to configure BES Obtaining and activating licenses... 8 Establishing a secure connection between your resources and BES12 Cloud... 9 Architecture: BlackBerry Cloud Connector... 9 Steps to establish a secure connection between your resources and BES12 Cloud Prerequisites: Installing the BlackBerry Cloud Connector...11 Installing and upgrading the BlackBerry Cloud Connector...11 Download the installation and activation files Install and configure the BlackBerry Cloud Connector Upgrade the BlackBerry Cloud Connector View the status of the BlackBerry Cloud Connector...16 Configuring BES12 to use the BlackBerry Router or a TCP proxy server Installing a standalone BlackBerry Router Configuring a proxy server when logging in to BES12 for the first time Comparing TCP proxies...18 Configuring a TCP proxy server...19 Configuring the BlackBerry Router Enabling directory-linked groups...21 Enable directory-linked groups Synchronize a company directory connection View a directory synchronization report Adding a synchronization schedule Troubleshooting BlackBerry Cloud Connector issues The BlackBerry Cloud Connector does not activate with BES12 Cloud The BlackBerry Cloud Connector does not connect with the company directory...26 The BlackBerry Cloud Connector does not connect with BES12 Cloud Obtaining an APNs certificate to manage ios and OS X devices...28 Steps to obtain an APNs certificate... 28

4 Obtain a signed CSR from BlackBerry...28 Request an APNs certificate from Apple Register the APNs certificate...29 Renew the APNs certificate...30 Troubleshooting APNs...30 The APNs certificate does not match the CSR. Provide the correct APNs file (.pem) or submit a new CSR I cannot activate ios or OS X devices...31 Controlling which devices can access Exchange ActiveSync Steps to configure Exchange ActiveSync and the BlackBerry Gatekeeping Service...32 Configure permissions for gatekeeping...33 Allow only authorized devices to access Exchange ActiveSync Configure Microsoft Exchange to allow only authorized devices to access Exchange ActiveSync...34 Configure the mobile device access policy in Microsoft Office Configure Microsoft IIS permissions for gatekeeping Create a gatekeeping configuration Configuring BES12 to support Android for Work...37 Configuring BES12 for DEP Steps to configure BES12 for DEP Create a DEP account Download a public key Generate a server token Register the server token with BES Add an enrollment configuration Update the server token...41 Remove the DEP connection Setting up BES12 Self-Service for users Set up BES12 Self-Service Configuring BES12 to synchronize with the Windows Store for Business...43 Steps to configure BES12 to synchronize with the Windows Store for Business...43 Create and configure a Microsoft Azure account...44 Get the Client ID, Client key, and OAuth 2.0 token endpoint Create an administrator for the Windows Store for Business...45 Glossary... 47

5 Legal notice...48

6 About this guide About this guide 1 BES12 Cloud helps you manage BlackBerry 10, ios, OS X, Android, and Windows devices for your organization. This guide provides instructions for configuring BES12 Cloud to meet your organization's needs. This guide is intended for senior IT professionals who are responsible for setting up and deploying the product. Before you can complete the tasks in this guide, you need to activate licenses. For more information about activating licenses, see the Licensing content. After you complete the tasks in this guide, see the Administration content to learn how to manage the BES12 domain. 6

7 Getting started Getting started 2 Configuring BES12 for the first time The following table summarizes the configuration tasks covered in this guide. The tasks are optional based on your organization's needs. Use this table to determine which configuration tasks you should complete. After you complete the appropriate tasks, you are ready to set up administrators, set up device controls, create users and groups, and activate devices. Task Establish a secure connection between your organization's resources and BES12 Cloud Obtain and register an APNs certificate Control which devices can access Exchange ActiveSync Configure BES12 to support Android for Work Configure BES12 for Apple's Device Enrollment Program Required or Optional Optional Optional Optional Optional Optional Description You can install, activate, and configure the BlackBerry Cloud Connector to establish a secure connection between your organization's resources, such as Microsoft Active Directory or an LDAP directory, and BES12 Cloud. If you want to manage and send data to ios or OS X devices, you must obtain a signed CSR from BlackBerry, use it to obtain an APNs certificate from Apple, and register the APNs certificate with the BES12 domain. If you configured Microsoft Exchange to block devices from accessing work and organizer data unless the devices are added to an allowed list, you must create a Microsoft Exchange configuration in BES12. To support Android for Work, you need to configure your Google Apps for Work or Google for Work domain to support third-party mobile device management providers and configure BES12 to communicate with your Google Apps for Work or Google for Work domain. If you want to use the BES12 management console to manage ios devices that your organization purchased from Apple for DEP, you must configure BES12. Set up BES12 Self-Service Optional If you want to allow users to perform certain management tasks such as changing their passwords, you can set up and distribute the BES12 Self-Service web application. 7

