Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual


Published: 2013-07-02 SWD-20130702091645092

Contents

Advance preparation
- Required materials
- Topics covered

Materials and resources used in this course
- Course resources
- Product documentation

Chapter 1: BlackBerry Enterprise Service 10 version 10.1.1 architecture
- Discussion: Understanding BlackBerry Enterprise Service 10 architecture
- Architecture: BlackBerry Enterprise Service 10
- Components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets
- Components used to manage iOS devices and Android devices
- Discussion: Ports used by the BlackBerry Enterprise Service 10 components
- Key components of BlackBerry Enterprise Service 10
- Key components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets
- Key components used to manage iOS devices and Android devices
- Additional key ports to consider
- Installing BlackBerry Enterprise Service 10
- Installing BlackBerry Enterprise Service 10 on a single computer
- Installing BlackBerry Enterprise Service 10 on multiple computers
- Installing BlackBerry Enterprise Service 10 for high availability
- Troubleshooting tips in a distributed environment
- Discussion: Deploying BlackBerry Enterprise Service 10 in your environment
- Review: BlackBerry Enterprise Service 10 version 10.1.1 architecture

Chapter 2: Troubleshooting tools for BlackBerry Enterprise Service 10
- BES10 Configuration Tool
- Discussion: Troubleshooting with the BES10 Configuration Tool
- BES10 Configuration Tool
- Discussion: Why use log files for troubleshooting?
- Log Files
- Component identifiers for BlackBerry Enterprise Service 10 log files
- Log files for components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets
- Log files for components used to manage iOS devices and Android devices
- Activity: Looking at log files
- Resources for support
- Activity: Explore the resources available for support
- Review: Troubleshooting tools for BlackBerry Enterprise Service 10

Chapter 3: Troubleshooting issues with device activation
- Activity: Information for troubleshooting activation issues
- Licensing and wireless activation settings
- BlackBerry Licensing Service
- BlackBerry Enterprise Service 10 wireless activation settings
- Activation types
- All about spaces
- Troubleshooting BlackBerry device activation
- Activation methods
- Requirements: Wireless activation for BlackBerry 10 OS
- Requirements: Wireless activation for BlackBerry PlayBook OS
- Data flow: Activating a BlackBerry device over the wireless network
- Discussion: Device activation information
- Scenario: User cannot activate a device over the wireless network
- Scenario: Unable to activate any BlackBerry devices over the wireless network
- Common issues for wireless activation
- Troubleshooting work space only activations
- Troubleshooting iOS and Android device activation
- Requirements: Wireless activation for iOS devices
- Data flow: Activating an iOS device over the wireless network
- Requirements: Wireless activation for Android devices
- Data flow: Activating an Android device over the wireless network
- Deactivating iOS and Android devices
- Common issues for iOS device and Android device activation and deactivation
- Troubleshooting Secure Work Space activations
- Scenario: BlackBerry 10 devices are failing to activate
- Discussion: Activation
- Review: Troubleshooting issues with device activation

Chapter 4: Troubleshooting data flow issues
- Email and organizer data synchronization using Microsoft ActiveSync
- Requirements: Synchronizing email and organizer data using Microsoft ActiveSync
- Data flow: Receiving email and organizer data on a BlackBerry device
- Scenario: Unable to send or receive email messages after activating a BlackBerry 10 device with BlackBerry Enterprise Service 10
- Data flow: Receiving email and organizer data on iOS devices and Android devices using Microsoft ActiveSync
- Data flow: Receiving email and organizer data on iOS devices with a work space and Android devices with a work space
- Scenario: iOS device user can receive email, but cannot send email
- Common issues with email and organizer data synchronization
- Troubleshooting policy and profile updates on BlackBerry devices
- Requirements: Policy and profile updates for BlackBerry devices
- Data flow: Sending policy and profile updates to BlackBerry devices
- Troubleshooting app updates for BlackBerry devices
- Requirements: App updates for BlackBerry devices
- Data flow: Sending app updates to BlackBerry devices
- Scenario: BlackBerry device users cannot download an optional work app from BlackBerry World for Work
- About actions and commands sent to Android devices and iOS devices
- Requirements: Sending actions and commands to iOS devices and Android devices
- About the BES10 Client and the iOS MDM Daemon
- Data flow: Executing actions and commands that use the BES10 Client on Android devices and iOS devices
- Data flow: Executing actions and commands that use the MDM Daemon on iOS devices
- Troubleshooting tips for actions and commands sent to iOS devices and Android devices
- Creating a work space app
- Troubleshooting work space apps on iOS devices and Android devices
- Scenario: Actions and commands sent to iOS and Android devices
- Discussion: Issues that can happen after you activate a device
- Review: Troubleshooting data flows

Chapter 5: Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen
- Preventing issues before they happen
- Back up the BlackBerry Enterprise Service 10 data regularly
- Backing up the BlackBerry Configuration Database and the Management Database
- Back up the shared network folder
- Restore BlackBerry Enterprise Service 10
- Distribute users across multiple instances
- Analyze reports regularly
- Monitor license usage
- Review: Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen

Chapter 6: Additional resources
- Troubleshooting SCEP issues
- Requirements: SCEP profiles for devices managed by BlackBerry Enterprise Service 10
- Data flow: Enrolling a client certificate to a BlackBerry device using SCEP
- Data flow: Enrolling a client certificate to an iOS device using SCEP
- Scenario: "The SCEP server returned an invalid response" is displayed when attempting to activate an iOS device
- Common SCEP issues
- Scenario: Users are not receiving certificates
- Troubleshooting proxy issues
- Requirements: Proxy configuration
- Activity: Proxy issues
- Troubleshooting APNs
- About APNs
- Requirements: APNs for iOS devices
- Common issues with APNs
- Discussion: APNs in the BlackBerry Enterprise Service 10 environment
- Review: Additional resources

Answers
- Review: BlackBerry Enterprise Service 10 version 10.1.1 architecture
- Review: Troubleshooting tools for BlackBerry Enterprise Service 10
- Review: Troubleshooting issues with device activation
- Review: Troubleshooting data flows
- Review: Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen
- Review: Additional resources

Glossary

Legal notice

Advance preparation

Required materials

Lab requirements
- Computer for each participant
- Windows Internet Explorer 8 or later installed on each computer
- Access to the virtual machines provided for the labs

Instructor materials
- Instructor manual
- Presentation
- Activity manual
- Activity presentations
- Whiteboard
- Markers
- Projector and remote control

Participant materials
- Participant Manual
- Paper
- Pen or pencil
- Highlighter

Topics covered

| Module title | Time |
| --- | --- |
| BlackBerry Enterprise Service 10 architecture | 1.5 hours |
| Troubleshooting tools for BlackBerry Enterprise Service 10 | 30 minutes |
| Troubleshooting issues with device activation | 2 hours |
| Troubleshooting data flow issues | 2 hours |
| Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen | 30 minutes |
| Additional resources | 30 minutes |

2013 Research In Motion Limited. All Rights Reserved. 726-08745-123

Materials and resources used in this course

Course resources

| Resource | Description |
| --- | --- |
| Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 | 726-08745 - Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 Syllabus; 726-08745 - Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 Manual; 726-08745 - Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 Presentation; 721-08741 - Troubleshooting common issues Job Aid |

Product documentation

To read the following guides or additional related materials, visit blackberry.com/go/serverdocs.

| Resource | Description |
| --- | --- |
| Introducing BlackBerry Enterprise Service 10 | Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level |
| What's New in BlackBerry Enterprise Service 10 Quick Reference | Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10 |
| BlackBerry Enterprise Service 10 Product Overview | Introduction to BlackBerry Enterprise Service 10 and its features; Finding your way through the documentation; Architecture |
| BlackBerry Enterprise Service 10 Release Notes | Descriptions of known issues and potential workarounds |
| BlackBerry Enterprise Service 10 Installation Guide | System requirements; Installation instructions |
| Capacity Calculator for BlackBerry Enterprise Service 10 | Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10 version 10.1.1 |
| BlackBerry Enterprise Service 10 Compatibility Matrix | Software that is compatible with BlackBerry Enterprise Service 10 version 10.1.1 |
| BlackBerry Enterprise Service 10 Upgrade Guide | System requirements; Upgrade instructions |
| BlackBerry Enterprise Service 10 Licensing Guide | Descriptions of different types of licenses; Instructions for activating licenses |
| BlackBerry Enterprise Service 10 Configuration Guide | Instructions for how to configure server components before you start administering users and their devices |
| BlackBerry Device Service Advanced Administration Guide | Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets; Instructions for creating user accounts, groups, roles, and administrator accounts; Instructions for activating devices; Instructions for creating and sending IT policies and profiles; Instructions for managing apps on devices |
| Universal Device Service Advanced Administration Guide | Advanced administration for iOS devices and Android devices; Instructions for creating user accounts, groups, and administrator accounts; Instructions for activating devices; Instructions for creating and sending IT policies and profiles; Instructions for managing apps on devices; Descriptions of IT policy rules for iOS devices and Android devices |
| BlackBerry Management Studio Basic Administration Guide | Basic administration for all supported device types, including BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, Android devices, and BlackBerry 7.1 and earlier devices; Instructions for creating and managing user accounts in multiple Services; Instructions for managing multiple devices for each user account |
| BlackBerry Device Service Policy and Profile Reference Guide | Descriptions of IT policy rules and profile settings for BlackBerry 10 devices and BlackBerry PlayBook tablets |
| BlackBerry Device Service Solution Security Technical Overview | Description of the security maintained by the BlackBerry Device Service, BlackBerry Infrastructure, and BlackBerry 10 devices and BlackBerry PlayBook tablets to protect data and connections; Description of the BlackBerry 10 OS; Description of the BlackBerry PlayBook OS; Description of how work data is protected on BlackBerry 10 devices and BlackBerry PlayBook tablets when you use the BlackBerry Device Service |
| Secure Work Space for iOS and Android Security Note | Description of the security maintained by the Universal Device Service, BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit; Description of how work space apps are protected on work space-enabled devices when you use the Universal Device Service |
| BlackBerry Bridge App Security Technical Overview | Description of how work data is protected on devices when you use the BlackBerry Bridge app; Description of how work data is protected when it is in transit between a BlackBerry PlayBook tablet and a BlackBerry smartphone; Description of attacks that the BlackBerry Bridge pairing process is designed to prevent |

BlackBerry Enterprise Service 10 version 10.1.1 architecture

Objectives

By the end of this module, you should be able to:
- Describe BlackBerry Enterprise Service 10 architecture
- Describe the role of BlackBerry Enterprise Service 10 services and components
- Describe how the BlackBerry Enterprise Service 10 solution can be installed on a single computer
- Describe how the BlackBerry Enterprise Service 10 solution can be installed on multiple computers
- Describe high availability for BlackBerry Enterprise Service 10

Discussion: Understanding BlackBerry Enterprise Service 10 architecture

Ian Dundas is a senior director of the sales force in the organization, and he often travels from Toronto to New York to promote a product. Answer the following questions:
- How many different ways can Ian travel to New York City?
- How many stops does Ian have to make if he chooses to travel in any of the following ways:
  - If he chooses to travel by plane?
  - If he chooses to travel by train?
  - If he chooses to rent a car and drive himself there?
- Can Ian fix the plane, train, or rental car if something goes wrong with them, or does he need the help of someone else?
- Because he is traveling to a different country, do you think Ian needs to worry about anything else other than his method of transportation?

Now imagine this:
- Canada represents the organization's network, including all the different content and application servers
- Toronto is the only BlackBerry Enterprise Service 10 in the organization's network
- New York City is the device
- Ian is valuable data traveling between a server in the organization's network and the device

Consider the following questions:
- In how many different ways can data travel from the BlackBerry Enterprise Service 10 to the device?
- How would you associate the following types of connection with the methods of transportation discussed before (plane, train, rental car):
  - Work Wi-Fi network?
  - Wireless connection through the BlackBerry Infrastructure?
  - Wireless connection using VPN?
- What is the equivalent of a passport or visa in the BlackBerry solution?

Architecture: BlackBerry Enterprise Service 10

| Component | Description |
| --- | --- |
| BlackBerry Enterprise Service 10 | BlackBerry Enterprise Service 10 is a suite of services used to manage BlackBerry devices, iOS devices, and Android devices in an enterprise environment. |
| BlackBerry Enterprise Service 10 databases | The BlackBerry Enterprise Service 10 databases are a set of relational databases that contain user account information and configuration information (such as connection details) used by the components that manage BlackBerry devices, iOS devices, and Android devices. The BlackBerry Enterprise Service 10 databases consist of the following databases: the BlackBerry Configuration Database, which contains data used for managing BlackBerry 10 and BlackBerry PlayBook devices; and the Management Database, which contains data used for managing iOS and Android devices. |
| BlackBerry Infrastructure | The BlackBerry Infrastructure validates SRP and licensing information for BlackBerry Enterprise Service 10. In addition, the BlackBerry Infrastructure provides a secure connection between your organization and BlackBerry devices, work space-enabled Android devices, and work space-enabled iOS devices. |
| Microsoft Active Directory | User account information is obtained from Microsoft Active Directory. This information is required to create user accounts. |

Components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets

| Component | Description |
| --- | --- |
| BlackBerry Controller | The BlackBerry Controller monitors the BlackBerry Dispatcher, BlackBerry MDS Connection Service, and the Enterprise Management Web Service, and restarts them if they stop responding. |
| BlackBerry Device Service console | The BlackBerry Device Service console, also known as the BlackBerry Administration Service, is used to manage user accounts and the BlackBerry devices that are associated with them. The BlackBerry Device Service console connects to the BlackBerry Configuration Database and to Microsoft Active Directory. |
| BlackBerry Dispatcher | The BlackBerry Dispatcher maintains an SRP connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher is responsible for compressing and encrypting and for decrypting and decompressing data that travels over the Internet to and from the devices. |
| BlackBerry Licensing Service | The BlackBerry Licensing Service, installed with the BlackBerry Enterprise Service 10 management consoles, communicates with the licensing infrastructure within the BlackBerry Infrastructure to validate licenses and enforce license compliance. |
| BlackBerry Management Studio | BlackBerry Management Studio is the main console where you can perform common management tasks for users and devices, view report information, and manage licenses. You can also access the other management consoles from BlackBerry Management Studio for advanced administration tasks. |
| BlackBerry MDS Connection Service | The BlackBerry MDS Connection Service provides a secure connection between the Enterprise Management Agent on BlackBerry devices and the Enterprise Management Web Service. The connection is used when the device is not connected to your organization's Wi-Fi network or using a VPN connection. The BlackBerry MDS Connection Service is also responsible for providing enterprise push functionality. |
| BlackBerry Router | The BlackBerry Router is an optional component that can be deployed in a DMZ if required. The BlackBerry Router connects to the BlackBerry Infrastructure, which sends data to BlackBerry devices over mobile networks or the Internet. |
| BlackBerry Web Desktop Manager | The BlackBerry Web Desktop Manager is a web application that permits users to activate and manage devices. |
| Enterprise Management Web Service | The Enterprise Management Web Service is a set of web services that communicates commands, configuration information, IT policies, VPN profiles, Wi-Fi profiles, SCEP profiles, and email profiles between the BlackBerry Device Service console and the Enterprise Management Agent on BlackBerry devices. |

Components used to manage iOS devices and Android devices

| Component | Description |
| --- | --- |
| APNs | The APNs is a service for iOS devices that Apple provides. BlackBerry Enterprise Service 10 uses APNs to inform the iOS devices to contact BlackBerry Enterprise Service 10 for configuration updates and to provide information for your organization's device inventory. |
| BES10 Client | The BES10 Client is installed on iOS devices and Android devices. The BES10 Client communicates with BlackBerry Enterprise Service 10. The BES10 Client can be obtained from the App Store for iOS devices or Google Play for Android devices. |
| BlackBerry Licensing Service | The BlackBerry Licensing Service, installed with the BlackBerry Enterprise Service 10 management consoles, communicates with the licensing infrastructure within the BlackBerry Infrastructure to validate licenses and enforce license compliance. |
| BlackBerry Management Studio | BlackBerry Management Studio is the main console where you can perform common management tasks for users and devices, view report information, and manage licenses. You can also access the other management consoles from BlackBerry Management Studio for advanced administration tasks. |
| BlackBerry Secure Connect Service | The BlackBerry Secure Connect Service is a service responsible for providing a single access port for activation and management traffic of iOS devices and Android devices. |
| BlackBerry Work Connect Notification Service | The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed mail and organizer notifications to the Work Connect app within the work space on iOS devices. |
| Communication Module | The Communication Module is a gateway between iOS devices and Android devices and BlackBerry Enterprise Service 10. It is responsible for the conversion of the proprietary protocols supported on the devices to and from the device-agnostic format used by the Core Module. |
| Core Module | The Core Module is a device-agnostic module that manages all the configuration data used to manage iOS devices and Android devices and stores it in the Management Database. The Core Module is the only component that accesses the Management Database. The Core Module is responsible for communicating with Microsoft Active Directory, the APNs, the messaging server, the database server, and the SCEP server. |
| Scheduler | The Scheduler is responsible for initiating scheduled device management tasks, such as making available new or updated IT policy profiles, new applications, new or updated Wi-Fi or VPN profiles to iOS devices and Android devices, or retrieving device information. |
| TCP proxy | The TCP proxy is an optional, third-party software component that can be deployed in a DMZ if required. A TCP proxy connects to the BlackBerry Infrastructure, which sends data to mobile networks or the Internet. |
| Universal Device Service console | You can use the Universal Device Service console, also known as the Administration Console, to manage user accounts, IT policies, profiles, and apps for iOS devices and Android devices. |

Discussion: Ports used by the BlackBerry Enterprise Service 10 components

Consider the following questions:
- Why is it important to make sure that all of the ports for the BlackBerry Enterprise Service 10 are open and not in use by other applications?
- When you consider your environment, do you think you might have to change default ports to accommodate software that you already have installed?
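A pre-installation check for the two questions above, as an added example that is not part of the original manual: it tries to bind each default listener port given in this chapter's port tables and reports the ones another application already holds, and it can test outbound reachability for targets you supply. The function names, the `host:port` argument format, and the treatment of TCP 3201 as a local listener are assumptions of this example.

```python
"""Pre-installation port check for a BES10 host (added example)."""
import socket
import sys

# Default inbound ports from this chapter's port tables.
# Mapping: port -> (component, connection type).
BES10_DEFAULT_LISTENERS = {
    7443: ("BlackBerry Management Studio", "HTTPS"),
    38443: ("BlackBerry Device Service console", "HTTPS"),
    38180: ("BlackBerry Device Service console", "HTTP"),
    38084: ("Enterprise Management Web Service", "HTTP"),
    38444: ("Enterprise Management Web Service", "HTTPS"),
    9080: ("BlackBerry MDS Connection Service", "HTTP"),
    9443: ("BlackBerry MDS Connection Service", "HTTPS"),
    # Assumption: checked as a local listener for the link between the
    # BlackBerry MDS Connection Service and the BlackBerry Dispatcher.
    3201: ("BlackBerry MDS Connection Service / BlackBerry Dispatcher", "TCP"),
}


def port_is_free(port, host="0.0.0.0"):
    """Return True if a TCP listener could bind host:port right now."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # On Windows, ask for exclusive use so that an existing listener
        # opened with SO_REUSEADDR cannot make a busy port look free.
        if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        sock.bind((host, port))
        return True
    except OSError:
        # Address in use, reserved by the OS, or not permitted.
        return False
    finally:
        sock.close()


def find_conflicts(listeners=None, host="0.0.0.0"):
    """Return [(port, component, type)] for ports that cannot be bound."""
    if listeners is None:
        listeners = BES10_DEFAULT_LISTENERS
    return [
        (port, component, conn_type)
        for port, (component, conn_type) in sorted(listeners.items())
        if not port_is_free(port, host)
    ]


def can_connect(host, port, timeout=3.0):
    """Return True if an outbound TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    conflicts = find_conflicts()
    for port, component, conn_type in conflicts:
        print(f"IN USE   {port:>5} ({conn_type}) needed by {component}")
    total = len(BES10_DEFAULT_LISTENERS)
    print(f"{total - len(conflicts)} of {total} default listener ports are free")

    # Optional outbound checks. Targets are supplied by the operator as
    # host:port, for example the database server on 1433 or a test
    # endpoint behind the firewall rule for 443 or 3101.
    unreachable = 0
    for target in argv:
        host, _, port = target.rpartition(":")
        ok = can_connect(host, int(port))
        unreachable += 0 if ok else 1
        print(f"{'OPEN  ' if ok else 'CLOSED'}   {target}")
    return 1 if conflicts or unreachable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it before installation; on a host where BlackBerry Enterprise Service 10 is already running, its own services hold these ports and they are reported as in use.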

Key components of BlackBerry Enterprise Service 10

BlackBerry Enterprise Service 10 version 10.1.1 architecture BlackBerry Management Studio The BlackBerry Management Studio is a web application that you can use to do the following: Administer licenses for the BlackBerry Enterprise Service 10 domain Administer BlackBerry 10 devices, BlackBerry 7.1 or earlier devices, and BlackBerry PlayBook tablets in your organization Administer ios devices and Android devices in your organization Allow users to activate devices Assign user accounts to groups based on common criteria, such as user location, organizational group, or device model, and manage the user accounts Assign IT policies to user accounts and groups to customize and control what actions users can perform on their devices View various reports related to the BlackBerry Enterprise Service 10 domain Access the BlackBerry Device Service console and the Universal Device Service console to perform advanced administration tasks The following are the key ports that the BlackBerry Management Studio uses. BlackBerry Management Studio Connection type Default port number Where to configure Inbound and outbound connection between browsers and the BlackBerry Management Studio HTTPS 7443 BES10 Configuration Tool BlackBerry Infrastructure The BlackBerry Infrastructure validates SRP and licensing information for BlackBerry Enterprise Service 10. In addition, the BlackBerry Infrastructure provides a secure connection between your organization and BlackBerry devices, work space enabled Android devices, and work space enabled ios devices. The BlackBerry Infrastructure also provides a secure communication channel for activation and management traffic for all devices. The following are the key ports that the BlackBerry Infrastructure uses. 
BlackBerry Infrastructure Connection type Default port number Where to configure Registration of activation information and request a signed CSR from Research In Motion when you configure the APNs certificate BlackBerry Enterprise Service 10 outbound initiated, bi-directional TCP traffic HTTPS 443 TCP 3101 BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry 20 2013 Research In Motion Limited. All Rights Reserved. 726-08745-123

BlackBerry Enterprise Service 10 version 10.1.1 architecture BlackBerry Infrastructure Connection type Default port number Where to configure Device Service console (for the BlackBerry Dispatcher) For more information about the range of IP addresses for the BlackBerry Infrastructure, visit www.blackberry.com/go/kbhelp to read article KB03735. Key components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets BlackBerry Device Service console The BlackBerry Device Service console, also known as the BlackBerry Administration Service, is used to manage BlackBerry devices and configure BlackBerry Enterprise Service 10 components. You can manage user accounts and assign groups, administrative roles, software configurations, email profiles, and IT policies to user accounts. The BlackBerry Device Service console connects to the BlackBerry Configuration Database and to Microsoft Active Directory. User information updated in Microsoft Active Directory can be synchronized manually with the BlackBerry Device Service console. For example, if a user changes their name, you can immediately update their name in both Microsoft Active Directory and the BlackBerry Device Service console. The following are the key ports that the BlackBerry Device Service console uses. 
| BlackBerry Device Service console | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Outbound connections to the BlackBerry Infrastructure to register activation information for BlackBerry devices | HTTPS | 443 | |
| Inbound and outbound connections to the BlackBerry Configuration Database | TCP | 1433 (for static port) | BES10 Configuration Tool |
| Inbound and outbound connection between browsers and the BlackBerry Device Service console | HTTPS / HTTP | 38443 / 38180 | BES10 Configuration Tool |

Enterprise Management Web Service

The Enterprise Management Web Service is a set of web services that communicates commands, configuration information, IT policies, VPN profiles, Wi-Fi profiles, SCP profiles, and email profiles between the BlackBerry Administration Service and the Enterprise Management Agent on BlackBerry devices.

The following are the key ports that the Enterprise Management Web Service uses.

| Enterprise Management Web Service | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Configuration Database | TCP | 1433 (for static port) | BES10 Configuration Tool |
| Inbound connections from BlackBerry devices for activation (used if you are not activating devices through the BlackBerry Infrastructure) | HTTP / HTTPS | 38084 / 38444 | BlackBerry Device Service console |

BlackBerry MDS Connection Service

The BlackBerry MDS Connection Service provides a secure connection between the Enterprise Management Agent on BlackBerry devices and the Enterprise Management Web Service in BlackBerry Enterprise Service 10. The connection is used when the device is not connected to your organization's Wi-Fi network or VPN. The BlackBerry MDS Connection Service is also responsible for providing enterprise push functionality.

The following are the key ports that the BlackBerry MDS Connection Service uses.

| BlackBerry MDS Connection Service | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Configuration Database | TCP | 1433 (for static port) | BES10 Configuration Tool |
| Inbound and outbound connection to the BlackBerry Dispatcher | TCP | 3201 | |
| Inbound connection from server-side push applications to BlackBerry MDS Connection Service using web servers (used if you do not set up a proxy server) | HTTP / HTTPS | 9080 / 9443 | BlackBerry Device Service console |

BlackBerry Dispatcher

The BlackBerry Dispatcher maintains an SRP connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher also routes traffic between BlackBerry devices and the BlackBerry MDS Connection Service when users are not connected to a work Wi-Fi access point or using a VPN connection.

The following are the key ports that the BlackBerry Dispatcher uses.
| BlackBerry Dispatcher | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Configuration Database | TCP | 1433 (for static port) | BES10 Configuration Tool |
| Inbound and outbound connection to the BlackBerry Router or the BlackBerry Infrastructure | TCP | 3101 | BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry Device Service console (for the BlackBerry Dispatcher) |
| Inbound and outbound connections from the BlackBerry MDS Connection Service | TCP | 3201 | |

BlackBerry Router

The BlackBerry Router connects to the BlackBerry Infrastructure, which sends data to BlackBerry devices over mobile networks or the Internet.

If BlackBerry Enterprise Service 10 is installed on a computer that hosts BlackBerry Enterprise Server 5.0 SP4, the BlackBerry Router associated with it is only used by the BlackBerry Enterprise Server. If you install the BlackBerry Router in the DMZ, you can configure the BlackBerry Router to work with BlackBerry Enterprise Service 10 and the BlackBerry Enterprise Server.

The following are the key ports that the BlackBerry Router uses.

| BlackBerry Router | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Dispatcher and the BlackBerry Infrastructure | TCP | 3101 | BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry Device Service console (for the BlackBerry Dispatcher) |

BlackBerry Configuration Database

The BlackBerry Configuration Database is a relational database that contains user account information and configuration information that are used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets.

Note: The Management Database and the BlackBerry Configuration Database must be installed on the same database server. If they are not, issues can arise with functionality, including issues with single sign-on functionality and the reporting services.

The following are the key ports that the BlackBerry Configuration Database uses.

| BlackBerry Configuration Database | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Administration Service, BlackBerry Dispatcher, BlackBerry MDS Connection Service, and Enterprise Management Web Service | TCP | 1433 (for static port) | BES10 Configuration Tool |

Key components used to manage iOS devices and Android devices

Universal Device Service console

The Universal Device Service console, also known as the Administration Console, provides a web-based interface that you can use to manage user accounts, IT policies, profiles, apps, and iOS devices and Android devices.

The following are the key ports that the Universal Device Service console uses.

| Universal Device Service console | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Outbound connection from the Administration Console to the BlackBerry Infrastructure to request a signed CSR from Research In Motion when you configure the APNs certificate | HTTPS | 443 | |
| Outbound connections to the Management Database | TCP | 1433 (for static port) | BES10 Configuration Tool |
| Inbound and outbound connection between browsers and the Universal Device Service console | HTTPS / HTTP | 6443 / 9440 | |

Core Module

The Core Module is a device-agnostic module that is installed behind the organization's firewall. The Core Module performs the following functions:

- Manages all the configuration data used to manage iOS devices and Android devices (for example, user configuration, group configuration, device configuration, policy enforcement checks, and so on) and stores it in the Management Database. The Core Module is the only component that accesses the Management Database.

The Core Module connects to the following external components:

- Microsoft Active Directory, using LDAP, to retrieve user account information that BlackBerry Enterprise Service 10 needs to search for and create user accounts.
- APNs to inform iOS devices to contact the Communication Module when the configuration assigned to the device is updated (for example, a new or updated IT policy or VPN profile is applied to it).
- Messaging server, using SMTP, to send activation emails and policy enforcement breach emails.
- Database server, using ADO.NET, to make database connections and execute queries or commands.
- SCEP server, using HTTP, to obtain a challenge code the device can use for certificate enrollment.

The following are the key ports that the Core Module uses.

| Core Module | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Outbound connections from the Core Module to the Apple Root Certification Authority to check the certificate revocation list (used if you do not set up an APNs proxy server) | HTTP / HTTPS | 80 / 443 | |
| Outbound connection to the BlackBerry Secure Connect Service to send APNs notifications | HTTP | 2195 | |
| Inbound and outbound connections to the Communication Module, Scheduler, and BlackBerry Web Services | HTTPS | 9081 | |
| Inbound and outbound connections to the BlackBerry Secure Connect Service | HTTPS | 38081 | |

Communication Module

The Communication Module is a gateway between iOS devices and Android devices and BlackBerry Enterprise Service 10. It is responsible for conversion of the proprietary protocols supported on the devices to and from the device-agnostic format used by the Core Module. The Communication Module should be accessible from any internal Wi-Fi networks used by iOS devices and Android devices.

The following are the key ports that the Communication Module uses.

| Communication Module | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the Core Module | HTTPS | 9081 | |
| Inbound and outbound connections to the BlackBerry Secure Connect Service | HTTPS | 33443 | |

BlackBerry Secure Connect Service

The BlackBerry Secure Connect Service is a web service responsible for providing connectivity to iOS devices and Android devices from behind the firewall. The BlackBerry Secure Connect Service eliminates the need for your organization to open multiple inbound ports for BlackBerry Enterprise Service 10 and enables all of the iOS device and Android device activation and management communications to be channeled through a single access port.

There is a single BlackBerry Secure Connect Service instance controlling all management traffic for iOS devices and Android devices. Similar to the Core Module and Scheduler, which can only have one instance in control at a time, the first BlackBerry Secure Connect Service installed subscribes to the BlackBerry Infrastructure to provide connectivity for device management traffic.

The following are the key ports that the BlackBerry Secure Connect Service uses.

| BlackBerry Secure Connect Service | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| BlackBerry Infrastructure | TCP | 3101 | |
| Inbound and outbound connections to the Communication Module | HTTPS | 33443 | |
| Inbound and outbound connections to the Core Module | HTTPS | 38081 | |

APNs

The APNs is a service for iOS devices provided by Apple that BlackBerry Enterprise Service 10 uses to inform iOS devices to contact the Communication Module for configuration updates (such as Wi-Fi profile, VPN profile, or Microsoft ActiveSync profile updates) and to provide information for your organization's device inventory.

The following are the key ports that the APNs uses.

| APNs | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Outbound connections from iOS devices that use a work Wi-Fi network to APNs | TCP | 5223 | |
| Outbound connections to the Core Module | HTTPS | 9081 | |

Management Database

The Management Database is a relational database that contains user account information and configuration information (such as connection details) that BlackBerry Enterprise Service 10 components use to manage iOS devices and Android devices.

Note: The Management Database and the BlackBerry Configuration Database must be installed on the same database server. If they are not, issues can arise with functionality, including issues with single sign-on functionality and the reporting services.

The following are the key ports that the Management Database uses.
| Management Database | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the Universal Device Service console | TCP | 1433 (for static port) | BES10 Configuration Tool |

BlackBerry Work Connect Notification Service

The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed email and organizer notifications to iOS devices that are using Secure Work Space.

iOS devices are restricted from running applications in the background, with specific exceptions such as the default messaging application. This means Secure Work Space applications cannot receive new data such as email message notifications unless the application is open or unless the notification comes from the APNs.

The BlackBerry Work Connect Notification Service receives notifications of new data from third-party applications such as messaging servers, web servers, or other content servers, and sends a notification through the BlackBerry Infrastructure to the APNs. The APNs can then notify the Work Connect application on the device of the new data.

The following are the key ports that the BlackBerry Work Connect Notification Service uses.

| BlackBerry Work Connect Notification Service | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Outbound connections to the BlackBerry Infrastructure | HTTPS | 443 | |
| Inbound and outbound connections to the BlackBerry Secure Connect Service | HTTPS | 2195 | |
| Inbound connections from Microsoft Exchange Web Services for email notifications | HTTP | 8088 | During installation only |

TCP proxy

The TCP proxy is an optional, customer-provided component that is used to meet installation-specific networking requirements. The TCP proxy acts as an intermediary for requests that allows the BlackBerry Secure Connect Service to route TCP traffic from port 3101 to the BlackBerry Infrastructure, providing connectivity to iOS devices and Android devices. The proxy must be a transparent TCP proxy that is configured so that it will allow the BlackBerry Secure Connect Service to connect with the BlackBerry Infrastructure.
The following are the key ports that the TCP proxy uses.

| TCP proxy | Connection type | Default port number | Where to configure |
| --- | --- | --- | --- |
| Inbound and outbound connections to the BlackBerry Infrastructure | TCP | 3101 | |

Additional key ports to consider

| Additional key ports used by BlackBerry Enterprise Service 10 | Connection type | Default port number |
| --- | --- | --- |
| Ports required to use BlackBerry World apps in the work space | HTTP | 80 |

Installing BlackBerry Enterprise Service 10

BlackBerry Enterprise Service 10 allows you to make choices about how you install the BlackBerry Enterprise Service 10 components in your environment. When installing BlackBerry Enterprise Service 10, you can choose the following options in the setup application:

- BlackBerry Enterprise Service 10 consoles
- BlackBerry Router
- BlackBerry Enterprise Service 10 databases
  Note: Installing the BlackBerry Enterprise Service 10 databases on separate computers may cause unexpected issues. The BlackBerry Enterprise Service 10 databases are installed on the same computer by default.
- Standby BlackBerry Enterprise Service 10 core components

There are benefits and limitations to each type of deployment.

Installing BlackBerry Enterprise Service 10 on a single computer

You can install BlackBerry Enterprise Service 10 version 10.1.1 on a single computer, or on a computer that hosts BlackBerry Enterprise Server 5.0 SP4. This reduces the amount of hardware required. However, in larger environments, you can choose to install components on separate computers to balance the work load.

There are both benefits and limitations to this type of deployment.

Benefits

- Simplified installation with minimal user intervention
- Quick installation or upgrade
- Reduced hardware, software, and maintenance costs

Limitations

- May cause performance issues when deploying a large number of devices
- If you want to deploy a BlackBerry Router or a Proxy server, you will require an additional computer. If your organization requires the additional security of deploying the BlackBerry Router or Proxy server in a DMZ, you will also need an internal firewall.

Installing BlackBerry Enterprise Service 10 on multiple computers

If your organization exceeds the maximum number of users that a single computer installation can support, you can deploy BlackBerry Enterprise Service 10 on multiple computers. To do this, you require:

- One, or more, computers to host the management consoles
- One, or more, computers to host the core components
- Optionally, you can install the BlackBerry Enterprise Service 10 databases on a separate computer as well

There are both benefits and limitations to this type of installation.

Benefits

- Improves BlackBerry Enterprise Service 10 performance
- Balances the workload across the computers that host the BlackBerry Enterprise Service 10 components

Limitations

- Requires additional hardware
- Is susceptible to network latency issues
- Requires more administrator involvement to complete the configuration of the BlackBerry Enterprise Service 10 domain

All user interfaces are installed on every management console computer. All core services are installed on every core components computer.

Installing BlackBerry Enterprise Service 10 for high availability

High availability uses redundant hardware and software to maintain functionality when elements of a system stop responding. High availability helps you to minimize downtime by providing redundant BlackBerry Enterprise Service 10 components with an integrated health management system. Incorporating high availability into the BlackBerry Enterprise Service 10 is the fastest way for you to restore BlackBerry Enterprise Service 10 functionality in the event of a critical component failure.

High availability of the BlackBerry Enterprise Service 10 consists of, at a minimum, two BlackBerry Enterprise Service 10 instances and the BlackBerry Enterprise Service 10 databases mirrored across two database servers.

The primary BlackBerry Enterprise Service 10 connects to the principal BlackBerry Enterprise Service 10 databases and accesses data from them. The name of the mirror BlackBerry Enterprise Service 10 databases is stored in the Windows registry of the computers that host the primary and standby BlackBerry Enterprise Service 10 instances. BlackBerry Enterprise Service 10 instances do not connect to the mirror BlackBerry Enterprise Service 10 databases until after the principal BlackBerry Enterprise Service 10 databases stop responding. The standby BlackBerry Enterprise Service 10 opens standby connections to the principal BlackBerry Enterprise Service 10 databases.

There are both benefits and limitations to this type of deployment.

Benefits

- Ensures connectivity between the devices and the organization's network at all times without administrator or user intervention

Limitations

- Requires additional hardware

Primary and standby components

The computer hosting the primary BlackBerry Enterprise Service 10 contains the following components:

- BlackBerry Controller
- BlackBerry Dispatcher
- BlackBerry MDS Connection Service
- BlackBerry Secure Connect Service
- BlackBerry Work Connect Notification Service
- Communication Module
- Core Module
- Enterprise Management Web Service
- Scheduler

The primary computer may also host the management consoles and the BlackBerry Licensing Service, or they may be installed on a separate computer. The following components are installed:

- BlackBerry Management Studio
- BlackBerry Licensing Service
- BlackBerry Device Service console
- Universal Device Service console
- BlackBerry Web Desktop Manager (optional component)

While the standby computer may also host the management consoles as well as the BlackBerry Licensing Service, they do not fail over.

When a failover is triggered (by a change in the health metrics or a manual failover performed by you), the core components on the primary instance fail over to the core components on the standby instance.

Troubleshooting tips in a distributed environment

When troubleshooting issues in a multiple-instance BlackBerry Enterprise Service 10 domain, identify how many devices are affected and whether the affected devices are on the same instances. If you determine the issue seems to affect multiple users on one instance but not another, consider the following tips:

- If the issue is affecting only one instance of a component, but not another instance, check that the respective service is running.
- If the issue affects only communication through the BlackBerry Infrastructure, check that the BlackBerry Dispatcher, the BlackBerry MDS Connection Service, or the BlackBerry Secure Connect Service for that instance are running, that all ports are correctly configured, and that there are no port conflicts.
- If the issue is affecting only work Wi-Fi or VPN communication between BlackBerry devices and BlackBerry Enterprise Service 10, then check that the Enterprise Management Web Service is running.
- Consider moving users to a BlackBerry Enterprise Service 10 instance that is working properly while you work to identify and resolve the cause of the issue.

High availability

The high availability model for the BlackBerry Administration Service in BlackBerry Enterprise Server 5.0 SPx remains the same in BlackBerry Enterprise Service 10.

If a fail over occurs for the Core Module, the console will not function until either a fail back to the original Core Module occurs, or the console is configured for the new Core Module.
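An added example, not part of the manual: one way to carry out the "ports are correctly configured and there are no port conflicts" check from the troubleshooting tips, applied here to the listening ports that this chapter's tables describe as inbound from browsers, devices, or push applications. It assumes you have the host's Windows `netstat -ano` output and the ports currently set for each component; the changed port, addresses, and PIDs in the sample are constructed.

```python
import copy
import re
from collections import defaultdict

# Default inbound ports from the port tables in this chapter. Only connections
# the tables describe as inbound from browsers, devices or push applications
# are listed, because for those the BES10 host is clearly the listener.
DEFAULT_PORTS = {
    "BlackBerry Management Studio": {"HTTPS": 7443},
    "BlackBerry Device Service console": {"HTTPS": 38443, "HTTP": 38180},
    "Enterprise Management Web Service": {"HTTP": 38084, "HTTPS": 38444},
    "BlackBerry MDS Connection Service": {"HTTP": 9080, "HTTPS": 9443},
    "Universal Device Service console": {"HTTPS": 6443, "HTTP": 9440},
}

# One LISTENING row of Windows `netstat -ano`:
# protocol, local address:port, foreign address, state, owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def configured_conflicts(configured):
    """Return {port: [claimants]} for ports assigned to more than one listener."""
    claims = defaultdict(list)
    for component, ports in configured.items():
        for proto, port in ports.items():
            claims[port].append(f"{component} ({proto})")
    return {port: sorted(owners) for port, owners in claims.items() if len(owners) > 1}


def listening_ports(netstat_text):
    """Return {port: {pid, ...}} for every TCP socket in the LISTENING state."""
    listeners = defaultdict(set)
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners[int(match.group(1))].add(int(match.group(2)))
    return dict(listeners)


def audit(configured, netstat_text):
    """Compare the configured listeners with what the host is actually doing."""
    listeners = listening_ports(netstat_text)
    not_listening = sorted(
        (port, f"{component} ({proto})")
        for component, ports in configured.items()
        for proto, port in ports.items()
        if port not in listeners
    )
    # The same port bound by different processes (for example one on IPv4 and
    # one on IPv6) means two services are competing for it.
    multiple_pids = {p: sorted(pids) for p, pids in listeners.items() if len(pids) > 1}
    return {
        "conflicts": configured_conflicts(configured),
        "not_listening": not_listening,
        "multiple_pids": multiple_pids,
    }


# Constructed scenario: an administrator moved BlackBerry Management Studio to
# 6443, which the Universal Device Service console already uses.
SAMPLE_CONFIG = copy.deepcopy(DEFAULT_PORTS)
SAMPLE_CONFIG["BlackBerry Management Studio"]["HTTPS"] = 6443

# Constructed `netstat -ano` excerpt (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:6443           0.0.0.0:0              LISTENING       2788
  TCP    [::]:6443              [::]:0                 LISTENING       2788
  TCP    0.0.0.0:38443          0.0.0.0:0              LISTENING       3320
  TCP    0.0.0.0:38180          0.0.0.0:0              LISTENING       3320
  TCP    0.0.0.0:38444          0.0.0.0:0              LISTENING       4012
  TCP    0.0.0.0:9080           0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:9443           0.0.0.0:0              LISTENING       5120
  TCP    [::]:9443              [::]:0                 LISTENING       6001
  TCP    10.0.0.5:49213         10.0.0.9:1433          ESTABLISHED     4012
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_CONFIG, SAMPLE_NETSTAT))
```

A port reported under `not_listening` points at a stopped service or a port that was changed without updating the configuration; an entry under `conflicts` or `multiple_pids` should be resolved before moving users back to the instance.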

Discussion: Deploying BlackBerry Enterprise Service 10 in your environment

There are a lot of considerations when you deploy a new installation of BlackBerry Enterprise Service 10. These considerations become especially complex if you decide to configure BlackBerry Enterprise Service 10 for high availability as well.

Looking at your environment, consider the following questions:

- Would you deploy BlackBerry Enterprise Service 10 on a single computer or on multiple computers? Why?
- If you deployed BlackBerry Enterprise Service 10 on the same computer as a supported BlackBerry Enterprise Server installation, what things would you need to keep in mind?
- Would you deploy BlackBerry Enterprise Service 10 with high availability? Why or why not?
- When BlackBerry Enterprise Service 10 configured for high availability fails over, the management consoles do not. How will you manage your environment if this happens?

Review: BlackBerry Enterprise Service 10 version 10.1.1 architecture

1. By default, the browser connection for the BlackBerry Administration Service uses port ________ for HTTPS connections and port ________ for HTTP connections.
2. The ________ contains user information and the configuration information that the components used for managing BlackBerry 10 devices and BlackBerry PlayBook tablets use, such as connection details.
3. In a standard installation of the BlackBerry Enterprise Service 10, what port do you need open for the BlackBerry Dispatcher and the BlackBerry MDS Connection Service to communicate with each other?
4. What components of a BlackBerry Enterprise Service 10 installation are used to manage iOS devices and Android devices?
5. What type of connection is required for a BlackBerry 10 device or a BlackBerry PlayBook tablet to connect directly to the Enterprise Management Web Service?
6. The ________ is a hosted web service responsible for providing connectivity to iOS devices and Android devices from behind the firewall.

7. The ________ is a service for iOS devices provided by Apple that BlackBerry Enterprise Service 10 uses to inform the iOS devices to contact the Communication Module for configuration updates.

Troubleshooting tools for BlackBerry Enterprise Service 10

Objectives

By the end of this module, you should be able to:

- Identify the troubleshooting tools available to you
- Identify the different types of log files available for BlackBerry Enterprise Service 10
- Change log file settings
- Access the resources available for support

BES10 Configuration Tool

The BES10 Configuration Tool displays data, such as database settings, that the BlackBerry Enterprise Service 10 setup application detected during the installation process.

The BES10 Configuration Tool is found on the computer that BlackBerry Enterprise Service 10 is installed on. You can access the tool at Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.

Discussion: Troubleshooting with the BES10 Configuration Tool

What do you think you could use the BES10 Configuration Tool for when you troubleshoot issues?

BES10 Configuration Tool

| Tab | Description |
| --- | --- |
| Administration Service - Cacerts Keystore | Change the Cacerts Keystore password. The Cacerts Keystore is a file used to store the root certificates of signing authorities. |
| BlackBerry Administration Service Pool | View the pool name; View the port name and settings for the specified pool; Synchronize local property files and registry entries with the BlackBerry Configuration Database |
| BlackBerry MDS | Generate a certificate for the BlackBerry MDS Connection Service; Specify information for your organization; View the storage location for the keystore file; Create a new password for the keystore file that stores the keystore certificate; View the keystore generation information, which includes the user name, organization name, and country or region information |
| BlackBerry Management Studio | Add or remove a Service from BlackBerry Management Studio |
| Communication Module | Specify the location and password for the SSL certificate that was obtained from a certification authority |
| Communication Password | Change the current communication password |
| Configuration Settings | Change the listening port for BlackBerry Management Studio; Regenerate a self-signed certificate |
| Console Address | View the console address for BlackBerry Management Studio |
| Core Module Password | Change the password for the Core Module |
| Database Connectivity | Test connectivity to the available databases; View the database server information such as Microsoft SQL Server name, the database name, and the port configuration; View the database server authentication information, such as Windows or Microsoft SQL Server authentication and the Microsoft SQL Server username (if applicable) |
| Directory Support | Create users in BlackBerry Management Studio; Configure company directory support or configure local user support options |
| Enterprise Management Web Service | View the Enterprise Management Web Service URL and port; View the Enterprise Management Web Service activation URL and port |
| MDM Domains | Add an MDM domain; Add the pool name for high availability |
| Microsoft Active Directory Settings | View the username and domain name for Microsoft Active Directory; Change the username and password for Microsoft Active Directory |
| Port Settings | Enter or change port connection information for BlackBerry Management Studio |
| Search Settings | Search settings for BlackBerry Management Studio; Set the maximum number of user accounts displayed when you perform a search; Set the quick login feature, which determines whether a list of user accounts is displayed when you log in |
| Web Keystore | Change the web keystore password for the BlackBerry Administration Service |

Discussion: Why use log files for troubleshooting?

The value of log files when troubleshooting issues is immense, but only if you understand what you're looking at and how the log files work.

When you look at the following log file:

- What information can you gather from the following log file?
- Does any particular item stand out to you?

[INFO ] (09/20 19:29:10:841):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:Start processing: GET /62d7722a-67da-4da8-8d5f-c3752ef181bd/config
[INFO ] (09/20 19:29:10:903):{http-8444-exec-3} MWSHandler:{2A2DF6C7.CN CA. 18}:Complete processing: Status=200
[WARN ] (09/20 19:29:10:935):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:parseAcp: ACP blob modulecount is 0
[INFO ] (09/20 19:29:11:091):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:Complete processing: Status=200
[DEBUG] (09/20 19:29:12:217):{http-8444-exec-4} SynchronousDispatcher:PathInfo: /8bf05dfa-d928-431a-9e97-49330bc4de5d/config
[DEBUG] (09/20 19:29:12:217):{http-8444-exec-4} MWSHandler:attempting lookup based on perimeter id 8bf05dfa-d928-431a-9e97-49330bc4de5d
[INFO ] (09/20 19:29:12:248):{http-8444-exec-4} MWSHandler:{2A2DF6C7.CN CA. 18}:Start processing: GET /8bf05dfa-d928-431a-9e97-49330bc4de5d/config
[WARN ] (09/20 19:29:12:342):{http-8444-exec-4} MWSHandler:{2A2DF6C7.CN CA. 18}:parseAcp: ACP blob modulecount is 0
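An added example, not part of the manual: one way to work through the discussion questions is to parse the excerpt and pair each "Start processing" entry with its "Complete processing" entry per worker thread. The field names, the treatment of the braced value after the component name as an opaque request context, and the year (the log lines carry none) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the excerpt:
# [LEVEL] (MM/DD HH:MM:SS:mmm):{thread} Component:{context}:message
# The {context} part is optional (the DEBUG entries have none).
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\s*\] "
    r"\((?P<ts>\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\):"
    r"\{(?P<thread>[^}]+)\} "
    r"(?P<component>\w+):"
    r"(?:\{(?P<ctx>[^}]+)\}:)?"
    r"(?P<msg>.*)$"
)


def parse_line(line, year=2013):
    """Parse one entry into a dict, or return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    # The log omits the year; it is supplied by the caller (assumption).
    rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d %H:%M:%S:%f")
    return rec


def correlate(text, year=2013):
    """Pair Start/Complete entries per (thread, context) and attach warnings."""
    open_reqs = {}
    report = {"completed": [], "orphan_completions": [], "unfinished": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line, year)
        if rec is None:
            report["unparsed"].append(line)
            continue
        if rec["ctx"] is None:
            continue  # entries without a context cannot be tied to a request
        key = (rec["thread"], rec["ctx"])
        msg = rec["msg"]
        if msg.startswith("Start processing:"):
            if key in open_reqs:  # previous request on this key never completed
                report["unfinished"].append(open_reqs[key])
            open_reqs[key] = {
                "thread": rec["thread"], "ctx": rec["ctx"],
                "request": msg.split(":", 1)[1].strip(),
                "start": rec["time"], "warnings": [],
            }
        elif msg.startswith("Complete processing:"):
            status = msg.split("Status=", 1)[-1].strip()
            req = open_reqs.pop(key, None)
            if req is None:
                # Completion whose Start lies before the captured window.
                report["orphan_completions"].append(
                    {"thread": rec["thread"], "ctx": rec["ctx"], "status": status})
            else:
                req["status"] = status
                req["duration_ms"] = (rec["time"] - req["start"]) // timedelta(milliseconds=1)
                report["completed"].append(req)
        elif rec["level"] in ("WARN", "ERROR") and key in open_reqs:
            open_reqs[key]["warnings"].append(msg)
    report["unfinished"].extend(open_reqs.values())
    return report


# The eight entries from the excerpt above.
SAMPLE_LOG = """\
[INFO ] (09/20 19:29:10:841):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:Start processing: GET /62d7722a-67da-4da8-8d5f-c3752ef181bd/config
[INFO ] (09/20 19:29:10:903):{http-8444-exec-3} MWSHandler:{2A2DF6C7.CN CA. 18}:Complete processing: Status=200
[WARN ] (09/20 19:29:10:935):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:parseAcp: ACP blob modulecount is 0
[INFO ] (09/20 19:29:11:091):{http-8444-exec-5} MWSHandler:{500E1C4E.CN CA. 17}:Complete processing: Status=200
[DEBUG] (09/20 19:29:12:217):{http-8444-exec-4} SynchronousDispatcher:PathInfo: /8bf05dfa-d928-431a-9e97-49330bc4de5d/config
[DEBUG] (09/20 19:29:12:217):{http-8444-exec-4} MWSHandler:attempting lookup based on perimeter id 8bf05dfa-d928-431a-9e97-49330bc4de5d
[INFO ] (09/20 19:29:12:248):{http-8444-exec-4} MWSHandler:{2A2DF6C7.CN CA. 18}:Start processing: GET /8bf05dfa-d928-431a-9e97-49330bc4de5d/config
[WARN ] (09/20 19:29:12:342):{http-8444-exec-4} MWSHandler:{2A2DF6C7.CN CA. 18}:parseAcp: ACP blob modulecount is 0
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(correlate(SAMPLE_LOG))
```

On the excerpt this yields one completed request with a warning attached, one completion whose start was logged before the excerpt begins, and one request still open when the excerpt ends, which is why pairing by thread and context matters when entries from several worker threads interleave.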

Log Files

Log files are used to record the activity of BlackBerry Enterprise Service 10 components and troubleshoot issues with those components. BlackBerry Enterprise Service 10 creates a log file for each component and saves the log files on the computer that hosts BlackBerry Enterprise Service 10. By default, the log files are saved in C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\. If you've installed BlackBerry Enterprise Service 10 on multiple computers, then each computer makes its own log files for its components.

Each BlackBerry Enterprise Service 10 instance saves the log files in folders that it creates daily and organizes by date.

Component identifiers for BlackBerry Enterprise Service 10 log files

You can identify the different BlackBerry Enterprise Service 10 log files by their component identifiers. The component identifier appears after the server name at the beginning of the log file name.

| Component identifier | Logging component | Description |
| --- | --- | --- |
| BBMFS | BlackBerry Management Studio | A text file that lists the activity for BlackBerry Management Studio, including a list of who accesses the console and from where |

Log files for components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets

| Component identifier | Logging component | Description |
| --- | --- | --- |
| BBAS-AS | BlackBerry Administration Service Application Server | A text file that lists information on SQL queries, Java exceptions, and events related to the BlackBerry Administration Service Application Service |
| BBAS-NCC | BlackBerry Administration Service Native Code Container | A text file that lists failures when accessing native components and data sources (BlackBerry Configuration Database, authentication, and so on) |
| BWS | BlackBerry Web Services | A text file that lists activity information for BlackBerry Web Services |
| CTRL | BlackBerry Controller | A text file that lists information on the health of the various BlackBerry Device Service components that it is monitoring |
| DISP | BlackBerry Dispatcher | A text file that lists traffic between the various BlackBerry Device Service services, SRP connectivity, content type, and encryption type |
| EMWS | Enterprise Management Web Service | A text file that lists activity information for the Enterprise Management Web Service |
| MDAT | BlackBerry MDS Connection Service | A text file that lists activity information for the BlackBerry MDS Connection Service. If you configure additional logging for the component, this log provides further details about HTTP, HTTPS, and other device transactions |
| MDS-CS | BlackBerry MDS Connection Service | A CSV file that lists additional activity information for the BlackBerry MDS Connection Service |

Log files for components used to manage iOS devices and Android devices

| Component identifier | Logging component | Description |
| --- | --- | --- |
| UCOM | Communication Module | A CSV file that lists activity information and errors for the Communication Module |
| UCOR | Core Module | A CSV file that lists activity information and errors for the Core Module |
| USRV | Scheduler | A set of CSV files that lists the activities for the Scheduler including EAS Synchronize, EAS Whitelist, LDAP Synchronize, Nagging, and Poke records |
| BWS | BlackBerry Web Services | Lists activity information for the BlackBerry Web Services |
| UCOR_Audit | Audit log files | Audit logs record requests that you make to create, update, and delete user accounts or groups, send IT administration commands to iOS devices and Android devices, add user accounts to groups or remove user accounts from groups, and create or assign profiles, software configurations and IT policies to iOS devices and Android devices |
| UCOR_EAS | Microsoft ActiveSync gatekeeping | A CSV file that contains a log of activity when Microsoft ActiveSync gatekeeping is in use |
| BlackBerryAdministrationconsole | Administration Console log files | A text file that maintains a log of the activity for the Administration Console, including a record of who logs in and from what IP address |

Log files for components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets

BlackBerry Enterprise Service 10 creates a log file for each component and saves the log files on the computer that hosts BlackBerry Enterprise Service 10. By default, BlackBerry Enterprise Service 10 saves the log files in C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\. Each instance saves the log files in folders that it creates daily and organizes by date.

To prevent the log files from taking up too much disk space, you can change how components create and delete log files. The size of log files varies based on the number of users in your environment and the level of user activity. It is a best practice to monitor and control the amount of disk space taken up by log files.

By default, log files are named:

    <server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.txt

For example, if you were looking for the log files for the Enterprise Management Web Service, you would look for a file name like the following:

    BDS01_EMWS_01_20120830_0001.txt

Work space only log files

You can use the following IT policy rules to generate log files for BlackBerry 10 devices with a work space only:

- BlackBerry Messenger Log Wireless Synchronization rule: This rule specifies whether a BlackBerry 10 device synchronizes logs for the BlackBerry Messenger app with your organization's BlackBerry Enterprise Service 10.
- Phone Log Wireless Synchronization rule: This rule specifies whether a BlackBerry 10 device synchronizes the call log for the Phone app with your organization's BlackBerry Enterprise Service 10.
- PIN to PIN Log Wireless Synchronization rule: This rule specifies whether a BlackBerry 10 device synchronizes logs for PIN messages with your organization's BlackBerry Enterprise Service 10.
- SMS/MMS Log Wireless Synchronization rule: This rule specifies whether a BlackBerry 10 device synchronizes logs for SMS text messages and MMS messages with your organization's BlackBerry Enterprise Service 10.
- Video Chat Log Wireless Synchronization rule: This rule specifies whether a BlackBerry 10 device synchronizes the call log for the BBM Video feature with your organization's BlackBerry Enterprise Service 10.

The default directory for the log files is: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\<today's date>.csv. If you configure an audit root directory, you can store the log files there.

Reading the contents of log files for components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets

The entries in the BlackBerry Controller or BlackBerry Dispatcher log file have the following format:

    [50097] (08/30 09:52:39.062):{0xE04} [SRP] Dispatcher\SRP Connection dropped, Error=0, Reason=-6 Session stopping

| Item | Description |
|---|---|
| Event ID: [50097] | The Event ID indicates the type of log entry. Event IDs appear in the following log files: BlackBerry Controller, BlackBerry Dispatcher. Common Event IDs fit into one of the following five categories: [10000] = Error, [20000] = Warning, [30000] = Informational, [40000] = Debug, [50000] = Other |
| Date/Time: (08/30 09:52:39.062) | The Date/Time indicates the date and time of a particular event. Note: The date and time stamp are in the local server time. |
| Thread ID: {0xE04} | The Thread ID specifies which thread performed an event. |
| Description: [SRP] Dispatcher\SRP Connection dropped, Error=0, Reason=-6 Session stopping | The description indicates the thread activity and describes the nature of the event. |

Other BlackBerry Device Service log files are in HTTP format. One example of this is the BlackBerry MDS Connection Service:

    <2013-04-08 00:01:32.152 EDT>:[6]:<MDS-CS_ADMIN_MDS-CS_1>:<INFO >:<LAYER = SCM, Loaded network provider: 0/Windows/Native>
    <2013-04-08 00:01:32.152 EDT>:[7]:<MDS-CS_ADMIN_MDS-CS_1>:<INFO >:<LAYER = SCM, Default network provider : Windows/Native>
    <2013-04-08 00:01:32.152 EDT>:[8]:<MDS-CS_ADMIN_MDS-CS_1>:<INFO >:<LAYER = SCM, Initializing network connection cache connperprincipal=2 conntimetolive=300000>
    <2013-04-08 00:01:32.152 EDT>:[9]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SRP, Initializing srpservers :[EXAMPLETEST0007[ADMIN:3201]]>
    <2013-04-08 00:01:32.152 EDT>:[10]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- Configuration data>
    <2013-04-08 00:01:32.152 EDT>:[11]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- Retrieve all server hosts values>
    <2013-04-08 00:01:32.152 EDT>:[12]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- refresh group>
    <2013-04-08 00:01:32.152 EDT>:[13]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- PIN-Email mapping rows changed: 0>
    <2013-04-08 00:01:32.152 EDT>:[14]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- refresh user group membership>
    <2013-04-08 00:01:32.152 EDT>:[15]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- HTTP Proxy Mappings>
    <2013-04-08 00:01:32.167 EDT>:[16]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- refresh EMWS Configuration>
    <2013-04-08 00:01:32.167 EDT>:[17]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- refresh application configuration>
    <2013-04-08 00:01:32.167 EDT>:[18]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- Access Control data>
    <2013-04-08 00:01:32.183 EDT>:[19]:<MDS-CS_ADMIN_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Admin. Task- refresh IT policy>

| Item | Description |
|---|---|
| Date/Time: <2013-04-08 00:01:32.245 EDT> | The Date/Time indicates the date and time of a particular event. Note: The date and time stamp are in the local server time. |
| Event ID: [DEBUG] | The Event ID indicates the type of log entry. Common Event IDs fit into one of the following five categories: Error, Warning, Informational, Debug, Other |
| Description: <LAYER = SCM, Admin. Task- Retrieve all server hosts values> | The description indicates the activity and describes the nature of the event. |
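For anyone forwarding these logs to central monitoring, the following added example (not code from this manual or from BlackBerry) parses the default file name pattern and the two entry formats described above into uniform records. It assumes the event ID category is given by the ID's leading digit and that the year missing from Controller/Dispatcher timestamps can be taken from the file name's <yyyymmdd> field; all function and field names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Component identifiers from the tables on this page.
COMPONENTS = ["BBMFS", "BBAS-AS", "BBAS-NCC", "BWS", "CTRL", "DISP", "EMWS", "MDAT",
              "MDS-CS", "UCOM", "UCOR", "USRV", "UCOR_Audit", "UCOR_EAS"]

# <server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.txt or .csv
# Longest identifiers are tried first so UCOR_Audit is not read as UCOR.
NAME_RE = re.compile(
    r"^(?P<server>.+?)_(?P<component>%s)_(?P<instance>\d+)_(?P<date>\d{8})"
    r"_(?P<log_number>\d+)\.(?P<ext>txt|csv)$"
    % "|".join(re.escape(c) for c in sorted(COMPONENTS, key=len, reverse=True)))

# Assumption: [10000]..[50000] name ranges, so the leading digit selects the category.
CATEGORIES = {1: "Error", 2: "Warning", 3: "Informational", 4: "Debug", 5: "Other"}

# [event id] (MM/DD hh:mm:ss.mmm):{thread id} description
# The optional <#NN> prefix appears in the page's activity sample and is skipped.
ENTRY_RE = re.compile(
    r"^(?:<#\d+>)?\[(?P<event_id>\d{5})\] "
    r"\((?P<month>\d\d)/(?P<day>\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\):"
    r"\{(?P<thread>0x[0-9A-Fa-f]+)\} (?P<description>.*)$")

# <date time zone>:[number]:<source>:<LEVEL>:<LAYER = name, message>
MDS_RE = re.compile(
    r"^<(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<tz>[A-Z]+)>:"
    r"\[(?P<number>\d+)\]:<(?P<source>[^>]+)>:<(?P<level>[A-Z]+)\s*>:"
    r"<LAYER = (?P<layer>\w+), (?P<message>.*)>$")


def parse_log_name(name):
    """Split a default log file name into its fields, or return None."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def parse_entry(line, year):
    """Parse one Controller/Dispatcher entry; the year must come from outside."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime("%d/%s/%s %s" % (year, m["month"], m["day"], m["time"]),
                               "%Y/%m/%d %H:%M:%S.%f")
    except ValueError:  # impossible date or time, treat the line as unparsed
        return None
    event_id = int(m["event_id"])
    return {"timestamp": ts.isoformat(timespec="milliseconds"),  # local server time
            "event_id": event_id,
            "category": CATEGORIES.get(event_id // 10000, "Unknown"),
            "thread": m["thread"], "description": m["description"]}


def parse_mds_entry(line):
    """Parse one BlackBerry MDS Connection Service entry."""
    m = MDS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return {"timestamp": ts.isoformat(timespec="milliseconds"), "tz": m["tz"],
            "number": int(m["number"]),  # bracketed number, not explained on the page
            "source": m["source"], "category": m["level"],
            "layer": m["layer"], "description": m["message"]}


def normalize(log_name, lines):
    """Return one record per parsable line, tagged with server and component."""
    meta = parse_log_name(log_name)
    if meta is None:
        raise ValueError("unrecognized log file name: %r" % log_name)
    year = int(meta["date"][:4])
    records = []
    for line in lines:
        rec = parse_entry(line, year) or parse_mds_entry(line)
        if rec is None:
            continue  # neither format; a collector would keep such lines as raw text
        rec.update(server=meta["server"], component=meta["component"])
        records.append(rec)
    return records


def count_by_category(records):
    return Counter(r["category"] for r in records)


# Constructed file name that follows the page's naming pattern.
SAMPLE_NAME = "BDS01_DISP_01_20120830_0001.txt"
SAMPLE_LINES = [
    # Entry quoted on this page:
    r"[50097] (08/30 09:52:39.062):{0xE04} [SRP] Dispatcher\SRP Connection dropped, "
    r"Error=0, Reason=-6 Session stopping",
    # Constructed entries:
    "[10001] (08/30 09:52:40.000):{0xE04} constructed error text",
    "[20001] (08/30 09:52:41.500):{0xE04} constructed warning text",
    "[30001] (08/30 09:53:00.125):{0x560} constructed informational text",
    "text that matches neither format",
]

if __name__ == "__main__":
    for rec in normalize(SAMPLE_NAME, SAMPLE_LINES):
        print(rec["timestamp"], rec["component"], rec["category"], rec["description"])
```

The page's own sample entry (SRP connection dropped) falls in the Other category, so a filter that keeps only Error and Warning entries would not select it.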

Changing log file settings

It is important to know how to modify the settings of your log files. The ability to change the logging level of a log file helps with gathering the information you need to troubleshoot an issue.

There are four levels to log files:

- Error: Only error messages are written to the log file
- Warning: Error messages and warning messages are written to the log file
- Informational: Activity messages, warning messages, and error messages are written to the log file
- Debug: All messages are written to the log file

Note: [50000] = Other level log file entries appear in all log file levels.

For troubleshooting an issue, the debug level would provide the most information.

Change the logging level of a log file

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Logging.
2. Click the BlackBerry Device Service instance.
3. On the Logging details tab, click Edit instance.
4. In each section, in the Log level drop-down list, perform one of the following actions:
   - To write error messages to the log file, click Error.
   - To write warning messages and error messages to the log file, click Warning.
   - To write daily activity messages, warning messages, and error messages to the log file, click Informational.
   - To write all messages to the log file, click Debug.
5. Click Save all.
6. Restart the affected BlackBerry Device Service services.

Log files for components used to manage iOS devices and Android devices

BlackBerry Enterprise Service 10 creates log files for each component used to manage iOS devices and Android devices, and audit logs that record administrator requests (for example, to create, update, or delete user accounts or groups). Log files and audit logs can be used to determine the cause of an issue.

BlackBerry Enterprise Service 10 saves the log files on the computer that hosts BlackBerry Enterprise Service 10. You can configure the location where the log files are stored when you install BlackBerry Enterprise Service 10. By default, log files are saved in C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs.

Log files are organized in the following folders:

- Audit
- BWS
- Communication
- Core
- EAS
- Installer
- RIM.UDS.GUI
- RIM.BUDS.BWCN
- Scheduler

The Installer log files are named Setup<yyyymmdd><log_number>.log. The GUI log files are named BlackBerryAdministrationConsole.log.<yyyymmdd>. The BlackBerry Work Connect Notification Service log files are named stderr.txt, stdout.txt and localhost_access_log.<date>.txt. Other log files are named <server_name>_<component_identifier>_<instance>_<yyyymmdd>_<log_number>.csv.

View device communication logs

You can view the device communication logs to find out the history of communication between a device and the Universal Device Service. Each device has its own communication log. Entries older than 14 days are cleared from the logs.

1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Manage Device window, click the Communications Log icon.

Troubleshooting tips

To find the logs for the Communication Module, you can open the IIS Manager, click on the UDS.CommunicationModule site and on the Actions panel, click Explore. This will open the installation folder for the Communication Module, where you can find the logs folder.

To find the logs for the Core Module, you can open the IIS Manager, click on the UDS.CoreModule site and on the Actions panel, click Explore. This will open the installation folder for the Core Module, where you can find the logs folder.

Activity: Looking at log files

1. Given the following log sample, what user information can you determine from it?

    <#03>[30181] (11/27 00:02:52.978):{0x560} Performing system health check (BlackBerry Dispatcher Version 6.2.0.417)
    <#03>[30490] (11/27 00:02:52.978):{0x560} Health score: Health=0x0000000770000000
    <#03>[30450] (11/27 00:10:23.500):{0xBBC} {Ian Dundas} User unchanged (disp): id=2, email=idundas@example.com, device=2g919h74;47230137-9db2-458e-894d-39f1b6748cb8, routing=exampletest0001, agent=<none>, time=50ae5b59, ext=1, wl=0, keys=(0:a:0)
    <#03>[30450] (11/27 00:11:52.954):{0x808} {Leticia Lopez Tovar} User unchanged (disp): id=13, email=lltovar@example.com, device=2g919h74;5e7c2ec0-84d7-4df8-9369-5708e2141ce2, routing=exampletest0001, agent=<none>, time=50af8c93, ext=1, wl=0, keys=(0:a:0)

2. What is the source of the following log file sample:

    (02/13 00:02:56.492):{Thread-11} [com.blackberry.bes.bas.bws.bwshealthcheck] [INFO] [BWS-1000] {SystemUser} {run} BWS BWSHealthCheck
    (02/13 00:12:58.523):{Thread-11} [com.blackberry.bes.bas.bws.bwshealthcheck] [INFO] [BWS-1000] {SystemUser} {run} BWS BWSHealthCheck

3. What is the source of the following log file sample:

    [DEBUG] (11/27 15:56:33:017):{AsynchronousPushServiceThread} EMWS:X-Rim-Push-Id: 85E85BC7-D438-E211-8ADB-005056B5572B
    [DEBUG] (11/27 15:56:33:017):{AsynchronousPushServiceThread} EMWS:Status Code was: 200

4. What device information can you gather from the following log file sample:

    DEBUG,"2013-02-11 17:03:09,041",6,0,"b4bd2642-68eb-4cfd-b425-dc666884b5a5","defaultroutehandler (mdm/{perimeter}/device/enrolmentstate): GET https://ottawauds01.example.com/mdm/ff45d6b0-1962-46a7-a65f-a1c9279eff6a/device/enrolmentstate",
    DEBUG,"2013-02-11 17:03:09,041",6,0,"b4bd2642-68eb-4cfd-b425-dc666884b5a5","request User-Agent: BES10 10.0.31 rv 68 (ipad; iphone OS 5.1.1; en_ca)"

Resources for support

The following resources are available to help you find answers to your troubleshooting questions.

| Resource | Description |
|---|---|
| BlackBerry documentation (www.blackberry.com/go/serverdocs) | Access to product documentation, technical and security advisories, and tutorials |
| BlackBerry Technical Solution Center Knowledge Base (www.blackberry.com/support) | Access to support content including product documentation, technical and security advisories, and tutorials |
| BlackBerry Expert Support Center (www.blackberry.com/besc) | Access to enterprise grade tools and resources, including the following: Enterprise Activation Readiness: a self-diagnostic tool to see if a BlackBerry device is ready to begin the activation process. BlackBerry Server Connection Status and other self-service tools: for diagnosing, troubleshooting, and resolving issues. Subscription Management: where you can manage and leverage features and services of your BlackBerry Technical Support Services contract. Expert advice: with relevant guides, articles, webcasts and other resources. |
| BlackBerry Management Studio online help | The BlackBerry Management Studio Help contains descriptions and instructions on all of the tasks you can perform in the BlackBerry Management Studio and is accessible directly from the BlackBerry Management Studio interface. |
| BlackBerry Administration Service online help | The BlackBerry Administration Service Help contains descriptions and instructions on all of the tasks you can perform in the BlackBerry Administration Service and is accessible directly from the BlackBerry Administration Service interface. |
| Administration Console online help | The Administration Console Help contains descriptions and instructions on all of the tasks you can perform in the Administration Console and is accessible directly from the Administration Console interface. |
| BlackBerry Troubleshooting Toolkit (www.blackberry.com/troubleshootingtoolkit) | Access to tools and resources that you can use to identify and resolve the top BlackBerry device issues. |

Activity: Explore the resources available for support

1. Using the BlackBerry Technical Solution Center Knowledge Base, find an article that will help you resolve an Error 3007 issue.
2. Using the BlackBerry Technical Solution Center Knowledge Base, find an article that will help you activate an iOS or Android device.
3. What is the name of the document used for the advanced management of components used in managing iOS and Android devices?
4. Using the BlackBerry Technical Solution Center Knowledge Base, find an article that will help you identify and troubleshoot activation issues with the BlackBerry PlayBook tablet.
5. In which guides would you find information on policies and profiles for BlackBerry Enterprise Service 10?
6. Using the BlackBerry Technical Solution Center Knowledge Base, find an article about Microsoft ActiveSync policy behavior when a device is activated.

Review: Troubleshooting tools for BlackBerry Enterprise Service 10

1. Identify what component the following log file is for:

    Admin_UCOR_Audit_01_20130403_001.csv

2. What information can you get from Audit log files?
3. Identify what component the following log file is for:

    BDS01_MDAT_01_20121130_0001.txt

4. Each iOS device and Android device has its own communication log. Entries in these logs are kept for 14 days. How would you find this log?
5. Identify the event ID on the following log entry:

    [50097] (08/30 09:52:39.062):{0xE04} [SRP] Dispatcher\SRPConnection dropped, Error=0, Reason=-6 Session stopping

6. Where do you configure log file settings in the BlackBerry solution topology in the BlackBerry Administration Service?
7. Where do you access the BES10 Configuration Tool?
8. List three places you can look for help with a BlackBerry Enterprise Service 10 problem.

Troubleshooting issues with device activation

Objectives

By the end of this module, you should be able to:

- Troubleshoot issues with activating BlackBerry 10 devices
- Troubleshoot issues with activating BlackBerry PlayBook tablets
- Troubleshoot issues with activating iOS devices
- Troubleshoot issues with activating Android devices
- Describe common device activation issues

Activity: Information for troubleshooting activation issues

Before you begin troubleshooting activation issues, consider the following questions:

- What information do you need?
- What things do you think you need to understand about your environment or configuration?

Licensing and wireless activation settings

Before a user can activate a device, you need to make sure the following items are configured:

- The BlackBerry Licensing Service
  - Must be installed and active
  - Licenses must be activated on the BlackBerry Licensing Service
  - Licenses must be available for devices to activate with
- If you use wireless activation, settings in the BlackBerry Device Service console must be configured:
  - To send activation emails, SMTP configuration settings must be specified
  - Service configuration, activation configuration, and activation messages must be specified
- A connection to the BlackBerry Infrastructure must be available

BlackBerry Licensing Service

When you install BlackBerry Enterprise Service 10, the BlackBerry Licensing Service is installed with the management consoles. The BlackBerry Licensing Service communicates with the licensing infrastructure within the BlackBerry Infrastructure to validate licenses and enforce compliance. Customers have access to a licensing portal where they can manage their licenses.

In BlackBerry Management Studio, you can configure licensing settings to manage communication between the licensing server and the licensing infrastructure. You can change how often the licensing server polls the licensing infrastructure to retrieve assigned licenses. The default polling interval is 1 day. You can also poll the licensing infrastructure before the next scheduled communication. If necessary, you can switch to a new licensing server (for example, in a disaster recovery scenario).

Activating licenses for BlackBerry Enterprise Service 10

In order to activate devices with BlackBerry Enterprise Service 10, you require the appropriate licenses. Your license entitlement can be registered in three different ways:

Activate licenses using a license activation ID

When you use a license activation ID, you assign all available licenses associated with it to a BlackBerry Enterprise Service 10 domain. If you already assigned some licenses to a domain (for example, using the host ID), only the remaining licenses are available. For example, if 100 licenses are associated with a license activation ID and 20 licenses are already assigned to a domain, the 80 available licenses are automatically assigned to the next domain where you use the license activation ID.

Activate licenses using the host ID of your BlackBerry Enterprise Service 10 computer

If you want to distribute the licenses associated with a license activation ID across multiple BlackBerry Enterprise Service 10 domains, you can use the host ID to register a domain and specify the number of licenses to assign to it.

Activate licenses using file-based activation

If the computer that hosts the licensing server does not have access to the Internet to communicate with the licensing infrastructure, you can use a license challenge file and license response file to manually register licenses and assign them to a BlackBerry Enterprise Service 10 domain.

Licensing the domain and devices

Licenses control how many BlackBerry devices, iOS devices, and Android devices can exist in a BlackBerry Enterprise Service 10 domain at the same time. The license types that your organization uses determine the devices and features that you can manage using BlackBerry Enterprise Service 10. A license is used when you or a user activates a device. A device uses only one type of license at a time.

You must use BlackBerry Management Studio to manage licenses. Depending on the licensing activation method that you choose, you can activate licenses in BlackBerry Management Studio or in the BlackBerry Account Center. The BlackBerry Device Service console accepts only BlackBerry Mobile Voice System CAL keys.
License types

Unless otherwise indicated, you can activate devices that have a service plan or a Wi-Fi connection. BlackBerry Enterprise Service 10 version 10.1.1 supports the following license types:

| License type | Description |
|---|---|
| EMM Corporate for BlackBerry | You can activate the following devices and features: BlackBerry 10 devices and BlackBerry PlayBook tablets that use BlackBerry Balance technology; devices that run BlackBerry 10 OS version 10.1 or later and have a service plan that supports work space only devices |
| EMM Corporate | You can activate the following devices and features: BlackBerry 10 devices and BlackBerry PlayBook tablets that use BlackBerry Balance technology; devices that run BlackBerry 10 OS version 10.1 or later and have a service plan that supports work space only devices; iOS devices and Android devices without a work space |
| Secure Work Space | You can activate the following devices and features: iOS devices and Android devices with a work space; iOS devices and Android devices without a work space |

License information

You can view the following license information for the BlackBerry Enterprise Service 10 domain:

| Item | Description |
|---|---|
| License type | The license type is the category of license that your organization uses. EMM Corporate for BlackBerry and EMM Corporate are always displayed, even if your organization does not use these license types. |
| License usage | You can view the number of total licenses, available licenses, and used licenses for each license type. The information displayed is for all license activation IDs. |
| Expiration | You can view the number of total licenses and, if applicable, the date that licenses expire. The information displayed is for each license activation ID. For licenses that expire, the information is no longer displayed after the expiration date. |

How the licensing server determines usage for license types

When the licensing server checks the available licenses for each license type, it determines what license type to use. If more than one license type supports the devices and features that you want to manage, the following priorities apply to license usage:

| Device type | License usage priority |
|---|---|
| BlackBerry | 1. EMM Corporate for BlackBerry 2. EMM Corporate |
| iOS and Android | 1. EMM Corporate 2. Secure Work Space |

When the licensing server checks the available licenses

The licensing server checks the available licenses each time a licensing request is made. A licensing request is made when you perform any of the following actions:

- Activate or reactivate a device
- Assign a work space profile to a user or group (iOS devices and Android devices only)
- Activate licenses
- View license information on the Licensing summary tab

License usage for some or all license types might change after you perform any of these actions. The licensing server automatically optimizes usage by evaluating the available licenses for each license type and the activated devices in the BlackBerry Enterprise Service 10 domain. For example, when you activate iOS devices and Android devices without a work space, Secure Work Space licenses are used if no EMM Corporate licenses are available. When EMM Corporate licenses become available (for example, after you activate licenses), activated iOS devices and Android devices without a work space use EMM Corporate licenses instead.

License usage and compliance

The BlackBerry Licensing Service on the licensing server stores the licenses assigned to the BlackBerry Enterprise Service 10 domain. The BlackBerry Licensing Service tracks usage for each license type that your organization uses and detects when the licensing requirements are not met.

You can continue to manage activated devices and switch BlackBerry devices even if the domain is out of compliance. For a device switch, you or a user must activate the replacement device and select the replace device option on the device or in BlackBerry Web Desktop Manager.

| License usage | Compliance state |
|---|---|
| All licenses are consumed for one or more license types. | The domain is in compliance with the following conditions: You can reactivate existing devices. If licenses are available for other license types, you can activate new devices. The license type must support the devices and features that you want to manage. For example, if licenses are available only for EMM Corporate for BlackBerry, you cannot activate iOS devices or Android devices. |
| Used licenses exceed total licenses for any license type (for example, if all licenses are consumed and then some licenses expire). | The domain is out of compliance with the following conditions: You cannot activate new devices or reactivate existing devices even if licenses are available for other license types. |

Discussion: BlackBerry Licensing Service

With the new BlackBerry Licensing Service and associated licensing types, consider the impacts that this can have on planning device deployment, as well as computer deployment, in your environment. Consider the following questions:

- Do you think it is necessary to have a best practice for licensing devices in order to maximize usage and minimize problems? If so, what do you think it should be?
- Keeping BlackBerry Enterprise Service 10 in licensing compliance is important to maintaining device management functionality. While the BlackBerry Licensing Service does not support high availability, you can deploy more than one computer running the BlackBerry Enterprise Service 10 management consoles, which includes the BlackBerry Licensing Service. In your environment, do you think you would deploy a second computer with these services installed, in case of failure of the primary computer?

Common licensing issues

Licensing server is not available

In BlackBerry Management Studio, if Licenses on the menu bar is grayed out, this tooltip appears when you hover the pointer over Licenses.

Possible solution

Perform the following actions:

- In the Windows Services, verify that the BlackBerry Administration Service services are running for at least one BlackBerry Administration Service instance in the BlackBerry Enterprise Service 10 domain.
- Verify that you have an administrator account for the BlackBerry Device Service and the Universal Device Service.
- Verify that you can log in to the BlackBerry Device Service console.
- Log in to BlackBerry Management Studio using a normalized account or a BlackBerry Device Service administrator account.

You cannot activate licenses

| Possible cause | Possible solution |
|---|---|
| There is no connection to the licensing infrastructure. | On the external firewall, verify that port number 443 is open and the firewall rules permit an outgoing connection to license.blackberry.com. If the licensing server does not have access to the Internet, you can use the file-based activation method to activate licenses. |
| The BlackBerry Licensing Service on the licensing server is not running. | In BlackBerry Management Studio, on the Licensing settings tab, check the server status and click Test connection to verify that the BlackBerry Licensing Service is running. If the server status displays "Not connected", log in to the licensing server and restart the BES10 - BlackBerry Licensing Service in the Windows Services. |
| The license activation ID is linked to the licensing server for another BlackBerry Enterprise Service 10 domain. | In the BlackBerry Account Center, verify your organization's license activation IDs and the host IDs that they are linked to. If necessary, release licenses. To release licenses assigned to a domain, the BlackBerry Licensing Service must be running on the licensing server for the domain. |
| You did not release the licenses stored by the BlackBerry Licensing Service on the active server before you switched to a new server for the BlackBerry Enterprise Service 10 domain. | In the BlackBerry Account Center, verify your organization's license activation IDs and the host IDs that they are linked to. If necessary, contact BlackBerry support to release licenses. |

You or a user cannot activate a device

Possible cause: The BlackBerry Enterprise Service 10 services are not running.
Possible solution: In the Windows Services, verify that all BlackBerry Enterprise Service 10 services are running, including the BES10 - BlackBerry Licensing Service on the licensing server.

Possible cause: Licenses are not available.
Possible solution: In BlackBerry Management Studio, perform the following actions:
- Verify that licenses are available to support the device and features that you want to activate. An appropriate service plan may also be required.
- If necessary, activate licenses.

Scenario: Android devices and iOS devices are failing to activate

Issue: You have recently added two new employees, who brought their own devices. One is an iOS tablet, the other is an Android device. You have added them as users in BlackBerry Enterprise Service 10 and sent them the information they need to activate their devices. However, both have reported that they cannot activate their devices.

Switching the active server after you activate licenses

In BlackBerry Management Studio, on the Licensing settings tab, you can check the server address to verify the FQDN of the active server (the computer that hosts the active BlackBerry Licensing Service instance). After you activate licenses, the active server is registered as the licensing server for the BlackBerry Enterprise Service 10 domain.

When the BlackBerry Licensing Service is not available (for example, the service on the active server is stopped or the active server is temporarily unavailable), you do not need to switch to a new server. You can continue to manage activated devices and switch BlackBerry devices. For a device switch, you or a user must activate the replacement device and select the replace device option on the device or in BlackBerry Web Desktop Manager. You cannot activate new devices or reactivate existing devices until the licensing server is available or you switch to a new server.

To switch to a new server, you must release any licenses stored by the BlackBerry Licensing Service on the active server and then register a new server as the active server. You can register only one licensing server as the active server for the domain.

You might want to switch to a new server for the following reasons:
- If you plan to replace the hardware for the active server.
- If the active server is not available and you cannot restore it (for example, in a disaster recovery scenario).

Switch the active server

You should perform this task when the BlackBerry Licensing Service on the active server is running. If the active server is not available and you cannot restore it, after you switch the active server you must either contact BlackBerry support to release any licenses stored by the BlackBerry Licensing Service on the active server or log in to the BlackBerry Account Center to release the licenses manually. For more information about the actions that you must perform outside BlackBerry Management Studio, visit www.blackberry.com/go/kbhelp to read article KB34147.

If you switch the active server before you activate licenses, you do not need to release licenses or perform the actions documented in article KB34147.

Before you begin:
- Verify that at least two instances of the BlackBerry Licensing Service are installed in the BlackBerry Enterprise Service 10 domain.
- On the server that you want to switch to, in the Windows Services, start the BES10 - BlackBerry Licensing Service and change the startup type to Automatic.
- In the BlackBerry Account Center, release any licenses stored by the BlackBerry Licensing Service on the active server. The BlackBerry Licensing Service must be running.
- Verify that you performed the required actions documented in article KB34147.

1. Log in to BlackBerry Management Studio using an administrator account with the Security Administrator role.
2. On the menu bar, click Licenses.
3. If you released licenses, perform the following actions:
   a. Click the Licensing settings tab.
   b. Click Poll now.

   c. Click the Licensing summary tab and verify that the licenses are removed.
4. Click the Licensing settings tab.
5. Click Switch server.
6. In the New server drop-down list, click the server that you want to switch to.
7. Click Test connection to verify that the BlackBerry Licensing Service on the new server is running.
8. If the test connection was successful, click Switch server.
9. In the Switch server window, click Yes.
10. On the Licensing settings tab, verify that the Server address field displays the FQDN of the new server and the Server status field displays Connected.

Activate licenses to assign them to the new server. On the server that you switched from, stop the BES10 - BlackBerry Licensing Service and change the startup type to Disabled.

BlackBerry Enterprise Service 10 wireless activation settings

Wireless activation requirements for BlackBerry devices on BlackBerry Enterprise Service 10

You can allow users that are located outside of your organization's firewall to activate BlackBerry devices over the wireless network. You can configure the following settings according to your organization's network and policies:

Configuration item: SMTP configuration settings
Requirement: If you want to send activation emails to the user's email address, the following settings must be properly configured:
- Sender address
- SMTP server URL of the mail server
- User name and password
- SMTP server port and the supported encryption method

Configuration item: Device activation settings
Requirement: Service configuration, activation configuration and activation messages should be configured. These settings include:
- Service configuration:
  - Whether to register activation information with the BlackBerry Infrastructure, by default this is allowed
  - Service URL for the BlackBerry Infrastructure if specifically provided to you

- Activation configuration:
  - Whether to allow activation over the BlackBerry Infrastructure, by default this is allowed
  - Whether to allow activation information to be emailed
  - First activation message
  - Second activation message
- Password settings:
  - Auto-generated password length
  - Auto-generated password lifespan (hours)
- Allowed user operations:
  - Maximum device activation attempts

Configuration item: Network connection
Requirement:
- BlackBerry Enterprise Service 10 must have network connectivity to the BlackBerry Infrastructure and the SRP must be connected
- If activations using a connection to the BlackBerry Infrastructure are not allowed, make sure that the BlackBerry devices can connect directly to BlackBerry Enterprise Service 10 using your work Wi-Fi or your organization's VPN

About registration of user accounts with the BlackBerry Infrastructure

Registering a user account with the BlackBerry Infrastructure is optional; however, it provides the best experience for the user who is trying to activate a BlackBerry 10 device. When you decide whether to register user accounts or when you troubleshoot activation issues, you should consider the following:
- Account registration with the BlackBerry Infrastructure is enabled by default, but you can change this, at the domain level, at any time.
- When the BlackBerry Enterprise Service 10 registers the activation information for an email address, SRP ID, and email domain name with the BlackBerry Infrastructure, the registration request includes an expiration timestamp which ranges from 60 minutes to 30 days.
- When you add a user account, if the registration fails, you can retry a second time. If it fails a second time, you can choose to add the user and create an activation password without registering the account with the BlackBerry Infrastructure. In this case, the user will have to specify server information on the device when initiating the activation.
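The end state of the "Switch the active server" procedure earlier in this section can be verified from an administrative workstation. The PowerShell script below is an added example, not part of the BlackBerry manual; the server names are placeholders, and it assumes PowerShell 3.0 or later with CIM (WinRM) access to both servers.

```powershell
# Added example (not from the BlackBerry manual).
# Verifies the end state of the "Switch the active server" procedure:
#   - new active server:    licensing service Running, startup type Automatic
#   - server switched from: licensing service Stopped, startup type Disabled
# Assumptions: server names are placeholders; CIM/WinRM access to both hosts.

# Display name as it appears in the Windows Services according to the manual.
$LicensingService = 'BES10 - BlackBerry Licensing Service'

$Expected = @(
    @{ Server = 'bes10-new.example.com'; Role = 'new active server';    State = 'Running'; StartMode = 'Auto' }
    @{ Server = 'bes10-old.example.com'; Role = 'server switched from'; State = 'Stopped'; StartMode = 'Disabled' }
)

function Get-LicensingServiceState {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$DisplayName
    )
    # Win32_Service exposes State (Running, Stopped, ...) and
    # StartMode (Auto, Manual, Disabled) for each installed service.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $Server `
            -Filter "DisplayName = '$DisplayName'" -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${Server}: $($_.Exception.Message)"
    }
}

$report = foreach ($e in $Expected) {
    $svc = Get-LicensingServiceState -Server $e.Server -DisplayName $LicensingService
    if (-not $svc) {
        # Either the host could not be queried (see warning) or the service is not installed.
        $state = 'not found'
        $mode  = 'n/a'
    } else {
        $state = $svc.State
        $mode  = $svc.StartMode
    }
    [pscustomobject]@{
        Server        = $e.Server
        Role          = $e.Role
        State         = $state
        ExpectedState = $e.State
        StartMode     = $mode
        ExpectedMode  = $e.StartMode
        Ok            = ($state -eq $e.State -and $mode -eq $e.StartMode)
    }
}

$report | Format-Table -AutoSize

# Only one licensing server can be registered as the active server for the
# domain, so after a switch exactly one instance should still be running.
$running = @($report | Where-Object { $_.State -eq 'Running' })
if ($running.Count -ne 1) {
    Write-Warning "Expected exactly one running licensing service, found $($running.Count)."
}
```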

Scenario: User registration with the BlackBerry Infrastructure is failing

When you add multiple users to the BlackBerry Enterprise Service 10 using the BlackBerry Administration Service and register them with the BlackBerry Infrastructure for activation, you receive the following error:

1. What do you think could be causing this issue?
2. What would you check to try to resolve it?
3. What do you think will happen if you select Cancel? If you select Generate activation email?
4. Do you think you'd get the same error with BlackBerry Management Studio?

Activation types

There are several different options for activating a device with BlackBerry Enterprise Service 10. These activation types can impact how you troubleshoot an issue.

- BlackBerry Balance activation: BlackBerry Balance technology permits users to use devices that are activated with BlackBerry Enterprise Service 10 for both work use and personal use. Devices using BlackBerry Balance have a work space and a personal space with different rules for data storage, app permission, and network routing.
- Work space only activation: The work space only activation option gives your organization full control over BlackBerry 10 devices that are activated with BlackBerry Enterprise Service 10. There are additional IT policies that you can use to control how the device accesses network resources.
- Secure Work Space activation for iOS devices and Android devices: Provides security to email and apps that are deployed in the work space.

All about spaces

Devices activated on BlackBerry Enterprise Service 10 can operate using both personal and work spaces. Each device organizes these spaces differently.

The work space is created:
- By default on BlackBerry devices
- When a work space profile is assigned to an iOS device or Android device user account

Device: BlackBerry 10
Description: If the device is operating using BlackBerry Balance:
- There are distinct spaces with different wallpaper
- Users must swipe down and enter a password to access the work space
- Administrators cannot control the personal space on the device

Device: BlackBerry 10
Description: If the device is operating with a work space only:
- Only a work space is available
- Organizations have complete control over these devices

Device: Android
Description: If the device is operating using a work space:
- Distinct areas with different wallpaper
- Work space and accompanying apps are installed in the Business mode
- Users must either swipe and choose Switch to business mode or double tap the Home icon and type a password to access the work space
- Experiences might vary between different Android devices.

Device: iOS
Description: If the device is operating using a work space:
- No distinction between work and personal space. Work space apps appear on the device beside regular apps
- Work space apps display a lock on the app icon
- Users must type a work space PIN to access the work space apps

Troubleshooting BlackBerry device activation

When you troubleshoot activation issues, you should know what the device requirements are, as well as the server requirements for wireless activations so you can properly identify the cause of an issue and resolve it. For example, some of the server requirements you should know include whether BlackBerry Enterprise Service 10 allows activations over the BlackBerry Infrastructure or not, and whether BlackBerry Enterprise Service 10 has been configured to send activation email messages to users or not. You can use this information to make sure the users have the correct activation information they need to enter on the device.

Activation methods

To activate a device on the BlackBerry Enterprise Service 10, you can use any of the following methods:
- Over the wireless network using a connection through the BlackBerry Infrastructure
- Over the wireless network using a direct connection to the BlackBerry Device Service
- Using the BlackBerry Administration Service and a USB connection to the computer
- Using the BlackBerry Web Desktop Manager on a user's computer and a USB connection to the computer

Requirements: Wireless activation for BlackBerry 10 OS

Requirements
- BlackBerry 10 OS (version 10.1 or later for work space only activations)
- A service plan that supports devices with work spaces only and an EMM-Corporate license to activate devices to operate using a work space only
- EMM-Corporate license to activate devices to operate using BlackBerry Balance
- To activate a device over the wireless network using a connection through the BlackBerry Infrastructure:
  - A working wireless connection
  - If the user account and activation password are registered in the BlackBerry Infrastructure, the user's email address and activation password
  - If the user account and activation password are not registered in the BlackBerry Infrastructure, the user's email address or domain/username, activation password, and SRP ID of BlackBerry Enterprise Service 10

Requirements
- To activate a device over the wireless network using a direct connection to BlackBerry Enterprise Service 10:
  - A working wireless connection using a work Wi-Fi network, VPN over an external Wi-Fi network or VPN connection
  - User email address, activation password, and FQDN of BlackBerry Enterprise Service 10

Requirements: Wireless activation for BlackBerry PlayBook OS

Requirements
- BlackBerry PlayBook OS 2.1 or later
- To activate a tablet over the wireless network using a connection through the BlackBerry Infrastructure:
  - A working wireless connection
  - The user email address, activation password, and SRP ID of BlackBerry Enterprise Service 10
- To activate a tablet over the wireless network using a direct connection to BlackBerry Enterprise Service 10:
  - A working wireless connection using a work Wi-Fi network, VPN over an external Wi-Fi network or VPN connection
  - User email address, activation password, and FQDN of BlackBerry Enterprise Service 10

Note: Not all BlackBerry PlayBook tablets support connectivity over the mobile network.

Data flow: Activating a BlackBerry device over the wireless network

Adding and registering the user

1. In BlackBerry Management Studio, or the BlackBerry Device Service console, the administrator creates a local or a directory user account.
   Note: If creating a local user account, the account must be created in the BlackBerry Device Service console.
2. The administrator creates an activation password for the user account. The BlackBerry Administration Service stores the activation password in the BlackBerry Configuration Database.
3. The BlackBerry Administration Service sends the email address or username information to the BlackBerry Infrastructure to register the user account.
4. The BlackBerry Infrastructure notifies the BlackBerry Administration Service whether the account registration is successful or not.
5. If the option to email the activation information to the user is selected, the BlackBerry Administration Service sends the activation information to the user's email address. If the option is not selected, the administrator must communicate the information to the user directly. The activation information includes the account information (email address or domain\username), account activation password, and server information (SRP ID of the BlackBerry Device Service) that the user needs to type on the BlackBerry device.

Note: The user is registered with the BlackBerry Infrastructure, whether the device they are activating is a BlackBerry 10 device or a BlackBerry PlayBook tablet, if your BlackBerry Enterprise Service 10 is set to register activation information.

Establishing the connection

When activating a device using a wireless connection through the BlackBerry Infrastructure

Note: This is the most common data path and it occurs when you use the mobile network or an external Wi-Fi network.

1. The user types the activation information on the BlackBerry device. If the user is activating a BlackBerry PlayBook tablet, then they must use the advanced setup option and enter the SRP ID as well as the username and account activation password. If the user is activating a BlackBerry 10 device, they must specify the SRP ID of the BlackBerry Device Service only if the registration to the BlackBerry Infrastructure was not successful.
2. The Enterprise Management Agent on the device sends the account information to the BlackBerry Infrastructure.
3. The BlackBerry Infrastructure looks up the account information and sends an acknowledgment to the Enterprise Management Agent providing the connection information for BlackBerry Enterprise Service 10.
4. The Enterprise Management Agent uses the connection information to establish a connection to BlackBerry Enterprise Service 10 through the BlackBerry Infrastructure.
5. If there is a BlackBerry Router installed, the BlackBerry Router receives the activation request on port 3101 and forwards it to the BlackBerry Dispatcher. If there is no BlackBerry Router installed, the BlackBerry Dispatcher receives the activation request.
6. The BlackBerry Dispatcher forwards the request to the BlackBerry MDS Connection Service through port 3201.
7. The BlackBerry MDS Connection Service returns the Enterprise Management Web Service host and port information to the Enterprise Management Agent through the BlackBerry Dispatcher.
8. The Enterprise Management Agent uses this information to establish a secure connection through the BlackBerry Infrastructure to the Enterprise Management Web Service.

When activating a device using a direct connection to the Enterprise Management Web Service

Note: This data path is used only if communication over the BlackBerry Infrastructure is not allowed. In this scenario, the device requires a direct connection to the organization using a work Wi-Fi or VPN connection.

1. The user types the activation information on the BlackBerry device. The user must specify the FQDN of the BlackBerry Device Service.
2. If the device is connected to the work Wi-Fi network or using a VPN connection, the Enterprise Management Agent on the device uses the connection information to establish a direct connection to the Enterprise Management Web Service using ports 8081 and 8444, by default (shown on the green path on the diagram).

Completing the activation

1. The Enterprise Management Agent on the device sends a message requesting activation details to the Enterprise Management Web Service.
2. The Enterprise Management Agent receives the activation details from the Enterprise Management Web Service.
   - If the activation details specify that the user account is configured for a work space only activation, the device displays a notification requesting user acceptance to proceed with the activation. If the user does not accept, the activation process ends and the device is not activated.
   - If the user accepts, or if the activation is not a work space only activation, the Enterprise Management Agent creates the work space.
3. The Enterprise Management Agent sends a message back to the Enterprise Management Web Service to confirm the Enterprise Management Agent has completed the activation and created the work space.
4. The Enterprise Management Web Service and the Enterprise Management Agent configure IT policies, software configurations, and more, on the device.

Discussion: Device activation information

Consider the following questions when activating a device:

What information would you require in order to activate a device with the following activation methods:
- Activate a BlackBerry 10 device over the BlackBerry Infrastructure when the user is registered
- Activate a BlackBerry 10 device over the BlackBerry Infrastructure when the user is not registered
- Activate a BlackBerry PlayBook tablet over the BlackBerry Infrastructure
- Activate a device over the work Wi-Fi network or using an external wireless connection with a VPN without using the BlackBerry Infrastructure

Scenario: User cannot activate a device over the wireless network

Using what you have learned about the BlackBerry Enterprise Service 10, troubleshoot the following issue.

Issue: You have assigned Ian Dundas a new BlackBerry 10 device and sent him the activation information he requires to get started. A few hours after he received the device, Ian lets you know that he cannot get the device to activate. As the administrator of the BlackBerry Enterprise Service 10, you know that you have turned off registration of users with the BlackBerry Infrastructure.

Scenario: Unable to activate any BlackBerry devices over the wireless network

Issue: Your organization's network administrator just finished installing BlackBerry Enterprise Service 10. Because you are issuing new BlackBerry 10 devices to all employees, you are activating a batch of test devices for your admin group to make sure you've sorted out any issues. You know this will make it easier for your users to transition to their new devices. All wireless activations are failing.

Common issues for wireless activation

Before looking at other issues, you should verify that:
- BlackBerry device has wireless connectivity
- Device user has an account in BlackBerry Enterprise Service 10
- BlackBerry Enterprise Service 10 has been configured for activation over the wireless network
- Device user has received their username, password and connectivity information from the administrator and that this information is correct

Please check your username and password and try again

Possible cause: User ID was entered incorrectly
Possible solution: Enter the correct user ID and password.

Possible cause: Activation password was entered incorrectly
Possible solution: Check the activation password and re-enter it.

Unable to contact server, please check connectivity or server address

Possible cause: User ID was entered incorrectly.
Possible solution: Verify that you are entering the correct User ID.

Possible cause: SRP ID or FQDN of the Enterprise Management Web Service was entered incorrectly.
Possible solution: Verify that you have the correct SRP ID or FQDN and are entering it correctly.

Possible cause: No activation password has been set.
Possible solution: Check with your administrator, or set a new activation password using the BlackBerry Web Desktop Manager.

Possible cause: Activation password has expired.
Possible solution: Check with your administrator, or set a new activation password using the BlackBerry Web Desktop Manager.

Possible cause: Services are not running.
Possible solution: Check to make sure that the BlackBerry Dispatcher and BlackBerry MDS Connection Service are running.
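The "Unable to contact server" causes above split into a server address that is wrong or does not resolve, and a service that is not accepting connections. The PowerShell script below is an added example, not part of the BlackBerry manual, that separates the two for the default ports named in the activation data flow. The host names are placeholders, and it assumes each named component accepts TCP connections on its port from the machine where the script runs.

```powershell
# Added example (not from the BlackBerry manual). Host names are placeholders.
# Ports are the defaults named in the activation data flow:
#   8081, 8444  Enterprise Management Web Service (direct Wi-Fi/VPN activation)
#   3101        BlackBerry Router
#   3201        BlackBerry MDS Connection Service
# Assumption: each component listens for TCP connections on its port and is
# reachable from the machine running this script.

$Checks = @(
    @{ Component = 'Enterprise Management Web Service'; Target = 'bes10.example.com';  Port = 8081 }
    @{ Component = 'Enterprise Management Web Service'; Target = 'bes10.example.com';  Port = 8444 }
    @{ Component = 'BlackBerry Router';                 Target = 'router.example.com'; Port = 3101 }
    @{ Component = 'BlackBerry MDS Connection Service'; Target = 'bes10.example.com';  Port = 3201 }
)

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    # TcpClient with an explicit timeout, so a filtered port does not hang the run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Resolve-Target {
    param([Parameter(Mandatory = $true)][string]$Target)
    # Returns the resolved addresses, or nothing when the name does not resolve.
    try {
        [System.Net.Dns]::GetHostAddresses($Target) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        # Unresolvable name: emit nothing so the caller sees an empty list.
    }
}

$results = foreach ($c in $Checks) {
    $addresses = @(Resolve-Target -Target $c.Target)
    if ($addresses.Count -eq 0) {
        # Matches the "FQDN was entered incorrectly" cause.
        $reachable = $false
        $verdict   = 'Name does not resolve: check the FQDN given to the user'
    } elseif (Test-TcpPort -HostName $c.Target -Port $c.Port) {
        $reachable = $true
        $verdict   = 'Reachable'
    } else {
        # Matches the "Services are not running" cause, or a firewall in the path.
        $reachable = $false
        $verdict   = 'No listener or blocked: check the service and firewall rules'
    }
    [pscustomobject]@{
        Component = $c.Component
        Target    = $c.Target
        Port      = $c.Port
        Reachable = $reachable
        Verdict   = $verdict
    }
}

$results | Format-Table -AutoSize
```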

Troubleshooting work space only activations

When you troubleshoot issues activating work space only devices, you should check the following:

- Has the device been provisioned correctly for a work space only activation?
  Check with the service provider that the device has a data plan that allows a work space only activation.
- Does your BlackBerry Enterprise Service 10 have the required licenses?
  Check that you have sufficient licenses and that the licenses you have work for the type of devices you have and the type of activations you want.
- Has the user accepted the notifications and installed all required certificates during activation?
  Make sure the user accepts the prompts to install the required certificates during the activation.
- Has the device been previously activated with a work space? If so, did the user perform a security wipe before activating with a work space only activation?
  If the device was previously active in another BlackBerry Enterprise Service 10 or by another user, make sure the user performs a security wipe prior to the activation, or accepts the prompt to delete the existing work space during activation.
- Did the user create a work space password when prompted?
  If BlackBerry Enterprise Service 10 requires a password set on the device and the user does not set a password, the activation cannot continue.

Troubleshooting iOS and Android device activation

Requirements: Wireless activation for iOS devices

Requirements
- SIM card provisioned and inserted in the iOS device
- EMM-Corporate license, or Secure Work Space license to activate an iOS device with a work space
- A working wireless connection

Data flow: Activating an iOS device over the wireless network

Adding the user

1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:
   - If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
   - If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead.
   The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version. Optionally, the administrator assigns a work space profile to the account.
   Note: If the option to send an activation email to the user is chosen, the administrator can customize the email message to reflect company-specific details.
2. The Core Module performs one of the following actions:
   - If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
   - If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date.
3. If the option to send an activation email was selected, the Core Module generates the activation email and sends it to the user using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from the App Store and additional information the user needs to enter on the client, such as the domain name and SRP ID, the username, and the activation password for the user account if one was specified.

Starting the activation process

1. The user installs the BES10 Client on the iOS device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/s1234567, where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.
   - If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
   - If the user clicks Accept, the certificate is installed on the device and the activation process continues.
2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.
3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.
4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.
5. The Core Module checks if the activation request is valid and performs one of the following actions:
   - If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message.
   - If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.
6. The Communication Module performs one of the following actions:
   - If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure passes the error message to the device and the activation stops.
   - If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client can request to manage on the device such as Wi-Fi, VPN, Microsoft ActiveSync profile configuration, IT policy configuration, activation type and so on), a command to provide device information and configuration, and a link to the BlackBerry Secure Connect Service to initiate the MDM Daemon enrollment process. The BlackBerry Secure Connect Service sends this information to the BlackBerry Infrastructure, which sends it to the device.

Installing the certificate and completing the activation

1. After receiving a successful response, the client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the BlackBerry Secure Connect Service link for the MDM Daemon enrollment.
2. The BlackBerry Secure Connect Service connects to the Communication Module for the MDM Daemon enrollment.
3. A certificate is provided by the Communication Module and the user is presented with the option to install it. The user clicks Install Now and Done.
4. The client communicates with the BlackBerry Secure Connect Service to notify the successful installation of the MDM profile and certificate.
5. The BlackBerry Secure Connect Service informs the Communication Module of the successful installation of the MDM profile and certificate.
6. The Communication Module informs the Core Module of this success.
7. After successfully confirming the MDM enrollment of the device, the Core Module sets the device activation status to active on the Management Database.
8. The client continually checks with the Communication Module through the BlackBerry Secure Connect Service to verify the activation status. When the activation is set to active, the device requests all IT policy and configuration information from, and sends device information to, BlackBerry Enterprise Service 10.
9. The BlackBerry Secure Connect Service receives the device information and sends it to the Communication Module.
10. The Communication Module receives the information, converts it to a device-agnostic format and forwards it to the Core Module.
11. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.

If the activation type for the device is Secure Work Space, after the activation is complete, the user is prompted to create a work space password and install some, or all, of the following apps:
- Work Connect
- Work Browser
- Documents To Go

Scenario: iOS device activation fails to complete

Andrew has installed the BES10 Client on his iOS device successfully. He enters the proper server name and receives the username and password prompt. When he enters his username and password and taps Activate My Device, he receives a pop-up message prompting him to install a certificate. He selects OK to allow the certificate to be installed and receives the following error message:

Your device cannot be activated at this time. Please try again later or contact your administrator.

Scenario: iOS activation fails with an AutoMDMCert.pfx error

Elliot is trying to activate an iOS device on BlackBerry Enterprise Service 10. Every time he starts the process, he receives an error stating:

Profile failed to install. The certificate "AutoMDMCert.pfx" could not be imported.

Requirements: Wireless activation for Android devices

Requirements
- SIM card provisioned and inserted in the Android device
- EMM-Corporate license, or Secure Work Space license to activate an Android device with a work space
- A working wireless connection

Data flow: Activating an Android device over the wireless network

Adding the user

1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:
   - If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
   - If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead.
   The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version. Optionally, the administrator assigns a work space profile to the account.
   Note: If the option to send an activation email to the user is chosen, the administrator can customize the email message to reflect company-specific details.
2. The Core Module performs one of the following actions:
   - If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
   - If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date.
3. If the option to send an activation email was selected, the Core Module sends the activation email using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from Google Play and additional information the user needs to type in the client, such as the company server name, the username, and the activation password for the user account if one was specified.

Starting the activation process

1. The user installs the BES10 Client on the Android device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/s1234567, where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.
   - If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
   - If the user clicks Accept, the certificate is installed on the device and the activation process continues.
2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.
3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.
4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.
5. The Core Module checks if the activation request is valid and performs one of the following actions:
   - If the activation request does not meet the criteria defined in the activation settings, for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account, the Core Module responds with an error message.
   - If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.
6. The Communication Module performs one of the following actions:
   - If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure sends the error message to the device and the activation stops.
   - If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client requests to manage on the device such as Wi-Fi, VPN, IT policy configuration, and so on), and a command to provide device information and configuration. The BlackBerry Secure Connect Service sends this information through the BlackBerry Infrastructure to the device.

Completing the activation

1. After receiving a successful response, the BES10 Client requests all IT policy and configuration information and sends the device information and software information through the BlackBerry Infrastructure to the BlackBerry Secure Connect Service, which sends this information to the Communication Module.
2. The Communication Module receives the information, converts it to a device-agnostic format and sends it to the Core Module.
3. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.

If the activation type for the device is Secure Work Space, after the activation is completed, the user is prompted to create a work space password and install some, or all, of the following apps:
- Work Connect
- Work Browser
- Documents To Go

Scenario: Android device activation fails

Marco Cacciacarro has been issued an Android device for testing purposes. When he tries to activate his device, he encounters the following error message:

Activate Error. Unable to activate device.

Deactivating iOS and Android devices

When you or a user deactivates a device, the connection between the device and the user account in the Universal Device Service is removed. You cannot manage the device, and the device is not displayed in the Administration Console.

You can deactivate a device using the Delete only work data IT administration command. A user can deactivate a device by selecting Deactivate My Device on the About screen in the BES10 Client.

Common issues for iOS device and Android device activation and deactivation

"Certificate not trusted" warning received during Android device activation

Possible cause
During Android device activation on BlackBerry Enterprise Service 10 a warning is received stating: Certificate not trusted. The security certificate for this server is not trusted. Do you want to continue? Yes/No.
During the installation of BlackBerry Enterprise Service 10 an administrator must supply an SSL certificate to be used by the Communication Module. If the administrator chooses to use an internal Certificate Authority to issue the certificate, or an external Certificate Authority which is not trusted by Android, additional steps will need to be taken in order to successfully activate the devices.

Possible solution
Use an external Certificate Authority that is trusted by default on Android devices. For more information about the certificates that are trusted by Android devices, check the "Trusted CA" section of the Android device.
Workaround: Click Yes for the warning during activation.

Error 3007: Server is not available

A pop-up displaying "Error 3007: Server is not available. Please try again later or contact your administrator" appears when a user attempts to activate with BlackBerry Enterprise Service 10 using the BES10 Client.

Possible cause
This error is displayed if the SSL certificate used by the Communication Module service is not trusted by the iOS device.

Possible solution
The Certification Authority certificate of the server which was used to create the SSL certificate for the Communication Module service needs to be installed on the iOS device. Please refer to the Universal Device Service - Advanced Administration Guide in the "Activate ios device" section for more details on how to install the Certification Authority certificate on the device.

Possible cause
- The hostname of the Communication Module is not correctly entered in the Company Server Name field in the BES10 Client.
- The Application Pool in IIS for the Communication Module will not stay started. When browsing to https://commmoduleurl/enrol/2 an HTTP code 503 is returned.

Possible solution
- Verify that the hostname is reachable from the iOS device and that it is accurately typed in the Company Server Name field.
- Ensure the Application Pool Identity is the same as the account used during installation. To change it:
  1. Open IIS Manager
  2. Click Application Pools
  3. Select the UDS.CommunicationModule
  4. Click Advanced Settings
  5. Under Process Model, enter the account credentials that were used during the installation into the Identity field

Profile Failed to Install

Possible cause
When trying to activate an iOS device, you see the following error: "Profile failed to install. The certificate "AutoMDMCert.pfx" could not be imported". A profile already exists on the device. Looking at the device logs we can see the following:

    Jan 20 16:46:34 unknown profiled[361] <Notice>: (Note ) MC: Profile com.default.mdm is replacing an existing profile having the same identifier.
    Jan 20 16:46:34 unknown SpringBoard[15] <Warning>: Reloading and rendering all application icons.
    Jan 20 16:46:41 unknown profiled[361] <Notice>: (Error) MC: Rolling back installation of profile com.default.mdm...
    Jan 20 16:46:41 unknown profiled[361] <Notice>: (Error) MC: Installation of profile com.default.mdm failed with error: NSError: Desc : The profile BUDS (MDM) could not be installed.

Possible solution
Go into Settings > General > Profiles on the device and verify that a profile already exists. Remove the old profile and reactivate. If issues persist, you might have to reset the device as data might be cached.

Users cannot deactivate a device

Possible cause
You recently restored a backup of the Management Database and the user activated the device after you created the backup version.

Possible solution
To deactivate the device, you or the user must delete the BES10 Client from the device.

The Work Apps icon remains on iOS device after the device is deactivated

Possible cause
If a user has an iOS device that is running iOS 5 or later, a blank Work Apps icon might remain on the device after the device is deactivated.

Possible solution
The user can delete the blank Work Apps icon manually.

BlackBerry Secure Connect Service cannot connect to <cc>.bbsecure.com

Possible cause
A local firewall or security policy in your organization's environment is preventing the BlackBerry Secure Connect Service from making a connection to <cc>.bbsecure.com, where <cc> is the country code. The following log lines are seen in the BlackBerry Secure Connect Service logs:

    2013-04-11 09:19:46,349 WARN [pool-10-thread-1] [,] ApplicationEndpoint - Discovered that we're not connected to endpoint EndpointInfo[host=<cc>.bbsecure.com,port=3101,tls=false,mode=<null>]. Submitting ConnectJob.
    2013-04-11 09:19:46,349 DEBUG [pool-10-thread-1] [,] ApplicationEndpoint - Executing ConnectJob to EndpointInfo[host=**.bbsecure.com,port=3101,tls=false,mode=<null>]
    2013-04-11 09:19:46,357 INFO [pool-10-thread-1] [,] TcpClientConnector - Attempting to connect (with TLS=true) to endpoint address **.bbsecure.com/123.9.231.111:3101
    2013-04-11 09:19:46,361 DEBUG [pool-10-thread-1] [,] TcpClientChannelHandler - [id: 0x2417b5da] OPEN
    2013-04-11 09:19:47,377 WARN [New I/O boss #15] [,] TcpClientChannelHandler - Unexpected exception from downstream.
    Connection refused: no further information
    java.net.ConnectException: Connection refused: no further information
        at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
        at sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
        at org.jboss.netty.channel.socket.nio.NioClientBoss.connect(NioClientBoss.java:148)
        at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:104)
        at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:78)
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312)
        at org.jboss.netty.channel.socket.nio.NioClientBoss.run(NioClientBoss.java:41)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    2013-04-11 09:19:47,377 WARN [pool-10-thread-1] [,] TcpClientConnector - Connection attempt failed to complete in 15 secs
    2013-04-11 09:19:47,378 DEBUG [pool-10-thread-1] [,] ApplicationEndpoint - Done executing ConnectJob to EndpointInfo[host=sg.bbsecure.com,port=3101,tls=false,mode=<null>]
    2013-04-11 09:19:47,378 WARN [pool-10-thread-1] [,] ApplicationEndpoint - Unable to connect to EndpointInfo[host=<cc>.bbsecure.com,port=3101,tls=false,mode=<null>], failurestreak is 7.

Possible solution
Verify that all ports required for the BlackBerry Secure Connect Service to communicate with the BlackBerry Infrastructure are open.

Troubleshooting Secure Work Space activations

When you troubleshoot issues activating a device with Secure Work Space, you should check the following:

Does your environment meet the requirements for Secure Work Space?
Before configuring Secure Work Space for iOS devices and Android devices for your organization, you must have BlackBerry Enterprise Service 10 version 10.1.1 installed and working.
You will also need the following:
- A Secure Work Space license in BlackBerry Enterprise Service 10 for each device you intend to install a work space on
- One of the following versions of Microsoft Exchange Server:
  - Microsoft Exchange Server 2007 SP3 with Microsoft ActiveSync 12.1 or later
  - Microsoft Exchange Server 2010 with Microsoft ActiveSync 14.0 or later
  - Microsoft Exchange Server 2010 SP1 with Microsoft ActiveSync 14.1 or later
  - Microsoft Exchange Server 2013 with Microsoft ActiveSync 14.1 or later
- Basic authentication enabled on Microsoft Exchange
- A Microsoft Exchange account with the ms-exch-epi-impersonation permission to allow Microsoft Exchange Impersonation of all users on the Microsoft Exchange Server

Have you edited your Microsoft ActiveSync configuration in the Universal Device Service console?
Before you can activate any Android devices or iOS devices with a work space, you must edit your Microsoft ActiveSync configuration in the Universal Device Service console. Make sure the following information and settings are configured:
- Provide the credentials of the account with impersonation permissions on the Microsoft Exchange Server
- Set BlackBerry Enterprise Service 10 to monitor Microsoft Exchange Web Services for notifications
- Type the FQDN of your Microsoft Exchange Web Services address

Do you have Secure Work Space licenses available?
Make sure that you have Secure Work Space licenses available in BlackBerry Management Studio. Adding this type of license for the first time will allow you to see the work space menu items in the Universal Device Service console.

Have you enabled and tested the work space for your BlackBerry Enterprise Service 10?
To enable the work space for your organization, you must click the Work Space item in the Settings page. Accessing this item notifies the BlackBerry Infrastructure that your organization may use work space for iOS devices and Android devices and makes the Work Space IT policy profile available to you.

Have you configured the default work space IT policy or any additional work space IT policies?
In the Universal Device Service console, you can configure the default work space IT policy profile or create additional work space IT policies in the Libraries page to reflect your organization's security requirements.

Have you assigned a work space IT policy profile to the user account?
When you assign the work space profile to a user account, the default work space IT policy is automatically assigned. If you created additional work space IT policies, you must drag and drop the work space IT policy onto the user accounts you want to apply it to.

Has the user accepted the notifications and installed all required apps and certificates?
This includes:
1. Install the Work Connect app: The Work Connect app creates and manages the work space.
2. Install the Work Browser app: The Work Browser app lets the user browse the Internet and access content servers in your organization's network.
3. Install the Documents To Go app: The Documents To Go app lets the user view and edit Microsoft Office documents from the content servers in your organization's network.
   Note: The user may be prompted to install the Work Connect, Work Browser, and Documents To Go apps in any order.
4. Set a password for the work space. After the user sets a password, they are redirected to the Work Connect app where they always have to use the password to log in.
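For the "BlackBerry Secure Connect Service cannot connect to <cc>.bbsecure.com" issue earlier in this section, the following added example (not part of the original manual or of any BlackBerry tooling) triages a BlackBerry Secure Connect Service log by endpoint: it attaches stack-trace lines to their log record, counts connection attempts, and reports the highest failure streak and the failure cause. The sample log is constructed, and the timeout and DNS categories generalize beyond the "Connection refused" case the manual shows.

```python
import re

# Constructed sample modelled on the log excerpt in this section. The host label
# "xx" and the documentation-range IP address are placeholders, not real values.
SAMPLE_LOG = """\
2013-04-11 09:19:46,349 WARN [pool-10-thread-1] [,] ApplicationEndpoint - Discovered that we're not connected to endpoint EndpointInfo[host=xx.bbsecure.com,port=3101,tls=false,mode=<null>]. Submitting ConnectJob.
2013-04-11 09:19:46,357 INFO [pool-10-thread-1] [,] TcpClientConnector - Attempting to connect (with TLS=true) to endpoint address xx.bbsecure.com/192.0.2.10:3101
2013-04-11 09:19:47,377 WARN [New I/O boss #15] [,] TcpClientChannelHandler - Unexpected exception from downstream.
java.net.ConnectException: Connection refused: no further information
\tat sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
2013-04-11 09:19:47,378 WARN [pool-10-thread-1] [,] ApplicationEndpoint - Unable to connect to EndpointInfo[host=xx.bbsecure.com,port=3101,tls=false,mode=<null>], failurestreak is 7.
"""

# timestamp LEVEL [thread] [context] Component - message
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]*)\] \[[^\]]*\] (?P<component>\w+) - (?P<msg>.*)$"
)
ATTEMPT = re.compile(r"endpoint address (?P<host>[^/\s]+)/\s*(?P<ip>[\d.]+):(?P<port>\d+)")
FAILED = re.compile(
    r"Unable to connect to EndpointInfo\[host=(?P<host>[^,]+),port=(?P<port>\d+).*?"
    r"failurestreak is (?P<streak>\d+)",
    re.IGNORECASE,
)
EXCEPTION = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error)): (?P<detail>.*)$", re.IGNORECASE)

# Only "refused" is the case shown in the manual; the rest are assumptions
# added here to cover other standard java.net connection failures.
ADVICE = {
    "refused": "Connection actively refused: check the local firewall or security policy for outbound TCP 3101.",
    "timeout": "No answer from the endpoint: traffic is probably dropped silently on the path.",
    "dns": "Host name did not resolve: check DNS from the server running the service.",
    "other": "Unclassified exception: read the full stack trace.",
}


def parse_records(text):
    """Split the log into records; non-timestamped lines belong to the previous record."""
    records = []
    for line in text.splitlines():
        match = RECORD.match(line)
        if match:
            records.append({**match.groupdict(), "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def classify(cls, detail):
    """Map an exception class and message to a coarse failure cause."""
    text = f"{cls}: {detail}".lower()
    if "unknownhost" in text:
        return "dns"
    if "refused" in text:
        return "refused"
    if "timed out" in text or "timeout" in text:
        return "timeout"
    return "other"


def triage(records):
    """Summarize attempts, resolved IPs, causes and worst failure streak per endpoint."""
    summary = {}
    current = None  # endpoint of the most recent connection attempt

    def entry(host, port):
        return summary.setdefault(
            f"{host}:{port}",
            {"attempts": 0, "ips": set(), "causes": set(), "max_failure_streak": 0},
        )

    for rec in records:
        attempt = ATTEMPT.search(rec["msg"])
        if attempt:
            current = entry(attempt["host"], attempt["port"])
            current["attempts"] += 1
            current["ips"].add(attempt["ip"])
        failed = FAILED.search(rec["msg"])
        if failed:
            item = entry(failed["host"], failed["port"])
            item["max_failure_streak"] = max(item["max_failure_streak"], int(failed["streak"]))
        # The exception record names no endpoint, so attribute it to the last attempt.
        if current is not None:
            for line in rec["extra"]:
                exc = EXCEPTION.match(line)
                if exc:
                    current["causes"].add(classify(exc["cls"], exc["detail"]))
    return {
        key: {**val, "ips": sorted(val["ips"]), "causes": sorted(val["causes"])}
        for key, val in summary.items()
    }


if __name__ == "__main__":
    for endpoint, info in triage(parse_records(SAMPLE_LOG)).items():
        print(endpoint, info)
        for cause in info["causes"]:
            print("  ->", ADVICE[cause])
```

A rising failure streak with the cause "refused" on port 3101 matches the firewall or security policy cause described in the manual.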

Scenario: BlackBerry 10 devices are failing to activate

Issue: It has been a very busy day in the Manufacturing Co. IT department. You have successfully activated several BlackBerry devices, BlackBerry PlayBook tablets, iOS devices, and Android devices. You have added new users who have activated their devices wirelessly. The last four devices are BlackBerry 10 devices, but there is an issue causing the activations to fail. The users have tried activating their devices using a wired connection to the BlackBerry Web Desktop Manager as well as setting a wireless activation password and attempting activation over the wireless network. Both methods have failed.

Discussion: Activation

Consider all of the activation information and scenarios that you've done in this module. What things will you keep in mind when you troubleshoot activation issues?

Review: Troubleshooting issues with device activation

1. True or false. You must configure SMTP settings in the BlackBerry Device Service notification settings in order to send activation information to BlackBerry device users from BlackBerry Enterprise Service 10 by email.
2. To activate a BlackBerry PlayBook tablet over the BlackBerry Infrastructure, you need to enter your ______, ______, and the ______ of BlackBerry Enterprise Service 10.
3. True or false. You can activate an iOS and Android device using a wired connection to your computer and BlackBerry Management Studio.
4. To activate a BlackBerry 10 device when the user is registered with the BlackBerry Infrastructure, what information are you required to enter?
   a. Username
   b. Password
   c. SRP ID of the BlackBerry Enterprise Service 10
   d. FQDN of the BlackBerry Enterprise Service 10
5. True or false. To activate an iOS device or Android device users must download and install the BES10 Client.
6. True or false. You can activate an iOS device or Android device using BlackBerry Web Desktop Manager.
7. List the information users must type to activate an iOS device or Android device.

Troubleshooting data flow issues

Objectives

By the end of this module, you should be able to:
- Troubleshoot the email and organizer data synchronization data flow for BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, and Android devices
- Troubleshoot BlackBerry IT policy and profile updates
- Troubleshoot app updates for BlackBerry devices
- Troubleshoot actions and commands sent to iOS devices and Android devices

Email and organizer data synchronization using Microsoft ActiveSync

To synchronize your organization's email accounts and organizer data with your users' devices, you must create profiles and assign them to the user accounts:
- Email profiles specify how BlackBerry devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync.
- Microsoft ActiveSync profiles specify how iOS devices and Android devices connect to your organization's messaging server and synchronize email messages and organizer data using Microsoft ActiveSync.

Microsoft ActiveSync is supported by multiple email messaging servers, including Microsoft Exchange, IBM Notes Traveler, and Novell GroupWise.

Requirements: Synchronizing email and organizer data using Microsoft ActiveSync

Synchronization requirements

Requirement
- Microsoft ActiveSync is installed and running in your environment before you install BlackBerry Enterprise Service 10
  - If you are using Microsoft Exchange, no additional software needs to be installed for Microsoft ActiveSync.
  - If you are using Domino, IBM Notes Traveler for Domino must be installed in the organization's email environment to support Microsoft ActiveSync.
  - If you are using GroupWise, Novell Data Synchronizer and Mobility Pack for GroupWise must be installed in the organization's email environment to support Microsoft ActiveSync.
- A properly configured email profile for BlackBerry 10 device users and BlackBerry PlayBook tablet users
- A properly configured Microsoft ActiveSync profile for iOS device users and Android device users
- A working wireless connection

Data flow: Receiving email and organizer data on a BlackBerry device

When users send and receive email and organizer data on a BlackBerry device, there are two communication paths that can be used:
- Connectivity through the BlackBerry Infrastructure to the messaging server that is running Microsoft ActiveSync to provide security for devices that are not connected to the organization's internal network or do not have a VPN connection
- Direct connection from the device to the messaging server that is running Microsoft ActiveSync, through the VPN or over the work Wi-Fi network

1. The device issues an HTTPS request to the messaging server and requests that the messaging server notify the device if any items change in the folders that are configured to synchronize.
2. The device stands by. You can adjust the synchronization time, depending on your messaging server.
3. The messaging server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.
   - Changed items include marking an email as read, moving an email into a sub folder, updating organizer data
   - New items include receiving a new email or creating a new organizer data entry
4. The device issues a synchronization request for the folder.
5. The messaging server synchronizes the changed files with the device.
6. When the synchronization is complete, the device issues another request to restart the process.
7. If there are no new or changed items during this interval, the messaging server sends a "HTTP 200 OK" message to the device.
8. The device issues a new PING request.

Scenario: Unable to send or receive email messages after activating a BlackBerry 10 device with BlackBerry Enterprise Service 10

Tanya McPherson recently activated her newly issued BlackBerry 10 device successfully. She quickly noticed that she was unable to send and receive email and her contacts were not syncing.

Data flow: Receiving email and organizer data on iOS devices and Android devices using Microsoft ActiveSync

1. The device issues an HTTPS request to the messaging server and requests that the messaging server notify the device if any items change in the folders that are configured to synchronize.
2. The device stands by. You can adjust the synchronization time, depending on your messaging server.
3. The messaging server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.
   - Changed items include marking an email as read, moving an email into a sub folder, updating organizer data
   - New items include receiving a new email or creating a new organizer data entry
4. The device issues a synchronization request for the folder.
5. The messaging server synchronizes the changed files with the device.
6. When the synchronization is complete, the device issues another request to restart the process.
7. If there are no new or changed items during this interval, the messaging server sends a "HTTP 200 OK" message to the device.
8. The device issues a new PING request.
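The request cycle in the two Microsoft ActiveSync data flows above (BlackBerry devices, and iOS and Android devices) can be checked from the server side. The following added example (not part of the original manual) summarizes ActiveSync requests per device from an IIS W3C log on the messaging server; the log excerpt, user names, device IDs and status codes are constructed, and it assumes the log records the cs-uri-query and sc-status fields.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C excerpt. IIS writes a line when the request completes,
# so a Ping that waited the whole interval shows a long time-taken (milliseconds).
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status time-taken
2013-04-11 09:05:00 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=userb&DeviceId=BB0002&DeviceType=BlackBerry 403 15
2013-04-11 09:05:30 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=userb&DeviceId=BB0002&DeviceType=BlackBerry 403 12
2013-04-11 09:15:00 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=usera&DeviceId=IOS0001&DeviceType=iPhone 200 900212
2013-04-11 09:15:42 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=usera&DeviceId=IOS0001&DeviceType=iPhone 200 41873
2013-04-11 09:15:43 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=usera&DeviceId=IOS0001&DeviceType=iPhone 200 312
2013-04-11 09:20:10 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=usera&DeviceId=IOS0001&DeviceType=iPhone 500 95
2013-04-11 09:21:30 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=usera&DeviceId=IOS0001&DeviceType=iPhone 500 88
2013-04-11 09:30:44 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=usera&DeviceId=IOS0001&DeviceType=iPhone 200 900105
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def summarize(rows):
    """Per (user, device): reconstruct the Ping/Sync cycle and flag failing commands."""
    devices = defaultdict(lambda: {"ok": Counter(), "failed": Counter(), "flow": []})
    for row in rows:
        if "Microsoft-Server-ActiveSync" not in row.get("cs-uri-stem", ""):
            continue
        query = parse_qs(row.get("cs-uri-query", ""))
        user = query.get("User", ["?"])[0].lower()
        device_id = query.get("DeviceId", ["?"])[0]
        cmd = query.get("Cmd", ["?"])[0]
        dev = devices[(user, device_id)]
        if row.get("sc-status") == "200":
            dev["ok"][cmd] += 1
            if cmd in ("Ping", "Sync"):
                dev["flow"].append(cmd)
        else:
            dev["failed"][(cmd, row.get("sc-status", "?"))] += 1

    report = {}
    for key, dev in devices.items():
        flow = dev["flow"]
        # A Ping directly followed by a Sync means the server reported a changed
        # folder (steps 3-5); any other Ping ended with no changes (steps 7-8).
        notified = sum(1 for a, b in zip(flow, flow[1:]) if (a, b) == ("Ping", "Sync"))
        idle = flow.count("Ping") - notified
        findings = []
        if not dev["ok"]:
            codes = sorted({status for _, status in dev["failed"]})
            findings.append("every request rejected (HTTP " + ", ".join(codes) + ")")
        else:
            for cmd in sorted({c for c, _ in dev["failed"]}):
                if cmd not in dev["ok"]:
                    findings.append(f"{cmd} never succeeds while other commands do")
        report[key] = {"ping_idle": idle, "ping_notified": notified, "findings": findings}
    return report


if __name__ == "__main__":
    for device, info in summarize(parse_w3c(SAMPLE_IIS_LOG)).items():
        print(device, info)
```

In the constructed sample, one device completes the notification cycle but every SendMail fails, which is the server-side shape of a "can receive but cannot send" report; the other device is rejected on every request and never reaches the Ping stage.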

Data flow: Receiving email and organizer data on iOS devices with a work space and Android devices with a work space

1. At defined intervals, the messaging server checks for any new or changed items and notifies the iOS device or Android device, through BlackBerry Enterprise Service 10, when there are new or changed items.
   - If the device is an iOS device: The BlackBerry Work Connect Notification Service receives the notification and passes it to the BlackBerry Secure Connect Service for forwarding over port 2195
   - If the device is an Android device: The notification is received by the BlackBerry Secure Connect Service for forwarding
2. BlackBerry Secure Connect Service notifies the BlackBerry Infrastructure that there are new or changed items in the user's mailbox over port 3101.
3. The BlackBerry Infrastructure passes notification to the device that there are new or changed items in the user's mailbox.
   - If the device is an iOS device: The BlackBerry Infrastructure contacts the APNs over port 2195 to notify the user that there is an item waiting to be synchronized. The APNs notifies the device that there is a new or changed item waiting to be synchronized. When the Work Connect app receives the notification, it displays an icon that indicates that there are new updates available for the user.
   - If the device is an Android device: The BlackBerry Infrastructure contacts the device to notify the user that there is an item waiting to be synchronized. When the Work Connect app receives the notification, it displays an icon that indicates that there are new updates available for the user.
4. The device contacts the BlackBerry Infrastructure to request the new or changed items.
5. The BlackBerry Infrastructure contacts the BlackBerry Secure Connect Service and requests the new or changed items.
6. The BlackBerry Secure Connect Service contacts the messaging server and requests the new or changed items be sent to the device.
7. The messaging server sends the items to the device, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure.
8. The device sends confirmation back to the messaging server, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure, that the updates have been received.
9. When the synchronization of all items is complete, the messaging server sends an "HTTP 200 OK" message to the device.
10. The device waits for the next notification from BlackBerry Enterprise Service 10 that there are new or changed items to synchronize.

Scenario: iOS device user can receive email, but cannot send email

You recently assigned an iOS device to Katya Naydek. The device activated properly. The BES10 Client was installed and the certificate was accepted by the device. Katya reports to you that she's been receiving email all day; however, when she went to send her first email, she received the following error message:

Cannot Send Mail: An error occurred while delivering this message.

Common issues with email and organizer data synchronization

Email messages, contact entries, calendar entries, and memos fail to synchronize

When you try to configure a Microsoft Exchange ActiveSync account on the BlackBerry 10 smartphone or BlackBerry PlayBook tablet, email messages, contact entries, calendar entries, and memos fail to synchronize. The account appears to be configured but synchronization does not occur. This also affects email accounts configured through an email profile using BlackBerry Enterprise Service 10.

When sending an email on the BlackBerry 10 smartphone, a red X is displayed and the Message Status is the following:

Protocol layer was unable to send a message

The BlackBerry PlayBook tablet may display one of the following error messages when the account is being configured:

Service is temporarily unavailable for (user@domain.com - user@domain.com). [Error Code:403])
An unexpected problem occurred with "email address" Some features may not be working correctly

Additionally, the following log information is displayed in the Application log on the Microsoft Exchange CAS:

Log Name: Application
Source: MSExchange ActiveSync
Date:
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer: <servername>
Description: Exchange ActiveSync doesn't have sufficient permissions to create the CN=<user>,OU=<ou>,DC=<domain>,DC=local container under Active Directory user Active Directory operation failed on <domain controller>. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.

Possible cause
Inheritance is disabled on the User Object in Microsoft Active Directory.

Possible solution
Enable inheritance on the User Object in Microsoft Active Directory.

1. Open Active Directory Users and Computers.
2. On the menu at the top of the console, click View > Advanced Features.

3. Locate and right-click the mailbox account in the console, and then click Properties.
4. Click the Security tab.
5. Click Advanced.
6. Make sure that the check box for Allow inheritable permissions from the parent to propagate to this object and all child objects is selected.

If the user was or is a member of a protected group, inheritance may automatically be disabled. For more information on protected groups, visit the Microsoft TechNet website and search for "AdminSDHolder, Protected Groups, and SDPROP".

After inheritance is enabled, you must re-authenticate the configured account.

Email messages, contact entries, calendar entries, and memos fail to synchronize after user has activated their device

Possible cause
An email profile or Microsoft ActiveSync profile has not been created or assigned to the user.

Possible solution
Create a valid email profile for BlackBerry 10 devices and BlackBerry PlayBook tablet, or a valid Microsoft ActiveSync profile for iOS devices and Android devices, and assign it to the user.

Calendar entries are not synchronizing for BlackBerry 10 device users

Possible cause
The email profile setting Calendar synchronization has been set to No on the email profile assigned to all users.

Possible solution
Change the Calendar synchronization setting in the email profile to Yes.

New contacts are not synchronizing to iOS devices running iOS version 6.0

Possible cause
The Microsoft ActiveSync profile is configured incorrectly. The Disable synchronizing new recipients to device address book check box has been selected in the Microsoft ActiveSync profile. This setting applies to iOS version 6.0 and later only.

Possible solution
Uncheck the Disable synchronizing new recipients to device address book setting in the Microsoft ActiveSync profile.
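For the Event ID 1053 issue described earlier in this section, the following added example (not part of the manual) scans Application log text exported from the Microsoft Exchange CAS and lists the user objects whose inheritance setting should be checked. The export layout, sample records, and function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

FIELDS = ("Log Name", "Source", "Date", "Event ID", "Task Category",
          "Level", "Keywords", "User", "Computer", "Description")
FIELD_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(map(re.escape, FIELDS)))
# The DN sits between "to create the" and "container under" in the description.
DN_RE = re.compile(r'to create the\s+"?(CN=.+?)"?\s+container under', re.S)
DC_RE = re.compile(r"operation failed on\s+(\S+)\.(?:\s|$)")


def parse_records(text):
    """Split exported log text into records (dicts of field name -> value)."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("Log Name:") and current:
            records.append(current)
            current, last = {}, None
        match = FIELD_RE.match(line)
        if match:
            last = match.group(1)
            current[last] = match.group(2).strip()
        elif last and line.strip():
            # Wrapped text belongs to the previous field (usually Description).
            current[last] += " " + line.strip()
    if current:
        records.append(current)
    return records


def inheritance_suspects(text):
    """Return [(user_dn, domain_controller, hits)] for Event ID 1053
    access-denied errors, most frequent first."""
    hits = Counter()
    for rec in parse_records(text):
        desc = rec.get("Description", "")
        if (rec.get("Source") != "MSExchange ActiveSync"
                or rec.get("Event ID") != "1053"
                or "INSUFF_ACCESS_RIGHTS" not in desc):
            continue
        dn = DN_RE.search(desc)
        dc = DC_RE.search(desc)
        if dn:
            hits[(dn.group(1), dc.group(1) if dc else "unknown")] += 1
    return [(dn, dc, count) for (dn, dc), count in hits.most_common()]


def sample_record(user_dn, dc):
    """Build one constructed Event ID 1053 record in the layout shown above."""
    return (
        "Log Name: Application\n"
        "Source: MSExchange ActiveSync\n"
        "Event ID: 1053\n"
        "Level: Error\n"
        "Computer: cas01.example.local\n"
        "Description: Exchange ActiveSync doesn't have sufficient permissions to "
        f"create the {user_dn} container under Active Directory user Active "
        f"Directory operation failed on {dc}. This error is not retriable.\n"
        "Additional information: Access is denied. Active directory response: "
        "00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.\n\n"
    )


# Constructed sample export: two affected users (one logged twice) and one
# unrelated record that must be ignored. All names are made up.
USER1 = "CN=Test User1,OU=Sales,DC=example,DC=local"
USER2 = "CN=Test User2,OU=IT,DC=example,DC=local"
SAMPLE_EXPORT = (
    sample_record(USER1, "dc01.example.local")
    + "Log Name: Application\nSource: ExampleOtherService\nEvent ID: 1053\n"
      "Description: constructed unrelated record\n\n"
    + sample_record(USER2, "dc02.example.local")
    + sample_record(USER1, "dc01.example.local")
)

if __name__ == "__main__":
    for dn, dc, count in inheritance_suspects(SAMPLE_EXPORT):
        print(f"{count:3d}  {dn}  (reported by {dc})")
```

Each distinguished name in the output is a user object to open in Active Directory Users and Computers and check using steps 3 to 6 above.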

Troubleshooting policy and profile updates on BlackBerry devices

Requirements: Policy and profile updates for BlackBerry devices

In order for policy and profile updates to be sent successfully to users' BlackBerry devices, you need:

- Deployment schedules that are properly configured
- Connectivity to the BlackBerry Configuration Database
- Properly configured and assigned IT policies and profiles
- All BlackBerry Enterprise Service 10 services used for managing BlackBerry devices must be running
- Communication between all components of BlackBerry Enterprise Service 10 used for managing BlackBerry devices

Data flow: Sending policy and profile updates to BlackBerry devices

You can configure IT administration commands, app information, IT policies, email profiles, SCEP profiles, Wi-Fi profiles, and VPN profiles for devices using the BlackBerry Device Service console. This configuration information is sent to the Enterprise Management Agent on the device over a secure, preauthenticated connection through the Enterprise Management Web Service.

1. You complete one of the following actions in the BlackBerry Device Service console:
   - Select an IT administration command
   - Remove a device from a user account
   - Assign or change an IT policy
   - Assign or change a VPN profile or Wi-Fi profile
   - Assign or change Microsoft ActiveSync configuration settings
   - Assign or change email configuration settings
   - Assign or change root certificates
   - Assign or change proxy profiles
   - Assign or change SCEP profiles
2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in the BlackBerry Enterprise Service 10 and the BlackBerry Device Service console identifies objects that must be shared with the device.
3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.

Note: The Enterprise Management Web Service can only notify the Enterprise Management Agent on the device that there is an update over the IPPP pathway through the BlackBerry Infrastructure.

4. The Enterprise Management Agent polls the Enterprise Management Web Service for the update.
5. The Enterprise Management Web Service sends the configuration updates to the Enterprise Management Agent.
6. The Enterprise Management Agent retrieves the configuration updates and applies the new or updated configuration on the work space of the device.

Troubleshooting app updates for BlackBerry devices

Requirements: App updates for BlackBerry devices

To push out app updates to your users, you require:

- Deployment schedules that are properly configured
- Connectivity to the BlackBerry Configuration Database
- Properly configured and assigned software configurations
- All BlackBerry Enterprise Service 10 services used for managing BlackBerry devices must be running
- Communication between all components of BlackBerry Enterprise Service 10 used to manage BlackBerry devices

Data flow: Sending app updates to BlackBerry devices

You use software configurations to specify apps that are required or optional for the work space of the devices. Required apps are installed in the work space after the device receives them. Optional apps can be downloaded and installed in the work space. Apps that are not listed as required or optional can only be installed in the personal space.

1. You complete one of the following actions in the BlackBerry Device Service console:
   - Create a software configuration and assign it to a user account or a group the user account belongs to
   - Update a software configuration that is already assigned to the user account
   - Update app information
2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in BlackBerry Enterprise Service 10 and the BlackBerry Device Service console identifies objects that must be shared with the device.
3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.
4. The Enterprise Management Agent on the device polls the Enterprise Management Web Service for updates.
5. The Enterprise Management Web Service sends the update to the Enterprise Management Agent.
6. If a required app was added or updated, the Enterprise Management Agent accesses the URL that is specified in the app information to download and install the required app to the work space.

7. If the list of optional apps changed, the Work tab in the BlackBerry World storefront on BlackBerry PlayBook tablets, or the BlackBerry World for Work app for BlackBerry 10 devices, displays the updated list and the user can download and install the optional apps.

Scenario: BlackBerry device users cannot download an optional work app from BlackBerry World for Work

Issue: You have a new work app that you've published in BlackBerry Enterprise Service 10. A few days after you publish the app and add it to your organization's software configuration, you start receiving complaints that users cannot download it. There has never been an issue with published apps for users before.

Error message: The users receive "Install Error [0005], There was a problem during the installation. Please try again".

About actions and commands sent to Android devices and iOS devices

Actions are tasks to be performed on the device, such as lock device, delete work data, and delete all data. Commands are used to configure information on the device, such as VPN, Wi-Fi and Microsoft ActiveSync profiles, or to obtain information about the device such as device information and installed applications.

An action or command can be triggered in any of the following ways:

- Using the Universal Device Service console, the administrator performs any of the following:
  - Lock device
  - Unlock device
  - Delete only work data
  - Delete all device data
  - Specify device password and lock (Android devices only)
  - Update an IT policy
  - Update VPN profile
  - Update Wi-Fi profile
  - Update Microsoft ActiveSync profile
  - Update CA certificate profile
  - Update SCEP profile (iOS devices only)
  - Update shared certificate profile
  - Assign or remove a profile to a user account or group
  - Assign a new software configuration to a user account or group
  - Edit a software configuration or associated application definition
- At defined intervals, the Scheduler contacts the Core Module and requests the list of devices that have an action or command that needs to be performed (for example, check jailbroken or rooted status or request the list of installed applications). If an action or command needs to be performed, the Scheduler adds it to the list of pending commands or actions for the device.
- At defined intervals, the BES10 Client contacts the Communication Module and provides device information and the list of installed applications, based on the default polling cycle defined by the administrator.

When BlackBerry Enterprise Service 10 receives device information or the list of installed applications, several enforcement checks are performed on the device. The enforcement check may trigger one of the following:

- Send an enforcement breach email to the user, using SMTP
- Schedule an enforcement breach action (for example, delete all data, delete only work data, or inform the user they are in breach and that there may be further enforcement action at a later time)

Requirements: Sending actions and commands to iOS devices and Android devices

- An iOS device or Android device with an active wireless network connection
- An iOS device or Android device with the BES10 Client installed, managed by BlackBerry Enterprise Service 10

About the BES10 Client and the iOS MDM Daemon

At defined intervals, the BES10 Client contacts the Communication Module, through the BlackBerry Secure Connect Service, to ask for any actions that need to be run on the device. Polling occurs every 15 minutes, by default. This setting can be modified in the Universal Device Service console.

Android devices use the BES10 Client to perform all actions and commands.

iOS devices use the BES10 Client to provide device information to BlackBerry Enterprise Service 10 such as jailbroken status and displaying policy enforcement information. The MDM Daemon on iOS devices supplements the BES10 Client protocol and performs the rest of the actions and commands on iOS devices.

Data flow: Executing actions and commands that use the BES10 Client on Android devices and iOS devices

1. At defined intervals, the BES10 Client contacts the BlackBerry Secure Connect Service, on port 3101 of the external firewall, to check for any pending actions and commands that need to be performed on the device. Polling occurs every 15 minutes, by default, but can be configured by the administrator.
2. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443, to request any pending actions and commands.
3. The Communication Module contacts the Core Module, over internal port 9081, to verify the device authentication information and get a list of pending actions and commands that need to be run on the device.
4. If there are no pending actions or commands for the device, the Communication Module replies to the device, through the BlackBerry Secure Connect Service, with an idle command. If there are actions or commands pending for the device, the Communication Module replies, through the BlackBerry Secure Connect Service, with the highest priority action. For Android devices, priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed applications, and so on. The Communication Module sends only one command at a time. If necessary, additional information is included in the response.
5. The client inspects the response, schedules the command to be processed, and waits for the command to be run.
6. The client sends a response to the Communication Module, through the BlackBerry Secure Connect Service, to update the command status. The status indicates whether the command ran successfully and, in the event of failure, it provides an error message.

7. Steps 2 to 5 are repeated until there are no more pending actions or commands that need to be performed on the device.

Note: For secure work apps, the initial notification is sent to the iOS device or Android device by the content server, through the APNs for iOS devices, using whatever transport method the app developer specified. This may not involve BlackBerry Enterprise Service 10. After the notification is delivered to the device, the device contacts the BlackBerry Secure Connect Service to retrieve updated data.

Data flow: Executing actions and commands that use the MDM Daemon on iOS devices

1. The Core Module notifies the BlackBerry Secure Connect Service, over port 2195, that there is an update pending for an iOS device.
2. The BlackBerry Secure Connect Service contacts the BlackBerry Infrastructure, over port 3101, to notify the APNs that there is an update pending for an iOS device.
3. The BlackBerry Infrastructure, over port 2195, notifies the APNs that there is an update pending for an iOS device.
4. The APNs sends a notification to the MDM Daemon on the iOS device to contact the Communication Module.
5. When the MDM Daemon on the iOS device receives the notification, it contacts the BlackBerry Secure Connect Service, on port 3101 of the external firewall, to retrieve any pending actions.
6. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443, to request the updates.
7. The Communication Module contacts the Core Module, over internal port 9081, to verify the device and get a list of pending actions and commands that need to be run on the device.
8. If there are no pending actions or commands for the device, the Communication Module, through the BlackBerry Secure Connect Service, replies to the device with an idle command. If there are actions or commands pending for the device, the Communication Module, through the BlackBerry Secure Connect Service, replies with the highest priority action. Priority is given to actions, such as Delete device data and Lock device, followed by requests for device information, installed applications, etc. The Communication Module sends only one command at a time. If necessary, additional information is included in the response.
9. The MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for the command to be run.
10. The MDM Daemon sends a response to the Communication Module, through the BlackBerry Secure Connect Service, to update the command status. The status indicates whether the command ran successfully, providing any additional information, and in the event of failure, it provides an error message.
11. Steps 4 to 7 are repeated until there are no more pending actions or commands that need to be performed on the device.

Troubleshooting tips for actions and commands sent to iOS devices and Android devices

When troubleshooting actions and commands sent to iOS devices and Android devices, you should:

- Check that the BES10 Client is installed on the iOS device or Android device.
- Check that the iOS device or Android device has been successfully activated.
- Verify that the iOS device or Android device has not been quarantined.

Creating a work space app

If your organization creates a custom app, you can use the BlackBerry Infrastructure to convert the app into a work space app that can be installed in the work space on devices. Converting the app is an automatic process that you can initiate by uploading the app binary file in the Universal Device Service. After the app is converted and signed, you can make the app available to users by posting the app in the App Store or Google Play, or by creating an app definition and adding the app to a software configuration in the Universal Device Service.
For more information about work space apps, see the Secure Work Space for iOS and Android Security Technical Note.

Troubleshooting work space apps on iOS devices and Android devices

Creation considerations for work space apps on iOS devices and Android devices:

- Did you create the work space app properly? Directions for creating a work space app can be found in the Universal Device Service Advanced Administration Guide.
- Is the work space app properly signed? To install a work space app for iOS devices and Android devices, it must be signed by Apple or Google.

Deployment considerations for work space apps on iOS devices and Android devices:

Has the user accepted the notifications and installed all required apps and certificates? This includes:

1. Install the Work Connect app: The Work Connect app creates and manages the work space.
2. Install the Work Browser app: The Work Browser app lets the user browse the Internet and access content servers in your organization's network.
3. Install the Documents To Go app: The Documents To Go app lets the user view and edit Microsoft Office documents from the content servers in your organization's network.
   Note: The user may be prompted to install the Work Connect, Work Browser, and Documents To Go apps in any order.
4. Set a password for the work space. After the user sets a password, they are redirected to the Work Connect app where they always have to use the password to log in.

Has the work space app been assigned to the user? A software configuration containing the work space app must be assigned to a user or group before it can be deployed to the user. Software configurations and apps can be assigned in the Universal Device Service console or BlackBerry Management Studio.

Has the work space app been deployed to the user? You can check if a work space app has been properly deployed to a user in the Universal Device Service console.

View whether work apps are installed on a device

1. Search for a user account.
2. In the search results, click the name of a user account.
3. In the Software configurations window, click on a Software configuration name to display the list of work apps.

Apps that the user did not install are indicated by a red icon. Apps that the user installed but are not the correct version are indicated by a red and white icon.

Scenario: Actions and commands sent to iOS and Android devices

When assigning profiles to iOS devices, the profiles are not pushed out. IT Policy settings also do not take effect.
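As background for scenarios like this one, the following added example (not BlackBerry code and not part of the manual) models the request and reply loop that both data flows above share: an idle reply when nothing is pending, the highest priority action first, one command per reply, and a status report after each command. It is driven by the BES10 Client polling interval. The priority numbers, command names, device ID, and timeline are assumptions constructed for illustration.

```python
import heapq
import itertools

# Assumed priority classes. The manual states only that IT administration
# commands are sent before information requests; the numbers are illustrative.
PRIORITY = {
    "delete_device_data": 0,
    "lock_device": 0,
    "get_device_info": 1,
    "get_installed_apps": 1,
}
IDLE = "idle"


class CommunicationModule:
    """Server side: holds pending commands and hands out one per request."""

    def __init__(self, activated_devices):
        self.activated = set(activated_devices)  # stands in for the Core Module check
        self.pending = {}                        # device_id -> heap of (prio, seq, cmd)
        self.status_log = []                     # (device_id, cmd, ok, error)
        self._seq = itertools.count()            # keeps FIFO order within a class

    def queue(self, device_id, command):
        entry = (PRIORITY[command], next(self._seq), command)
        heapq.heappush(self.pending.setdefault(device_id, []), entry)

    def next_command(self, device_id):
        if device_id not in self.activated:
            raise PermissionError(f"{device_id}: device not recognised")
        heap = self.pending.get(device_id)
        return heapq.heappop(heap)[2] if heap else IDLE

    def report(self, device_id, command, ok, error=None):
        self.status_log.append((device_id, command, ok, error))


def poll_cycle(module, device_id, failing=()):
    """Client side: request, run, report; repeat until the server answers idle."""
    ran = []
    while (command := module.next_command(device_id)) != IDLE:
        ok = command not in failing
        module.report(device_id, command, ok, None if ok else "constructed failure")
        ran.append(command)
    return ran


def simulate(module, device_id, queued, interval=15, until=60):
    """Replay (minute, command) administrator actions against a client that
    polls every `interval` minutes. Returns [(poll_minute, command)]."""
    queued = sorted(queued, key=lambda item: item[0])
    delivered, i = [], 0
    for minute in range(0, until + 1, interval):
        while i < len(queued) and queued[i][0] <= minute:
            module.queue(device_id, queued[i][1])
            i += 1
        delivered += [(minute, cmd) for cmd in poll_cycle(module, device_id)]
    return delivered


def demo():
    module = CommunicationModule(activated_devices={"android-01"})
    # Constructed timeline: information requests at minutes 1 and 2, then a
    # lock at minute 3. The lock is queued last but delivered first.
    return simulate(module, "android-01",
                    [(1, "get_installed_apps"), (2, "get_device_info"), (3, "lock_device")])


if __name__ == "__main__":
    for minute, command in demo():
        print(f"t+{minute:02d} min  {command}")
```

In this model, nothing reaches a poll-driven device before its next poll, so the polling interval bounds how long a lock or delete action can wait.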

Discussion: Issues that can happen after you activate a device

What types of problems can you think of that can occur after you activate a device?

Review: Troubleshooting data flows

1. True or false. You must have Microsoft ActiveSync installed in your organization in order to synchronize email and organizer data with BlackBerry Enterprise Service 10.
2. Do you require connectivity from the Enterprise Management Web Service to the Enterprise Management Agent on the BlackBerry device over the IPPP pathway through the BlackBerry Infrastructure in order to send policy updates, profile updates, or app updates, to BlackBerry devices?
3. What type of profile is required to synchronize email and organizer data with an iOS device or an Android device?
4. True or false. All policy and profile updates for iOS devices and Android pass through the BlackBerry Secure Connect Service.
5. What does a changed item consist of?

Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen

Objectives

By the end of this module, you should be able to:

- Identify the steps that you can take to prevent issues with your BlackBerry Enterprise Service 10 installation before they happen

Preventing issues before they happen

While not all problems you encounter will be preventable, there are some basic steps that you can take to reduce the number of incidents you may have, as well as to minimize the impact if something does go wrong.

- Back up BlackBerry Enterprise Service 10 data regularly:
  - Back up the BlackBerry Enterprise Service 10 databases regularly: You can use the backup and restore tools that are a part of Microsoft SQL Server to back up and, if necessary, restore the databases. For more information, see the Microsoft documentation for Microsoft SQL Server.
  - Export IT policies
  - Export backup encryption keys
  - Back up the shared network folder
  For more information on how to perform these tasks, see the BlackBerry Device Service Advanced Administration Guide and the Universal Device Service Advanced Administration Guide.
- If you are running multiple instances of BlackBerry Enterprise Service 10, distribute your users across the instances equally for enterprise connectivity and to balance the workload.
- Analyze the information available on the BlackBerry Management Studio reporting dashboards regularly:
  - Check for devices that have not contacted BlackBerry Enterprise Service 10 for a long period
  - Check for devices that are out of compliance
- Use the BlackBerry Management Studio licensing interface:
  - Check for licenses that are due to expire soon
  - Maintain enough licenses for new devices to be activated
- Make sure communication is maintained with the BlackBerry Infrastructure for polling

Back up the BlackBerry Enterprise Service 10 data regularly

Backing up the BlackBerry Configuration Database and the Management Database

You should back up the BlackBerry Configuration Database and the Management Database so that you can restore it if the database server is not available. You can use the backup and restore tools that are a part of Microsoft SQL Server to back up and, if necessary, restore these databases. For more information, see the Microsoft documentation for Microsoft SQL Server.

Back up the shared network folder

The shared network folder contains the application files and certificates that the BlackBerry Administration Service uses.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Administration Service.
3. In the Network drive section, verify the shared network folder that the BlackBerry Administration Service uses.
4. On the computer that hosts the BlackBerry Administration Service, navigate to the location of the shared network folder.
5. Copy the shared network folder and save it to a different location (for example, another computer on your organization's network).

Restore BlackBerry Enterprise Service 10

You can restore a BlackBerry Device Service instance to the same computer or a different computer in your organization's environment.

1. If necessary, restore the BlackBerry Configuration Database. You can use the backup and restore tools that are part of Microsoft SQL Server. For more information, see the Microsoft documentation for Microsoft SQL Server.
2. If necessary, restore the shared network folder. If you restore the shared network folder to a different location, you must update the location in the BlackBerry Device Service console.
3. Perform one of the following tasks:

Task: Restore a BlackBerry Enterprise Service 10 instance to the same computer or a computer with the same FQDN as the computer that previously hosted the BlackBerry Enterprise Service 10 instance

Steps:
1. Install BlackBerry Enterprise Service 10 and specify the same name for the BlackBerry Enterprise Service 10 instance. For more information about installing the BlackBerry Enterprise Service 10, see the BlackBerry Enterprise Service 10 Installation and Configuration Guide.

Task: Restore a BlackBerry Enterprise Service 10 instance to a different computer

Steps:
1. Install BlackBerry Enterprise Service 10 and specify a new name for the BlackBerry Enterprise Service 10 instance. For more information about installing BlackBerry Enterprise Service 10, see the BlackBerry Enterprise Service 10 Installation and Configuration Guide.
2. Move user accounts from the old BlackBerry Enterprise Service 10 instance to the new BlackBerry Enterprise Service 10 instance.
3. To remove the old BlackBerry Enterprise Service 10 component information from the BlackBerry Configuration Database, perform the following actions:
   a. In the BlackBerry Device Service console, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain.
   b. Click Component view.
   c. Click the Delete icon beside the old BlackBerry Device Service instance.
   d. Click Yes - Delete the instance and wait until you are returned to the main page.

Distribute users across multiple instances

Distributing your device user population across multiple BlackBerry Enterprise Service 10 instances helps to efficiently distribute server usage. In the event of a failure, users can be moved from one BlackBerry Enterprise Service 10 instance (nonfunctioning) to another BlackBerry Enterprise Service 10 instance (functioning), while you troubleshoot the problem.

Analyze reports regularly

The dashboard reporting graphs allow you to quickly review high-level data by rolling over specific data points in the graphs. If you need a more detailed breakdown of the data, you can click a graph to open a grid view of the individual users or devices. With the dashboard, you can catch issues early by monitoring it on a regular basis. You can see:

- Devices out of contact
- Device compliance state
- Devices by carriers
- Devices by platform
- Top 5 mobile devices
- Top 5 apps deployed
- Device activations

Monitor license usage

BlackBerry Management Studio allows administrators with the Security Administrator role to manage licenses for a BlackBerry Enterprise Service 10 domain. You can check the licensing status for the domain and view detailed information for each license type such as usage and expiration.

Licenses control how many BlackBerry devices, iOS devices, and Android devices can exist in a BlackBerry Enterprise Service 10 domain at the same time. The license types that your organization uses determine the devices and features that you can manage using the BlackBerry Enterprise Service 10 software.

A license is used when you or a user activates a device. A device uses only one type of license at a time. If more than one license type supports the devices and features that you want to manage, the lowest cost license is used. When you have used all of the licenses of one type, you can no longer activate devices of that type, unless you have a higher-level license available.

This can lead to activation issues for users if licenses have expired, and can extend to compliance issues.

Review: Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen

List the steps you can perform to prevent issues with your BlackBerry Enterprise Service 10.

Additional resources

Objectives

By the end of this module, you should be able to:

- Troubleshoot SCEP issues
- Troubleshoot proxy issues
- Troubleshoot APNs for iOS devices

Troubleshooting SCEP issues

SCEP profiles are used to specify settings for sending SCEP certificates to devices. SCEP profiles can be added to Wi-Fi profiles, VPN profiles, and email profiles (for BlackBerry devices) or Microsoft ActiveSync profiles (for iOS and Android devices) to use certificate-based authentication for Wi-Fi, VPN, and Microsoft ActiveSync connections. A device can use SCEP to connect to the certification authority in your organization and obtain any required client certificates.

Requirements: SCEP profiles for devices managed by BlackBerry Enterprise Service 10

In order to use SCEP profiles in your environment, you need:

- A properly configured SCEP server
- A properly configured Certificate Authority, set to use global challenge passwords
- A SCEP profile configured and assigned to users, containing the correct SCEP service URL, hash value for the CA certificate and the enrollment challenge password

Note: Android devices do not support the use of SCEP.

Data flow: Enrolling a client certificate to a BlackBerry device using SCEP

1. The device, using the SCEP profile configured for it, sends security information to the Enterprise Management Web Service.
2. The Enterprise Management Web Service validates the information sent by the device, confirming that the following information matches the information that is in the BlackBerry Configuration Database for the user:
   - Distinguished name
   - Alternative names
   - Email address
3. Once the Enterprise Management Web Service has confirmed the user's information, it sends security information back to the device.
4. The device sends the SCEP profile name to the Enterprise Management Web Service along with the security information.
5. The Enterprise Management Web Service verifies all user and security information and sends an enveloped security packet to the device.
6. The device signs the envelope data and sends the SCEP request to the Certificate Authority.
7. The Certificate Authority issues the certificate and sends it to the device.
8. The Enterprise Management Agent on the device adds the certificate and corresponding private key to the key store on the device.

Data flow: Enrolling a client certificate to an iOS device using SCEP

In the SCEP profile, there is an option to check Proxy SCEP requests through the Universal Device Service:
- If this box is unchecked, the device connects to the SCEP server directly
- If this box is checked, the device uses the data flow below

1. The device, using the SCEP profile configured for it, sends security information to the BlackBerry Secure Connect Service.
2. The BlackBerry Secure Connect Service passes this information to the Communication Module.
3. The Communication Module passes the information to the Core Module.
4. The Core Module validates the information sent by the device, and contacts the SCEP server.
5. Once the Core Module has confirmed the user's information, it sends the security information back to the iOS device.
6. The device sends the SCEP profile name to the Core Module along with the security information.
7. The Core Module verifies all user and security information with the SCEP server and sends an enveloped security packet to the device.
8. The device signs the envelope data and sends the SCEP request to the Certificate Authority.
9. The Certificate Authority issues the certificate and sends it to the device.
10. The MDM Daemon on the device adds the certificate and corresponding private key to the key store on the device.

Scenario: "The SCEP server returned an invalid response" is displayed when attempting to activate an iOS device

As the administrator for Manufacturing Co., you've set up and configured BlackBerry Enterprise Service 10 in your organization's environment. All the policies and profiles have been configured and users have been activating their devices successfully. However, when you activate your own device, you notice that the SCEP profile was not delivered to your iOS device.

Common SCEP issues

The computer uses an incorrect certificate template for the SCEP

Possible cause: By default, Windows Server 2008 uses the IPSECIntermediateOffline template to generate a certificate using SCEP. This template does not provide the correct Extended Key Usage (also known as an Application Policy) for the signed certificate. The signed certificate is used for authenticating email connections, VPN connections, and Wi-Fi connections.

Possible solution: Change the certificate template that the Network Device Enrollment Service in Windows Server 2008 uses to generate the certificate using SCEP. For more information, visit technet.microsoft.com to read the article Administering Certificate Templates.

Unable to push SCEP profile to an iOS device

The SCEP server returned an invalid response

When a user attempts to activate an iOS device to the BlackBerry Enterprise Service 10, the following error message is displayed on the device: The SCEP server returned an invalid response.

The Communication Module log shows the following:

DEBUG,"2012-08-21 07:36:02,701",8,0,"a5934693-81f4-4249-9ef1-e772723eb261","profile: Request is not signed by CA, so send payload for SCEP.",

Possible cause: This is caused by the "Everyone" group not having the read permission set to access the "RIM UDS SERVER ROOT_XXXXXXXX" certificate private key.

Possible solution: On the computer that hosts the CM, perform the following:
1. Select Start > Run.
2. Type MMC and press Enter.

3. Select File > Add/Remove Snap-in.
4. Ensure Certificates is highlighted in the left list and click Add and OK.
5. In the wizard, select Computer account and click Next.
6. Select Local computer and click Finish, then click OK.
7. In the left frame, expand Certificates (Local Computer), expand Personal, and select Certificates.
8. Right click on the "RIM UDS SERVER ROOT_XXXXXXXX" certificate and select All Tasks > Manage Private Keys.
9. On the Security Tab click Add.
10. Type "Everyone" and click Check Name and OK.
11. Make sure that the Read permission under the Allow column has a check and remove the check from the Full Control permission.
12. Click OK.

Scenario: Users are not receiving certificates

Your organization has deployed SCEP as the method for enrolling certificates to BlackBerry devices. However, you have noticed that there seems to be a problem and the certificates are not synchronizing correctly. One user made a record of the error message they saw when activating their BlackBerry PlayBook tablet:

Synchronization reported the following errors: Certificate Authority Profiles.

Troubleshooting proxy issues

Proxy profiles are used to specify how users use a proxy server to access web services on the Internet or on your organization's network. You can associate a proxy profile with a Wi-Fi profile or VPN profile. If you want users to use a proxy server when they connect to the Internet or your organization's network using the BlackBerry Infrastructure, you can associate a proxy profile with a BlackBerry Enterprise Service 10 instance.

Additionally, BlackBerry Enterprise Service 10 may use proxy settings in the following instances:
- The BlackBerry MDS Connection Service uses proxy servers to send notifications to push initiators.
- The Core Module uses an HTTP or HTTPS proxy server to access the BlackBerry Infrastructure.

Requirements: Proxy configuration

BlackBerry 10 OS devices that are associated with a BlackBerry Enterprise Service 10 instance use a proxy profile when they access web services on the Internet or on your organization's network using the BlackBerry Infrastructure:
- A properly configured proxy profile
- A properly configured PAC file, or the correct manual proxy settings
- An established connection to the proxy server

BlackBerry MDS Connection Service uses proxy to send notifications to push initiators:
- A properly configured proxy profile
- A properly configured PAC file, or the correct manual proxy settings
- An established connection to the proxy server with valid authentication credentials (if required)

Core Module uses an HTTP or HTTPS proxy server to access the BlackBerry Infrastructure:
- Proxy enabled for HTTP or HTTPS Proxy in the Universal Device Service console
- A valid server address and port for the proxy server
- Authentication enabled in the APNs proxy settings and valid authentication credentials (if required)

Activity: Proxy issues

1. All BlackBerry 10 devices are unable to contact the web server hosting the proxy PAC file.
   What questions would you ask to try to find out what the problem is?
   What do you think the problem might be?

2. BlackBerry Enterprise Service 10 has been unable to contact the APNs since the initial installation and configuration of the service. The issue seems to be with the proxy configuration.
   What questions would you ask to try to find out what the problem with the proxy is?
   What do you think the problem might be?

3. All BlackBerry 10 device users are unable to access websites when the request passes through the BlackBerry MDS Connection Service. When using any other interface, such as the work Wi-Fi or a VPN connection, they can access the sites.
   What questions would you ask to try to find out what the problem is?
   What do you think the problem might be?

Troubleshooting APNs

About APNs

You must use the APNs to manage iOS devices in BlackBerry Enterprise Service 10 domains. The Universal Device Service requires the APNs to manage iOS devices and send push notifications to iOS devices. When the Universal Device Service needs to send information to an iOS device, it sends a notification to the APNs. The APNs authenticates the Universal Device Service server and then sends the notification to the iOS device. The iOS device receives the notification from the APNs and retrieves the information from the Universal Device Service.

To use APNs, your organization must obtain an APNs certificate for each Universal Device Service deployment. For example, if your organization includes a production deployment and a testing deployment, you need two APNs certificates. You must obtain the APNs certificate through the Universal Device Service interface. When you renew the APNs certificate, you must use the same Apple ID that you used when the certificate was created. The Google Chrome browser and Safari browser provide optimal support for displaying functionality.

CAUTION: You must renew the APNs certificate before it expires (each certificate expires after one year). If the certificate expires, or if you insert a new APNs certificate instead of renewing the old one, iOS devices do not receive commands, and users must reactivate their devices.

Note: For more information, visit https://developer.apple.com to read Issues with Sending Push Notifications, in article TN2265.

Requirements: APNs for iOS devices

In order to access the APNs, you require:
- An APNs certificate for each BlackBerry Enterprise Service 10 deployed in your environment
- The APNs certificate must be added to each BlackBerry Enterprise Service 10 computer through the Universal Device Service console
- When you renew the APNs certificate, you must use the same Apple ID that you used when the certificate was created

Common issues with APNs

The system encountered an error. Check your network connection and try again.

Description: If you receive an error message when you request a signed CSR from Research In Motion, you should make sure that the Administration Console can communicate with RIM's web service.

Possible cause:
- Firewall not configured correctly.
- You are using a proxy server for outbound HTTP/HTTPS traffic.

Possible solution:
- Verify that the firewall is configured so that the Administration Console can generate a Certificate Signing Request during the configuration of the APNs certificate.
- Verify your HTTP or HTTPS proxy server settings. To confirm the settings, see the Core Module settings in the Universal Device Service console.

The APNs certificate does not match the CSR. Provide the correct APNs file (.pem) or submit a new CSR.

Description: You may receive an error message when you upload an APNs certificate to the Universal Device Service if you did not upload the most recently signed CSR file from Research In Motion to the Apple Push Certificates Portal.

Possible solution: If you downloaded multiple CSRs from RIM, only the last one that you downloaded is valid. If you know which CSR is the most recent, return to the Apple Push Certificates Portal and upload it. If you are not sure which CSR is the most recent, request a new one from RIM, then return to the Apple Push Certificates Portal and upload it.

I cannot set the access permissions for the certificate's private key

If you do not see the option to set the access permissions for the certificate's private key, make sure you imported the .pfx file, not the .pem file.

I cannot activate iOS devices

Possible cause: If you are unable to activate iOS devices, the APNs certificate may not be correctly installed.

Possible solution: Perform one or more of the following actions:
- Make sure that the APNs certificate status window shows that the certificate is installed
- Make sure that you installed the .pfx file into the certificate store, and not the .pem file
- Make sure that you set the private key access permissions of the certificate to Authenticated Users
- Restart Microsoft IIS

Remote administration commands to an iOS device fail with the following error "APNs Connection Open: Authentication failed"

Any remote administration commands issued from the Universal Device Service console of BlackBerry Enterprise Service 10 to any iOS device will fail to deliver.

Possible cause: The Apple Push Notification Service - Client Certificate has expired. This can be verified via the following steps:

Apple Certificate:
1. Click Start.
2. Type mmc in the Search window.
3. In the Console window select File - Add/Remove Snap-in.
4. Select the Certificates snap in and click Add.
5. Select the Computer Account radio button and Next.
6. Select Local computer and Finish.

View the Communication Logs:
1. Log in to the Universal Device Service console.
2. Click the Home Tab.
3. Click on one of the affected iOS users.
4. Select Lock device.
5. Select Communication Logs.
6. The Communication Logs display the following log lines:

November 5, 2012 4:13:28 PM UTC: action.poke failure
November 5, 2012 4:13:17 PM UTC: action.lock request

Possible solution:
1. Validate that the operating system time on the BlackBerry Enterprise Service 10 computer is correct.
2. If the time is accurate but the APNS Certificate Expiry is still older than the operating system time, you will need to request a new APNS Certificate.
3. Open the Universal Device Service console and click Settings - APNs Certificate - Renew Certificate.
4. Refer to the Universal Device Service Advanced Administration Guide for instructions on Installing the APNs Certificate.

View the Core Module Service Logs at the Default Core Module Log Location - C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\Core:

Possible cause: The Core Service Logs display the following log lines:

Message: The remote certificate is invalid according to the validation

The Server hosting the Core Module is missing the Entrust Secure Root Certificate under Trusted Root Certification Authorities.

Possible solution:
1. Go to Start > Run and Type mmc.
2. Click on File > Add/Remove Snap-In and select Add.
3. Select Certificates and click on Add.
4. Select Computer account and then click on Next.
5. Select Local Computer and click on Finish and then click on Close and then OK.
6. Expand Certificates and Navigate to Trusted Root Certification Authorities > Certificates.
7. Under Certificates verify Entrust.net Certification Authority is listed. If it's not listed, check under Untrusted Certificates as well to see if it's untrusted.
8. If Entrust.net Certification Authority is listed under Untrusted Certificates, simply copy and paste the cert to Trusted Root Certification Authorities.
9. If Entrust.net Certification Authority is not listed anywhere, download the certificate from http://www.entrust.net/ and install it under Trusted Root Certification Authorities.

Possible cause: The Authenticated Users group does not have the Read permission to the Apple Push Notification Service - Client Certificate. The Core Service Logs display the following log lines:

Message: The credentials supplied to the package were not recognized

Possible solution:
1. Go to Start > Run and Type mmc.
2. Click on File > Add/Remove Snap-In and select Add.
3. Select Certificates and click on Add.
4. Select Computer account and then click on Next.
5. Select Local Computer and click on Finish and then click on Close and then OK.
6. Expand Certificates and Navigate to Personal > Certificates.
7. Right click on the Apple Push Notification Service - Client Certificate > Select All Tasks > Manage Private Keys.

8. In the Security Tab for the properties of the certificate, click Add.
9. Type Authenticated Users and click Check Name and then OK.
10. Check Read under the Allow column and click Apply then OK.

"Enroll profile sending error. Please contact your administrator" during iOS enrollment in BlackBerry Enterprise Service 10

During the activation process on the iOS device an error is received stating: Enroll profile sending error. Please contact your administrator.

Within the Communication Module logs, the following error may be logged:

FATAL,"2012-05-08 10:31:44,668",10,0,"efa025b7-b976-46dc-b536-8cd5f3192c4b","Enroll profile sending error. Please, contact your administrator.",,type: System.NullReferenceException,Message: Object reference not set to an instance of an object.,source: RIM.BUDS.Core.Client,TargetSite: "Boolean IsMdmMessagesAuthenticationValid(System.String, Int32, System.String ByRef)",StackTrace: at RIM.BUDS.Core.Client.Model.Tenant.IsMdmMessagesAuthenticationValid(String platformname, Int32 tenantid, String& message) in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Core.Client\Model\Tenant.cs:line 229, at RIM.BUDS.Communication.iOS.ProfileServices.Handlers.EnrollHandler.DoEnroll(Boolean isdeviceclient, Int32 tenantid, Int32 userid, String hash, String language, String osversion) in c:\ec_build\604689\budsserver\source\enterprise\buds\server\sources\rim.buds.communication.ios\profileservices\Handlers\EnrollHandler.cs:line 63

Possible cause: The APNs certificate has not been installed through the administration console.

Possible solution: Follow the steps within the console to request and import the APNs certificate. For more information about how to request and install APNs Certificate, see the BlackBerry Enterprise Service 10 Administration Guide.

During the activation process on the iOS device an error is received stating: Enroll profile sending error. Please contact your administrator.

Within the Communication Module logs, the following error may be logged:

FATAL,"2013-01-02 11:41:02,751",6,0,"4394e826-747d-40e1-b3e9-3dd60bfe91f5","enroll profile sending error. Please, contact your administrator.",,type: System.Security.Cryptography.CryptographicException,Message: Keyset does not exist,source: System.Security,TargetSite: "CMSG_SIGNER_ENCODE_INFO CreateSignerEncodeInfo(System.Security.Cryptography.Pkcs.CmsSigner, Boolean)",StackTrace: at System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner signer, Boolean silent), at System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner signer, Boolean silent), at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent), at RIM.BUDS.Communication.iOS.ProfileServices.MessageSigner.Sign(Byte[] input, X509Certificate2 signercertificate, X509Certificate2 cacertificate) in c:\ec_build\898095\budsserver\source\enterprise\buds\server\sources\RIM.BUDS.Communication.iOS\ProfileServices\MessageSigner.cs:line 36, at RIM.BUDS.Communication.iOS.ProfileServices.Handlers.EnrollHandler.DoEnroll(Boolean isdeviceclient, Int32 tenantid, Int32 userid, String hash, String language, String osversion) in c:\ec_build\898095\budsserver\source\enterprise\buds\server\sources\rim.buds.communication.ios\profileservices\Handlers\EnrollHandler.cs:line 123
DEBUG,"2013-01-02 11:41:02,821",6,183,"4394e826-747d-40e1-b3e9-3dd60bfe91f5","http Request Completed: https://u01app05sen139.sen139.bcts.cso.labs.rim.net/ios/enroll/2/english/5.1.1",

Possible cause: Under Manage Private Keys for the SSL cert, the Everyone group is missing Read permissions.

Possible solution:
1. Open up the Certificate Snap In tool using MMC.
2. Right-click on the SSL Certificate and select All Tasks > Manage Private Keys.
3. Ensure the Everyone Group has Read Permissions.

It is not possible to reuse old or previously used APNs certificates. If one is not installed, you will have to recreate a new one to import the APNs certificate through the administrative console. There should be no additional cost in creating another APNs certificate.

Error "The system encountered an error installing the APNs certificate. Try again."

When installing the APNs certificate, the following error occurs: The system encountered an error installing the APNs certificate. Try again.

The BlackBerryAdministrationConsole.log displays the following log lines:

Caused by: java.io.IOException: exception encrypting data - java.security.InvalidKeyException: Illegal key size
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.doStore(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
at java.security.KeyStore.store(KeyStore.java:1146)

Possible cause: The password specified for the Private Key is greater than 7 characters. Currently only passwords with 1-7 characters are supported.

Workaround: The password specified for the Private Key is greater than 7 characters. Currently only passwords with 1-7 characters are supported.

When trying to submit the Certificate Signing Request for Apple Push Notification Service creation the following error is returned "System error encountered, please check your network connection"

When trying to submit the CSR (Certificate Signing Request) for APNS (Apple Push Notification Service) creation, the following error is returned if BlackBerry Enterprise Service 10 is trying to go through a proxy: System error encountered, please check your network connection

May 07 14:46:53 [UwpLogger] [INFO ] [http-8443-1] : 693C9993AB74C49FCA9D19C531F8A25D (AbstractEntityCache.java:50) : Entity Trace: Read called (cached) for /tenant_2
May 07 14:46:58 [UwpLogger] [INFO ] [http-8443-1] : 693C9993AB74C49FCA9D19C531F8A25D (SigningServiceImpl.java:55) : Sending request to BSS. Request ID: S70572760-46678185-c85c-4433-97d3-44d2d806c4f9
May 07 14:47:00 [UwpLogger] [ERROR] [http-8443-1] : 693C9993AB74C49FCA9D19C531F8A25D (SettingsController.java:403) : ERROR_SYSTEM Unable to contact Signing Service
org.springframework.web.client.ResourceAccessException: I/O error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:453)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:377)
[UwpLogger] [INFO ] [http-8443-3] : 89A93D03D5F7DA3EFAF502D940340FBA (SigningServiceImpl.java:55) : Sending request to BSS. Request ID: S44526216-278336f8-4fe0-4545-bfcc-971be9d0a63d
May 04 12:29:00 [UwpLogger] [ERROR] [http-8443-3] : 89A93D03D5F7DA3EFAF502D940340FBA (SettingsController.java:403) : ERROR_SYSTEM Unable to contact Signing Service
org.springframework.web.client.ResourceAccessException: I/O error: Connection timed out: connect; nested exception is java.net.ConnectException: Connection timed out: connect

Possible cause: When a proxy is configured in the environment, the BlackBerry Enterprise Service 10 is unable to make a connection to https://bss.blackberry.com/pcwr and https://bss.blackberry.com/.

Possible solution: BlackBerry Enterprise Service 10 does not auto detect the browser settings if a proxy server is enabled. In order for BlackBerry Enterprise Service 10 to use the proxy, modify the Catalina.properties file located at C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\conf\Catalina.properties (open with Notepad to edit). Add the following entries to the bottom of the file:

http.proxyHost=fqdn_or_ip_of_proxy
http.proxyPort=xxxx
http.nonProxyHosts=fqdn_of_universal_device_service
https.proxyHost=fqdn_or_ip_of_proxy
https.proxyPort=xxxx

Please note that all FQDNs listed above should be in capitals. Once these have been added, restart the Services and try to resubmit the CSR request.

The APNs certificate import fails while attempting to upload the APNs certificate

When attempting to upload the APN file (.pem) downloaded from the Apple website the following error is returned: The APNs certificate does not match the CSR. Provide the correct APNs file (.pem) or submit a new CSR.

Possible cause: The administration website's service has been restarted between Step 1 and Step 3 of the APN import process.

Possible solution: Log into the Apple website and manually download the MDM_ Research in Motion Limited_Certificate.pem file. Start the import process over again and complete Step 1 through Step 3 prior to restarting the administration website's service.

The Universal Device Service console shows a status of "Pending activation" for an iOS device

The Universal Device Service console shows a status of Pending activation under the Model column for the specific iOS device. While the iOS device is in this state, BlackBerry Enterprise Service 10 will be unable to perform any administrative functions on the iOS device including: Remote Lock Device, Successfully Deploy an Email Profile or IT Policy. The iOS device may also be missing the 'BUDS (Policy)'

Possible cause: The iOS device is not permitted outgoing TCP connections to the Apple APNs over port 5223.

Possible solution: Ensure that the Wi-Fi network or wireless service provider are not preventing connectivity to Apple's APNs over TCP port 5223. To diagnose this, use an application on the iOS device that will show port information. Search the Apple App Store and install an application such as Netstat. Use the diagnosing application to ensure the iOS device can receive traffic from gateway.push.apple.com through port 5223 (UDS Profiles must be already installed on the iOS device).

Possible cause: The Core Module is not permitted outgoing TCP connections to the Apple APNs over port 2195, required for push notifications to iOS. The following log for the Core Module would indicate its inability to contact the Apple APNs over TCP port 2195. The default log location is: \Program Files\Research In Motion\BlackBerry Enterprise Service 10\Logs\Core\YYYYMMDD\

ERROR,"2012-01-25 17:31:20,980",9,0,"","Push notification send error for device Token='yxVImO8pb6yX04wXTmF49+lrOBgxnjmrdy/2noyn/oi=', PushMagic = '2FC41888-C8CD-4EE5-BBE0-B7A20D21FC64'..",,Type: System.Exception,Message: APNs Connection Open error,source: RIM.BUDS.ApnsGateway,TargetSite: "Void Open()",StackTrace: at RIM.BUDS.ApnsGateway.ApnsConnection.Open() in c:\ec_build\500343\BUDSServer\source\enterprise\buds\server\sources\RIM.BUDS.ApnsGateway\ApnsConnection.cs:line 78, at RIM.BUDS.ApnsGateway.ApnsGateway.Sendpushnofitication(string certsubject, String token, String pushmagic) in c:\ec_build\500343\BUDSServer\source\enterprise\buds\server\sources\RIM.BUDS.ApnsGateway\ApnsGateway.cs:line 36,Type: System.Net.Sockets.SocketException

Possible solution: Ensure that there is no firewall preventing connectivity to Apple's APNs over TCP port 2195. The following log for the Core Module would indicate its ability to contact Apple's APNs over TCP port 2195. The default log location is: \Program Files\Research In Motion\BlackBerry Universal Device\Logs\Core\YYYYMMDD\

INFO,"2012-01-24 00:24:03,330",9,0,"","Certificate with key 'APSP: 7d183d64-a1fd-4c71-81fd-aee520fc5d3e' is loaded successfully",
INFO,"2012-01-24 00:24:04,578",9,0,"","PushNotification is sent for device token='xyxwvygfog71rou/7pnHV+0KZLP+Qn3iPbcbnmE0EEg=', PushMagic = '8304C029-1BF3-4D88-8234-24D4FBB155EE'.",

The Universal Device Service console provides a utility under Settings > External Integration > APNs Certificate that allows the administrator to test for the presence of the APNS certificate and to confirm that the path over TCP port 2195 to gateway.push.apple.com is open. After you click Test Connection, the connection status result is expected to return Successful. This would indicate that both the certificate and the connection path are valid. However, if the test fails you may see a connection status result of The system encountered an error. Try again.

The following log for the Core Module would indicate its inability to contact the Apple APNs over TCP port 2195. The default log location is: \Program Files\Research In Motion\BlackBerry Enterprise Service 10\Logs\Core\YYYYMMDD\

DEBUG,"2013-03-18 10:48:35,855",58,0,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","DefaultRouteHandler (util/tenant/{tenantid}/test/apns): PUT https://bds2-w2k8.cso.testnet.rim.net:9081/util/tenant/2/test/apns",
DEBUG,"2013-03-18 10:48:35,855",58,0,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","Request User-Agent: Java/1.7.0_05",
DEBUG,"2013-03-18 10:48:40,976",58,0,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","Establishing connection to APNS",
DEBUG,"2013-03-18 10:50:47,072",58,0,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","Error of getting poke sender instance! Details: Thread was being aborted.",
ERROR,"2013-03-18 10:50:47,073",58,0,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","Request timed out.",
DEBUG,"2013-03-18 10:50:47,073",58,131218,"8a160a0e-c2f3-495b-a1ad-c10e4a331d07","HTTP Request Completed: https://bds2-w2k8.cso.testnet.rim.net:9081/util/tenant/2/test/apns",

If TCP port 2195 used by the Core Module is open you should be able to telnet and connect to gateway.push.apple.com on port 2195.
1. Click Start > Run.
2. Type cmd.exe and press OK.
3. Type telnet gateway.push.apple.com 2195 and press Enter.
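The SCEP and APNs sections above tie specific log messages to specific causes. The following Python script is an added example, not BlackBerry or RIM code: it scans Core Module and Communication Module log lines for those messages and reports the cause this guide gives for each, correlating the Test Connection timeout by request ID. The rule names, sample lines, request IDs and timestamps are constructed; the message texts and causes are the ones quoted in this guide.

```python
import re

# Header shared by the Core Module and Communication Module lines quoted above:
# LEVEL,"timestamp",thread,number,"request id","message",<exception details>
LINE_RE = re.compile(
    r'^(?P<level>[A-Z]+),"(?P<ts>[^"]*)",\s*\d+,\d+,'
    r'"(?P<req>[^"]*)","(?P<msg>[^"]*)",?(?P<details>.*)$'
)

# Rule id (constructed name) -> (substrings that must all appear, cause per this guide)
RULES = {
    "scep-root-key-acl": (
        ["request is not signed by ca"],
        'Everyone lacks Read on the "RIM UDS SERVER ROOT_XXXXXXXX" private key',
    ),
    "apns-cert-not-installed": (
        ["enroll profile sending error", "nullreferenceexception",
         "ismdmmessagesauthenticationvalid"],
        "APNs certificate not installed through the administration console",
    ),
    "ssl-key-acl": (
        ["enroll profile sending error", "keyset does not exist"],
        "Everyone lacks Read on the SSL certificate private key",
    ),
    "entrust-root-missing": (
        ["the remote certificate is invalid according to the validation"],
        "Entrust root missing from Trusted Root Certification Authorities",
    ),
    "apns-key-acl": (
        ["the credentials supplied to the package were not recognized"],
        "Authenticated Users lacks Read on the APNs client certificate key",
    ),
    "apns-port-2195": (
        ["apns connection open error"],
        "Core Module cannot open outbound TCP 2195 to the APNs",
    ),
}
APNS_TEST_TIMEOUT = "apns-test-timeout"  # two-line rule, handled in triage()
CAUSES = {rule_id: cause for rule_id, (_needles, cause) in RULES.items()}
CAUSES[APNS_TEST_TIMEOUT] = "Test Connection timed out: TCP 2195 to the APNs is not open"


def triage(lines):
    """Return [(timestamp, request_id, rule_id)] for every known signature."""
    findings = []
    apns_pending = {}  # request id -> time "Establishing connection to APNS" was logged
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            level, ts, req = m["level"], m["ts"], m["req"]
            text = (m["msg"] + " " + m["details"]).lower()
        else:
            # Wrapped stack-trace line or a bare "Message: ..." excerpt.
            level, ts, req, text = None, None, None, raw.lower()
        for rule_id, (needles, _cause) in RULES.items():
            if all(needle in text for needle in needles):
                findings.append((ts, req, rule_id))
        # The console's Test Connection logs several lines under one request
        # id; a timeout only counts if that request tried to reach the APNs.
        if req and "establishing connection to apns" in text:
            apns_pending[req] = ts
        elif req in apns_pending and level == "ERROR" and "request timed out" in text:
            findings.append((ts, req, APNS_TEST_TIMEOUT))
            del apns_pending[req]
    return findings


def report(findings):
    """One human-readable line per finding."""
    return [f"{ts or '-'} {req or '-'} {rule_id}: {CAUSES[rule_id]}"
            for ts, req, rule_id in findings]


# Constructed sample lines in the format shown in this guide (not real logs).
SAMPLE_LINES = [
    'DEBUG,"2013-02-01 09:00:01,100",8,0,"11111111-1111-1111-1111-111111111111",'
    '"profile: Request is not signed by CA, so send payload for SCEP.",',
    'FATAL,"2013-02-01 09:05:10,200",6,0,"22222222-2222-2222-2222-222222222222",'
    '"Enroll profile sending error. Please, contact your administrator.",,'
    'type: System.Security.Cryptography.CryptographicException,'
    'Message: Keyset does not exist,source: System.Security',
    'DEBUG,"2013-02-01 09:10:00,000",58,0,"33333333-3333-3333-3333-333333333333",'
    '"Establishing connection to APNS",',
    'INFO,"2013-02-01 09:10:30,000", 9,0,"","Certificate with key '
    '\'APSP: 00000000-0000-0000-0000-000000000000\' is loaded successfully",',
    'ERROR,"2013-02-01 09:12:06,000",58,0,"33333333-3333-3333-3333-333333333333",'
    '"Request timed out.",',
    'Message: The credentials supplied to the package were not recognized',
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LINES)):
        print(line)
```

A match only points to the cause this guide lists for that message; confirm it with the corresponding MMC or firewall check before changing permissions.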

Discussion: APNs in the BlackBerry Enterprise Service 10 environment

As you've seen, the APNs for iOS devices plays a critical role in iOS device functionality in the BlackBerry Enterprise Service 10. What steps can you take to prevent issues with the APNs?

Review: Additional resources

1. Can you use SCEP profiles to enroll client certificates to Android devices?
2. If you do not renew your APNs certificate before it expires, will iOS devices receive management commands?
3. When is the BlackBerry Licensing Service out of compliance?

Answers

Review: BlackBerry Enterprise Service 10 version 10.1.1 architecture

1. 38180, 38443
2. BlackBerry Configuration Database
3. Port 3201 for TCP communication
4. BlackBerry Management Studio Administration Console BlackBerry Secure Connect Service Communication Module Core Module Scheduler
5. The BlackBerry 10 device or BlackBerry PlayBook tablet can connect to the Enterprise Management Web Service when using a VPN connection to the organization or when using a work Wi-Fi network.
6. BlackBerry Secure Connect Service
7. Apple Push Notification service

Review: Troubleshooting tools for BlackBerry Enterprise Service 10

1. Audit log files
2. Audit logs record requests that you make to create, update, and delete user accounts or groups, send IT administration commands to iOS devices and Android devices, add user accounts to groups or remove user accounts from groups, and create or assign profiles, software configurations and IT policies to iOS devices and Android devices.
3. The BlackBerry MDS Connection Service
4. Steps:
   1. In the Administration Console, search for the user.
   2. In the search results, click the name of the user account.
   3. In the Manage Device window, click the Communications Log icon.
5. Event ID 50097

6. BlackBerry Solution topology > BlackBerry Domain > Component view > Logging
7. The BES10 Configuration Tool is found on the computer that BlackBerry Enterprise Service 10 is installed on. It can be accessed at Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
8. The following:
   - Knowledge Base
   - BlackBerry Expert Support Center
   - BlackBerry Enterprise Service 10 management console help files

Review: Troubleshooting issues with device activation

1. True.
2. Username, password, SRP ID
3. False. iOS devices and Android devices can only be activated wirelessly.
4. A, B
5. True
6. False. The BlackBerry Web Desktop Manager can be used to activate BlackBerry devices only.
7. The following:
   - Server URL, which consists of the BlackBerry Infrastructure address and your organization's SRP ID, provided by an administrator
   - Username
   - Password

Review: Troubleshooting data flows

1. True.
2. Yes. In order to send policy updates, profile updates, or app updates to BlackBerry devices, you require an IPPP path over the BlackBerry Infrastructure between the Enterprise Management Web Service and the Enterprise Management Agent on the BlackBerry device.
3. Microsoft ActiveSync profile
4. True.
5. Changed items include marking an email as read, moving an email into a subfolder, and updating organizer data.

Review: Preventing issues with your BlackBerry Enterprise Service 10 installation before they happen

- Back up the BlackBerry Enterprise Service 10 data regularly
- Distribute your users across multiple instances equally for enterprise connectivity and balance workload
- Analyze information available on the BlackBerry Management Studio reporting screen regularly
- Use the BlackBerry Management Studio licensing interface to monitor licensing status

Review: Additional resources

1. No. Android devices do not support SCEP.
2. No. You must renew the APNs certificate before it expires (each certificate expires after one year). If the certificate expires, or if you insert a new APNs certificate instead of renewing the old one, iOS devices no longer receive management commands, and users must reactivate their devices.
3. The BlackBerry Licensing Service is out of compliance when the number of used licenses for any license type exceeds the total number of licenses available. This can happen if all licenses have been used and some of them expire.

Glossary

APNs: Apple Push Notification service
BlackBerry Enterprise Server databases: The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and the Management Database (associated with the Universal Device Service). By default, the databases are named BDSMgmt and BDSMgmt_UDS, respectively, when you install BlackBerry Enterprise Service 10.
CA: certification authority
DMZ: A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet.
DNS: Domain Name System
EMM: Enterprise Mobility Management
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IP: Internet Protocol
IT policy: An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager.
IT policy rule: An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform.
LAN: local area network
MDM: mobile device management
messaging server: A messaging server sends and processes messages and provides collaboration services, such as updating and communicating calendar and address book information.
over the wireless network: The process of sending data over the wireless network is sometimes referred to as over the air or OTA.
PAC: proxy auto-configuration
PIM: personal information management
SCEP: simple certificate enrollment protocol
SIM: Subscriber Identity Module
S/MIME: Secure Multipurpose Internet Mail Extensions
SMTP: Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used with POP or IMAP to send and receive email messages over a network, such as the Internet.
space: A space is a distinct area of the device that enables the segregation and management of different types of data, applications, and network connections. Different spaces can have different rules for data storage, application permissions, and network routing. Spaces were formerly known as perimeters.

SQL: Structured Query Language
SRP: Server Routing Protocol
SRP ID: The SRP ID is a unique identifier for the BlackBerry Enterprise Server that the BlackBerry Enterprise Server uses to identify itself to the BlackBerry Infrastructure during SRP authentication.
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.
UDP: User Datagram Protocol
UTF-8: 8-bit UCS/Unicode Transformation Format
VPN: virtual private network
WAN: wide area network

Legal notice

2013 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Android is a trademark of Google Inc. IBM, Domino, and Notes are trademarks of International Business Machines Corporation. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Microsoft, ActiveSync, ActiveX, Active Directory, SQL Server, Windows, and Windows Server are trademarks of Microsoft Corporation. GroupWise and Novell are trademarks of Novell, Inc. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM. Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software. The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. 
NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

Certain features outlined in this documentation might require additional development or Third Party Products and Services for access to corporate applications.

Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada

Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada