Architecture and Data Flows Reference Guide




BlackBerry Enterprise Service 12
Version 12.0

Published: 2014-11-10
SWD-20141110103011848

Contents

Components used in the BES12 solution
   Components used to manage BlackBerry 10, iOS, Android, and Windows Phone devices
   Components used to manage BlackBerry OS devices
Activating devices
   Data flow: Activating a BlackBerry 10 device
   Data flow: Activating an Android device
   Data flow: Activating an iOS device
   Data flow: Activating a Windows Phone device
   Data flow: Activating a BlackBerry OS device
Receiving configuration updates
   Data flow: Receiving configuration updates on a BlackBerry 10 device
   Data flow: Receiving configuration updates on an Android device
   Data flow: Receiving configuration updates on an iOS device
   Data flow: Receiving configuration updates on a Windows Phone device
Sending and receiving work data
   Using enterprise connectivity
      Data flow: Sending email and calendar data from a BlackBerry 10, iOS, or Android device using enterprise connectivity
      Data flow: Receiving email and calendar data on a BlackBerry 10 or Android device using enterprise connectivity
      Data flow: Receiving email and calendar data on an iOS device using enterprise connectivity
      Data flow: Sending an email from a BlackBerry OS device
      Data flow: Receiving an email on a BlackBerry OS device
      Data flow: Receiving enterprise push updates on a BlackBerry 10 device
      Data flow: Accessing an application or content server from a work app on a BlackBerry 10, iOS, or Android device using enterprise connectivity
   Using your organization's VPN or work Wi-Fi network
      Data flow: Sending email or calendar data from a BlackBerry 10, iOS, Android, or Windows Phone device using your organization's VPN or work Wi-Fi network
      Data flow: Receiving email and calendar data on a BlackBerry 10, iOS, Android, or Windows Phone device using your organization's VPN or work Wi-Fi network
      Data flow: Accessing an application or content server from a BlackBerry 10, iOS, Android, or Windows Phone device using your organization's VPN or work Wi-Fi network
Legal notice

Components used in the BES12 solution

BES12 Core
The BES12 Core is the central component of BES12 architecture and consists of several subcomponents that are responsible for:
- Logging, monitoring, reporting, and management functions
- Authentication and authorization services for the BES12 Core local directory and company directories
- Scheduling and sending commands, IT policies, and profiles to devices
If there are multiple BES12 instances in the domain, all the BES12 Core instances are active and each of them can connect to the BlackBerry Infrastructure and processes traffic.

BES12 database
The BES12 database is a relational database that contains user account information and configuration information used by BES12 to manage devices. The BES12 database can be installed on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BlackBerry Infrastructure
The BlackBerry Infrastructure registers user information for device activation and validates licensing information for BES12. All the data that travels between the BlackBerry Infrastructure and BES12 is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

BlackBerry Router
By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101. You do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, or that all systems must connect through another system in the DMZ, you can install the BlackBerry Router. The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. The BlackBerry Router can support SOCKS v5 with no authentication. For more information, see the BlackBerry Enterprise Service 12 Configuration Guide.

For BlackBerry OS (version 5.0 to 7.1) devices, the BlackBerry Router also sends data directly to and receives data from devices that are connected to a work Wi-Fi network or to a computer that has the BlackBerry Device Manager. If you upgrade from BES5.0.4 MR10 to BES12, the BlackBerry Router you originally installed with your BES5 continues to work only for the components used to manage BlackBerry OS devices. If you install a new instance of the BlackBerry Router with BES12, you can configure it to work with all components.

Management console
The management console is a web-based UI that is used to:
- Complete postinstallation configuration settings
- View and manage users, devices, policies, profiles, and apps
- View and manage system settings, including customizing the activation email message and adding an APNs certificate
- Move IT policies, profiles, groups, and users to BES12
The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon.

TCP proxy
If your organization already has a TCP proxy server installed or requires one to meet networking requirements, you can use a TCP proxy server instead of the BlackBerry Router. The TCP proxy server can support SOCKS v5 with no authentication. For more information, see the BlackBerry Enterprise Service 12 Configuration Guide.

If you use an existing TCP proxy server instead of the BlackBerry Router, BlackBerry OS devices that are connected to a work Wi-Fi network or to a computer that has BlackBerry Device Manager installed cannot bypass the BlackBerry Infrastructure to connect to your organization's network.

Components used to manage BlackBerry 10, iOS, Android, and Windows Phone devices

BES12 Self-Service
Users can access BES12 Self-Service to set an activation password and send device commands, such as set password, lock device, and delete device data to their BlackBerry 10, iOS, Android, or Windows Phone devices. Users can also delete device data from their BlackBerry OS (version 5.0 to 7.1) devices.

BlackBerry Affinity Manager
The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection to the BlackBerry Infrastructure. If there are multiple BES12 instances in the domain, the BlackBerry Affinity Manager runs on all instances but only one BlackBerry Affinity Manager instance is active and responsible for maintaining a connection to the BlackBerry Infrastructure and processing traffic. The passive BlackBerry Affinity Manager instances monitor the health of the active instance and when the health goes under a specific threshold, an election process is initiated to determine which passive BlackBerry Affinity Manager becomes active. The active BlackBerry Affinity Manager instance can maintain more than one SRP connection with the BlackBerry Infrastructure for scalability reasons only. To add more than one SRP, you must use the BES12 Configuration Tool.

The BlackBerry Affinity Manager configures the Exchange ActiveSync connectivity and logging settings for the BlackBerry Work Connect Notification Service. It also assigns BlackBerry 10 devices to the BlackBerry Dispatcher using the information in the BES12 database. If a BlackBerry 10 device is moved to a different BES12 instance, the BlackBerry Affinity Manager performs all of the steps required to move the user to the new instance so that the user does not have to do anything for the device to maintain BES12 services.

BlackBerry Dispatcher
The BlackBerry Dispatcher provides secure connectivity for BlackBerry 10 devices. The BlackBerry Dispatcher dynamically updates the devices that it handles based on the list it receives from the active BlackBerry Affinity Manager.

BlackBerry Gatekeeping Service
The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BES12. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BES12 management console by an administrator.

BlackBerry MDS Connection Service
The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection. The BlackBerry MDS Connection Service is also responsible for providing enterprise data push services for BlackBerry 10 devices.

BlackBerry Work Connect Notification Service
The BlackBerry Work Connect Notification Service is a web service responsible for providing new and changed email and organizer notifications to iOS devices that are using Secure Work Space. iOS devices are restricted from running applications in the background, with specific exceptions such as the default mail application. This means Secure Work Space applications cannot receive new data such as email notifications unless the application is open or unless the notification comes from the APNs. The BlackBerry Work Connect Notification Service sends the email and organizer notifications to the BlackBerry Infrastructure, where they are sent to the device using the APNs.

If there are multiple BES12 instances in the domain, only one instance of the BlackBerry Work Connect Notification Service is active and processing notifications. The BlackBerry Affinity Manager is responsible for starting another BlackBerry Work Connect Notification Service instance if the active one stops.

APNs
The APNs is a service that Apple provides that sends notifications to iOS devices. BES12 sends notifications to iOS devices to contact BES12 for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the device using the APNs.

GCM
GCM is a service that Google provides for Android devices. BES12 sends notifications to Android devices to contact BES12 for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the device using the GCM.

Components used to manage BlackBerry OS devices

BlackBerry Administration Service
You can use the BlackBerry Administration Service to configure BlackBerry OS device software updates, and VPN and Wi-Fi profiles for BlackBerry OS (versions 5.0 to 7.1) devices. The BlackBerry Administration Service connects to the BES12 database. It also provides connection services for the management console so that you can manage BlackBerry OS devices.

BlackBerry Attachment Service
The BlackBerry Attachment Service converts supported attachments into a format that can be viewed on BlackBerry OS devices. The BlackBerry Attachment Service converts attachments for the BlackBerry Messaging Agent, the BlackBerry MDS Connection Service for BlackBerry OS, and the BlackBerry Collaboration Service.

BlackBerry Collaboration Service
The BlackBerry Collaboration Service is an optional component that provides a connection between your organization's instant messaging server and the collaboration client on BlackBerry OS devices.

BlackBerry Controller
The BlackBerry Controller monitors components used to manage BlackBerry OS devices and restarts these components when they stop responding.

BlackBerry Dispatcher for BlackBerry OS
The BlackBerry Dispatcher for BlackBerry OS performs the following functions:
- Transfers data between components used to manage BlackBerry OS devices
- Compresses and encrypts data that is sent to BlackBerry OS devices
- Decrypts and decompresses data that is received from BlackBerry OS devices
- Monitors and communicates the health of BlackBerry OS management components
- Starts the processing of BlackBerry OS device users on the BlackBerry Messaging Agent

BlackBerry Mail Store Service
The BlackBerry Mail Store Service connects to the mail servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the mail servers.

BlackBerry MDS Connection Service for BlackBerry OS
The BlackBerry MDS Connection Service for BlackBerry OS permits applications on BlackBerry OS devices to connect to your organization's application or content servers for application data and updates.

BlackBerry Messaging Agent
The BlackBerry Messaging Agent performs the following functions:
- Connects to the mail server to provide messaging services, calendar management, contact lookups, attachment viewing, and attachment retrieval for BlackBerry OS devices
- Allows the BlackBerry Synchronization Service to access organizer data on the mail server
- Synchronizes configuration data between the BES12 database and BlackBerry OS device user mailboxes on the mail server

BlackBerry Policy Service
The BlackBerry Policy Service performs administration services for BlackBerry OS devices over the wireless network, such as sending IT policies, device commands, and service books.

BlackBerry Synchronization Service
The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry OS devices and your organization's mail server using the BlackBerry Messaging Agent. The BlackBerry Synchronization Service also synchronizes BlackBerry OS device user data with the BES12 database.

BlackBerry Web Desktop Manager
BlackBerry OS device users can access BlackBerry Web Desktop Manager to set an activation password, activate their devices by connecting them to the computer, and perform other device management functions for their BlackBerry OS devices, such as updating the device software or sending device commands.

Activating devices

Data flow: Activating a BlackBerry 10 device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user performs the following actions:
   a. Types the username and activation password on the device
   b. For "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts.
4. The Enterprise Management Agent on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
5. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the Enterprise Management Agent
6. The device performs the following actions:
   a. Establishes a connection with BES12
   b. Generates a shared symmetric key with BES12, using the activation password and EC-SPEKE. The shared symmetric key protects the CSR and response.
   c. Creates an encrypted CSR and HMAC as follows:
      - Generates a key pair for the certificate
      - Creates a PKCS#10 CSR that includes the public key of the key pair
      - Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
      - Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
   d. Sends the encrypted CSR and HMAC to BES12
7. BES12 performs the following actions:
   a. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
   b. Retrieves the username, work space ID, and your organization's name from the BES12 database
   c. Packages a client certificate using the information it retrieved and the CSR that the device sent
   d. Signs the client certificate using the enterprise management root certificate
   e. Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
   f. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 URL and appends it to the encrypted data
   g. Sends the encrypted data and HMAC to the device
8. The device performs the following actions:
   a. Verifies the HMAC
   b. Decrypts the data it received from BES12
   c. Stores the client certificate and the enterprise management root certificate in its keystore
9. BES12 performs the following actions:
   a. BES12 Core assigns the new device to a BES12 instance in the domain
   b. BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance
   c. The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device
   d. The BlackBerry Dispatcher starts processing configuration data for the device
10. The device and the BlackBerry Dispatcher perform the following actions:
   a. Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for BES12 using the enterprise management root certificate
   b. Generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES12
11. The device stores the device transport key in its keystore.
12. The BlackBerry Dispatcher stores the device transport key in the database and sends the IT policy, SRP information, profiles, and required apps to the device over TLS.
13. The device sends an acknowledgment over TLS to BES12 that it received and applied the IT policy and other data and has created the work space. The activation process is complete.

The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.

Data flow: Activating an Android device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client requests all configuration information and sends the device and software information to BES12.
14. BES12 stores the device information in the database and sends the requested configuration information to the device.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Secure Work Space
- Work Space Manager
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Data flow: Activating an iOS device

1. You perform the following actions:
   a. Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory
   b. Assign an activation profile to the user
   c. Use one of the following options to provide the user with activation details:
      - Automatically generate a device activation password and send an email with activation instructions for the user
      - Set a device activation password and communicate the username and password to the user directly or by email
      - Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. Once installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
   a. Establishes a connection to the BlackBerry Infrastructure
   b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
   a. Verifies that the user is a valid, registered user
   b. Retrieves the BES12 address for the user
   c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted; otherwise it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
12. A mutually authenticated TLS session is established between the BES12 Client and BES12.
13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation.
14. The user clicks OK and is redirected to the link for the native MDM Daemon activation.
15. The BES12 Client establishes a connection to BES12.
16. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
17. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
18. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
19. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and device issued certificate.
20. BES12 sends the CA certificate, CA capabilities information, and the device issued certificate to the native MDM Daemon.
21. The native MDM Daemon installs the MDM profile on the device.
22. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
23. BES12 acknowledges that the MDM activation is complete.
24. The BES12 Client requests all configuration information and sends the device and software information to BES12.
25. BES12 stores the device information in the database and sends configuration information to the device.
26. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Work Connect
- Work Browser
- Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.

Activting devices Dt flow: Activting Windows Phone device 1. You perform the following ctions: c Add user to BES12 s locl user ccount, or y using the ccount informtion retrieved from your compny directory Assign n ctivtion profile to the user Use one of the following options to provide the user with ctivtion detils: Automticlly generte device ctivtion pssword nd send n emil with ctivtion instructions for the user Set device ctivtion pssword nd communicte the usernme nd pssword to the user directly or y emil Don't set device ctivtion pssword nd communicte the BES12 Self-Service ddress to the user so tht they cn set their own ctivtion pssword 2. The user downlods nd instlls the BES12 Client on the device. After it is instlled, the user opens the BES12 Client nd enters the emil ddress nd ctivtion pssword on the device. 3. The BES12 Client on the device performs the following ctions: Estlishes connection to the BlckBerry Infrstructure Sends request for ctivtion informtion to the BlckBerry Infrstructure 4. The BlckBerry Infrstructure performs the following ctions: c Verifies tht the user is vlid, registered user Retrieves the BES12 ddress for the user Sends the ddress to the BES12 Client 5. The BES12 Client estlishes connection with BES12. 20

6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
8. BES12 performs the following actions:
   a. Inspects the credentials for validity
   b. Creates a device instance
   c. Associates the device instance with the specified user account in the BES12 database
   d. Adds the enrollment session ID to an HTTP session
   e. Sends a successful authentication message to the device
9. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
10. BES12 performs the following actions:
   a. Validates the client certificate request against the enrollment session ID in the HTTP session
   b. Signs the client certificate request with the root certificate
   c. Sends the signed client certificate and root certificate back to the BES12 Client
11. A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation.
13. The BES12 Client sends the device information to BES12.
14. The user copies the server address and navigates to the Windows Phone settings to complete the activation.
15. The user adds an account using their username and activation password and pastes the server address.
16. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
17. BES12 validates the username and password, validates the CSR, and returns the client certificate and the CA certificate to the device.
18. All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.
19. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

Data flow: Activating a BlackBerry OS device

1. You create a new user account and use one of the following options to provide the user with activation details:
   - Automatically generate a device activation password and send an email with activation instructions for the user
   - Set a device activation password and communicate the username and password to the user directly or by email
   - Don't set a device activation password and communicate the BlackBerry Web Desktop Manager address to the user so that they can set their own activation password
   The device user list stored in the BES12 database is updated with the new device user name, email address, mailbox information, activation password, activation status, and other information.
2. The BlackBerry Dispatcher for BlackBerry OS assigns the new user to a BlackBerry Messaging Agent. The BlackBerry Messaging Agent starts to monitor the user's mailbox on the mail server for new email. An email containing an etp.dat file attachment is required to continue the activation process.
3. The device user navigates to the Enterprise Activation screen on the BlackBerry OS (version 5.0 to 7.1) device and types the email address and activation password. The device user opens the menu and clicks Activate. The device displays "Activating."
4. The device creates an activation request email that contains the email address, device PIN, and public key authentication information, based on the enterprise activation password the user typed. The device encrypts the email using SPEKE and sends it to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure receives the activation request email and identifies it as an activation request. The BlackBerry Infrastructure forwards the email using SMTP to the email address that the user typed on the Enterprise Activation screen.

6. When the activation request email arrives in the user's mailbox, the BlackBerry Messaging Agent identifies it and removes it from the user's mailbox. The BlackBerry Messaging Agent recognizes the etp.dat attachment in the activation request email and begins an authentication process.
7. The BlackBerry Messaging Agent compares the authentication key received in the activation request email with the authentication key generated from the activation password and stored in the BES12 database. If the authentication keys match, the BlackBerry Messaging Agent notifies the BlackBerry OS device that the activation request was received.
8. The BlackBerry Messaging Agent and the BlackBerry OS device then generate their own encryption keys that will be used to encrypt and decrypt all data.
9. BES12 and the BlackBerry OS device establish an encryption key and verify their knowledge of the encryption key to each other. The BlackBerry OS device displays "Encryption Verified. Waiting for Services." All the data sent between the BlackBerry OS device and BES12 from now on is compressed and encrypted using this encryption key and the device can now be managed from the management console.
10. The BlackBerry Messaging Agent forwards a request to the BlackBerry Policy Service to generate service books. The BlackBerry Policy Service receives and queues the request. The BlackBerry Policy Service adds the unique authentication key that the BES12 domain uses to sign IT policy data and then forwards the IT policy data through the BlackBerry Dispatcher for BlackBerry OS to the device. The BlackBerry Policy Service waits for confirmation from the device that the IT policy has been applied successfully.
11. The BlackBerry OS device applies the IT policy and sends a confirmation to BES12. The IT policy applied to the BlackBerry OS device is now in a read-only state and can be modified only by updates sent from the same BES12 domain.
12. Once the BlackBerry Policy Service receives confirmation that the IT policy was applied successfully, the BlackBerry Policy Service generates and sends the service books to the BlackBerry OS device.
13. The BlackBerry OS device receives the service books. The device user is notified that the email address has been activated. The BlackBerry OS device displays "Services Received. Your email address, <username>@<domain>.com is now enabled." The device user can now send and receive email messages on the BlackBerry OS device.
14. The slow synchronization process begins. The BlackBerry OS device requests the synchronization configuration information from the BlackBerry Synchronization Service. The configuration information indicates whether wireless data synchronization on BES12 is turned on and which organizer databases can be synchronized. The configuration information also provides database synchronization types (unidirectional or bidirectional) and conflict resolution settings.
15. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases on the BlackBerry OS device using that information. The BlackBerry OS device and BES12 do not delete records during the initial synchronization process.
16. The slow synchronization process is complete when all databases are synchronized between the BlackBerry OS device and BES12.

The activation process is complete when the BlackBerry OS device displays Activation Complete and the device user account status displays Completed in the management console or BlackBerry Administration Service.

Receiving configuration updates

When you use the management console to send device commands, such as lock device or delete the work data, or when you perform other device management tasks, such as updates to policy, profile, and app settings or assignments, you trigger a configuration update for the device. When a configuration update needs to be sent to a device, BES12 notifies the devices, except Windows Phone devices, that a configuration update is pending. Windows Phone devices poll BES12 every hour to request pending updates. Other devices poll BES12 every 8 hours to ask for any actions that need to be run on the device to prevent any configuration update from being missed if a notification is not received on the device.

On BlackBerry 10 devices, the Enterprise Management Agent receives and completes all configuration updates. On Android devices, the BES12 Client receives and completes all configuration updates. On iOS and Windows Phone devices, the BES12 Client displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on iOS and Windows Phone devices complements the BES12 Client and receives and completes all configuration updates sent to the device.

Data flow: Receiving configuration updates on a BlackBerry 10 device

1. An action is taken in the management console that triggers a configuration update for the device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12 and objects that must be shared with the device are identified.

3. The BES12 Core notifies the BlackBerry Infrastructure that there is an update for a device. The notification passes through the BlackBerry Router or TCP proxy server, if installed, and the external firewall, over port 3101.
4. The BlackBerry Infrastructure notifies the Enterprise Management Agent on the device that there is an update.
5. The device polls the BES12 Core for the update. This poll passes through the BlackBerry Infrastructure and the BlackBerry Router, if installed, to the BES12 Core.
6. The BES12 Core sends the configuration updates to the Enterprise Management Agent on the device. The updates pass through the BlackBerry Router or TCP proxy server, if installed, and the BlackBerry Infrastructure.
7. The Enterprise Management Agent on the device receives the configuration updates and applies the new or updated configuration on the device.

Data flow: Receiving configuration updates on an Android device

1. An action is taken in the management console that triggers a configuration update for an Android device.
2. Updates are applied in BES12 and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the GCM to notify Android devices that there is an update pending.
5. The BES12 Client contacts the BES12 Core, on port 3101 of the external firewall, to request any pending actions and commands that need to be performed on the device.
6. The BES12 Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action.

   Priority is given to IT administration commands, such as Delete device data and Lock device, followed by a request for device information, installed apps, and so on. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response.
7. The BES12 Client inspects the response, schedules the command to be processed, and waits for the command to be run.
8. The BES12 Client sends a response to the BES12 Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
9. If there are more actions or commands pending for the device, the BES12 Core replies, through the BlackBerry Infrastructure, with the highest priority action. If there are no pending actions or commands for the device, the BES12 Core replies with an idle command.
10. Steps 7 to 9 are repeated until there are no more pending actions or commands that need to be performed on the device.

Data flow: Receiving configuration updates on an iOS device

1. An action is taken in the BES12 management console that triggers a configuration update for an iOS device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12 and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the APNs to notify the device that there is an update pending.
5. The APNs sends a notification to the native MDM Daemon on the iOS device to contact the BES12 Core.
6. When the native MDM Daemon on the iOS device receives the notification, it contacts the BES12 Core, on port 3101 of the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.

7. The BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response. If there are no pending actions or commands for the device, the BES12 Core replies to the device with an idle command.
8. The native MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for the command to be run.
9. The native MDM Daemon sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
10. Steps 7 to 9 are repeated until there are no more pending actions or commands that need to be performed on the device.

Data flow: Receiving configuration updates on a Windows Phone device

1. An action is taken in the BES12 management console that triggers a configuration update for a Windows Phone device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12 and objects that must be shared with the device are identified.
3. The native MDM Daemon on the Windows Phone polls BES12 for updates at regular intervals.
4. When there is an update pending for the device, the BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If there are no pending actions or commands for the device, the BES12 Core replies to the device with an idle command.
5. The native MDM Daemon on the Windows Phone device inspects the response, schedules the command to be processed, and waits for the command to be run.

6. The native MDM Daemon on the Windows Phone device sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
7. Steps 4 to 6 are repeated until there are no more pending actions or commands that need to be performed on the device.
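The poll, reply and status exchange that the Android, iOS and Windows Phone data flows above share, as an added Python model (not BlackBerry code and not part of the original guide). The class, function and command names and the numeric priority values are assumptions; only the ordering, the one-command-per-reply rule, the status response and the idle reply come from the text.

```python
import heapq
import itertools

# Constructed command names and priority classes (lower number is sent first).
# The guide only states the ordering: IT administration commands such as
# Delete device data and Lock device, then information requests, then the rest.
PRIORITY = {"DeleteDeviceData": 0, "LockDevice": 0,
            "DeviceInformation": 1, "InstalledApps": 1}
DEFAULT_PRIORITY = 2
IDLE = "Idle"


class CoreQueue:
    """Server side of the exchange: one command per reply, highest priority first."""

    def __init__(self):
        self._pending = {}      # device_id -> heap of (priority, seq, command)
        self._in_flight = {}    # device_id -> command sent but not yet acknowledged
        self._seq = itertools.count()
        self.status_log = []    # (device_id, command, ok, error)

    def enqueue(self, device_id, command):
        prio = PRIORITY.get(command, DEFAULT_PRIORITY)
        heap = self._pending.setdefault(device_id, [])
        heapq.heappush(heap, (prio, next(self._seq), command))

    def poll(self, device_id):
        """Reply to a device poll with exactly one command, or IDLE."""
        # Assumption: an unacknowledged command is repeated rather than skipped,
        # so a lost status report cannot silently drop a lock or wipe.
        if device_id in self._in_flight:
            return self._in_flight[device_id]
        heap = self._pending.get(device_id)
        if not heap:
            return IDLE
        _, _, command = heapq.heappop(heap)
        self._in_flight[device_id] = command
        return command

    def report(self, device_id, command, ok, error=None):
        """Record the device's status response for the command in flight."""
        if self._in_flight.get(device_id) != command:
            raise ValueError("status for a command that was not sent")
        del self._in_flight[device_id]
        self.status_log.append((device_id, command, ok, error))


def run_device(core, device_id, handlers):
    """Device side: poll, run the command, report status, repeat until IDLE."""
    executed = []
    while True:
        command = core.poll(device_id)
        if command == IDLE:
            return executed
        try:
            handlers[command]()
            core.report(device_id, command, True)
        except Exception as exc:   # a failure is reported with its error message
            core.report(device_id, command, False, str(exc))
        executed.append(command)


def demo():
    """Queue four constructed commands out of order and drain them."""
    core = CoreQueue()
    for cmd in ("UpdatePolicy", "InstalledApps", "LockDevice", "DeleteDeviceData"):
        core.enqueue("device-1", cmd)

    def failing():
        raise RuntimeError("app inventory unavailable")

    handlers = {"UpdatePolicy": lambda: None, "LockDevice": lambda: None,
                "DeleteDeviceData": lambda: None, "InstalledApps": failing}
    return core, run_device(core, "device-1", handlers)


if __name__ == "__main__":
    core, order = demo()
    print(order)
    print(core.status_log)
```

The status log is the place to alert on a lock or wipe command that was sent but never reported as successful.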

Sending and receiving work data

When sending and receiving work data, BlackBerry 10, iOS, Android, and Windows Phone devices active in BES12 connect to your organization's mail, application, or content servers using different communication methods. For example, when they use the work email or calendar apps, devices establish a connection to the mail server. When they use the work browser to navigate the intranet, devices establish a connection to the web server in your organization, and so on. When BlackBerry OS (version 5.0 to 7.1) devices send or receive work data, they connect to BES12. BES12 then establishes a connection to your organization's mail, application, or content servers, sending and receiving work data on behalf of the BlackBerry OS devices.

Communication methods that devices may use include:
- Communication through the BlackBerry Infrastructure (enterprise connectivity): All the traffic that flows between the devices and BES12 through the BlackBerry Infrastructure is authenticated and encrypted. When devices use this communication channel, they use enterprise connectivity. Enterprise connectivity limits the number of ports that you need to open on your organization's external firewall to a single port, 3101.
- Communication over your organization's VPN or work Wi-Fi network: You can use BES12 to configure profiles for devices, or users may configure VPN or work Wi-Fi profiles on their devices, so that devices can connect to your organization's resources using a VPN or work Wi-Fi network.

For more information about how data in transit is protected using these communication methods, see the BlackBerry Enterprise Service 12 Security Overview, the BlackBerry Enterprise Service 12 Security Guide for BlackBerry, and the BlackBerry Enterprise Service 12 Security Guide for iOS, Android, and Windows Phone.

Using enterprise connectivity

Devices connect to your organization's network using enterprise connectivity in the following cases:
- All devices use this communication path to send and receive configuration data, such as device commands, policy and profile updates, and sending device information and activity reports.
- BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive email, organizer, and app data updates when this is the most direct, cost-efficient route available.
- BlackBerry 10 devices use this communication path to send and receive Exchange ActiveSync updates and other work app data updates when this is the most direct, cost-efficient route available.
- iOS and Android devices with Secure Work Space always use this path to send and receive Exchange ActiveSync data updates when they have enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.

For more information on how to configure an enterprise connectivity profile, see the BlackBerry Enterprise Service 12 Administration Guide.

This diagram shows how devices access your organization's resources when using enterprise connectivity.

Data flow: Sending email and calendar data from a BlackBerry 10, iOS, or Android device using enterprise connectivity

This data flow describes how work email and calendar data travels from the device to the mail server through the BlackBerry Infrastructure using Exchange ActiveSync. This communication path is used when:
- The device is a BlackBerry 10 device and it determines that this is the most direct, cost-efficient path.
- The device is an iOS or Android device with Secure Work Space and enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   - If the device is an iOS or Android device, the new or changed item travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   - If the device is a BlackBerry 10 device, the new or changed item travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
3. The mail server updates the organizer data on the user's mailbox or sends the mail item to the recipient and sends a confirmation to the device.

Data flow: Receiving email and calendar data on a BlackBerry 10 or Android device using enterprise connectivity

This data flow describes how work email and calendar data travels between the mail server and the BlackBerry 10 or Android devices through the BlackBerry Infrastructure using Exchange ActiveSync. This communication path is used when:
- The device is an Android device with Secure Work Space and enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.
- The device is a BlackBerry 10 device and it determines that this is the most direct, cost-efficient path.

1. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device when any items change in the folders that are configured to synchronize. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   - If the device is an Android device, the request travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   - If the device is a BlackBerry 10 device, the request travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through the secure channel established between BES12 and the BlackBerry Infrastructure to the email or organizer data app on the work space of the device:
   - If the device is an Android device, the new or changed item travels through the BES12 Core and the BlackBerry Infrastructure to the device.
   - If the device is a BlackBerry 10 device, the request travels through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device through the secure channel established between BES12 and the BlackBerry Infrastructure.
6. The device issues a new request and the process starts over.

Data flow: Receiving email and calendar data on an iOS device using enterprise connectivity

This data flow describes how work email and calendar data travels between the mail server and iOS devices through the BlackBerry Infrastructure using Exchange ActiveSync.

This communication path is used when the iOS device has Secure Work Space and enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.

1. If the email or organizer app is open or the device OS allows it to run in the background,
   a. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device when any items change in the folders that are configured to synchronize. The request travels through the encrypted and authenticated channel established between the BlackBerry Infrastructure and BES12 Core to the mail server.
   b. The device stands by.
   c. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device. The device issues a new request and the process starts over.
   d. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device through the secure channel established between BES12 Core and the BlackBerry Infrastructure to the email or organizer app on the work space of the device.
   e. When the synchronization is complete, the device issues another request to restart the process.
2. If the email or organizer app is not open and is not running in the background,
   a. The BlackBerry Work Connect Notification Service listens for new or updated items for the device.
   b. When there is a new or updated item, the BlackBerry Work Connect Notification Service sends the notification to the BlackBerry Infrastructure using the secure channel established between BES12 Core and the BlackBerry Infrastructure.
   c. The BlackBerry Infrastructure sends the notification to the app on the iOS device using the APNs.
   d. The device shows there is a new email or organizer item available.
   e. When the user opens the app, the device issues an HTTPS request to the mail server and requests the mail server sends any new or changed items to the device. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 Core to the mail server.
   f. The mail server sends the new or changed items to the device through the secure channel established between BES12 Core and the BlackBerry Infrastructure to the email or organizer app on the work space of the device. When the synchronization is complete, the process starts over.