8 Getting started Task Configure BES12 to synchronize with the Windows Store for Business Required or Optional Optional Description If you want to manage Windows 10 apps, you must configure BES12 to synchronize with the Windows Store for Business. Administrator permissions you need to configure BES12 When you perform the configuration tasks in this guide, log in to the management console using the administrator account that you created when you installed BES12. If you want more than one person to complete configuration tasks, you can create additional administrator accounts. For more information about creating administrator accounts, see the Administration content. If you create additional administrator accounts to configure BES12, you should assign the Security Administrator role to the accounts. The default Security Administrator role has the necessary permissions to complete any configuration task. Obtaining and activating licenses To activate devices in your organization's BES12 domain, you must obtain and activate the necessary licenses. You should activate licenses before you follow the configuration instructions in this guide, and before you add user accounts. For more information about the different types of licenses and how to activate licenses, see the Licensing content. 8

9 Establishing a secure connection between your resources and BES12 Cloud Establishing a secure connection between your resources and BES12 Cloud 2 You can install, activate, and configure the BlackBerry Cloud Connector to establish a secure connection between your organization's resources and BES12 Cloud. If you install the BlackBerry Cloud Connector, your organization can take advantage of the following features: BES12 Cloud can access your organization's company directory. You can create directory user accounts by searching for and importing user data from the company directory. Directory user accounts are different from local user accounts, which you create by manually adding user information in the management console. BES12 Cloud synchronizes user data with the company directory daily. You can configure when the automatic synchronization begins. You can also start the synchronization process manually for an individual. Directory users can use their directory credentials to access BES12 Self-Service. You can assign an administrative role to directory users to make them administrators. The users can then log in to the management console using their directory credentials. The BlackBerry Cloud Connector is a Java process. The installation and activation files for the BlackBerry Cloud Connector are available from the management console. Architecture: BlackBerry Cloud Connector The diagram above shows the components that the BlackBerry Cloud Connector interacts with. For more information about the BES12 Cloud architecture, see the Overview and what s new content. 9

10 Establishing a secure connection between your resources and BES12 Cloud Component BlackBerry Cloud Connector Company directory Description The BlackBerry Cloud Connector is a Java process that provides a secure connection through your firewall for communication between BES12 Cloud and your company directory. You install the BlackBerry Cloud Connector behind your organization's firewall. Using the management console, you activate the BlackBerry Cloud Connector with BES12 Cloud and you connect it to the company directory. The company directory is any service that your organization uses to manage user accounts for employees. BES12 Cloud supports: Microsoft Active Directory LDAP Proxy server (optional) BES12 Cloud You can configure the BlackBerry Cloud Connector to send data to and from BES12 Cloud through a proxy server that is behind your organization s firewall. BES12 Cloud is a cloud-based service hosted in the BlackBerry Infrastructure that you can use to manage BlackBerry 10, ios, Android, and Windows Phone devices. You access the management console, which is hosted in the cloud, to manage users devices. Steps to establish a secure connection between your resources and BES12 Cloud To allow BES12 Cloud to establish a secure connection with your organization's resources, perform the following actions: Verify that your organization meets the requirements to install the BlackBerry Cloud Connector. Download the installation and activation file for the BlackBerry Cloud Connector from the management console. Install, activate, and configure the BlackBerry Cloud Connector. If necessary, configure proxy settings for the BlackBerry Cloud Connector. Test the connection between the BlackBerry Cloud Connector and BES12 Cloud. 10

11 Establishing a secure connection between your resources and BES12 Cloud Note: You cannot install the BlackBerry Cloud Connector on a computer that has BES12 installed on it. Prerequisites: Installing the BlackBerry Cloud Connector To verify that your environment meets the requirements for installing the BlackBerry Cloud Connector, see the Compatibility matrix. Verify that the BlackBerry Cloud Connector will be installed on a computer that is reserved for technical purposes, instead of a computer that is used for everyday work. The computer must be able to access the Internet and your company directory. Verify that your computer is running Windows PowerShell 2.0 or later for RRAS for BlackBerry Secure Connect Plus set up during the installation, and optionally Exchange ActiveSync Gatekeeping. Note: If the setup application cannot install RRAS on your computer you must stop the installation, install it manually, and restart the installation. Windows PowerShell 2.0 or later is required to run RRAS when installing BES12 Cloud. For more information about installing RRAS manually, visit technet.microsoft.com. Choose a directory account with read permissions that the BlackBerry Cloud Connector can use to access the company directory. Use a BES12 Cloud account with sufficient permissions to download the BlackBerry Cloud Connector software and activation file. Use a Windows account with sufficient permissions to install and configure software on the computer designated for the installation of the BlackBerry Cloud Connector. Verify that the following outbound ports are open in your organization's firewall so that the BlackBerry Cloud Connector (and any proxy servers that you want it to use) can communicate with BES12 Cloud: 3101 (TCP) 443 (HTTPS) Note: You can access the BlackBerry Cloud Connector only from a browser on the same computer that the BlackBerry Cloud Connector is installed on. Installing and upgrading the BlackBerry Cloud Connector Follow the instructions in this section to install or upgrade the BlackBerry Cloud Connector. 11

12 Establishing a secure connection between your resources and BES12 Cloud You can install two instances of the BlackBerry Cloud Connector to provide redundancy. BES12 Cloud does not support more than two BlackBerry Cloud Connector instances. You must install each instance on a different computer that is reserved for technical use. Do not use a computer that is used for daily tasks such as . Use the same company directory configuration for both instances. Download the installation and activation files Before you begin: Use an administrator account with sufficient permissions to perform installation and configuration tasks. 1. In the BES12 Cloud management console, on the menu bar, click Settings. 2. In the left pane, click External integration > BlackBerry Cloud Connector. 3. Click Add BlackBerry Cloud Connector. 4. In the Step 1: Download BlackBerry Cloud Connector section, click Download. 5. On the software download page, answer the required questions and click Download. Save the BlackBerry Cloud Connector installation file (.exe). 6. In the Step 2: Generate and download activation file section, click Generate and download activation file. 7. Save the activation file (.txt). The activation file is valid for 60 minutes. If you wait longer than 60 minutes before you use the activation file, repeat steps 6 and 7 to generate a new activation file. Only the latest activation file is valid. After you finish: Install and configure the BlackBerry Cloud Connector. Install and configure the BlackBerry Cloud Connector Before you begin: Download the installation and activation files. Use an administrator account with sufficient permissions to install and configure software. Note: You cannot install the BlackBerry Cloud Connector on a computer that has BES12 installed on it. 1. Open the BlackBerry Cloud Connector installation file (.exe) that you downloaded from the management console. If a Windows message appears and requests permission to make changes to the computer, click Yes. 2. Choose your language. Click OK. 3. On the splash screen, click Next. 4. Select your country or region. Read and accept the license agreement. Click Next. 5. The installation program verifies that your computer meets the installation requirements. Click Next. 6. To change the installation file path, click... and navigate to the file path that you want to use (optional). Click Install. 12

13 Establishing a secure connection between your resources and BES12 Cloud 7. When the installation completes, click Next. A console addresses panel for the BlackBerry Cloud Connector opens. 8. To open the BlackBerry Cloud Connector management console, click the link on the console addresses panel before you close the setup application, or manually enter the address in your browser. Click Close to close the setup application. 9. Select your language. Click Next. 10. When you activate the BlackBerry Cloud Connector, it sends data over HTTPS to enroll with BES12. After it is activated, the BlackBerry Cloud Connector sends and receives data over TCP. If you want to send data through a proxy behind your organization's firewall, see Configure BES12 to use a transparent TCP proxy server. 11. In the Friendly name field, type a name for the BlackBerry Cloud Connector. Click Next. 12. Click Browse. Select the activation file that you downloaded from the management console. 13. Click Activate. 14. In the drop-down list, click the type of company directory that your organization uses. 15. Click Configure. 16. Follow the steps for your organization s directory type: Directory type Microsoft Active Directory Steps 1. In the Username field, type the username of the Microsoft Active Directory account. 2. In the Domain field, type the FQDN of the domain that hosts Microsoft Active Directory. For example: domain.example.com. 3. In the Password field, type the password of the Microsoft Active Directory account. 4. In the Domain controller discovery drop-down list, click one of the following: If you want automatic discovery, click Automatic. If you want to specify the domain controller computer, click Select from list below. Click + and type the FQDN of the computer. Repeat this step to add more computers. 5. In the Global catalog search base field, type the search base that you want to access (for example, OU=Users,DC=example,DC=com). To search the entire Global Catalog, leave the field blank. 6. In the Global catalog discovery drop-down list, click one of the following: 7. Click Save. If you want automatic catalog discovery, click Automatic. If you want to specify the catalog computer, click Select from list below. Click + and type the FQDN of the computer. If necessary, repeat this step to specify more computers. 13

14 Establishing a secure connection between your resources and BES12 Cloud Directory type Steps LDAP directory 1. In the LDAP computer discovery drop-down list, click one of the following: If you want automatic discovery, click Automatic. In the DNS domain name field, type the DNS domain name. If you want to specify the LDAP computer, click Select from list below. Click + and type the FQDN of the computer. Repeat this step to add more computers. 2. In the Enable SSL drop-down list, select whether you want to enable SSL authentication for LDAP traffic. If you click Yes, click Browse and select the SSL certificate for the LDAP computer. 3. In the LDAP port field, type the port number of the LDAP computer. 4. In the Authorization required drop-down list, select whether BES12 Cloud must authenticate with the LDAP computer. If you click Yes, type the username and password of the LDAP account. The username must be in DN format (for example, CN=Megan Ball,OU=Sales,DC=example,DC=com). 5. In the Search base field, type the search base that you want to access (for example, OU=Users,DC=example,DC=com). 6. In the LDAP user search filter field, type the filter that you want to use for LDAP users. For example: (&(objectcategory=person)(objectclass=user) (memberof=cn=local,ou=users,dc=example,dc=com)). 7. In the LDAP user search scope drop-down list, click one of the following: If you want user searches to apply to all levels below the base DN, click All levels. If you want to limit user searches to one level below the base DN, click One level. 8. In the Unique identifier field, type the attribute for each user s unique identifier (for example, uid). The attribute must be immutable and globally unique for every user. 9. In the First name field, type the attribute for each user s first name (for example, givenname). 10. In the Last name field, type the attribute for each user s last name (for example, sn). 11. In the Login attribute field, type the attribute for each user s login attribute (for example, cn). This attribute is used for the value that users type to log in to BES12 Self-Service with their directory credentials. 12. In the field, type the attribute for each user s (for example, mail). 13. In the Display name field, type the attribute for each user s display name (for example, displayname). 14

15 Establishing a secure connection between your resources and BES12 Cloud Directory type Steps 14. In the profile account name field, type the attribute for each user s profile account name (for example, mail). 15. Click Save. 17. In the management console, click Settings. 18. In the left pane, click External integration > BlackBerry Cloud Connector. 19. In the Step 4: Test connection section, click Next. After you finish: To install a second BlackBerry Cloud Connector instance for redundancy, download another set of installation and activation files and repeat this task on a different computer. When you configure a second instance, use the same directory configuration. This should be done after the first instance has been installed and activated. If necessary, configure proxy settings for the BlackBerry Cloud Connector. To change the directory settings that you configured, in the BlackBerry Cloud Connector management console, click General settings > Company directory, then click for the directory connection. To delete a directory configuration, in the BlackBerry Cloud Connector management console, click General settings > Company directory, then click for the directory connection. Upgrade the BlackBerry Cloud Connector Before you begin: Use an administrator account with sufficient permissions to install and configure software. 1. Log in to the BlackBerry Cloud Connector management console. 2. Record all of your directory configuration settings. 3. Log in to the BES12 Cloud management console. 4. Download the BlackBerry Cloud Connector installation and activation files. For instructions, see Download the installation and activation files. 5. Install and configure the BlackBerry Cloud Connector using the information you recorded in step 2. For instructions, see Install and configure the BlackBerry Cloud Connector. Note: If you changed the BlackBerry Cloud Connector port and you are using Google Chrome as your default browser, the desktop shortcut may not be updated with the new port until you restart the computer. The BlackBerry Cloud Connector management console is still accessible by manually typing in the address with the new port number. 15

16 Establishing a secure connection between your resources and BES12 Cloud View the status of the BlackBerry Cloud Connector 1. In the BES12 Cloud management console, on the menu bar, click Settings. 2. In the left pane, click External integration > BlackBerry Cloud Connector. Configuring BES12 to use the BlackBerry Router or a TCP proxy server To use a proxy server with BES12, you can install the BlackBerry Router to act as a proxy server, or use a TCP proxy server that is already installed in your environment. You can install the BlackBerry Router or a proxy server outside your organization s firewall in a DMZ. Installing the BlackBerry Router or a TCP proxy server in a DMZ provides an extra level of security for BES12. Only the BlackBerry Router or the proxy server connects to BES12 from outside the firewall. All connections to the BlackBerry Infrastructure between BES12 and devices go through the BlackBerry Router or the proxy server. By default, BES12 connects directly to the BlackBerry Infrastructure using port However, if your organization's security policy requires that internal systems cannot connect directly to the Internet, you can install the BlackBerry Router or a TCP proxy server. The BlackBerry Router or TCP proxy server acts as an intermediary between BES12 and the BlackBerry Infrastructure. This image shows the following options for configuring BES12 to use a proxy server: no proxy server, a TCP proxy server deployed in a DMZ, and the BlackBerry Router deployed in a DMZ. 16

17 Establishing a secure connection between your resources and BES12 Cloud Installing a standalone BlackBerry Router The BlackBerry Router is an optional component that you can install in a DMZ outside your organization's firewall. The BlackBerry Router connects to the Internet to send data between BES12 and devices that use the BlackBerry Infrastructure. The BlackBerry Router functions as a proxy server and can support SOCKS v5 (no authentication). Note: If your current environment contains a TCP proxy server, you do not need to install the BlackBerry Router for BES12. Install a standalone BlackBerry Router Before you begin: Make sure that you have the name of the SRP host. The SRP host name is usually <country code>.srp.blackberry.com (for example, us.srp.blackberry.com). To verify the SRP host name for your country, visit the SRP Address Lookup page. Install a standalone BlackBerry Router instance on a computer that does not host any other BES12 components. Note: You cannot install the BlackBerry Router on a computer that hosts the BlackBerry Cloud Connector. 1. Download and extract the BES12 Installation.zip file on your computer. 2. From the extracted BES12 installation files, open the router folder. 3. Extract the setupinstaller.zip file from the router folder. This.zip file contains an Installer folder that has the Setup.exe file that you use to install the BlackBerry Router using the command prompt window. 4. Go to Start > All Programs > Accessories > Command Prompt. 17

18 Establishing a secure connection between your resources and BES12 Cloud 5. In the command prompt window, right-click and select Run as administrator. 6. In the command prompt window, navigate to the location of the BlackBerry Router Setup.exe file. 7. Type Setup.exe -srphost <srphostname> (for example, Setup.exe -srphost ca.srp.blackberry.com). Configuring a proxy server when logging in to BES12 for the first time You may be prompted to configure your initial BlackBerry Router instance or TCP proxy server when you log in to the BlackBerry Cloud Connector console for the first time. If you configure the proxy server, you may need to perform extra configuration for the BlackBerry Router or TCP proxy server in the management console. You can configure more BlackBerry Router or TCP proxy server instances after you have logged in to the BlackBerry Cloud Connector console. Comparing TCP proxies Proxy Description Transparent TCP proxy Intercepts normal communication at the network layer without requiring any special client configuration Requires no client browser configuration Usually located between the client and the Internet Performs some of the functions of a gateway or router Often used to enforce acceptable use policy Commonly used by ISPs in some countries to save upstream bandwidth and improve customer response times through caching SOCKS v5 proxy An Internet protocol for handling Internet traffic through a proxy server Can be handled with virtually any TCP/UDP application, including browsers and FTP clients that support SOCKS Can be a good solution for Internet anonymity and security Routes network packets between a client and server through a proxy server Can provide authentication so only authorized users can access a server Proxies TCP connections to an arbitrary IP address Can anonymize UDP protocols and TCP protocols like HTTP 18

19 Establishing a secure connection between your resources and BES12 Cloud Configuring a TCP proxy server When you activate the BlackBerry Cloud Connector, it sends data over HTTPS to activate with BES12 Cloud. After it is activated, the BlackBerry Cloud Connector sends and receives data over TCP. You can configure the BlackBerry Cloud Connector to route HTTPS or TCP data through a proxy server that is behind your organization s firewall. The BlackBerry Cloud Connector does not support authentication with a proxy server. You can configure multiple TCP proxy servers configured with SOCKS v5 (no authentication) to connect to BES12. Multiple TCP proxy servers configured with SOCKS v5 (no authentication) can provide support if one of the active proxy server instances is not functioning correctly. You configure only a single port that all SOCKS v5 (no authentication) service instances must listen on. If you are configuring more than one TCP proxy server with SOCKS v5 (no authentication), each server with SOCKS v5 must share the proxy listening port. Configure BES12 to use a transparent TCP proxy server Before you begin: Install a compatible transparent TCP proxy server in the BES12 domain. Use an administrator account with sufficient permissions to configure the BlackBerry Cloud Connector settings. 1. In the BlackBerry Cloud Connector management console, click General settings > Proxy. 2. Select the Proxy server option. 3. Perform any of the following tasks: Task Route HTTPS activation data through a proxy server Route TCP data through a TCP proxy server Steps In the Enrollment proxy fields, type the FQDN or IP address and the port number of the proxy server. In the BlackBerry Cloud Connector fields, type the FQDN or IP address and the port number of the proxy server. 4. Click Save. Enable SOCKS v5 on a TCP proxy server Before you begin: Install a compatible TCP proxy server with SOCKS v5 (no authentication) in the BES12 domain. 1. In the BlackBerry Cloud Connector management console, click General settings > Proxy. 2. Select the Proxy server option. 3. Select the Enable SOCKS v5 check box. 19

20 Establishing a secure connection between your resources and BES12 Cloud 4. Click. 5. In the Server address field, type the IP address or host name of the SOCKS v5 proxy server. 6. Click Add. 7. Repeat steps 1 to 6 for each SOCKS v5 proxy server that you want to configure. 8. In the Port field, type the port number. 9. Click Save. Configuring the BlackBerry Router You can configure multiple BlackBerry Router instances to connect to BES12 to provide high availability for the BlackBerry Router. You configure only one port for BlackBerry Router instances to listen on. By default, BES12 connects to the BlackBerry Router using port 3102 to connect to BES12 services. If you connect BES12 services to the BlackBerry Router, the BlackBerry Router supports all outbound traffic from the BES12 services. Note: If you want to use a port other than the default port for the BlackBerry Router, visit to read article KB Configure BES12 to use the BlackBerry Router Before you begin: Install the BlackBerry Router in the BES12 domain. 1. In the BlackBerry Cloud Connector management console, click General settings > Proxy. 2. Select the BlackBerry Router option. 3. Click. 4. In the Router address field, type the IP address or host name of the BlackBerry Router instance that you want to connect to BES Click Add. 6. Repeat steps 1 to 5 for each BlackBerry Router instance that you want to configure. 7. In the Port field, type the port number that all BlackBerry Router instances listen on. The default value is Click Save. 20

21 Establishing a secure connection between your resources and BES12 Cloud Enabling directory-linked groups You can create groups that are linked to groups in your company directory. You can configure BES12 to automatically synchronize the membership of a directory-linked group to its associated company directory groups. When you enable directory-linked groups, you can enable onboarding and offboarding, force the synchronization process, set the maximum number of changes per synchronization, and set the number of nested levels for the linked groups. Item Enable onboarding Description Onboarding allows you to automatically add user accounts to BES12 based on user membership in a company directory group. You must add company directory groups to the Onboarding directory groups section. User accounts from those company directory groups are automatically added to BES12 during the synchronization process. You can configure onboarded users to either receive an with an autogenerated device activation password or you can choose to not set a device activation password Offboarding Optionally, you can set up offboarding. Offboarding occurs when a user is removed from all company directory groups in the Onboarding directory groups list and offboarding is enabled. You can select the following the enforcement action options you want BES12 to take when a user is offboarded: Delete device data when the user is removed from all onboarding directory groups Delete only work data Delete all device data Delete all device data for corporate owned/delete only work data for individually owned Delete user when the user is removed from all onboarding directory groups Depending on the offboarding settings, company directory users, their devices, or both, they are automatically deleted from BES12 when they are deleted from all company directory groups configured for onboarding. They will be removed from BES12 if they do not belong to a company directory group configured for onboarding. The offboarding settings also apply to existing directory users in 21

22 Establishing a secure connection between your resources and BES12 Cloud Item Description BES12. It is recommended that you click the preview icon to generate the directory synchronization report to verify the changes. Force synchronization Force synchronization determines the synchronization behavior when a company directory group is deleted from the company directory. If a company directory group no longer exists when force synchronization is enabled, the company directory group is removed from the onboarding directory groups list and from any directory-linked groups during the synchronization process. When force synchronization is enabled, and if all the company directory groups linked to it are no longer in your company directory, a directory-linked group is converted to a local group. When force synchronization is disabled and a company directory group is not found in your company directory, the synchronization process is canceled. Sync limit If the number of changes exceeds the maximum number of changes for each synchronization, you can prevent the synchronization process from running. Before the synchronization process begins, the total number of changes that will occur are calculated by adding together the number of users onboarded, the number of users offboarded, the number of users added to groups, and the number of users removed from groups. The default value is 5. If you want no limit to the number of changes, you must enter a value of 0. Maximum nesting level of directory groups You can configure the maximum number of levels in a company directory group that you want directory-linked groups to link to. You can link to an unlimited number of nested levels. Examples: The default is -1. Returns all levels. Entering 0 returns the top level only. Entering 1 returns the top level and the first nested level. For example, if a company directory group has 5 levels and you want to link to all the levels you type -1 in the field provided. If you want to link to the top level only you enter 0, or if you wanted to link to the top level and the first 4 levels, you type 4. For more information about creating directory-linked groups, see the Administration content. 22

23 Establishing a secure connection between your resources and BES12 Cloud Enable directory-linked groups Before you begin: Verify that a company directory synchronization is not in progress. You cannot save the changes you make to the company directory connection until the synchronization is complete. 1. On the menu bar, click Settings > External integration > Company directory. 2. Click Sync settings. 3. To enable directory-linked groups, select Enable directory-linked groups. 4. To enable onboarding, select Enable onboarding and perform the following actions for each group you want to onboard: Option Description Enable onboarding 1. In the Onboarding directory groups section, click. 2. In the Search group from directory field, type the company directory group name. 3. Click. 4. Select the company directory group in the search results list. 5. Click Add. 6. If necessary, select Link nested groups. 5. In the Device activation section, choose one of the following: To send users an with an automatically generated activation password, click Auto-generate device activation password and send with activation instructions. Enter the time an activation password remains valid and choose an activation template. To not set a device activation password, select Do not set device activation password. 6. To delete device data when a user if offboarded, select Delete device data when the user is removed from all onboarding directory groups and choose from the following options: Option To delete all the data on a users device when they are removed from a group Description 1. Select one of the following options: a b c Delete only work data Delete all device data Delete all device data for corporate owned/delete only work data for individually owed 23

24 Establishing a secure connection between your resources and BES12 Cloud Option To delete a user account from BES12 when a user is removed from all onboarding groups Description Select Delete user when the user is removed from all onboarding directory groups. 7. To force the synchronization of directory-linked groups, select Force synchronization. 8. In the Sync limit field, type the maximum number of changes you want to allow in one directory synchronization. Note: The default value is 5. This means that the synchronization will not be performed if there are more than 5 changes. For example, if you leave this value at five and there are more than 5 changes, the synchronization will not run. If you enter a value of 0, this means there is no limit on the number of changes that a synchronization will complete. 9. In the Maximum nesting level of directory groups field, enter the number of nested levels for company directory groups. The default is -1, which means all levels. If you want the top level, type 0; if you want the top level and the first level, type 1, and so on. 10. Click Save. After you finish: For information about creating directory-linked groups, see the Administration content. Synchronize a company directory connection 1. On the menu bar, click Settings > External integration > Company directory. 2. In the Sync column, click. View a directory synchronization report 1. On the menu bar, click Settings > External integration > Company directory. 2. In the Last report column, click the date. Adding a synchronization schedule BES12 lets you set up synchronization schedules that automatically synchronize BES12 and your company directory. There are three types of synchronization schedules that you can add: 24

25 Establishing a secure connection between your resources and BES12 Cloud Schedule type Interval Once a day No recurrence Description Interval lets you choose the length of time between each synchronization and the time frame you want the synchronization to occur. You can select the days of the week that you want synchronizations to occur. You can select more than one day. Once a day lets you choose the time of day the synchronization starts and the days of the week that you want the synchronizations to occur. You can select more than one day. No recurrence lets you configure a one time synchronization that starts on a time and day you select. On the Company directory screen, you can manually synchronize BES12 and your company directory at any time. Add a synchronization schedule 1. On the menu bar, click Settings > External integration > Company directory. 2. On the Sync schedule tab, click. 3. In the Recurrence field, perform one of the following actions: Option Description Interval 1. Select Interval. 2. Type the time in minutes between synchronizations. 3. In the Synchronize between (UTC) field, select the time to start the synchronizations and the time to stop the synchronizations. 4. Select the days of the week when you want synchronizations to occur. Once a day 1. Select Once a day. 2. Select the time when you want the synchronization to start. 3. Select the days of the week when you want the synchronizations to occur. No recurrence 1. Select No recurrence. 2. Select the time when you want the synchronization to start. 3. Select the day when you want the synchronization to occur. 4. Click Add. 25

26 Establishing a secure connection between your resources and BES12 Cloud Troubleshooting BlackBerry Cloud Connector issues When you troubleshoot issues with the BlackBerry Cloud Connector, consider the following common issues. The BlackBerry Cloud Connector does not activate with BES12 Cloud Description After you upload the activation file and click Activate, you receive an error message that the activation was not successful. Possible solutions Try any of the following: Verify that you uploaded the latest activation file that you generated in the management console. Only the latest activation file is valid. Activation files expire after 60 minutes. Generate and upload a new activation file, then try to activate again. The BlackBerry Cloud Connector does not connect with the company directory Description After you specify the information for your company directory and click Save, you receive an error message that the BlackBerry Cloud Connector cannot connect with the company directory. Possible solutions Try any of the following: Verify that you specified the correct settings for the company directory. Verify that you specified the correct login information for the directory account, and that the account has the necessary permissions to access the company directory. Verify that the correct ports are open in your organization's firewall. 26

27 Establishing a secure connection between your resources and BES12 Cloud Verify that you did not use the same activation file for two different installations. Verify that you are using the most recent activation file. Review the most recent log file for details about why the BlackBerry Cloud Connector cannot access the company directory. By default, the log files for the BlackBerry Cloud Connector are located in <drive:>:\program Files \BlackBerry\BlackBerry Cloud Connector\logs. The BlackBerry Cloud Connector does not connect with BES12 Cloud Description When you test the connection between the BlackBerry Cloud Connector and BES12 Cloud, you receive an error message that the test was not successful. Possible solutions Try any of the following: Verify that the following outbound ports are open in your organization's firewall so that the BlackBerry Cloud Connector and any proxy servers that you want it to use can communicate with BES12 Cloud: 3101 (TCP) 443 (HTTPS) Review the most recent log file for information about why the BlackBerry Cloud Connector cannot connect with BES12 Cloud. By default, the log files for the BlackBerry Cloud Connector are located in <drive:>:\program Files\BlackBerry Cloud Connector\logs. 27

28 Obtaining an APNs certificate to manage ios and OS X devices Obtaining an APNs certificate to manage ios and OS X devices 3 APNs is the Apple Push Notification Service. You must obtain and register an APNs certificate if you want to use BES12 to manage ios or OS X devices. You can obtain and register the APNs certificate using the first login wizard or by using the external integration section of the administration console. Note: Each APNs certificate is valid for one year. The administration console displays the expiry date. You must renew the APNs certificate before the expiry date, using the same Apple ID that you used to obtain the certificate. If the certificate expires, devices do not receive data from BES12. If you register a new APNs certificate, device users must reactivate their devices to receive data. For more information, visit to read Issues with Sending Push Notifications in article TN2265. It is a best practice to access the administration console and the Apple Push Certificates Portal using the Google Chrome browser or the Safari browser. These browsers provide optimal support for requesting and registering an APNs certificate. Steps to obtain an APNs certificate To obtain and register an APNs certificate, perform the following actions: Step Action Obtain a signed CSR from BlackBerry. Use the signed CSR to request an APNs certificate from Apple. Register the APNs certificate. Obtain a signed CSR from BlackBerry You must obtain a signed CSR from BlackBerry before you can obtain an APNs certificate. 1. On the menu bar, click Settings > External integration > Apple Push Notification. 28

29 Obtaining an APNs certificate to manage ios and OS X devices 2. Click Get APNs Certificate. If you want to renew the current APNs certificate, click Renew certificate instead. 3. In the Step 1 of 3 - Download signed CSR certificate from BlackBerry section, click Download certificate. 4. Click Save to save the signed CSR file (.scsr) to your computer. After you finish: Request an APNs certificate from Apple. Request an APNs certificate from Apple Before you begin: Obtain a signed CSR from BlackBerry. 1. On the menu bar, click Settings > External integration > Apple Push Notification. 2. In the Step 2 of 3 - Request APNs certificate from Apple section, click Apple Push Certificate Portal. You are directed to the Apple Push Certificates Portal. 3. Sign in to the Apple Push Certificates Portal using a valid Apple ID. 4. Follow the instructions to upload the signed CSR (.scsr). 5. Download and save the APNs certificate (.pem) on your computer. After you finish: Register the APNs certificate. Register the APNs certificate Before you begin: Request an APNs certificate from Apple. 1. On the menu bar, click Settings > External integration > Apple Push Notification. 2. In the Step 3 of 3 - Register APNs certificate section, click Browse. Navigate to and select the APNs certificate (.pem). 3. Click Submit. After you finish: To test the connection between BES12 and the APNs server, click Test APNS certificate. To view the status and expiry date of the APNs certificate, click Settings > External integration > ios management. For more information about renewing the APNs certificate, see Renew the APNs certificate. 29

30 Obtaining an APNs certificate to manage ios and OS X devices Renew the APNs certificate The APNs certificate is valid for one year. You must renew the APNs certificate each year before it expires. Before you begin: Obtain a signed CSR from BlackBerry. 1. On the menu bar, click Settings > External integration > Apple Push Notification. 2. In the Step 2 of 3 - Request APNs certificate from Apple section, click Apple Push Certificate Portal. You are directed to the Apple Push Certificates Portal. 3. Sign in to the Apple Push Certificates Portal using the same Apple ID that you used to obtain the original APNs certificate. 4. Follow the instructions to renew the APNs certificate (.pem). You will need to upload the new signed CSR. 5. Download and save the renewed APNs certificate on your computer. 6. In the Step 3 of 3 - Register APNs certificate section, click Browse. Navigate to and select the renewed APNs certificate. 7. Click Submit. After you finish: To test the connection between BES12 and the APNs server, click Test APNS certificate. To view the status and expiry date of the APNs certificate, click Settings > External integration > ios management. Troubleshooting APNs This section helps you troubleshoot APNs issues. The APNs certificate does not match the CSR. Provide the correct APNs file (.pem) or submit a new CSR. Description You may receive an error message when you try to register the APNs certificate if you did not upload the most recently signed CSR file from BlackBerry to the Apple Push Certificates Portal. Possible solution If you downloaded multiple CSR files from BlackBerry, only the last one that you downloaded is valid. If you know which CSR is the most recent, return to the Apple Push Certificates Portal and upload it. If you are not sure which CSR is the most recent, obtain a new one from BlackBerry, then return to the Apple Push Certificates Portal and upload it. 30

31 Obtaining an APNs certificate to manage ios and OS X devices I cannot activate ios or OS X devices Possible cause If you are unable to activate ios or OS Xdevices, the APNs certificate may not be registered correctly. Possible solution Perform one or more of the following actions: In the administration console, on the menu bar, click Settings > External integration > Apple Push Notification. Verify that the APNs certificate status is "Installed." If the status is not correct, try to register the APNs certificate again. Click Test APNS certificate to test the connection between BES12 and the APNs server. If necessary, obtain a new signed CSR from BlackBerry and a new APNs certificate. 31

32 Controlling which devices can access Exchange ActiveSync Controlling which devices can access Exchange ActiveSync 4 You can stop unauthorized devices from using Exchange ActiveSync unless they are explicitly added to the allowed list. Devices that are not on the allowed list cannot access work and organizer data. Using the BlackBerry Gatekeeping Service makes it easier to add devices to the allowed list. To use the BlackBerry Gatekeeping Service, you must create a gatekeeping configuration for Microsoft Exchange Server or Microsoft Office 365 and assign an profile to users that has the automatic gatekeeping server selected. After you configure gatekeeping and assign the profile to users, the users' devices are automatically added to the allowed list. If the profile is removed from a user, the user's device is removed from the allowed list and can no longer connect to Microsoft Exchange (unless it is allowed using other means, for example, Windows PowerShell). For more information about adding an automatic gatekeeping server to an profile, viewing the connection status of a device, and allowing or blocking devices that are not automatically added to the allowed list, see the Administration content. Steps to configure Exchange ActiveSync and the BlackBerry Gatekeeping Service When you configure the BlackBerry Gatekeeping Service, you perform the following actions: Step Action Configure permissions for gatekeeping. Allow only authorized devices to access Exchange ActiveSync. Configure Microsoft IIS permissions for gatekeeping. Create a gatekeeping configuration. Create an profile that has an automatic gatekeeping server selected and assign it to user accounts, user groups, or device groups. For instructions, see the Administration content. 32