The Government of Ontario

Good Control v2.3.53.62 • Good Proxy v2.3.53.69 • GEMS v2.2.22.25


Contents

Preface
Good for BlackBerry
About Blackberry Enterprise Server (BES) 12
Installing BlackBerry Enterprise Server 12 (BES 12)
The Government of Ontario BES12 Environment
Unique BES12 Installation Conditions
Key Points of the BES12 Installations
Set the NIC Binding Order
Stop all network interfaces
About Service Principal Names
Edit Mode Switches
Edit Mode Modifiers
Query Mode Switches
Query Mode Modifiers
Network Interface Card (NIC) and TCP/IPv4 Properties
Create the SRP ID and Authentication Key
Primary BES 12 Core Server Installation: B – MSG41
Primary BES 12 Management Console, B – MSG46, Database information
Primary BES 12 Management Console, B – MSG46, Component Selection
Secondary BES 12 Core Server, B – MSG42, Component Selection
Primary BES 12 Management Console, B – MSG46, Setup Type
Secondary BES 12 Core Server, B – MSG42, Setup Type
Primary BES 12 Management Console, B – MSG46, Installation Summary
Secondary BES 12 Core Server, B – MSG42, Installation Summary
Primary BES 12 Management Console, B – MSG46, Console Addresses
Uninstall the Primary BES 12 Core Server: B – MSG41
Reinstall the Primary BES 12 Core Server: B – MSG41
Secondary BES 12 Management Console, B – MSG47, Component Selection
Third BES 12 Core Server, B – MSG43, Component Selection
Secondary BES 12 Management Console, B – MSG47, Setup Type
Third BES 12 Core Server, B – MSG43, Setup Type
Third BES 12 Core Server, B – MSG43, Installation Summary
BES12 Conclusion
About GOOD
BlackBerry’s Good Collaboration Suite
BlackBerry’s Good Dynamics Implementation
Server Infrastructure
Good Dynamics Client Server Environment
Data Backup and Recovery for Good Upgrades
Database Backup: gcdb
Server Backup
Installing Good Control (GC) on the Primary Server
Good Control (GC) Installation
Secondary GC Server B-MSG58 Installation Cluster Query
Secondary GC Server B-MSG58 Installation Registration
Installing Good Proxy (GP) on the Primary Server
The Good Control and Good Proxy Module Contrast
Good Proxy TCP/UDP Port Expansion and Commands
Installing Good Proxy on the Good Control Primary Server
About BlackBerry’s Good Enterprise Mobility Server (GEMS)
GEMS Architecture
GEMS Installation
GEMS Upgrades
Beta Upgrades
Additional Upgrade Considerations
GEMS Dashboard Supported Browsers
Installing GEMS
Configuring GEMS Services
Mail: Push Notification System (PNS)
Mail: Database Configuration
Mail: Database Connectivity Issues
Mail: Microsoft Exchange
Mail: Web Proxy Configuration
Mail: Android Push Notification and Google Cloud Messaging Sender ID and API Key
Mail: Stop Notifications
Mail: User Directory Lookup
Mail: Certificate Directory Lookup
Configuring the Good Work Application in Good Control
Configuring Exchange ActiveSync (EAS) for Good Work
Whitelisting the EAS server(s) in Good Control
Enabling the JavaScript Object Notation (JSON) configuration for EAS
Validating the JSON Syntax
Whitelisting the GEMS Host(s) in Good Control
Adding GEMS to the Good Work Application Server List
Disabling SSL Certificate Checking in the JSON Configuration for EAS
Docs: Configuring the Docs Service in the GEMS Dashboard
Docs: Database Configuration
Docs: Web Proxy Configuration
Docs: Settings
Docs: Security Settings
Docs: Configuring Good Control for the Docs Service
Docs: Entitling Users in Good Control
Docs: Publishing the Docs App in Good Control
Docs: Configuring User Affinity for Docs in Good Control
About Docs Repositories
Docs: Defining Repositories
Docs: Repositories Configuration Dashboard
Docs: Repository Attributes
Docs: Admin Defined Shares in Repositories
Docs: Granting User Access Permissions for Repositories
Docs: Changing User Access Permissions for Repositories
Docs: User Defined Shares in Repositories
Docs: Setting User-Defined Access Rights in Repositories
Docs: Setting User-Defined Allowed Data Resources in Repositories
Docs: Granting User-Defined Access Permissions in Repositories
Docs: User-Repository Rights in Repositories
Connect: Activating the Connect Service Account
Connect: Configuring the Good Connect Database
Connect: Configuring GEMS Connectivity with Good Dynamics
Connect: Configuring Microsoft Exchange Conversation History
Connect: Configuring a Web Proxy
Connect: Configuring Good Control for Connect
Connect: Defining Allowed Domains and Servers
Presence
Presence: Activating the Presence Service Account
Presence: Configuring GOOD Dynamics
Presence: Configuring ‘Settings’
Presence: Configuring Lync 2013
Presence: Configuring Good Control for Presence
Presence: Adding GEMS to the Good Work Application Server List
GEMS Conclusion
Appendix
Architecture Overview
Glossary

Document Document Date Sr. Architect Engineer Technical Writer Version 1.0 10/27/2016 Abe Nelson


Preface

This document outlines the intricate complexities of the BlackBerry Enterprise Server (BES) upgrade and installation for the Government of Ontario. Presently, the Government of Ontario operates in a BESv10 environment. The Government of Ontario will upgrade to BESv12.5 to enhance the effective Enterprise Mobility Management (EMM) of up to 20,000+ mobile devices, with concurrency calculated at twenty percent (20%) to maximize the management potential of 40,000 connections.

The number of servers required for the mobile support endeavors of the Government of Ontario represents the enormity of the EMM environment, expressed below:
• The BES12 server installations consist of three core servers and two management consoles.
• The Good Dynamics Client Server Environment contains two Good Control servers and five Good Proxy servers.
• GEMS requires four servers.
• Database servers are prerequisites for BES12, Good Dynamics, and GEMS.

Categorically, three topics of interest comprise this document’s content:
• BES12 Server Installations (core servers and management consoles)
• Good Dynamics Client Server Environment (Good Control and Good Proxy servers)
• Good Enterprise Mobility Server (GEMS-mobile applications and management)

To reduce the volume of content within this document, a single master instruction set represents each topic. However, specific configuration steps will change relative to the installation type, server type, and server role. Within the master instruction set, inserted screen shots containing bold red alphanumeric characters represent the configuration and installation steps where changes occur for each BES12 server installation type. Additional notes will appear where other changes and/or omissions occur for the Good Dynamics and GEMS segments.


Good for BlackBerry

Good Technology officially became a subsidiary of BlackBerry on November 2, 2015 after BlackBerry announced the formal completion of the Good Technology acquisition. The alliance of BlackBerry and Good Technology shifts the focus in Enterprise Mobility Management (EMM) from competition to collaboration.

BlackBerry merges ‘BlackBerry Enterprise Server 12 (BES 12)’ with the Good Secure EMM Suites to combine trusted end-to-end mobile security measures capable of supporting the diverse collection of mobile devices needed for the ‘bring your own device (BYOD)’ practices prevalent in workforce mobilization.

Good Technology’s expertise in mobile data security strengthens BlackBerry’s ability to provide a unified platform for mobile devices. Cross-platform support allows provisioning for iOS, Android, Android for Work, Windows, and Samsung’s KNOX Workspace.

About BlackBerry Enterprise Server (BES) 12

The ‘BlackBerry Enterprise Server 12 (BES 12)’ is a secure enterprise mobility management (EMM) solution esteemed for industry-leading mobile security. BES 12 scales across multiple operating systems (OS) to accommodate present and future enterprise requirements regardless of the types of devices in use throughout an environment. BES 12 scales up to 25,000 devices per server and 150,000 devices per domain.

BlackBerry incorporates Mobile Application Management (MAM), Mobile Device Management (MDM), and Mobile Content Management (MCM) into a unified BES 12 console. A complete set of policies and profiles affords flexible management of distinct ownership models allowing varying degrees of access for differing employee roles or positions. Policies include:
• BYOD – Bring Your Own Device
• COPE – Corporate Owned Personally Enabled
• COBO – Corporate Owned Business Only

BES 12 prioritizes privacy to protect the personal content of personnel while securing sensitive corporate data for businesses. ‘Work’ and ‘Personal’ are separate spaces on the same appliance devoted to business and personal matters, respectively, providing content demarcation on a single device.

BES 12 supports an ecosystem considered powerful and extensible through value added services (VAS), including:
• Good Work – a best-in-class business collaboration experience, which protects sensitive data in secure containers.
• Good Dynamics Secure Mobility Platform – provides complete containerization of collaboration, line of business (LOB), independent software vendor (ISV) and custom applications.

Installing BlackBerry Enterprise Server 12 (BES 12)

After completing the necessary pre-requisites required for installing the BlackBerry Enterprise Server 12 (BES 12) as outlined under the ‘Pre-installation Checklist’ document, please have the following information available:
• Service account credentials
• Database server hostnames; and database names
• A License Key and/or Serial Number
• Client Active Directory domain information
• An administrator or service account set up on the host machine
• Client database connection information

The Government of Ontario BES12 Environment

Unique conditions apply to the BES12 environment for the Government of Ontario. Of foremost concern, understand that the engineering of the BES12 environment includes the concept of clustering.

Clustering employs a group of servers (a cluster) to act as a single node to provide a service. Clustering is synonymous with the term ‘High Availability (HA).’ From the client perspective, all servers in the cluster are interchangeable and any server is capable of accessing a required service. The BES12 and Good Dynamics server clustering features enable this type of deployment in the BlackBerry enterprise infrastructure. The BES12 and Good Dynamics clusters do not rely on any underlying Microsoft or virtual machine (VM) clustering to function.

Furthermore, disaster recovery (DR) features prominently in support of redundancy, especially in the event of service failures on the primary server. Each of the following servers in the BlackBerry enterprise infrastructure includes the cluster deployment capabilities:
• BES12
• Good Proxy (GP)
• Good Control (GC)
• Application Servers (Good Enterprise Mobility Server and others)

This means the Government of Ontario can deploy additional instances of these servers in a way contributing to the strategic benefits of clustering by:
• Scaling up the capacity for concurrent users
• Delivering high availability (HA) and resiliency.

Unique BES12 Installation Conditions

The table below provides the server names and roles of each BES12 server in the Government of Ontario environment:

Server name | Server role
B – MSG41 | Primary core server
B – MSG42 | Secondary core server
B – MSG43 | Third core server
B – MSG46 | Primary Management Console
B – MSG47 | Secondary Management Console
Table 1

The unique installation condition for BES12 in the Government of Ontario environment concerns the primary core server, B – MSG41. Importantly, B – MSG41 was installed as the primary core server initially to establish a BES12 core server instance, an instance of the BES12 Management Console, and as a vehicle for the Device Connectivity Components. Specifically, a primary BES12 core installation was necessary to establish a separate, but primary, Management Console, B – MSG46, and the secondary BES12 core server, B – MSG42, respectively.

After establishing the primary Management Console, B – MSG46, and the secondary BES12 core server, B – MSG42, respectively, uninstalling the original BES12 core server, B – MSG41, was necessary for reinstallation as the primary core server with the Management Console function disabled, as a matter of resource allocation and security.

The table below illustrates the order of installation and reinstallation for all BES12 servers:

Server Installation order | Uninstallation order
1. B – MSG41; Primary Core |
2. B – MSG46; Primary Management Console |
3. B – MSG42; Secondary Core |
 | 4. B – MSG41; Primary Core
5. B – MSG41; Primary Core |
6. B – MSG47; Secondary Management Console |
7. B – MSG43; Third Core |
Table 2

Key Points of the BES12 Installations

The following table describes key points of each BES12 server installation. The table is not an outline of the entire BES12 installation. Apply this table as a checklist for each subject listed:

BES12 Installation Checklist

Before BES12 Installation: NIC and TCP/IPv4 Properties; SRPs
☐ Set the NIC binding order as ‘user interface, BlackBerry Secure Connect Plus, and Management.’ Do not deviate from this order.
☐ Stop all network interfaces except the primary interface, which was ‘user interface.’ Re-enable all interfaces once more.
☐ Set the servicePrincipalName (SPN) of the service account on a Domain Controller (DC) to avoid setting the SPN multiple times. The command is required only once as it updates the property in Active Directory.
☐ Disable anti-virus
☐ Assign IPv4 addresses
☐ Change value for Management interface metric to 300
☐ Create SRP ID and Authentication Key

BES12 Readiness Tool
☐ License agreement: Set language to Canada (English)
☐ Proxy Configuration: Set to No proxy or BlackBerry Router
☐ Database information: set Port configuration to Dynamic; set Database Authentication to Windows Authentication

BES12 Setup Application
☐ License agreement: Set language to Canada (English)
☐ Component selection (for initial installation only): Primary BES12 components; Management console; Device connectivity components
☐ Setup Type (for initial installation only): Create a new domain
☐ Database information: set Port configuration to Static; set Port to 1433; set Database Authentication to Windows Authentication
☐ URL to access the Management Console: https://ctsbigdcemmsg46.cihs.ad.gov.on.ca:8080/admin
Table 3

Set the NIC Binding Order

The following ‘Step/Action’ table explains how the NIC binding order is set:

Step | Action
*NOTE: Administrative rights required to display multiple connections in Step 5

1. Open the ‘Control Panel.’ Navigate to ‘Network and Sharing Center.’

2. Open the ‘Network and Sharing Center.’

Click ‘Change Adapter Settings.’

3. Simultaneously press the ‘Alt’ key and click ‘Advanced’ from the top ribbon menu.

4. Select ‘Advanced Settings’ from the drop down menu.

5. The ‘Advanced Settings’ applet appears.

The ‘Adapters and Bindings’ tab lists the connections in the order in which network services access them.

Under ‘Connections:’ select the connection to modify.

Notice the directional arrows to the right of the applet.

6. Under ‘Bindings for <connection name>,’ select the protocol to move up or down in the list, click the up or down arrow button, and then click OK.
Table 4

Stop all network interfaces

The following table describes how to start/stop (enable/disable) a network interface:

Step | Action
1. Open an elevated (admin) command prompt: click ‘Start,’ right click ‘command prompt,’ and select ‘Run as administrator.’
2. Get the NIC list and index number using the command below:
    wmic nic get name, index
3. Enable a NIC with the index number using the command below:
    wmic path win32_networkadapter where index=7 call enable
4. Disable a NIC with the index number using the command below:
    wmic path win32_networkadapter where index=7 call disable
Table 5
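The checklist step of stopping every interface except the primary one, as an added PowerShell example that is not part of the original guide: it calls the same Win32_NetworkAdapter Enable/Disable methods as the wmic commands above and records what it disabled so that exactly those adapters are re-enabled. The function name and state-file path are hypothetical; ‘user interface’ is the primary connection name from the checklist.

```powershell
# Added example; not part of the original guide. Windows PowerShell, elevated prompt.
# Function name and state-file location are hypothetical.
function Set-SecondaryNicState {
    param(
        [Parameter(Mandatory = $true)][string]$PrimaryName,   # e.g. 'user interface'
        [Parameter(Mandatory = $true)][ValidateSet('Disable', 'Enable')][string]$Action,
        [string]$StateFile = (Join-Path $env:TEMP 'bes12-disabled-nics.txt')
    )

    if ($Action -eq 'Disable') {
        $physical = @(Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE')
        $primary  = @($physical | Where-Object {
            $_.NetConnectionID -eq $PrimaryName -and $_.NetEnabled
        })
        # Refuse to continue unless exactly one enabled adapter carries the primary
        # name; a typo here would otherwise take every interface offline.
        if ($primary.Count -ne 1) {
            throw "Expected one enabled adapter named '$PrimaryName', found $($primary.Count)."
        }

        $targets = @($physical | Where-Object {
            $_.NetEnabled -and $_.Index -ne $primary[0].Index
        })
        $done = @()
        foreach ($nic in $targets) {
            $rc = $nic.Disable().ReturnValue          # 0 means success
            if ($rc -ne 0) {
                Write-Warning "Disable failed for index $($nic.Index) (code $rc)"
                continue
            }
            $done += [string]$nic.Index
        }
        # Remember only the adapters this run actually disabled.
        [System.IO.File]::WriteAllLines($StateFile, [string[]]$done)
        return $done
    }

    # Enable: restore only the adapters recorded by the Disable run.
    if (-not (Test-Path $StateFile)) {
        throw "No state file at $StateFile; nothing to re-enable."
    }
    $indexes = @(Get-Content $StateFile | Where-Object { $_ -match '^\d+$' })
    foreach ($i in $indexes) {
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $i"
        $rc  = $nic.Enable().ReturnValue
        if ($rc -ne 0) { Write-Warning "Enable failed for index $i (code $rc)" }
    }
    Remove-Item $StateFile
    return $indexes
}

# Stop all interfaces except the primary one:
#   Set-SecondaryNicState -PrimaryName 'user interface' -Action Disable
# When the checklist calls for re-enabling the interfaces:
#   Set-SecondaryNicState -PrimaryName 'user interface' -Action Enable
```

Run it from the server console rather than over a remote session that travels across one of the adapters being disabled.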


About Service Principal Names

The following information regarding Service Principal Name (SPN) is an extraction from Microsoft resources:

“A Service Principal Name (SPN) is a unique identifier of a service instance used by authentication to associate a service instance with a service logon account. An SPN allows client application requests to authenticate accounts even though a client lacks the account name.

Setspn is a command-line tool built into Windows Server 2008. Setspn is available with the Active Directory Domain Services (ADDS) server role installed. The spn command reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account.

In Active Directory, the servicePrincipalName attribute is a multivalued, non-linked attribute built from the DNS host name. The SPN assists in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect.

Use SPNs to locate a target principal name for running a service. Use the setspn command to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs. To use setspn, run the setspn command from an elevated command prompt.

To perform the prescribed tasks, membership in Domain Admins, Enterprise Admins is a prerequisite, or the appropriate delegated authority is necessary.” (Service Principal Names. (2016, May 10) Retrieved from https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx)

Edit Mode Switches

The ‘setspn’ command uses several mode switches and modifiers in creating, verifying, and modifying an SPN. Understanding the purpose of each mode and modifier is imperative to properly configuring an SPN. The following tables identify each mode or modifier and its purpose:

Switch | Purpose | Usage
-R | reset HOST ServicePrincipalName | setspn -R accountname*
-A | add arbitrary SPN | setspn -A SPN accountname*
-S | add arbitrary SPN after verifying no duplicates exist | setspn -S SPN accountname*
-D | delete arbitrary SPN | setspn -D SPN accountname*
-L | list SPNs registered to target account | setspn [-L] accountname*
* accountname can be the name or domain\name of the target computer or user account
Table 6

Edit Mode Modifiers

Note: ‘-C’ and ‘-U’ are exclusive. If either modifier remains unspecified, the tool interprets ‘accountname’ as a computer name, if such a computer exists, and a user name if such a computer does not exist.

Modifier | Purpose | Usage
-C | specifies ‘accountname’ is a computer account | setspn -C accountname*
-U | specifies ‘accountname’ is a user account | setspn -U accountname*
* accountname can be the name or domain\name of the target computer or user account
Table 7


Query Mode Switches

Note: Searching for duplicates, particularly ‘forest wide,’ consumes large quantities of time and memory. ‘-Q’ executes on each target domain/forest. ‘-X’ returns existing duplicates across all targets. SPNs are not required to be unique across forests, but duplicates can cause authentication issues when authenticating cross-forest.

Switch | Purpose | Usage
-Q | queries for existence of SPN | setspn -Q SPN
-X | searches for duplicate SPNs | setspn -X
Table 8

Query Mode Modifiers

NOTE: Combine the following modifiers with the ‘-S’ switch to specify where to check for duplicates before adding the SPN. The ‘-T’ modifier may be specified multiple times.

Modifier | Purpose | Usage
-P | Suppresses progress to the console and used when redirecting output to a file or when used in an unattended script. There will be no output until the command is complete. | setspn -P domain
-F | Performs queries at the forest level, rather than the domain level | setspn -F domain
-T | Performs queries on the specified domain. Performs queries on the specified forest when combined with the ‘-F’ modifier. "" or * can be used to indicate the current domain or forest. | setspn -T domain or forest
Table 9

The following table provides examples of output regarding edit and query mode switches and modifiers:

Example | Output
setspn -R daserver1 | registers SPN ‘HOST/daserver1’ and ‘HOST/{DNS of daserver1}’
setspn -A http/daserver daserver1 | registers SPN ‘http/daserver’ for computer ‘daserver1’
setspn -D http/daserver daserver1 | deletes SPN ‘http/daserver’ for computer ‘daserver1’
setspn -F -S http/daserver daserver1 | registers SPN ‘http/daserver’ for computer ‘daserver1’ if no such SPN exists in the forest
setspn -U -A http/daserver dauser | registers SPN ‘http/daserver’ for user account ‘dauser’
setspn -T * -T foo -X | reports all duplicate registration of SPNs in this domain and foo
setspn -T foo -F -Q */daserver | finds all SPNs of the form ‘*/daserver’ registered in the forest to which foo belongs
Table 10
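The switches above combined into a set-once workflow, as an added PowerShell example that is not part of the original guide: it queries with ‘-Q’, registers with ‘-S’ only when no holder exists, and lists the result with ‘-L’. The function name, the SPN and the account in the sample call are hypothetical placeholders, and the script assumes the English-language status messages that setspn prints.

```powershell
# Added example; not part of the original guide. Run from an elevated prompt on a
# Domain Controller with the rights described in the Microsoft excerpt above.
# Assumption: setspn prints its English status messages
# ('Existing SPN found!', 'Updated object').
function Register-SpnOnce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^/\s]+/\S+$')]        # serviceclass/host[:port]
        [string]$Spn,
        [Parameter(Mandatory = $true)][string]$Account,
        [ValidateSet('User', 'Computer')][string]$AccountType = 'User',
        [switch]$ForestWide                       # adds the -F modifier
    )

    $scope = @()
    if ($ForestWide) { $scope += '-F' }
    $type = if ($AccountType -eq 'User') { '-U' } else { '-C' }

    # 1. Query mode: is the SPN already registered anywhere in scope?
    $query = (& setspn.exe @scope -Q $Spn 2>&1 | Out-String)
    if ($query -match 'Existing SPN found') {
        # Holder accounts are printed as distinguished names starting with CN=.
        $holders = @($query -split "`r?`n" | Where-Object { $_ -match '^CN=' })
        Write-Warning "$Spn is already registered on: $($holders -join '; ')"
        return $false
    }

    # 2. Edit mode: -S adds the SPN after its own duplicate check.
    if (-not $PSCmdlet.ShouldProcess($Account, "setspn $type -S $Spn")) {
        return $false
    }
    $result = (& setspn.exe @scope $type -S $Spn $Account 2>&1 | Out-String)
    if ($result -notmatch 'Updated object') {
        throw "setspn did not report success:`n$result"
    }

    # 3. Show what the account now holds, for the installation record.
    & setspn.exe -L $Account | Out-Host
    return $true
}

# Dry run first, then the real call (placeholder SPN and service account):
#   Register-SpnOnce -Spn 'HTTP/bes-host.example.test' -Account 'EXAMPLE\svc-bes' -WhatIf
#   Register-SpnOnce -Spn 'HTTP/bes-host.example.test' -Account 'EXAMPLE\svc-bes'
```

A `$false` result with a warning means the SPN already has a holder; compare the listed account with the intended service account before changing anything.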

Network Interface Card (NIC) and TCP/IPv4 Properties

Specific servers of the Government of Ontario’s BES12 installation will possess two NICs to address network traffic, acting as ‘routers.’ Verifying the values and properties illustrated here are correct is a necessary and important prerequisite of every BES12 server’s configuration. Ensure each server’s configuration is correct before installing. The image below depicts the settings for each server’s NIC as well as the TCP/IPv4 properties:


Fig. 1

Create the SRP ID and Authentication Key

SRP is an acronym for Server Routing Protocol. SRP is a proprietary network protocol used to transfer data between a BlackBerry Enterprise Server and the Research In Motion BlackBerry infrastructure. SRP communication takes place on TCP port 3101 by default. SRP consists of two different components:
1) SRP ID
2) SRP Authentication Key

During a BlackBerry Enterprise Server installation, the unique Server Routing Protocol Identifier (SRP ID) and SRP Authentication Key must be entered. The SRP ID and SRP Authentication Key register and authenticate the BlackBerry Enterprise Server on the network. The workflow is the same as any authentication process. Consider the SRP ID as a login name and the Authentication Key as a password. The SRP ID uniquely identifies the BlackBerry Enterprise Server on the network. When the BlackBerry Enterprise Server connects to the BlackBerry Infrastructure, it must provide these two pieces of information to connect and open a session.


The Government of Ontario BES12 environment required 36,000 connections, which called for twenty-four SRPs. The next ‘Step/Action’ table describes how to generate an SRP ID and Authentication Key:

Step | Action
1. Login: https://login.good.com/sso/UI/Login

2. The BlackBerry ‘Admins for Enterprise Software’ prompt appears.

Select ‘BlackBerry myAccount’

3. The ‘Account Support’ prompt appears.

Select ‘SRP Management’


4. The ‘SRP Management’ prompt appears.

Select ‘Create a New SRP’

5. The ‘SRP Management’ prompt returns a new SRP ID and Authentication Key.

6. Record the SRP ID and Authentication Key for future use during the BES12 installation(s).

SRP ID: S58664608
Authentication Key: 45gv-2bgu-qdtj-izis-chz7-23uk-gjv7-495j-25kk-ij7z
Table 11


Primary BES 12 Core Server Installation: B – MSG41

NOTE: The following BES12 installation and configuration instructions apply to all BES12 server installations. Specific differences will reflect the role of the server installed by inserting the associated screen shot.

Step | Action
1. Run the ‘BES12 Readiness Tool’ to verify the prerequisites:

A prerequisite check launches to verify installation requirements

2. The ‘License Agreement’ appears.

Read the agreement.

Select ‘I accept the terms of the license agreement.’

Click ‘Next’


3. The ‘Proxy Configuration’ prompt appears.

Select ‘No proxy or BlackBerry Router’

Click ‘Next’

4. The ‘Database information’ prompt appears.

Enter the ‘Microsoft SQL Server name:’

Port configuration = Dynamic

Database authentication = Windows authentication

Click ‘Next’

As stated earlier, the instructions listed in this table will apply to all BES12 server installations. However, specific configuration steps will change relative to the installation type, server type, and server role. Inserted screen shots containing bold red alphanumeric characters represent the configuration and installation steps where changes occur for each BES 12 server installation.

The next screen shot indicates the change of step 4 during the BES12 Readiness Tool setup for the Primary BES 12 Management Console, B – MSG46, Database information:

Primary BES 12 Management Console, B – MSG46, Database information

4a. The ‘Database information’ prompt appears.

Enter the ‘Microsoft SQL Server name:’

Port configuration = Static

Port = 1433

Database authentication = Windows authentication

Click ‘Next’

5. The prerequisite check continues.

Address all absent prerequisites and alerts before proceeding with the BES12 installation.

Please wait.


6. Run the ‘BES12 Installer’ to launch the ‘BES12 Installation.’

Click ‘Next’

7. The ‘License agreement’ appears.

Select the appropriate language.

Read and accept the terms of the license agreement.

Click ‘Next’


8. The ‘Component selection’ prompt appears.

Select the following:
• Primary BES12 components
• Management console
• Device connectivity components

Click ‘Next’

Fig.06

The next screen shot indicates the change of step 8 during the BES12 Setup Application for the Primary BES 12 Management Console, B – MSG46, Component Selection:

Primary BES 12 Management Console, B – MSG46, Component Selection

8a. The ‘Component selection’ prompt appears.

Only select the following:
• Management console

Click ‘Next’


The next screen shot indicates the change of step 8 during the BES12 Setup Application for the Secondary BES 12 Core Server, B – MSG42, Component Selection:

Secondary BES 12 Core Server, B – MSG42, Component Selection

8b. The ‘Component selection’ prompt appears.

Select the following:
• Primary BES12 components
• Device connectivity components

Click ‘Next’

9. The ‘Installation requirements’ check appears.

Address all absent prerequisites and alerts before proceeding with the BES12 installation.

Click ‘Next’


10. The ‘Setup type’ prompt appears.

Select ‘Create a new domain’

Click ‘Next’

Fig.07

The next screen shot indicates the change of step 10, the Setup type, during the BES12 Installation setup for the Primary BES 12 Management Console, B – MSG46, Setup Type:

Primary BES 12 Management Console, B – MSG46, Setup Type

10a. The ‘Setup type’ prompt appears.

Select ‘Use an existing domain’

Click ‘Next’


The next screen shot indicates the change of step 10, the Setup type, during the BES12 Installation setup for the Secondary BES 12 Core Server, B – MSG42, Setup Type:

Secondary BES 12 Core Server, B – MSG42, Setup Type

10b. The ‘Setup type’ prompt appears.

Select ‘Use an existing domain’

Click ‘Next’

11. The ‘Database information’ prompt appears.

Enter the ‘Microsoft SQL Server name:’

Port configuration = Static

Port number = 1433

Database authentication = Windows authentication

Click ‘Next’

Fig.08


12. The ‘Folder locations’ prompt appears.

Enter a location for the Installation folder.

Enter a location for the Log file folder.

Click ‘Next’

13. The ‘Service account’ prompt appears.

Enter the account credentials.

Click ‘Next’


14. The ‘Installation summary’ prompt appears.

Notice the Port configuration is Dynamic

Review all information for accuracy

Click ‘Install’

The next screen shot indicates the change of step 14, the Installation summary, during the BES12 Installation setup for the Primary BES 12 Management Console, B – MSG46:

Primary BES 12 Management Console, B – MSG46, Installation Summary

14a. The ‘Installation summary’ prompt appears.

Notice the Port configuration is Static [1433]

Review all information for accuracy

Click ‘Install’


The next screen shot indicates the change of step 14, the Installation summary, during the BES12 Installation setup for the Secondary BES 12 Core Server, B – MSG42:

Secondary BES 12 Core Server, B – MSG42, Installation Summary

14b. The ‘Installation summary’ prompt appears.

Notice the Port configuration is Static [1433]

Review all information for accuracy

Click ‘Install’

15. The ‘Installing’ notice appears.

Please wait.

The ‘BES12 Installation’ completes successfully.

Click ‘Close’

Fig.010


16. The ‘Console addresses’ prompt appears with self-service and management console links.

Enable ‘Export the console addresses to a file.’

Click ‘Close’

The next screen shot indicates the change of step 16, the Console addresses, during the BES12 Installation setup for the Primary BES 12 Management Console, B – MSG46:

Primary BES 12 Management Console, B – MSG46, Console Addresses

16a. The ‘Console addresses’ prompt appears with self-service and management console links.

Enable ‘Export the console addresses to a file.’

Click ‘Close’


17. A ‘Reminder’ notice appears.

Read the notice and follow the instructions if applicable.

Click ‘OK’

18. Open the exported URL enabled from Step 16.

Enter the administrative credentials.

Default User: admin
Password: Password

19. The ‘Welcome to BES12’ greeting appears.

Select and/or verify the server location.


20. The ‘Welcome to BES12’ prompt appears.

Enter the organization name.

Enter the SRP ID generated earlier.

Enter the SRP Key generated earlier.

Click ‘Submit’

21. The ‘New password’ prompt appears. Enter and confirm the new password.

Click ‘Submit’

Table 12

Uninstall the Primary BES 12 Core Server: B – MSG41

As previously explained, the unique installation condition for BES12 in the Government of Ontario environment concerns the primary core server, B – MSG41.

Importantly, B – MSG41 was installed as the primary core server initially to establish a BES12 core server instance, an instance of the BES12 Management Console, and as a vehicle for the Device Connectivity Components.

Specifically, a primary BES12 core installation was necessary to establish a separate, but primary, Management Console, B – MSG46, and the secondary BES12 core server, B – MSG42, respectively.

After establishing the primary Management Console, B – MSG46, and the secondary BES12 core server, B – MSG42, respectively, uninstalling the original BES12 core server, B – MSG41, is necessary for reinstallation as the primary core server with the Management Console function disabled, as a matter of resource allocation and security.

The following ‘Step/Action’ table describes the uninstallation of the primary core server, B – MSG41:

Step Action

1. Navigate to Control Panel > Programs and features.

Select ‘BES12’ from the list of programs.

Click ‘Uninstall’

2. The ‘BES12 Uninstall application’ notification appears.

Click ‘Next’


3. The ‘Uninstalling’ notification appears.

Please wait.

4. The ‘Uninstalling’ notification will indicate the uninstallation is ‘Successful with warnings.’

A restart of the computer is necessary.

Click ‘Close’ and restart


5. After restarting the computer, log in to the dashboard of the Primary BES 12 Management Console (B – MSG46): https://ctsbigdcemmsg46.cihs.ad.gov.on.ca:443/admin

View the instance and delete the first BES12 Primary Core installed to ensure the new information will display properly when the reinstallation of B-MSG41 completes.

Table 13

Reinstall the Primary BES 12 Core Server: B – MSG41

The following ‘Step/Action’ table describes the reinstallation of the Primary BES12 Core Server, B – MSG41:

Step Action

1. Run the ‘BES12 Installer’ to launch the ‘BES12 Installation.’

Click ‘Next’


2. The ‘License agreement’ appears.

Select the appropriate language.

Read and accept the terms of the license agreement.

Click ‘Next’

3. The ‘Component selection’ prompt appears.

Select the following:
• Primary BES12 components
• Device connectivity components

Click ‘Next’

As stated earlier, the instructions listed in this table will apply to all BES12 server installations. However, specific configuration steps will change relative to the installation type, server type, and server role. The following screen shots represent the configuration and installation steps where changes occur for each BES 12 server installation.


The next screen shot indicates the change of step 3 during the BES12 Setup Application for the Secondary BES 12 Management Console, B – MSG47, Component Selection:

Secondary BES 12 Management Console, B – MSG47, Component Selection

3a. The ‘Component selection’ prompt appears.

Only select the following:
• Management console

Click ‘Next’

The next screen shot indicates the change of step 3 during the BES12 Setup Application for the Third BES 12 Core Server, B – MSG43, Component Selection:

Third BES 12 Core Server, B – MSG43, Component Selection

3b. The ‘Component selection’ prompt appears.

Select the following:
• Primary BES12 components
• Device connectivity components

Click ‘Next’


4. The ‘Installation requirements’ check appears.

Address all absent prerequisites and alerts before proceeding with the BES12 installation.

Click ‘Next’

5. The ‘Setup type’ prompt appears.

Select ‘Use an existing domain’

Click ‘Next’

Fig.07


The next screen shot indicates the change of step 5, the Setup type, during the BES12 Installation setup for the Secondary BES 12 Management Console, B – MSG47:

Secondary BES 12 Management Console, B – MSG47, Setup Type

5a. The ‘Setup type’ prompt appears.

Select ‘Use an existing domain’

Click ‘Next’

The next screen shot indicates the change of step 5, the Setup type, during the BES12 Installation setup for the Third BES 12 Core Server, B – MSG43:

Third BES 12 Core Server, B – MSG43, Setup Type

5b. The ‘Setup type’ prompt appears.

Select ‘Use an existing domain’

Click ‘Next’


6. The ‘Database information’ prompt appears.

Enter the ‘Microsoft SQL Server name:’

Port configuration = Static

Port number = 1433

Database authentication = Windows authentication

Click ‘Next’

Fig.08

7. The ‘Folder locations’ prompt appears.

Enter a location for the Installation folder.

Enter a location for the Log file folder.

Click ‘Next’


8. The ‘Service account’ prompt appears.

Enter the account credentials.

Click ‘Next’

9. The ‘Installation summary’ prompt appears.

Notice the Port configuration is Static [1433]

Review all information for accuracy

Click ‘Install’


The next screen shot indicates the change of step 9, the Installation summary, during the BES12 Installation setup for the Third BES 12 Core Server, B – MSG43:

Third BES 12 Core Server, B – MSG43, Installation Summary

9b. The ‘Installation summary’ prompt appears.

Notice the Port configuration is Static [1433]

Review all information for accuracy

Click ‘Install’

10. The ‘Installing’ notice appears.

Please wait.

The ‘BES12 Installation’ completes successfully.

Click ‘Close’


11. The ‘Console addresses’ prompt appears with self-service and management console links.

Enable ‘Export the console addresses to a file.’

Click ‘Close’

12. A ‘Reminder’ notice appears.

Read the notice and follow the instructions if applicable.

Click ‘OK’

13. Open the exported URL enabled from Step 16.

Enter the administrative credentials.

Default User: admin Password: Password


14. The ‘Welcome to BES12’ greeting appears.

Select and/or verify the server location.

15. The ‘Welcome to BES12’ prompt appears.

Enter the organization name.

Enter the SRP ID

Enter the SRP Key generated earlier.

Click ‘Submit’


16. The ‘New password’ prompt appears. Enter and confirm the new password.

Click ‘Submit’

Table 14

Reference these links for review:
• Key Points of the BES12 Installations
• Network Interface Card (NIC) and TCP/IPv4 Properties
• Create the SRP ID and Authentication Key
• Primary BES 12 Core Server Installation: B – MSG41
• Uninstall the Primary BES 12 Core Server: B – MSG41
• Reinstall the Primary BES 12 Core Server: B – MSG41


The following depiction illustrates a BES12 High Availability configuration:

Fig. 2

BES12 Conclusion

This concludes the ‘BES12 Installation.’


About GOOD

BlackBerry’s Good Technology focuses on securing data and applications on mobile devices within enterprise business environments. BlackBerry’s Good clientele comprises more than 6000 organizations, globally, where providing information protection lies at the core of Good’s fundamental business purpose. These institutions span a myriad of industries, including:
• Healthcare
• Manufacturing
• Financial services
• Energy and utilities
• Legal and government

BlackBerry’s Good Technology expertise is highly regarded within the enterprise sector concerning the use and adaptation of mobile technology, specifically mobile data security. Good protects client data providing military-grade, end-to-end channel encryption with no reliance on third party tools.

For instance, the U.S. Department of Defense required BlackBerry’s Good software on Android devices in 2012. Moreover, in 2013, the Good platform achieved the Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+) certification, becoming the first cross-platform mobile collaboration solution to do so. To date, BlackBerry’s Good Dynamics Secure Mobility Platform is the only containerized solution to achieve this level of security certification on either iOS or Android.

BlackBerry’s Good Technology strengthens data security further by applying robust identity management to user validation methods including complex passwords, biometric log-ins, and multi-factor authentication. ‘Single sign-on’ credential recognition fosters ease-of-use. Additionally, BlackBerry’s Good modular services based architecture is extensible, scalable, and well designed for enterprise purposes, enabling product growth.

BlackBerry’s Good Collaboration Suite

BlackBerry’s core Good Collaboration Suite is an enhanced set of business-adapted features developed to exceed the typical consumer-oriented applications of email, calendar, document sharing, and instant messaging services associated with iOS and Android operating systems.

Hereafter, the reference Good Collaboration Suite will identify BlackBerry’s Good Collaboration Suite. The term ‘Good’ will introduce all elements of the Good Collaboration Suite.

The Good Collaboration Suite delivers a rigid separation of corporate and personal content allowing each content type to coexist on the same device without compromising security. The core Good Collaboration Suite consists of:
• Good Work – email, view online presence, manage contacts, and maintain calendar schedules
• Good Access – secure browser particular to Intranet sites and Web applications
• Good Connect – extends corporate Instant Messaging platforms such as Microsoft’s Lync

BlackBerry’s Good Dynamics Implementation

The recommended BlackBerry Good Dynamics environment for small-to-medium businesses consists of one primary server and one secondary server, each containing an instance of Good Control (GC) and Good Proxy (GP). Good Control is the administrative portion of the Good Dynamics Secure Mobility Platform. Good Proxy is the recipient of client requests for internal or external (i.e. Intranet or Internet) resources.

Hereafter, the reference Good Dynamics will identify BlackBerry’s Good Dynamics Suite. The term ‘Good’ will introduce all elements of Good Dynamics to include Good Control, Good Proxy, and Good Enterprise Mobility Server. The term ‘Good’ will introduce all elements of the Good Enterprise Mobility Server to include Good Connect, Good Mail, Good Presence, and Good Docs.

The primary server is located on the client’s premises. The secondary server resides at an off-site location to provide disaster recovery (DR) support in the event of service failures on behalf of the primary server. The following illustration represents a ‘Good Dynamics Single Server Deployment:’

[Fig. 3: GOOD Dynamics Single Server Deployment. Diagram labels: Mobile Devices, Cellular / WiFi Network, GOOD Network Operations Center, Firewall, Firewall, TCP 443, GOOD Control, GOOD Proxy, Windows Active Directory/DNS, SMTP Relay Server, Admin Station, ‘Data is relayed only’]

Server Infrastructure

To reiterate, the recommended Good Dynamics environment for small-to-medium businesses consists of one primary server and one secondary server, each containing an instance of Good Control (GC) and Good Proxy (GP). Suggested server naming conventions, typically, should identify the company, facility location, server designation, and server domain.

For example, Bell Techlogix will deploy a Good Dynamics environment with one primary server and one secondary server, each containing an instance of Good Control (GC) and Good Proxy (GP), to the Bell Techlogix facilities in Richmond, Virginia and Danville, Virginia.

The naming conventions of each server will identify the company, facility location, server designation, and server domain resulting in the server name and identity. The following table demonstrates the formulation of each server name:

Company | Location | Svr. Designation | Svr. Domain | Hierarchy | Svr. Name
BELL | RICH | GCGP1 | BELL-HQ | Primary | BELL-RICH-GCGP1.BELL-HQ.COM
BELL | DAN | GCGP2 | BELL-HQ | Secondary | BELL-DAN-GCGP2.BELL-HQ.COM

Table 15

As indicated in ‘Table 1,’ above, the server identified as ‘BELL-RICH-GCGP1.BELL-HQ.COM’ is the primary server, which will exist on-site at the client’s premises specifically for administrative purposes.

The server identified as ‘BELL-DAN-GCGP2.BELL-HQ.COM’ is the secondary server, which will exist off-site from the client’s premises particularly for disaster recovery (DR) support purposes.


Good Dynamics Client Server Environment

Client name: Government of Ontario
Client location:
Administrator name:
Serial number: GD11037154
License number: 33FA-9394-2939-A312-E8CA-CC2E

Primary Location:

Svr. Type | Upgrade? | Version | Svr. Name | Domain | Data Center
GC | N | 2.3.53.62 | B-MSG57 | |
GC | N | 2.3.53.62 | B-MSG58 | |
GP | N | 2.3.53.69 | B-MSG48 | |
GP | N | 2.3.53.69 | B-MSG49 | |
GP | N | 2.3.53.69 | B-MSG50 | |
GP | N | 2.3.53.69 | B-MSG51 | |
GP | N | 2.3.53.69 | B-MSG52 | |
GEMS | N | 2.2.22.25 | B-MSG53 | |
GEMS | N | 2.2.22.25 | B-MSG54 | |
GEMS | N | 2.2.22.25 | B-MSG55 | |
GEMS | N | 2.2.22.25 | B-MSG56 | |
SQL | N | | | |

GEMS Version: 2.2.22.25
Is Lync present in client environment (Y/N)? N
If so, which version? N/A
GEMS Mail/Core database name: GEMS_EWS
GEMS Connect database name: GEMS_CONNECT
GEMS DOCS database name: GEMS_DOCS

GEMS Modules: Presence | Connect | Mail | Docs
Installed: Y | Y | Y | Y

Table 16

Data Backup and Recovery for Good Upgrades

Data backup and recovery only applies when upgrading an existing Good instance. System and application data backup ensures restoration of the network’s prior state in the event an upgrade produces a negative effect and the enterprise experiences data loss. The installation of the Good Control (GC) Primary Server begins when all data backups are completed and verified.

Database Backup: gcdb

Again, before proceeding with Good Technology upgrades of any kind, a backup of the relevant system databases is necessary. Good Technology recommends an easily identifiable database name. An example of an easily identifiable database name is ‘gcdb.’

Server Backup

Likewise, before proceeding with Good Technology upgrades of any kind, a backup of all relevant system and application data is required. Minimum considerations of each server backup should include:
• System State
• SQL database
• Application logs
• Application binaries

Additionally, there are three recommended backup types supported: Log shipping, Mirroring, and Always On.

Installing Good Control (GC) on the Primary Server

After completing the necessary pre-requisites required for installing the GC and GP servers as outlined under the ‘Pre-installation Checklist’ of the ‘Good Dynamics Server Deployment Planning and Installation’ document, please have the following information available:
• Good Dynamics service account credentials
• Database server hostnames and database names

TIP: Always install/upgrade the GC server prior to installing/upgrading the Good Proxy (GP) servers. Perform all upgrades with the Good Administrator’s account.

A successful GC server installation includes:
• The GC installer (gcsetup.exe), which is available through the GDN portal
• A License Key and Serial Number, which are available through the ‘Licenses and Servers’ section on the GDN portal
• Client Active Directory domain information
• The fully qualified domain name (FQDN) of the GC server
• An administrator or service account set up on the host machine to run the GC service
• Client SMTP server connection information
• Client database connection information

Reference these links for review:
• BlackBerry’s Good Dynamics Implementation
• Server Infrastructure
• Good Dynamics Client Server Environment
• Data Backup and Recovery for Good Upgrades

NOTE: The following installation set applies to the primary and secondary Good Control servers where applicable. The installations are identical. Simply enter the appropriate Hostnames in the Host Information prompt, join the cluster when queried during the secondary GC installation, and provide the license key for the second GC server.


Good Control (GC) Installation

The following ‘Step/Action’ table describes the Good Control (GC) installation on the Primary Server:

Step Action

1. Run the GC installer, gcsetup.exe, to launch the GC Primary Server installation:

Fig.2

2. The ‘Introduction’ prompt appears.

Read the provided recommendations.

Click ‘Next’

Fig.3


3. The ‘Good License Agreement’ prompt appears.

Read the agreement.

Click ‘I accept the terms of the License Agreement.’

Click ‘Next’

Fig.4

4. The ‘Good Third Party Licenses’ prompt appears.

Read and view the third party licenses.

Click ‘Next’

Fig.5


5. The ‘Good Host Information’ prompt appears.

Enter the appropriate hostname:

Primary GC Server: ctsbigdcemmsg57

Secondary GC Server: ctsbigdcemmsg58

Select ‘Accept these values for Hostname and Domain.’

Click ‘Next’

Fig.6

6. The first of two installation folders for the ‘Choose Install Folder’ prompt appears.

First, choose and verify the ‘Destination Folder.’

Click ‘Next’

Fig.7


7. The second of two installation folders for the ‘Choose Install Folder’ prompt appears.

Choose and verify the ‘Logs Folder.’

Click ‘Next’

Fig.8

8. The ‘Proxy Information’ prompt appears.

Enter the required information.

Click ‘Next’

Fig.9

NOTE: The Secondary GC Server will not require the ‘Proxy Information’ nor ‘Administrator Information’ prompts. Neither prompt will appear during the Secondary GC Server installation.


9. The ‘Administrator Information’ prompt appears.

Enter the username, password, and domain of the administrator account.

Use the administrator account information to run the GC server service.

Click ‘Next’

Fig.10

10. The ‘Database Information’ prompt appears.

Select the ‘Database, Authentication,’ and ‘Connection’ types.

Enter the ‘Host’ and ‘Database’ names.

Enter the ‘Port’ number.

Click ‘Next’

Fig.11


Secondary GC Server B-MSG58 Installation Cluster Query

The following Query addresses the Secondary GC Server B-MSG58 Installation Cluster Query:

The ‘Query’ prompt at right will appear during the secondary GC Server B-MSG58 installation, after entering the ‘Database Information:’

Select ‘Join Cluster’

11. The ‘Domain Information’ prompt appears.

Select the ‘Enable GC to add users from trusted domains’ checkbox to include users from additional domains.

Click ‘Next’

Fig.12


12. The ‘Mailbox Information’ prompt appears.

Select the ‘Active Directory with Exchange email services’ option in Microsoft Exchange environments.

Click ‘Next’

Fig.13

Secondary GC Server B-MSG58 Installation Registration

The next two slides regard the Secondary GC Server B-MSG58 Installation Registration only:

To register the secondary GC Server, log in to the GC Dashboard.

Select ‘Licenses’ from the left pane.

Click ‘Generate License’

Copy the generated license


Paste the generated key in the License Key field

13. The ‘Registration Information’ prompt appears.

Enter the ‘GOOD Control Serial Number’ and ‘License Key.’

The serial number and license key(s) are created on the Community website: https://community.Good.com

Click ‘Next’

Fig.14


14. The ‘SMTP Information’ prompt appears.

Enter all requested information.

Leave the checkbox next to ‘Use SSL’ blank.

Place a check mark in the checkbox next to ‘Use Authentication.’

Click ‘Next’

Fig.15

15. The ‘Pre-Installation Summary’ prompt appears.

Review and verify the information presented.

Click ‘Install’

Fig.16


16. The ‘Installing Good Control’ prompt appears.

Please wait as the installation continues

Fig.17

17. The ‘Certificate Information’ prompt appears.

Review and verify the certificate information:
• Common Name=‘Serial Number’
• Organization=‘Client Name’
• Validity=‘Installation date-Expiration date’
• SHA1 Fingerprint

Click ‘OK’

Fig.18


18. The ‘Install Complete’ prompt appears, indicating the ‘Good Control’ installation is complete.

Verify the provided directory path of the Good Control installation.

Installation is complete

Click ‘Done’

Fig.19

19. Log into the Good Control portal. In the ‘Status and Diagnostics’ section, verify the Good Control server is connected to the NOC.

The Good Control installation on the primary server is complete after verifying the NOC connection.

NOTE: Installation logs are located at ‘C:\Good\ialogs.’ Access the GC console by pointing a browser to ‘https://localhost/’ or ‘https://server_name’ on the GC server host machine.

Click ‘Done.’

Fig.20

Table 17

Reference this link for review: Installing Good Control (GC) on the Primary Server

NOTE: The preceding installation set applies to the primary and secondary Good Control servers where applicable. The installations are identical. Simply enter the appropriate Hostnames in the Host Information prompt, join the cluster when queried during the secondary GC installation, and provide the license key for the second GC server.


Installing Good Proxy (GP) on the Primary Server

The Good Control and Good Proxy installations share similarities. However, the Good Proxy installation requires fewer modules to install. The Good Proxy installation will not include the following modules:
• Database Information
• Domain Information
• Mailbox Information
• SMTP Information

The Good Control and Good Proxy Module Contrast

The information for each of the aforementioned modules, about Good Proxy, relies on the previous Good Control installation, configuration, and associated server(s). The following table demonstrates the differences in the modular installation of Good Control and Good Proxy in order of occurrence:

GOOD Control Modules = 17 | GOOD Proxy Modules = 13
Introduction | Introduction
Good License Agreement | Good License Agreement
Third Party Licenses | Third Party Licenses
Host Information | Host Information
Choose Install Folder | Choose Install Folder
Choose Logs Folder | Choose Logs Folder
Proxy Information | Proxy Information
Administrator Information | -
Database Information | -
Domain Information | -
Mailbox Information | -
Registration Information | Registration Information
SMTP Information | Certification Information
Pre-Installation Summary | Administrator Information
Installing Good Control | Pre-Installation Summary
- | Installing Good Proxy
Certification Information | -
Install Complete | Install Complete

Table 18

Reminder: Good Control is the administrative portion of the Good Dynamics Secure Mobility Platform. Good Proxy is the recipient of client requests for internal or external (i.e. Intranet or Internet) resources.

Installing additional Good Proxy servers is identical to the initial proxy server installation. Most importantly, the Good Proxy server is ‘stateless,’ unlike the Good Control server. In computing, ‘stateless’ is defined as a communications protocol which considers every request as an independent transaction unrelated to all previous requests. As a result, communication consists of independent pairs of request and response.

Furthermore, a ‘stateless’ protocol requires no retention of session information or status by the server concerning each communications partner for periods of multiple requests. By comparison, a ‘stateful’ protocol requires the retention of internal state(s) on the server.

It is just as easy to uninstall and reinstall (rather than restore) the GP if something goes wrong. The GC is not ‘stateless’ and requires appropriate backups for repair or recovery.


Good Proxy TCP/UDP Port Expansion and Commands

Good Proxy requires a minimum of 35000 TCP/IP ports. However, 50000 TCP/IP ports is the recommendation. The following commands set the dynamic port range for TCP and UDP. The ‘start’ value is the first port number, and the ‘num’ value is the total number of ports in the range:

netsh int ipv4 set dynamicport tcp start=10000 num=50000
netsh int ipv4 set dynamicport udp start=10000 num=50000
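Added example, not from the original guide or BlackBerry's documentation: a PowerShell check that reads the current dynamic port range, grades it against the 35000-port minimum and 50000-port recommendation above, and lists fixed TCP listeners that fall inside the range. The function names and the two constructed netsh outputs are this example's own; `Get-NetTCPConnection` requires Windows Server 2012 or later.

```powershell
# Added example: grade the dynamic port range against this guide's figures.
$MinimumPorts     = 35000   # minimum stated in this guide
$RecommendedPorts = 50000   # recommendation stated in this guide

function ConvertFrom-NetshDynamicPort {
    # Parses the text printed by "netsh int ipv4 show dynamicport <tcp|udp>".
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    # The output carries two "label : number" lines: start port, then number of
    # ports. Reading the integers by position avoids relying on localized labels.
    $values = @(foreach ($line in $Lines) {
        if ($line -match ':\s*(\d+)\s*$') { [int]$Matches[1] }
    })
    if ($values.Count -lt 2) { throw 'Could not parse netsh dynamicport output.' }

    [pscustomobject]@{
        StartPort     = $values[0]
        NumberOfPorts = $values[1]
        EndPort       = $values[0] + $values[1] - 1
    }
}

function Test-GoodProxyPortRange {
    param(
        [Parameter(Mandatory)][ValidateSet('tcp', 'udp')][string]$Protocol,
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines
    )
    $range = ConvertFrom-NetshDynamicPort -Lines $Lines
    $status = if ($range.EndPort -gt 65535) { 'INVALID: range runs past port 65535' }
        elseif ($range.NumberOfPorts -ge $RecommendedPorts) { 'OK: meets the recommendation' }
        elseif ($range.NumberOfPorts -ge $MinimumPorts) { 'WARN: minimum met, below recommendation' }
        else { 'FAIL: below the minimum' }

    [pscustomobject]@{
        Protocol      = $Protocol
        StartPort     = $range.StartPort
        EndPort       = $range.EndPort
        NumberOfPorts = $range.NumberOfPorts
        Status        = $status
    }
}

function Get-ListenerInRange {
    # A service bound to a fixed port inside the dynamic range can fail to start
    # if the OS has already handed that port out as an ephemeral port.
    param([Parameter(Mandatory)][int]$StartPort, [Parameter(Mandatory)][int]$EndPort)
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ge $StartPort -and $_.LocalPort -le $EndPort } |
        Sort-Object LocalPort -Unique |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Constructed sample: netsh output on a server still using the Windows default range.
$sampleDefault = @(
    '',
    'Protocol tcp Dynamic Port Range',
    '---------------------------------',
    'Start Port      : 49152',
    'Number of Ports : 16384',
    ''
)
# Constructed sample: netsh output after the two commands in this section.
$sampleExpanded = @(
    '',
    'Protocol tcp Dynamic Port Range',
    '---------------------------------',
    'Start Port      : 10000',
    'Number of Ports : 50000',
    ''
)

Test-GoodProxyPortRange -Protocol tcp -Lines $sampleDefault
Test-GoodProxyPortRange -Protocol tcp -Lines $sampleExpanded

# Live check, only where netsh is available (a Windows host).
if (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
    foreach ($proto in 'tcp', 'udp') {
        $live = Test-GoodProxyPortRange -Protocol $proto -Lines (netsh int ipv4 show dynamicport $proto)
        $live
        if ($proto -eq 'tcp' -and (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
            Get-ListenerInRange -StartPort $live.StartPort -EndPort $live.EndPort
        }
    }
}
```

Run it before and after the port expansion; any listener it reports inside the new range is worth reviewing before Good Proxy goes into service.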

Reference these links for review:
• Installing Good Proxy (GP) on the Primary Server
• The Good Control and Good Proxy Module Contrast
• Good Proxy TCP/UDP Port Expansion and Commands

NOTE: The following installation set applies to the primary and secondary Good Proxy servers where applicable. The installations are identical. Simply enter the appropriate Hostnames in the Host Information prompt.

Installing Good Proxy on the Good Control Primary Server

The following ‘Step/Action’ table describes the ‘Good Proxy Server (GP) Installation on the GC Primary Server’ and begins with the ‘TCP/UDP Port Expansion:’

Step Action

1. Open a command prompt. Enter the following commands to expand the TCP/UDP ports:

netsh int ipv4 set dynamicport tcp start=10000 num=50000
netsh int ipv4 set dynamicport udp start=10000 num=50000

Close the command prompt when completed and begin the ‘GOOD Proxy’ installation.

Fig.24


2. Launch the ‘Good Proxy’ installer.

Fig.2a

3. The ‘Introduction’ prompt appears:

Read the prerequisite information before proceeding with the installation.

Click ‘Next’

Fig.3a


4. The ‘Good License Agreement’ prompt appears.

Read the agreement.

Select “I accept the terms of the License Agreement.”

Click ‘Next’

Fig.4a

5. The ‘Third Party Licenses’ prompt appears.

Review the ‘Third Party Licenses.’

Click ‘Next’

Fig.5a


6. The ‘Host Information’ prompt appears.

Enter the appropriate ‘Hostname’:

Primary GP Server: ctsbigdcemmsg48

Secondary GP Server: ctsbigdcemmsg49

Third GP Server: ctsbigdcemmsg50

Fourth GP Server: ctsbigdcemmsg51

Fifth GP Server: ctsbigdcemmsg52

Select “Accept these values for Hostname and Domain.”

Click ‘Next’

Fig.6a

7. The ‘Choose Install Folder’ prompt appears.

Select the correct drive for the software installation.

Verify the ‘Destination Folder.’

Click ‘Next’

Fig.7a

NOTE: Subsequent GP Servers will not require ‘Install Folders’ and ‘Log Folders.’ The folder paths are provided during the Primary GP server’s installation.


8. The ‘Choose Logs Folder’ prompt appears.

Verify the ‘Logs Folder’ drive and location.

Click ‘Next’

Fig.8a

NOTE: The ‘Proxy Information’ prompt will not appear in subsequent GP Server installations. The initial GP Server installation contains the configuration.

9. The ‘Proxy Information’ prompt appears.

Direct connect Good Proxy servers do not use Web proxy servers.

Leave the checkbox next to ‘Use a Web Proxy’ blank.

Click ‘Next’

Fig.9a


10. The ‘Registration Information’ prompt appears

Enter the FQDN of the primary ‘Good Control Server.’

Click ‘Next’

Fig.14a

11. The ‘Certification Information’ appears.

This information verifies the information of the self-signed certificate used to establish an SSL connection between the Good Proxy and Good Control.

Review and verify the information for accuracy.

Click ‘Accept’

Fig.18a


12. The ‘Administrator Information’ prompt appears.

Enter the service account information used originally in the Good Control ‘Administrator Information’ prompt:
• User Name
• Password
• Domain

Click ‘Next’

Fig.10a

13. The ‘Pre-Installation Summary’ prompt appears.

Review and verify the information presented for accuracy.

Please close all windows associated with the ‘Microsoft Management Console (MMC)’ at this time before proceeding.

Click ‘Install’

Fig.16a


14. The ‘Installing Good Proxy Server’ prompt appears as the GP installation proceeds.

Please wait.

Fig.17a

15. The ‘Install Complete’ prompt appears, indicating the ‘Good Proxy Server’ installation is complete.

The directory path of the installation files is given.

The installation is complete.

Click ‘Done’

Fig.19a


16. Log into the Good Control portal. In the ‘Status and Diagnostics’ section, verify the Good Proxy server is connected to the NOC.

The Good Proxy installation on the primary server is complete after verifying the NOC connection.

NOTE: The installation logs are located in the ‘C:\Good\ialogs’ directory. Access the GC console by pointing a browser to ‘https://localhost/’ or ‘https://server_name’ on the GC server host machine.

Click ‘Done.’

Fig.20a

Table 19

NOTE: The preceding installation set applies to the primary and secondary Good Proxy servers where applicable. Simply enter the appropriate Hostnames in the Host Information prompt.

Reference this link for review: Installing Good Proxy on the Good Control Primary Server
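The ‘Certificate Information’ step of the Good Control installation and the ‘Certification Information’ step of the Good Proxy installation ask the administrator to review the certificate's Common Name, Organization, validity and SHA1 fingerprint on screen. The following PowerShell is an added example, not part of the original guide or BlackBerry's tooling: it summarizes a certificate and compares its SHA-1 fingerprint with a value recorded separately. The function names, the constructed in-memory certificate, and the assumption that the Good Control HTTPS listener on port 443 presents the certificate in question belong to this example; it needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example: summarize a TLS certificate and compare its SHA-1 fingerprint
# with a value recorded separately (for instance, from the installer prompt).

function Get-CertificateSummary {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($Certificate.RawData) }
    finally { $sha256.Dispose() }
    $now = Get-Date

    [pscustomobject]@{
        Subject           = $Certificate.Subject       # carries Common Name and Organization
        Issuer            = $Certificate.Issuer
        SelfSigned        = ($Certificate.Subject -eq $Certificate.Issuer)
        NotBefore         = $Certificate.NotBefore
        NotAfter          = $Certificate.NotAfter
        CurrentlyValid    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        Sha1Fingerprint   = $Certificate.Thumbprint -replace '(..)(?!$)', '$1:'
        Sha256Fingerprint = [System.BitConverter]::ToString($digest) -replace '-', ':'
    }
}

function Test-CertificateFingerprint {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedSha1
    )
    # Fingerprints are written with spaces, colons or in lower case; keep hex digits only.
    $expected = ($ExpectedSha1 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 40) { throw 'A SHA-1 fingerprint is 40 hex digits.' }
    $expected -eq $Certificate.Thumbprint
}

function Get-ServerCertificate {
    # Reads the certificate a server presents. The callback accepts any certificate
    # because the goal is to inspect a self-signed certificate, not to trust it.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Constructed certificate (in memory only) so the functions can be exercised offline.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=CONSTRUCTED-SERIAL, O=Constructed Client', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo = $request.CreateSelfSigned(
    [DateTimeOffset]::UtcNow.AddMinutes(-5), [DateTimeOffset]::UtcNow.AddYears(1))

Get-CertificateSummary -Certificate $demo | Format-List

# The same fingerprint written in lower case with spaces still matches.
$recorded = $demo.Thumbprint.ToLowerInvariant() -replace '(..)(?!$)', '$1 '
Test-CertificateFingerprint -Certificate $demo -ExpectedSha1 $recorded

# A different 40-digit value does not match.
Test-CertificateFingerprint -Certificate $demo -ExpectedSha1 ('00' * 20)

# Against a live server (host name from this guide; port 443 is an assumption):
# $live = Get-ServerCertificate -HostName 'ctsbigdcemmsg57' -Port 443
# Get-CertificateSummary -Certificate $live | Format-List
# Test-CertificateFingerprint -Certificate $live -ExpectedSha1 '<fingerprint recorded from the prompt>'
```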


GOOD Enterprise Mobility Server (GEMS) v2.2.22.25


About BlackBerry’s Good Enterprise Mobility Server (GEMS)

BlackBerry’s Good Enterprise Mobility Server (GEMS) leverages a services-based approach to integrated enterprise mobility through modular consolidation of BlackBerry’s Good Connect and Good Mobile Messaging servers on standard architecture. The following list describes the integrated services offered by GEMS:

Push Notifications Service (PNS) – A push notification alerts a subscriber of an application or service to a new event or message in real-time. BlackBerry’s Good PNS receives push requests from mobile devices while communicating with Microsoft Exchange through Exchange Web Services (EWS) to monitor changes in the subscriber’s enterprise mailbox.

Connect – Connect is an instant messaging (IM) service designed for enterprise use. Connect is similar to consumer IM services such as AOL’s AIM or MSN’s Messenger. However, Connect is a secure, mobile instant messaging application devoted to enterprise messaging systems such as Microsoft Lync and IBM Sametime.

Presence – The Presence feature establishes the on-line/off-line status of enterprise colleagues with a Microsoft Lync account in a mobile environment. Presence enhances mobile conferencing and collaboration, augmenting productivity greatly.

NOTE: The Presence indicator is not visible if Lync for IM and desktop publishing is unavailable in the enterprise.

Docs – Docs enables mobile access to enterprise file servers and SharePoint allowing personnel to open, synchronize, and share documents without firewall reconfiguration, VPN software, or duplicating data stores.

Directory Lookup – Directory Lookup produces an on-line directory service from the enterprise Global Address List (GAL) complete with first and last name searches and accompanying pictures, if provided, displayed within BlackBerry’s Good Launcher.

Follow-Me – Follow-Me supports BlackBerry’s Good Launcher on several Good Dynamics applications by maintaining synchronization across multiple devices.

GEMS Dashboard – The GEMS Dashboard is a browser-based administrative console designed for the configuration of all services and server components after the GEMS installation is completed.

GEMS Web Console – The GEMS Web Console is also browser-based. The GEMS Web Console supports analytical data through monitoring and logging of device connectivity, reporting traffic load, and calculating throughput in real-time.

The services-based approach to integrated enterprise mobility provided through GEMS allows client applications on authenticated devices to utilize and manage services through the ‘Good Developer Network (GDN)’ while enriching the enterprise user experience.

GEMS Architecture

BlackBerry’s Good Collaboration Suite is a set of enhanced business-adapted features developed to exceed the typical consumer-oriented applications associated with iOS and Android operating systems. Good Work is a component of BlackBerry’s Good Collaboration Suite. Good Work is the end-user application installed on mobile devices utilizing the secure device facing services available from GEMS.


The GEMS Integrated Services are the device facing services available from GEMS. Typically, the GEMS Integrated Services include the Push Notifications Service, Presence, Directory Lookup and Follow-Me. Additional services are available according to client needs and requirements.

GEMS’ role is prominent in making the GEMS Integrated Services available to Good Work on the end user’s mobile device. The GEMS Feature Modules engage with backend IT systems, such as Exchange, employing a shared SQL server, which interfaces with multiple databases for core and email services as well as Connect and Analytics. Furthermore, GEMS deploys as an on-site cluster for high availability and load balancing, enabling GEMS Integrated Services availability throughout every instance in the BlackBerry Good Dynamics infrastructure. Good Control manages entitlement to the GEMS Integrated Services. The following diagram depicts a high-level view of the GEMS Architecture:

[Fig. 4: GEMS Architecture diagram. Components shown: Good Work on mobile devices, the cellular/WiFi network, the Good NOC, the firewall, the Good Proxy cluster, Good Control, the GEMS cluster with its integrated services (Push Registration, Follow Me, Presence, Directory Lookup) and feature modules (Mail, Analytics, Connect (IM), Presence), the shared SQL server with Core and Connect databases, the SMB network share, and the Exchange (EWS) and Lync (SIP) IT systems.]

The next diagram offers a different perspective of GEMS Architecture demonstrating redundancy between all respective servers and is limited to the GEMS Integrated Services Connect and Presence:

[Fig. 5: GEMS with Connect and Presence, standalone GEMS deployment. Components shown: GEMS, Lync, SQL, Active Directory, Good Control, Good Proxy, the Good Network Operations Center, the cellular/WiFi network and two firewalls, with TCP 443 marked and the annotation ‘Data is relayed only.’]


The Push Notification System (PNS) portion of the GEMS Architecture offers another structured perspective leveraging Microsoft’s Exchange Web Services (EWS) and Exchange ActiveSync (EAS) while also demonstrating the GEMS/PNS service and Good Control share the same database server. However, the database server can be local to Good Control or remote:

NOTE: A single server approach consolidating Good Control/Good Proxy and GEMS on the same server is possible in a proof-of-concept (POC) environment only. Furthermore, a single server approach requires additional memory and CPUs. Moreover, port conflicts encountered between Good Dynamics and the Lync Presence Provider (LPP) are likely. Start Good Control/Good Proxy after Presence to reconcile the conflict.

GEMS Installation

A successful GEMS installation relies on providing the necessary prerequisite support for each GEMS service deployed. Consider these points of interest:
• Please ensure the completion of all requirements before proceeding to install GEMS.
• Using a GEMS service account during the GEMS installation is highly recommended.
• Verify the creation of all blank databases as specified under the PNS Requirements and Connect Requirements.

GEMS Upgrades

The GEMS installer automatically detects previous versions of GEMS and, when one is detected, offers an option to upgrade the current GEMS version. Select ‘Upgrade’ and follow the on-screen directions with regard to the following instructions.

Beta Upgrades

There is no support for ‘Beta upgrades.’ A new installation of the evaluated GEMS beta version is required if participating in a BlackBerry Good PTEP (beta testing program).

Additional Upgrade Considerations

• Use the GEMS installer to upgrade each GEMS instance within a GEMS cluster configuration.
• For upgrades of multiple GEMS instances sharing a common database, new features will be unavailable until each conversion of GEMS completes. Each GEMS instance will continue to function with the earlier version’s features in a mixed-version environment.
• Do not deploy GEMS in a mixed-version environment for an extended amount of time.

TIP: Enter the applicable database details of the current GEMS deployment when prompted to enter database information for the Mail/Core and Connect DBs during an upgrade.


GEMS Dashboard Supported Browsers

The following browsers are compatible with the GEMS Dashboard:
• Internet Explorer (IE) 10 and IE 11; IE 9 is not supported
• Firefox versions 30, 31, 32
• Chrome 37.0.2062.120

Reference these links for review: About BlackBerry’s Good Enterprise Mobility Server (GEMS) GEMS Architecture GEMS Installation GEMS Upgrades

Installing GEMS

Step Action

1. Launch the ‘GoodEnterpriseMobilityServer’ installer.

Fig. 1z

2. The ‘System Preparation’ wizard appears and monitors progress.

Please wait.

Fig. 2z


3. The ‘Good Enterprise Mobility Server (GEMS)’ configuration begins.

Please wait. Fig.3z

4. The ‘Introduction’ prompt appears.

Read the provided recommendations.

Click ‘Next’

Fig. 4z


5. The ‘License Agreement’ prompt appears.

Read the agreement.

Click ‘I accept the terms of the License Agreement.’

Click ‘Next’

Fig. 5z

6. The ‘Select Services’ prompt appears presenting the available GEMS services:

• Mail
• Connect
• Presence

Fig. 6z


7. The ‘Select Services’ prompt continues presenting the available GEMS services:

• Docs
• Analytics

Select all services to attain the necessary prerequisite configuration for each service installation.

8. The GEMS configuration begins.

Please wait.

Fig. 8z


9. The ‘Prerequisites’ menu proceeds to verify required components for the existing Lync version.

Cancel the installation if any components are unavailable. Install missing components and re-initiate the GEMS installation.

NOTE: Address component failures to resolve future configuration issues. All component failures must be resolved before proceeding with the ‘GEMS’ installation.

Fig. 9z

10. The ‘Host Information’ prompt appears.

Enter the appropriate ‘Hostname’ and ‘Domain’

Verify the ‘Hostname’ and ‘Domain’ for accuracy.

Select “Accept these values for Hostname and Domain.”

Click ‘Next’

Fig. 10z


11. The ‘Choose Install Folder’ prompt appears.

Select the correct drive for the software installation.

Verify the ‘Destination Folder.’

Click ‘Next’

Fig. 11z

12. The ‘Choose Logs Folder’ prompt appears.

Verify the ‘Logs Folder’ drive and location.

Click ‘Next’

Fig. 12z


13. The ‘Administrator Information’ prompt appears.

Select ‘Local System Account’ unless otherwise stipulated.

Enter the service account information used originally in the ‘Good Control Administrator Information’:
• Domain\User Name
• Password

Click ‘Next’

Fig. 13z

14. The ‘Database Information’ prompt appears.

Enter the SQL database information as shown:
• Host
• Database name
• Port
• Authentication type

Click ‘Next’

Fig. 14z


15. The ‘Connect Administrator Information’ prompt appears.

Enter the login credentials.

Click ‘Next’

16. The ‘Connect Database Information’ prompt appears.

Enter the ‘Connect Database Information’ as shown:
• Host
• Database name
• Port
• Authentication type

Click ‘Next’


17. The ‘Presence Administrator Information’ prompt appears.

Enter the login credentials.

Click ‘Next’

18. The ‘Docs Database Information’ prompt appears.

Enter the SQL Docs service database information as shown:
• Host
• Database name
• Port
• Additional Properties
• Authentication type

Click ‘Next’

Fig. 19z


19. The ‘Replace JCE Policy Files’ prompt appears.

Select ‘Yes (Recommended)’

Click ‘Next’

Fig. 20z

20. The ‘Pre-Installation Summary’ prompt appears.

Review and verify the information presented for accuracy. Fig. 21z


21. The ‘Pre-Installation Summary’ prompt continues.

Review and verify the information presented for accuracy.

Please close all windows associated with the ‘Microsoft Management Console (MMC)’ at this time before proceeding.

Click ‘Install’

22. The ‘Installing Good Enterprise Mobility Server’ notice appears.

The GEMS Core installation proceeds.

Please wait.

Fig. 22z


23. The ‘Installing Good Enterprise Mobility Server’ continues.

Please wait.

Fig. 23z

24. The ‘Install Complete’ prompt appears, indicating the ‘Good Enterprise Mobility Server’ installation is complete.

The directory path of the installation files is given.

The installation is complete.

Click ‘Done’

Fig. 24z


25. GEMS restarts immediately after the GEMS installation completes.

Please wait.

Fig. 25z

26. The GEMS configuration proceeds after restarting the GEMS service.

Please wait.

Fig. 26z


27. The ‘Install Complete’ prompt appears, indicating the ‘Good Enterprise Mobility Server’ installation is complete.

The directory path of the installation files is given.

Access the GEMS console at https://localhost:8443/dashboard

Click ‘Done’ Fig. 27z

28. The ‘GOOD Enterprise Mobility Server (GEMS) Dashboard’ appears.

Select ‘GEMS Configuration.’

Fig. 28z


29. The ‘Settings’ menu appears.

Select ‘Dashboard Administrators’ for ‘Active Directory’ membership groups and GEMS configuration.

Fig. 29z

30. The ‘Settings > Active Directory’ membership menu appears.

Create the ‘Administrators’ group and role.

Save the identity.

Fig. 30z

31. The ‘Database Configuration’ prompt appears.

Enter the ‘Server’ name.

Enter the ‘Database’ name.

Select the ‘Authentication Type.’

Click ‘Test’

Click ‘Save’

Fig. 31z


32. The ‘Good Dynamics Server Configuration’ prompt appears.

Enter the ‘Good Proxy Hostnames.’

Enter the ‘Good Proxy Ports.’

Select ‘HTTPS-Requires SSL Certificate.’

Leave ‘Enforce SSL Cert’ unchecked.

Click ‘Test’

Click ‘Save’

Fig. 32z

33. Return to ‘GEMS Dashboard.’

Select ‘Troubleshooting’ under the ‘GEMS System Settings.’

Fig. 33z


34. The ‘Troubleshooting’ prompt appears.

Select ‘Log Upload Credentials.’

Fig. 34z

35. The ‘Credentials’ prompt appears.

Enter the ‘Good Online Portal Username’ and the ‘Good Online Portal Password.’

Click ‘Test’ to validate the credentials.

Click ‘Save.’ Fig. 35z


36. Return to ‘GEMS Dashboard.’

Select ‘SSL Certificate’ under the ‘GEMS System Settings.’

37. The ‘Download SSL Certificate’ prompt appears.

Click the ‘Download SSL Certificate’ button to receive the appropriate certificate.

Table 20

Reference this link for review: Installing GEMS


Configuring GEMS Services

Remember: The Presence indicator is not visible if Lync for IM and desktop publishing is unavailable in the enterprise.

• The ‘Presence’ service furnishes the Lync Presence Provider (LPP) to BlackBerry’s Good Dynamics applications and, most importantly, to Good Work.
• The ‘Connect’ service provides presence and instant messaging services on mobile client devices.
• The ‘Mail’ service is required for the Good Work mobile collaboration application.
• The ‘Docs’ service enables file share access (ex: SharePoint) for Good Work clients.

Mail: Push Notification System (PNS)

The protocol, ‘Exchange ActiveSync (EAS),’ synchronizes email, contacts, tasks, and notes for Good Work clients from the messaging server. GEMS does not participate in EAS activity. However, GEMS cannot support Good Work clients with PNS without properly enabling EAS. By default, the Client Access server role installed on the computer provisioned with ‘Microsoft Exchange Server 2010’ or ‘Exchange 2013’ enables EAS.

Mail: Database Configuration

IMPORTANT: Enable EAS on port 443 to permit connectivity to the Good Proxy server.

NOTE: Good Dynamics must be operating before configuring GEMS PNS for Good Dynamics.

Step Action 1. Return to ‘GEMS Dashboard.’

Select ‘Mail’

Fig. 36z


2. The ‘Good Mail Service Configuration’ menu appears.

Select ‘Database’

Fig. 37z

3. The Mail ‘Database Configuration’ prompt appears.

Enter the ‘Server’ name. Enter the ‘Database’ name.

Select the ‘Authentication Type.’

Click ‘Test’ Click ‘Save’

NOTE: Restart GEMS after saving the mail database configuration. Check the registry table dbo.KeyValueRecord to verify GEMS is using the SQL Server database.

Fig. 38z

Table 21

Mail: Database Connectivity Issues

Issue: GEMS is unable to connect to the ‘Push Notification’ database.

Cause: The ‘Mail > Microsoft Exchange’ configuration information was applied in the GEMS Dashboard before configuring the ‘Mail > Database’ information.

Solution:
a. From the GEMS Dashboard, restart the ‘Good Technology Common’ service.
b. Ensure the information in ‘Mail > Database’ is correct.
c. Repopulate the ‘Mail > Exchange Server’ configuration, then test and save the changes.

Table 22


Mail: Microsoft Exchange

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘Microsoft Exchange.’

Fig. 39z

2. The Mail ‘Exchange Server Configuration’ prompt appears.

Enable ‘Use Windows Integrated Authentication’ if applicable.

Enter a valid end user email address to test service accounts and permissions. Enable ‘Enforce SSL Certificate validation…’ if applicable.

NOTE: ‘SSL Certificate validation’ relies upon the client’s environmental settings. Consult the client to determine the need for ‘SSL Certificate validation.’ Otherwise, leave the ‘SSL Certificate validation’ checkbox blank.

Click ‘Save’ Fig. 40z

Table 23


Mail: Web Proxy Configuration

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘Web Proxy.’

Fig. 41z

2. The Mail ‘Web Proxy’ prompt appears.

Enter the required Web Proxy information and enable ‘Use Web Proxy’ if applicable.

Click ‘Save’

Fig. 42z

Table 24


Mail: Android Push Notification and Google Cloud Messaging Sender ID and API Key

IMPORTANT: Configure ‘Google Cloud Messaging (GCM)’ to support Android Push Notifications (APNS). The Android Push Notification configuration requires a GCM sender ID and API key.

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘Android Push Notification.’

Fig. 43z

2. The ‘Android Push Notification’ prompt appears.

Fig. 44z

3. Open another browser instance and login to Good Control (GC). In the GC Dashboard, under ‘Settings,’ click ‘Licenses and Keys,’ and open the ‘API Keys’ tab.

Copy the ‘Sender ID’ and the ‘Key.’ (The screen shot at right is for example purposes only.) Fig. 49


4. Return to the ‘Android Push Notification’ prompt.

Paste the ‘Sender ID’ and the ‘Key’ into the corresponding fields.

Click ‘Save’

Fig.50

Table 25

Mail: Stop Notifications

The GEMS Mail service is required for the Good Work mobile collaboration application. Good Work is a component of BlackBerry’s Good Collaboration Suite. Good Work delivers a secure connection from any mobile device, anytime from anywhere, to an individual’s corporate email account. Good Work allows full synchronization to send and receive email, view attachments, manage contacts and business calendars.

The GEMS Mail Push Notifications Service (PNS) provides immediate alerts to new mail and chat requests from colleagues. However, the GEMS Mail: Stop Notifications function is primarily an administrative tool. The GEMS Mail: Stop Notifications function is an optional configuration component.

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘Stop Notifications.’

Fig. 45z


2. The ‘Stop Notifications’ prompt appears.

Enter a user’s email address to discontinue sending notifications to the user’s mailbox.

Click ‘Save’

Fig. 46z

Table 26

Mail: User Directory Lookup

Similar to the GEMS Mail: Stop Notifications function, the GEMS Mail: User Directory Lookup query is primarily an administrative tool. The GEMS Mail: User Directory Lookup tool allows administrators to query users by their first and last names as well as pictures (if provided) from an organization’s Global Address List (GAL).

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘User Directory Lookup.’

Fig. 47z


2. The ‘User Directory Lookup’ prompt appears.

Enter the ‘User ID Property Name.’

Enable ‘GAL Lookup’ or ‘LDAP Lookup.’

Click ‘Save’

Fig. 48z

Table 27

Mail: Certificate Directory Lookup

The Mail: Certificate Directory Lookup service retrieves S/MIME digital certificates from a user’s Active Directory (AD) profile. The S/MIME digital certificates enable encryption and signature functionality in the Good Work mobile applications.

Step Action 1. Return to the ‘Good Mail Service Configuration’ menu.

Select ‘Certificate Directory Lookup.’

Fig. 49z

2. The ‘Certificate Directory Lookup’ prompt appears.

Enter the ‘User ID Property Name.’

Enable ‘Contact Lookup’ and ‘GAL Lookup.’

Click ‘Save’

Fig. 50z

Table 28


Reference these links for review: Mail: Database Configuration Mail: Database Connectivity Issues Mail: Microsoft Exchange Mail: Web Proxy Configuration Mail: Android Push Notification and Google Cloud Messaging Sender ID and API Key Mail: Stop Notifications Mail: User Directory Lookup Mail: Certificate Directory Lookup

Configuring the Good Work Application in Good Control

Remember: GEMS cannot support Good Work clients with PNS without properly enabling EAS. Enable EAS on port 443 to permit connections to the Good Proxy server.

GEMS supports the Good Work application. Good Work is the end-user application installed on a client’s mobile device utilizing GEMS mail services such as PNS. PNS relies on the protocol, Exchange ActiveSync (EAS), to synchronize email, contacts, tasks, and notes for Good Work clients from the messaging server. Consequently, clients must enroll in EAS when activating their Good Work application. Interestingly, GEMS does not participate in EAS activity. However, GEMS cannot support Good Work clients with PNS without properly enabling EAS.

Configuring Exchange ActiveSync (EAS) for Good Work

Configuring EAS for Good Work requires:
• Whitelisting the EAS server(s) in Good Control
• Adding the correct JavaScript Object Notation (JSON) configuration

Whitelisting the EAS server(s) in Good Control

The term ‘blacklist’ refers to a record of unaccepted entities denied specific services, privileges, recognition, or access. Conversely, the term ‘whitelist’ refers to a compilation of accepted entities granted specific services, privileges, recognition, or access. For BlackBerry’s Good installations, whitelisting the enterprise’s EAS servers is necessary to support Good Work clients with PNS.

Step Action

1. Login to Good Control with full administrative rights to complete the PNS configuration and enable EAS, with respect to GEMS.
• From the left pane, select ‘Client Connections > Master Connectivity Profile,’ then click ‘Add’ under ‘ADDITIONAL SERVERS.’
• Enter the fully qualified domain name (FQDN) of the EAS server in the ‘Server’ field. (ex: eas1.bell-hq.com)
• Enter the autodiscover server port number, 443, in the ‘Port’ field.
• Include additional EAS or Autodiscover servers as required, repeating the first four steps.

Click ‘Submit’

Fig.51

Table 29


Enabling the JavaScript Object Notation (JSON) configuration for EAS

‘JavaScript Object Notation (JSON)’ parses and generates data into an easily read format compatible with Good Work’s supporting infrastructure. Copy and paste, or manually enter, the following highlighted configuration parameters into the ‘Configuration’ field:

Step Action

1. EXCEPTION: When using ‘Autodiscover,’ replace the ‘EASServer’ parameter (fig.52) with the ‘AutodiscoverURL’ parameter (fig.53).

IMPORTANT: The ‘EASServer’ parameter always takes precedence over the ‘AutodiscoverURL’ parameter whether the ‘AutodiscoverURL’ parameter is present or not. Good practice dictates the omission of the ‘AutodiscoverURL’ parameter from the JSON block to avoid confusion later.

Fig.52

Fig.53

2. Set users> to the FQDN (ex: belltechlogix.com).

must match the email suffix of clients in Good Control. For example, if usernames in Good Control follow the pattern, ‘[email protected],’ then the value for is belltechlogix.com.

3. The default value for ‘EASUseSSL’ is ‘FALSE.’

This is mainly for proof-of-concept (POC) deployments. While this setting has no effect on iOS devices, always set ‘EASUseSSL’ to ‘TRUE’ for Android devices in a production environment.

4. Add the GOOD Work application to the ‘Everyone Application Group.’

Again, the value of must match the email suffix of clients in Good Control. Otherwise, the Good Work client cannot retrieve the predefined EAS configuration from Good Control.

5. If multiple email suffixes are supported, add an additional ‘domain block’ in the JSON configuration, as demonstrated in ‘Fig.54:’

Click ‘Save’ Fig.54

Table 30


Validating the JSON Syntax

Step Action

1. Prior to adding the correct JSON configuration for EAS, validate the code syntax to ensure the formatting is correct.

Open a new browser instance for http://jsonlint.com/ to test the code. An example of validation is presented in ‘Fig.55:’ Fig.55

2. Formatting issues exist within the configuration if the test results do not produce a ‘Valid JSON’ response. Please correct the syntax before copying the code to Good Control.

3. Test and verify EAS functionality. Provision a client device with the Good Work application. The JSON Configuration for EAS is complete when the EAS communications and functionality test successfully.

Table 31
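
The syntax check in step 1 can also be run locally, which keeps server names out of a third-party web page. The following is an added example, not part of the original guide or of BlackBerry’s tooling: it parses the text, rejects duplicate keys, and flags the two conditions the guide warns about (both ‘EASServer’ and ‘AutodiscoverURL’ present; ‘EASUseSSL’ not TRUE). The `domains`/`domain` layout and the hostnames are constructed assumptions, because the guide’s figures are not reproduced here.

```python
import json

# Constructed samples. Only the parameter names EASServer, AutodiscoverURL and
# EASUseSSL come from the guide; the "domains"/"domain" layout is an assumption.
SAMPLE_OK = """
{
  "domains": [
    {"domain": "example.test", "EASServer": "eas1.example.test", "EASUseSSL": "true"}
  ]
}
"""

SAMPLE_RISKY = """
{
  "domains": [
    {"domain": "example.test",
     "EASServer": "eas1.example.test",
     "AutodiscoverURL": "https://autodiscover.example.test/autodiscover/autodiscover.xml",
     "EASUseSSL": "false"},
    {"domain": "corp.example.test",
     "AutodiscoverURL": "https://autodiscover.corp.example.test/autodiscover/autodiscover.xml"}
  ]
}
"""


def _reject_duplicate_keys(pairs):
    """json.loads silently keeps the last duplicate key; treat it as an error."""
    keys = [key for key, _ in pairs]
    dupes = sorted({key for key in keys if keys.count(key) > 1})
    if dupes:
        raise ValueError("duplicate key(s): " + ", ".join(dupes))
    return dict(pairs)


def _objects(node, path="$"):
    """Yield (path, dict) for every JSON object, however deeply nested."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _objects(value, f"{path}[{index}]")


def _is_true(value):
    """Accept a JSON boolean true or the string 'TRUE' in any letter case."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def lint_eas_config(text, production=True):
    """Return a list of findings; an empty list means the text passed."""
    try:
        doc = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as exc:
        return [f"syntax: line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    except ValueError as exc:
        return [f"syntax: {exc}"]

    findings, seen = [], False
    for path, obj in _objects(doc):
        has_server = "EASServer" in obj
        has_auto = "AutodiscoverURL" in obj
        if not (has_server or has_auto):
            continue
        seen = True
        if has_server and has_auto:
            # The guide: EASServer always wins, so omit AutodiscoverURL.
            findings.append(
                f"{path}: both EASServer and AutodiscoverURL set; EASServer takes precedence"
            )
        if production and not _is_true(obj.get("EASUseSSL")):
            # The guide: default is FALSE; set TRUE for Android in production.
            findings.append(f"{path}: EASUseSSL is not TRUE (the default is FALSE)")
    if not seen:
        findings.append("no object with EASServer or AutodiscoverURL found")
    return findings


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_RISKY", SAMPLE_RISKY)):
        print(name, lint_eas_config(sample) or "valid")
```

Pass `production=False` to skip the ‘EASUseSSL’ check for a proof-of-concept configuration.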

Remember: Every user is assigned to the ‘Everyone’ group by default. Add the Good Work application to the ‘Everyone Application Group’ if ‘default’ is the planned option.

Whitelisting the GEMS Host(s) in Good Control

Whitelist the GEMS host in Good Control to allow communication between the Good Proxy server and GEMS.

Step Action 1. From the left pane of the GC Console, select ‘Settings > Client Connections,’ then click ‘Add’ under ‘ADDITIONAL SERVERS.’

2. Add the FQDN of the GEMS Host in the ‘Server’ field and enter port number 8443 in the ‘Port’ field. Choose a primary GP cluster and a secondary GP cluster (if available).

Whitelist additional GEMS hosts with GP Clusters by repeating step 2.

Click ‘Submit’ to save all changes.

Fig.56

Table 32


NOTE: When multiple GEMS hosts are present, use Good Work's ‘Preferred Presence Server Configuration’ parameter to set up a ‘Presence Affinity’ association.

Adding GEMS to the Good Work Application Server List

The Good Work client checks the Good Work server list for available GEMS instances hosting the ‘Presence’ service. The Good Work server list must be populated with at least one GEMS machine configured for the ‘Good Enterprise Services’ entitlement application.

Step Action

1. Add GEMS to the GOOD Work Application Server List.

From the left pane of the GC Console, select ‘APPS > Manage Apps,’ in the applications list, search for and select ‘GOOD Work.’

2. Click the ‘Good DYNAMICS’ tab. In the ‘Server’ section, click ‘EDIT.’

3. Enter the GEMS host FQDN in the ‘Host Name’ field and enter port number 8443 in the ‘Port’ field.

Fig.57

4. Repeat step 3, if additional GEMS hosts exist, after clicking the ‘plus sign’ to add a new row.

Click ‘Save’

Table 33

NOTE: Access to the GEMS Dashboard from a browser displays an untrusted SSL certificate due to an absence of a publicly verifiable certificate in the ‘GEMS Java Keystore.’ Disable ‘SSL Certificate Checking’ on the Good Work client from the JSON configuration for EAS to address the untrusted SSL certificate matter.

Disabling SSL Certificate Checking in the JSON Configuration for EAS

Step Action

1. Change the value for “disableSSLCertification Checking” to “false”

Click ‘Save’ to retain all changes. Fig.58

Table 34

Reference these links for review: Configuring the Good Work Application in Good Control Whitelisting the EAS server(s) in Good Control Enabling the JavaScript Object Notation (JSON) configuration for EAS Validating the JSON Syntax Whitelisting the GEMS Host(s) in Good Control Adding GEMS to the Good Work Application Server List


Docs: Configuring the Docs Service in the GEMS Dashboard

Important: Good Dynamics servers must be operating to configure the ‘Docs’ service for Good Dynamics.

‘Docs’ enables mobile access to enterprise file shares and SharePoint, allowing personnel to open, synchronize, and share documents without firewall reconfiguration, VPN software, or duplicating data stores.

A ‘file share’ distributes data and resources throughout a network with varying levels of access and sharing privileges. ‘SharePoint’ is a document management tool and/or content management system (CMS) supporting enterprise libraries, content, and file shares. Additionally, ‘Docs’ maintains user access policies for mobile application users.

The ‘Docs’ service configuration includes configuring the following modules:
• Web Proxy
• Database
• Repositories
• Settings

Docs: Database Configuration

Step Action 1. Return to the ‘GEMS Dashboard.’

Select ‘Docs’

Fig. 51z

2. The ‘Good Docs Service Configuration’ menu appears.

Select ‘Database.’

Fig. 52z


3. The Docs ‘Database Configuration’ prompt appears.

Enter the ‘Server’ name. Enter the ‘Database’ name.

Select the ‘Authentication Type.’

Click ‘Test’

Click ‘Save’

Fig. 53z

4. Refer to step 3 to use ‘SQL Authentication’ as the ‘Authentication Type’ to access the database:
• Select SQL Server Login as the Authentication Type.
• Enter the SQL Server Username and Password.
• Click the Test button to verify connectivity with the database.
• Click Save to commit your changes.

Critical: Restart the Good Technology Common service in the Windows Services Manager to allow these settings to take effect.

Table 35

Docs: Web Proxy Configuration

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Web Proxy.’

Fig. 54z


2. The ‘Web Proxy Configuration’ prompt appears.

Enter the required information to enable the Good Docs service to connect to a Web Proxy server, if applicable.

Enable ‘Use Web Proxy.’

Click ‘Save.’ Fig. 55z

Table 36

IMPORTANT: This is the path to the Windows Service Manager: Start > Control Panel > Administrative Tools > Services. Open the Windows Service Manager (SrvMan) to locate the service named ‘GOOD Technology Common Services’.

Docs: Settings

The initial configuration of the ‘Docs Security Settings’ followed by configuring ‘Good Control for the Docs Service’ is essential before proceeding to ‘Docs Repositories.’ The ‘Docs Repositories’ configuration will resume after configuring ‘Good Control for the Docs Service.’

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Scroll down to ‘Audit’ (screen shot unavailable)

Select ‘Audit.’

Fig. 56z


2. The Docs ‘Audit’ prompt appears.

Select ‘Enable Audit Logs,’ if applicable.

Select the desired ‘Audit Operations.’

NOTE: Settings may take several minutes to initiate.

Click ‘Save’ Fig. 57z

Table 37

Docs: Security Settings

The ‘Docs Security Settings’ control the following functions:
• Acceptable ‘SharePoint Online’ domains
• The approved URL of the ‘Office Web App Server (OWAS)’
• The appropriate ‘Lightweight Directory Access Protocol (LDAP)’ domains
• The use of ‘Kerberos Constrained Delegation (KCD)’ for user authentication

‘Delegation’ allows a service to impersonate a user account to access resources throughout the network. ‘Constrained delegation’ limits this trust to a select group of services explicitly specified by a domain administrator.

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Settings.’

Fig. 58z


2. The ‘Settings’ prompt appears.

NOTE: The ‘Settings’ options rely upon the client’s environmental configuration(s). Consult the client to gather the proper information and determine the need for each option before proceeding with the ‘Settings’ configuration.

Save the settings.

Fig. 59z

Table 38

IMPORTANT: It is essential to complete the initial configuration of the ‘Docs Security Settings’ followed by configuring ‘Good Control for the Docs Service’ before proceeding to ‘Docs Repositories.’

Docs: Configuring Good Control for the Docs Service

Configuring ‘Good Control for the Docs Service’ consists of three primary tasks:
• Entitling users
• Publishing the Docs application
• Configuring User Affinity

Docs: Entitling Users in Good Control

Step Action 1. Login to the GOOD Control Dashboard with full administrative rights to complete ‘Entitling Users.’

Navigate to ‘APPS > Manage APPS.’ Enter a full or partial search string for ‘Feature – Docs Service Entitlement’

Click ‘Feature – Docs Service Entitlement’ in the search results. Fig.107


2. Click the ‘Good DYNAMICS’ tab, then, in the ‘GD Application ID’, click ‘EDIT.’

Select a policy from the ‘Policy Set Override’ drop-down menu to override the default policy if required.

Click ‘Save’

Fig.108

Table 39

Docs: Publishing the Docs App in Good Control

Step Action 1. Return to the Good Control Dashboard with full administrative rights to complete ‘Publishing the Docs App.’ Navigate to ‘APPS > App Groups.’

Edit the ‘Everyone’ group. Fig.109

2. Click ‘Add More’, and enable the checkbox for ‘Feature - Docs Service Entitlement - ALL.’

Click ‘OK’

Fig.110

Table 40


Docs: Configuring User Affinity for Docs in Good Control

Caution: When a distributed computer system is truly load balanced, each request routes to a different server. This load balancing approach diminishes when server affinity techniques are applied. Be aware when ‘Affinity’ is set, ‘Affinity’ takes precedence.

Step Action 1. Return to the GOOD Control Dashboard with full administrative rights to complete ‘Configuring User Affinity for Docs.’

Navigate to ‘Policies > Policy Sets.’

Click the ‘APP POLICIES’ tab. Fig.111

2. Scroll down and click ‘Good Work.’ Open the ‘App Settings’ tab.

In the ‘Server Hosts’ field, enter in the FQDN of the GEMS host and a colon (:) followed by port 8443. Add more preferred servers in the same manner, each separated by a comma and no space.

Repeat steps 1 and 2 for every policy using the ‘Docs Service.’

Fig.112

Table 41


About Docs Repositories

BlackBerry’s Good ‘Docs’ service provides users with access to data stored on enterprise servers containing ‘file shares’ furnished by authorized users. The terms ‘repository,’ ‘file share,’ and ‘share’ are synonymous with each other regarding ‘Docs.’

Docs: Defining Repositories

Two ‘Repository’ storage types exist in ‘Docs’:
• File Share – a remotely accessible secure directory on an enterprise file server containing shared files and sub-directories.
• SharePoint – a secure web server containing shared files accessed via the Internet.

Furthermore, there are two types of GEMS-Docs ‘repositories:’
• Admin-defined – file shares and SharePoint sites added and maintained by GEMS administrators granting access for individual users and user groups. A named (defined) list can only belong to one list, which enforces unwanted or unintended duplication.
• User-defined – file shares and/or SharePoint sites added by individual end users from their mobile devices. The GEMS administrator may rescind and/or reinstate mobile-based access according to the enterprise IT acceptable-user policies.

Docs: Repositories Configuration Dashboard

The ‘Docs Repositories Dashboard’ contains three tabs:
• Admin Defined:
  o supports the creation and administration of repositories
  o allows the addition and removal of users and user groups
  o assigns file access and permissions
• User Defined:
  o allows the addition and removal of users and user groups
  o enables and disables the ability of users to create user-defined shares
  o grants and rescinds permissions to perform file-related actions on user-defined shares
• Users:
  o allows search capabilities for specific users in Active Directory domains
  o details the repositories permitted by path or override
  o indicates defined shares by administrator or user status

The following example illustrates the ‘Docs Repositories Configuration Dashboard’:

Fig.113

Table 42


Docs: Repository Attributes

The following table describes the ‘Docs Repository Attributes:’

Attribute – Properties

Display Name – The ‘Display Name’ is the repository name displayed to permitted users. The display name must be unique without duplication. Spaces are acceptable.
Due to third party limitations, the following special characters are not permitted in ‘SharePoint 2007, 2010, 2013:’ ~ " # % & * : < > ? / \ { | }
Due to third party limitations, the following special characters are not permitted in ‘File Share:’ \ / : * ? " < > |

Storage Type – The ‘Storage Type’ must be either ‘File Share’ or ‘SharePoint,’ selected from the drop-down list. If ‘Storage Type’ is ‘SharePoint’, enter a fully qualified ‘SharePoint’ URL with/without AD attributes. If ‘Storage Type’ is ‘File Share,’ ‘Path’ can include AD attributes; e.g., \\fileshare1\ or . An error displays when attempting to save the definition if the path is invalid.

List – Select an existing list from the drop-down menu to associate with a repository. If a list is undefined, either create one later, or leave the ‘List’ field blank. If a ‘List’ is selected, check ‘Enable inheriting of access control of repository list’ to apply the ‘Access Permissions’ of the ‘List’ to this repository. Otherwise, define specific access permissions for the share (repository).

Table 43
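The attribute rules above can be checked before definitions are typed into the dashboard. The following is an added example, not part of the original guide or of GEMS: the dictionary keys, the sample definitions, the case-insensitive uniqueness test, and the URL and UNC shape checks are assumptions made for illustration.

```python
"""Pre-flight check for 'Docs' repository definitions (added example).

Encodes the rules in the attribute table above. The dict keys and the URL/UNC
shape checks are assumptions; GEMS itself is configured through its dashboard.
"""
from urllib.parse import urlparse

# Characters the table lists as not permitted in a Display Name.
FORBIDDEN = {
    "SharePoint": set('~"#%&*:<>?/\\{|}'),
    "File Share": set('\\/:*?"<>|'),
}

# Constructed sample definitions (hypothetical hosts and names).
SAMPLE = [
    {"display_name": "HR Policies", "storage_type": "File Share",
     "path": "\\\\fileshare1\\hr"},
    {"display_name": "Finance: Q1", "storage_type": "File Share",
     "path": "\\\\fileshare1\\finance"},
    {"display_name": "Team Site #2", "storage_type": "SharePoint",
     "path": "https://sharepoint.example.test/sites/team2"},
    {"display_name": "hr policies", "storage_type": "SharePoint",
     "path": "http://sharepoint/sites/hr"},
    {"display_name": "Scans", "storage_type": "FTP",
     "path": "ftp://scans.example.test"},
]


def validate_repositories(definitions):
    """Return a list of (display_name, problem) tuples; empty means clean."""
    problems = []
    seen = set()
    for d in definitions:
        name = d.get("display_name", "")
        stype = d.get("storage_type", "")
        path = d.get("path", "")

        if not name.strip():
            problems.append((name, "display name is empty"))
        # "Must be unique": compared case-insensitively here (assumption).
        key = name.strip().casefold()
        if key in seen:
            problems.append((name, "duplicate display name"))
        seen.add(key)

        if stype not in FORBIDDEN:
            problems.append((name, f"unknown storage type {stype!r}"))
            continue  # the remaining checks depend on the storage type

        bad = sorted(set(name) & FORBIDDEN[stype])
        if bad:
            problems.append((name, "forbidden characters: " + " ".join(bad)))

        if stype == "SharePoint":
            url = urlparse(path)
            if url.scheme not in ("http", "https") or "." not in (url.hostname or ""):
                problems.append((name, "path is not a fully qualified URL"))
        else:
            # UNC form \\server\share; the server component must be non-empty.
            parts = path[2:].split("\\") if path.startswith("\\\\") else []
            if not parts or not parts[0]:
                problems.append((name, "path is not a UNC path"))
    return problems


if __name__ == "__main__":
    for name, problem in validate_repositories(SAMPLE):
        print(f"{name!r}: {problem}")
```

Note that ‘#’ is rejected for a SharePoint display name but accepted for a File Share, because the two forbidden-character sets in the table differ.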

Docs: Admin Defined Shares in Repositories

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Repositories.’

Fig.114

2. The ‘Repositories Configuration Dashboard’ appears.

Select the ‘Admin Defined’ tab:

Fig.115

3. Existing (already defined) shares display by ‘NAME’ and ‘PATH.’ Organize existing shares by ‘List’ name, where applicable.

Click a ‘List’ name to expand or contract the member repositories. To view and/or edit an existing repository definition, click the ‘NAME’ or ‘PATH’ of the repository in the list.

4. Click ‘New Repository’ to create a new repository definition. Provide the following information in the corresponding field to define the share:
• Display Name
• Storage Type
• List

Click ‘Save.’ Review the following table to complete the definition.

Fig.116

Table 44

Docs: Granting User Access Permissions for Repositories

Defined or inherited access permissions for a repository originate from an existing list of repositories. Existing Active Directory domain users and user groups may receive selectively granted permissions. However, at least one user or user group must be added to the repository definition in order to begin configuring access permissions.

The following table details a list of allowed permissions:

Access Permission – Permission Attributes – Default Setting

List (Browse) – View/browse repository content in a displayed list; sort lists by Name, Date, Size, or Kind – Enabled
Delete Files – Remove files from the repository – Enabled
Read (Download) – Download repository files to user's device to open and read – Enabled
Write (Upload) – Upload files from a user's device to the repository for storage – Enabled
Cache (Offline Files) – Temporarily store a cache of repository files on a device for offline access – Enabled
Open In – Open a file in a format-compatible app on the device – Enabled
Create Folder – Add new folders to the repository – Enabled
Copy/Paste – Copy/Paste repository files into a different file or app – Enabled
Check In/Check Out (SharePoint only) – A user can edit, close, reopen, and work with a checked out file offline. Other users cannot change the file or see changes until it is checked back in – Enabled

Table 45

Docs: Changing User Access Permissions for Repositories

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Repositories.’

Fig.114

2. The ‘Repositories Configuration Dashboard’ appears.

Check or uncheck a permission under ‘Access Permissions’ to grant or rescind a privilege:

Fig.116a

3. Click the ‘X’ in the far right column to remove a user or group from the repository definition:

Click ‘Save.’

Fig.117

Table 46

Docs: User Defined Shares in Repositories

Administrators may allow users to define their own ‘named’ data resources on ‘Admin-Defined’ repositories provided the user acquires permissions to the specific repository. Configuring permissions for ‘User-Defined’ repositories involves three steps:
• Setting access rights
• Setting allowed data resources
• Granting access permissions

Docs: Setting User-Defined Access Rights in Repositories

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Repositories.’

Fig.114

2. The ‘Repositories Configuration’ prompt appears.

Click the ‘User Defined’ tab:

Fig.113

3. Check ‘Enable User Defined Shares’ to allow mobile users to define their own data sources:

(Optional) Check ‘Automatically add sites followed by users’ for authorized SharePoint 2013 repositories with the required ‘MySite’ plugin enabled.

Fig.118

Table 47

Docs: Setting User-Defined Allowed Data Resources in Repositories

Step Action

1. Remain under the ‘User Defined’ tab. Beneath ‘Data Resources,’ check:
• ‘Allow Files Shares’ to enable user-defined File Share repositories.
• ‘Allow SharePoint Sites’ to enable user-defined SharePoint repositories.

Fig.118a

IMPORTANT: At least one of the above options under ‘Data Resources’ must be enabled or the entire user-defined option is disabled.

Table 48

Docs: Granting User-Defined Access Permissions in Repositories

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Repositories.’

Fig.114

2. The ‘Repositories Configuration Dashboard’ appears.

Check or uncheck a permission under ‘Access Permissions’ to grant or rescind a privilege:

Fig.116a

3. Click the ‘X’ in the far right column to remove a user or group from the repository definition:

Click ‘Save.’

Fig.117

Table 49

Docs: User-Repository Rights in Repositories

The need to search for and review a specific user, as well as the user’s permissions, may surface on occasion. In particular, the user remains unlisted in the Admin-Defined or User-Defined repository configurations when the user is the only member of an AD group configured for repositories.

Step Action

1. Return to the ‘Good Docs Service Configuration’ menu.

Select ‘Repositories.’

Fig.114

2. Click the ‘USERS’ tab:

Fig.113

3. Enter a full or partial search string for the user’s AD account. ‘User’ search results appear:

The screenshot at right provides an example of expected information.

Narrow or extend the search string if the ‘User’ is not found or click ‘Switch Domains’ to search a different AD domain.

Fig.119

4. Click the ‘NAME’ to view the list of repositories allowed for the particular user.

In the example at right, the ‘DEFINED BY’ column identifies the repository type (Admin).

Fig.120

5. Click the repository name to display the user’s access permission(s):

Optionally, enter an ‘Override Path for this User’ to narrow or broaden access within this repository. Click ‘Save’

Fig.121

Table 50

To make changes to a user's access permissions, reference the following links:
• Docs: Granting User Access Permissions for Repositories
• Docs: Changing User Access Permissions for Repositories

Reference these links for review:
• Docs: Configuring the Docs Service in the GEMS Dashboard
• Docs: Database Configuration
• Docs: Web Proxy Configuration
• Docs: Settings
• Docs: Security Settings
• Docs: Configuring Good Control for the Docs Service
• Docs: Entitling Users in Good Control
• Docs: Publishing the Docs App in Good Control
• Docs: Configuring User Affinity for Docs in Good Control
• About Docs Repositories
• Docs: Defining Repositories
• Docs: Repositories Configuration Dashboard
• Docs: Repository Attributes
• Docs: Admin Defined Shares in Repositories
• Docs: Granting User Access Permissions for Repositories
• Docs: Changing User Access Permissions for Repositories
• Docs: Setting User-Defined Access Rights in Repositories
• Docs: Setting User-Defined Allowed Data Resources in Repositories
• Docs: Granting User-Defined Access Permissions in Repositories
• Docs: User-Repository Rights in Repositories

Connect: Activating the Connect Service Account

The Good Connect service securely obtains enterprise instant messaging services while gathering user presence information from Microsoft Lync.

IMPORTANT: The ‘Windows Service Account’ must possess ‘RTCUniversalReadOnlyAdmins’ rights. Contact the Windows domain administrator to ensure the ‘Windows Service Account’ exists and has the necessary rights.

Step Action

1. Return to the ‘GEMS Dashboard.’

Select ‘Connect’

Fig. 64z

2. Stop the ‘Good Technology Connect’ service.

This is the path to the Windows Service Manager: ‘Start > Control Panel > Administrative Tools > Services.’

3. Open the Windows Service Manager.

Locate the service named ‘Good Technology Connect,’ right click the service, and select ‘Stop’ to halt the service.

4. The ‘Good Connect Service Configuration’ menu appears.

Select ‘Service Account’

Fig. 65z

5. The Connect ‘Domain Service Account’ prompt appears.

Enter the ‘Username’ and ‘Password.’

Click ‘Save’

Fig.74a

Table 51

Connect: Configuring the Good Connect Database

Step Action

1. Return to the ‘Good Connect Service Configuration’ menu.

Select ‘Database’

Fig.

2. The ‘Database Configuration’ prompt appears.

• Enter the ‘Server’ and ‘Database’ names.

• Select the appropriate ‘Authentication Type.’

Note: Enter ‘SQL Server Login’ credentials only if selecting the ‘SQL Server Login.’

Click ‘Test’

Click ‘Save’

Fig.76

Table 52

Connect: Configuring GEMS Connectivity with Good Dynamics

Step Action

1. Return to the ‘Good Connect Service Configuration’ menu.

Select ‘Good Dynamics’

Fig. 66z

2. The Connect ‘GOOD Dynamics Server Configuration’ prompt appears.

Enter the ‘Hostname.’ Enter the ‘Port.’

Choose the desired communication method, ‘HTTP’ or ‘HTTPS’

NOTE: An ‘HTTPS’ connection requires a well-known third party CA-signed SSL certificate.

Click ‘Test’ Click ‘Save’

Fig. 67z

Table 53

Connect: Configuring Microsoft Exchange Conversation History

Step Action

1. Return to the ‘GOOD Connect Service Configuration’ menu.

Select ‘Microsoft Exchange.’

Fig. 69z

2. The ‘Exchange Server Configuration’ prompt appears.

NOTE: Please read the ‘Important’ message for additional configuration details.

Place a checkmark in the checkbox next to ‘Enable Conversation History’ to activate the option.

Click ‘Test’

Click ‘Save’

Fig. 70z

3. Enter the following information in the corresponding fields of the ‘Enable Conversation History’ applet:
• Enter the Microsoft Exchange Server URL in ‘Please enter the Microsoft Exchange server information.’
• Select the supported ‘Exchange Server Type’
• The ‘Server Write Interval’ is the relay frequency for each conversation in Exchange. Enter the desired ‘Server Write Interval’ in minutes.

Click ‘Test.’

Click ‘Save’

Fig.83

Table 54

Connect: Configuring a Web Proxy

Step Action

1. Return to the ‘GOOD Connect Service Configuration’ menu.

Select ‘Web Proxy.’

Fig. 71z

2. Three ‘Proxy Server Authentication Types’ are provided. Determine the appropriate type before proceeding:
• ‘Basic’ authentication requires a user name and password provided by the GEMS Connect service to authenticate a request.
• ‘Digest’ authentication applies a hash function to the password for greater security purposes before sending it over the network.
• ‘None’ is the choice when no authentication is required.

3. The Connect ‘Web Proxy Configuration’ prompt appears.

Select the ‘Use Web Proxy’ option.

Fig. 72z

4. Enter the ‘Proxy Address’ and the ‘Proxy Port.’ The ‘Proxy Address’ and the ‘Proxy Port’ are exclusive to a specific organization.
• Select the ‘Proxy Server Authentication Type.’
• A Connect Service Username and Password automatically populate when choosing an ‘Authentication Type.’
• ‘Domain’ information is optional.

Fig.86

5. Verify the connection to the ‘Web Proxy.’ Click ‘Test’

6. Secure all changes. Click ‘Save’

7. Restart the ‘Good Technology Connect’ service in the Windows Services Manager.

This is the path to the Windows Service Manager: ‘Start > Control Panel > Administrative Tools > Services.’ Open the Windows Service Manager to locate the service named ‘GOOD Technology Connect,’ right click the service, and select ‘Start’ to begin the service.

Table 55
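The choice between the ‘Basic’ and ‘Digest’ authentication types in step 2 determines what the service account credentials look like on the wire. The following is an added example, not part of the original guide or of GEMS; it builds both header values from the standard definitions (RFC 7617 for Basic, RFC 2617 MD5 with qop=auth for Digest) using the RFC 2617 sample credentials and challenge, which are not values from this deployment.

```python
"""What 'Basic' and 'Digest' proxy authentication put on the wire (added example).

Header construction follows RFC 7617 (Basic) and RFC 2617 (Digest, MD5,
qop=auth). The credentials and challenge below are the RFC 2617 sample values.
"""
import base64
import hashlib

# Sample values published in RFC 2617, section 3.5 (not from a GEMS host).
RFC2617_SAMPLE = dict(
    username="Mufasa",
    password="Circle Of Life",
    realm="testrealm@host.com",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    method="GET",
    uri="/dir/index.html",
    nc="00000001",
    cnonce="0a4f113b",
)


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(username, password):
    """Proxy-Authorization value for Basic: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header_value):
    """Base64 is an encoding, not encryption: the header decodes directly."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(username, password, realm, nonce, method, uri,
                    nc, cnonce, qop="auth"):
    """RFC 2617 response: a hash bound to the server nonce and the request."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, realm, nonce, method, uri,
                  nc, cnonce, qop="auth"):
    """Proxy-Authorization value for Digest; the password never appears."""
    response = digest_response(username, password, realm, nonce, method,
                               uri, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


if __name__ == "__main__":
    basic = basic_header(RFC2617_SAMPLE["username"], RFC2617_SAMPLE["password"])
    print("Basic header :", basic)
    print("decodes to   :", recover_from_basic(basic))
    print("Digest header:", digest_header(**RFC2617_SAMPLE))
```

When the proxy hop is plain HTTP, a captured Basic header yields the service account password directly, while a captured Digest header yields only a response tied to one nonce and request.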

Connect: Configuring Good Control for Connect

Associating GEMS and the GOOD Connect Client within GOOD Control’s application manager is a matter of importance and required for each individual and clustered GEMS appliance. Associating GEMS and the GOOD Connect Client within GOOD Control’s application manager prescribes the available servers a GOOD Connect client may access.

Step Action

1. Enter the FQDN of the Connect service host in the ‘HOST NAME’ field.

Enter the corresponding port number (typically 8080) in the ‘PORT’ field.

Change the ‘PRIORITY’ as required for a clustered configuration.

Fig.87

2. Enter the following information in the each GEMS machine:
• PLATFORM=LYNC
• SERVERS=

3. Save all changes. Click ‘Submit’

Table 56

Connect: Defining Allowed Domains and Servers

REMEMBER: The term ‘whitelist’ refers to a compilation of accepted entities granted specific rights, privileges, or access when introduced into an IT setting.

For Good installations, whitelisting each GEMS server for the enterprise is conducive to an environmentally friendly network and necessary to support Good services and applications. Whitelisting every GEMS appliance within the enterprise network is a highly recommended best practice for all Good deployments.

Defining allowed domains and servers within the enterprise network assures the guaranteed connectivity of Good Collaboration applications for clients. In each instance, the configured domain allows Good Dynamics (GD) connections to the enterprise Microsoft Exchange server and the necessary port(s) for Connect IM.

Step Action

1. From the left pane of the GC Console:

Select ‘Client Connections > Master Connectivity Profile,’ then click ‘Add’ under ‘ADDITIONAL SERVERS.’ This is a list of specific servers for all Good Dynamics (GD) applications connections. Add servers to this list instead of using the ‘ALLOWED DOMAINS’ list to restrict access so GD applications connect only to certain servers—like GEMS and Exchange—and not to every machine in a domain.

2. Enter the server’s ‘Fully Qualified Host Name (FQHN)’ in the ‘Server’ field.

Enter the port number (typically 8080 or 8443) in the ‘Port’ field.

Fig.65

3. Choose a primary GP cluster and a secondary GP cluster, if applicable.

The first attempts to connect through GP servers occur in the primary cluster. The secondary cluster attempts connectivity if the primary cluster is unresponsive.

4. Define additional servers if necessary. Repeat step 2 as required.

5. Save all changes. Click ‘Submit’

Table 57

The following ‘When/Then’ table describes the steps to edit information for an allowed server, remove a server from a list, and how to whitelist a GEMS host/server:

When… – Then…

Editing data for an allowed server –
• Click the ‘Edit’ icon (pencil) for the server
• Modify the server name or GP cluster configuration
• Click ‘Submit’ to commit the change

Removing a server from the list –
• Click the ‘Delete’ icon (red ‘X’) for the server
• Click ‘Submit’ to commit the change

Whitelisting a GEMS host/server –
• Click the ‘Edit’ icon (pencil)
• Under ‘Additional Servers,’ add an entry for the GEMS Connect service using port 8080. The entry should indicate the specific machine information, similar to: goodconnect.:8080
• Click ‘Submit’ to commit the change

Table 58
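The guidance in step 1 (list specific servers under ‘ADDITIONAL SERVERS’ rather than opening a whole domain through ‘ALLOWED DOMAINS’) can be reviewed mechanically once the profile has been transcribed. The following is an added example, not part of the original guide or of Good Control: the dictionary layout, host names, and finding codes are assumptions, since the guide shows only the console and no export format.

```python
"""Audit a connectivity profile against the server-whitelisting guidance (added example).

The dict layout is an assumption made for this example: Good Control is
configured through its console and the guide shows no export format.
"""
import re

# Fully qualified host name: at least two labels, final label alphabetic.
FQHN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed sample profile (hypothetical hosts under example.test).
PROFILE = {
    "allowed_domains": ["corp.example.test"],
    "additional_servers": [
        {"server": "gems01.corp.example.test", "port": 8080},
        {"server": "gems02", "port": 8080},
        {"server": "exchange01.corp.example.test", "port": 443},
    ],
}

# GEMS Connect hosts that must be listed explicitly (port 8080 per the guide).
REQUIRED = [
    ("gems01.corp.example.test", 8080),
    ("gems02.corp.example.test", 8080),
]


def audit_profile(profile, required_servers):
    """Return (code, subject) findings for one connectivity profile."""
    findings = []
    listed = set()
    for entry in profile.get("additional_servers", []):
        host = entry["server"].strip().lower()
        port = int(entry["port"])
        listed.add((host, port))
        # The 'Server' field expects a fully qualified host name.
        if not FQHN_RE.match(host):
            findings.append(("not-fqhn", f"{host}:{port}"))

    # Every GEMS host should appear as its own host:port entry.
    for host, port in required_servers:
        if (host.lower(), port) not in listed:
            findings.append(("missing-server", f"{host}:{port}"))

    # An allowed domain admits every machine in it. Report each one, with the
    # number of explicitly listed servers it already contains, so the reviewer
    # can judge whether the domain-wide entry is still needed.
    for domain in profile.get("allowed_domains", []):
        name = domain.strip().lower().lstrip(".")
        covered = [h for h, _ in listed if h.endswith("." + name)]
        findings.append(
            ("domain-wide", f"{name} covers {len(covered)} listed server(s)")
        )
    return findings


if __name__ == "__main__":
    for code, subject in audit_profile(PROFILE, REQUIRED):
        print(f"{code:15} {subject}")
```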

Reference these links for review:
• Connect: Activating the Connect Service Account
• Connect: Configuring the Good Connect Database
• Connect: Configuring GEMS Connectivity with Good Dynamics
• Connect: Configuring Microsoft Exchange Conversation History
• Connect: Configuring a Web Proxy
• Connect: Configuring Good Control for Connect

Presence

Remember: The Presence indicator is not visible if Lync for IM and desktop publishing is unavailable in the enterprise network.

The Presence service exposes the Lync Presence Provider (LPP) to third-party Good Dynamics applications. Presence obtains user presence information from Microsoft Lync.

IMPORTANT: The ‘Windows Service Account’ must possess ‘RTCUniversalReadOnlyAdmins’ rights. Contact the Windows domain administrator to ensure the ‘Windows Service Account’ exists and has the necessary rights.

Presence: Activating the Presence Service Account

Step Action

1. Return to ‘GEMS Dashboard.’

Select ‘Presence’

Fig.37a

2. The ‘Good Presence Service Configuration’ menu appears.

Select ‘Service Account’

Fig.90a

3. The ‘Domain Service Account’ prompt appears.

Enter the ‘Username’ and ‘Password.’

Click ‘Save’ to retain all settings.

Fig.91

Table 59

Presence: Configuring GOOD Dynamics

Step Action

1. Return to the ‘Good Presence Service Configuration’ menu.

Select ‘GOOD Dynamics:’

Fig.92

2. The ‘GOOD Dynamics Server Configuration’ prompt appears.

Use the following server names for the appropriate data centers:

Choose the desired communication method, ‘HTTP’ or ‘HTTPS’

NOTE: An ‘HTTPS’ connection requires a well-known third party CA-signed SSL certificate.

Click ‘Test.’

Click ‘Save’

Fig.93

Table 60

Presence: Configuring ‘Settings’

Step Action

1. Return to the ‘GOOD Presence Service Configuration’ menu.

Select ‘Settings.’

Fig.94

The ‘Settings’ prompt appears. The provided default settings are typically sufficient.

Click ‘Save’ to commit all settings.

Table 61

Presence: Configuring Lync 2013

Step Action

1. Return to the ‘GOOD Presence Service Configuration’ menu.

Select ‘Lync 2013.’

Fig.95

2. The ‘Lync 2013 Configuration’ prompt appears.

The system will query the ‘Lync’ server to verify the appropriate GEMS Lync topology and confirm all required software is available. Please wait.

NOTE: An empty list implies the GEMS Lync topology setup is incorrect or the service account lacks the proper permissions to query for the settings. Refer to ‘Microsoft Lync 2010 Requirements’ to correct the topology or permissions.

Click ‘Test’ to verify the connection.

Click ‘Save’

Fig.96

Table 62

Presence: Configuring Good Control for Presence

Presence is one of three services, along with Follow-Me and Directory Lookup, enabled through Good Control’s Good Enterprise Services (GES) entitlement application. Add GEMS as the application server to GES entitlement once, to enable all three services, rather than for each service individually. See ‘Configuring Good Enterprise Service’ in ‘Good Control’ for guidance.

Presence: Adding GEMS to the Good Work Application Server List

The Good Work client checks the Good Work server list for available GEMS instances hosting the ‘Presence’ service. The Good Work server list must be populated with at least one GEMS machine configured for the ‘Good Enterprise Services’ entitlement application.

NOTE: When multiple GEMS hosts are present, use Good Work's ‘Preferred Presence Server Configuration’ parameter to set up a ‘Presence Affinity’ association, discussed later in this document.

Step Action

1. Add GEMS to the GOOD Work Application Server List.

From the left pane of the GC Console, select ‘APPS > Manage Apps,’ in the applications list, search for and select ‘GOOD Work.’

2. Click the ‘GOOD DYNAMICS’ tab. In the ‘Server’ section, click ‘EDIT.’

3. Enter the GEMS host FQHN in the ‘Host Name’ field and enter port number 8443 in the ‘Port’ field.

Fig.97

4. If additional GEMS hosts exist, configure each one by repeating step 3 after clicking the ‘plus sign’ to add a new row. Click ‘Save’

Table 63

NOTE: A browser accessing the GEMS Dashboard displays an untrusted SSL certificate because the ‘GEMS Java Keystore’ lacks a publicly verifiable certificate. To address the untrusted SSL certificate matter, disable ‘SSL Certificate Checking’ on the GOOD Work client from the JSON configuration for EAS.

Reference these links for review:
• Presence: Activating the Presence Service Account
• Presence: Configuring GOOD Dynamics
• Presence: Configuring ‘Settings’
• Presence: Configuring Lync 2013
• Presence: Adding GEMS to the GOOD Work Application Server List

GEMS Conclusion

This concludes the Good GEMS installation.

Appendix

Architecture Overview

The following diagram shows the logical domain placement of the Good systems and the network flow/traffic between the components of the service.

Glossary

A

Active Directory – a Microsoft directory service developed for Windows domain networks encompassing a broad range of directory-based, identity-related services.

AD – acronym for Active Directory.

Always On – a continuously and immediately available Internet connection.

Analytics - supplies metric evaluations regarding traffic and usage concerning the effectiveness of the mobile apps deployed in the GEMS environment. Specifically, Analytics monitors apps used, by whom, the purpose, and the duration and frequency of use.

API – acronym for Application Programming Interface

APNS – acronym for Apple Push Notification Service.

Apple Push Notification Service – forwards third party application notifications to Apple devices.

Application Programming Interface – described as a set of routines, protocols, and tools for building software and applications.

B

BES12 – acronym for Blackberry Enterprise Server version 12.

Blackberry Enterprise Server version 12 - The ‘BlackBerry Enterprise Server 12 (BES 12)’ is a secure enterprise mobility management (EMM) solution esteemed for industry leading mobile security. BES 12 scales across multiple operating systems (OS) to accommodate present and future enterprise requirements notwithstanding the types of devices in use throughout an environment. BES 12 scales up to 25,000 devices per server and 150,000 devices per domain.

Blacklist - a record of unaccepted entities denied of specific services, privileges, recognition, or access.

BoxTone - a leading innovator of mobile service management. Good Technology acquired BoxTone in 2014.

Bring Your Own Device - the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to the workplace, and allowing those devices to access privileged company information and applications.

BYOD - acronym for Bring Your Own Device

C

CA – acronym for certificate authority.

CAC – acronym for Common Access Card

CAL – acronym for Client Access License

Certificate - an electronic (digital) document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct.

Certificate Authority - a trusted third party authorized to issue digital certificates.

Certificate Directory Lookup - retrieves S/MIME digital certificates from a user’s Active Directory (AD) profile. The S/MIME digital certificates enable encryption and signature functionality in the ‘Good Work’ mobile applications.

Client Access License -

CMS – acronym for Content Management System

COBO – acronym for Corporate Owned Business Only

Common Access Card - A common access card is a single corporate card or token used for PC, network and application login (user authentication) and building access.

Connect - Connect is a secure, mobile instant messaging application devoted to enterprise messaging systems such as Microsoft Lync and IBM Sametime deployed in the GEMS environment.

Content Management System - a computer application supporting the creation and modification of digital content using a common user interface. A CMS usually supports multiple users working in a collaborative environment.

COPE – acronym for Corporate Owned Personally Enabled

Corporate Owned Business Only - users are given a device to use (often there is no choice over which device to use), and restricted to using it for business purposes only. This model has become largely outdated among organizations without high security requirements as high connectivity and cloud applications make it easy for employees to access multiple types of content from the same device.

Corporate Owned Personally Enabled - an IT business strategy where an organization buys and provides computing resources and devices used and managed by employees. COPE allows an organization to source and deliver computing devices and services to employees and is how most organizations provide handheld or portable devices/gadgets to their employees.

D

Directory Lookup - produces an on-line directory service from an enterprise Global Address List (GAL) complete with first and last name searches and accompanying pictures, if provided, displayed within the GOOD Launcher.

Demilitarized Zone – In computer security, a ‘demilitarized zone’ (sometimes referred to as a perimeter network) is a physical or logical subnetwork containing and exposing an organization's external-facing services to a larger and untrusted network, usually the Internet. A demilitarized zone (DMZ) adds an additional layer of security to an organization's local area network (LAN). An external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name derives from the term ‘demilitarized zone,’ an area between nation states in which military operations are not permissible.

DMZ – acronym for Demilitarized Zone

DNS – acronym for Domain Name System.

Docs - deployed in the GEMS environment. Enables mobile access to enterprise file servers and SharePoint allowing personnel to open, synchronize, and share documents without firewall reconfiguration, VPN software, or duplicating data stores.

Domain Name System - a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

E

EAS – acronym for Exchange ActiveSync

EMM – acronym for Enterprise Mobility Management

Enterprise Mobility Management - the set of people, processes and technology focused on managing mobile devices, wireless networks, and other mobile computing services in a business context. An all-encompassing approach to securing and enabling employee use of smartphones and tablets. In addition to addressing security concerns, a strong EMM strategy assists users’ productivity by providing the tools needed to perform work-related tasks on mobile devices.

EWS – acronym for Exchange Web Services.

Exchange ActiveSync - a communications protocol, which synchronizes email, contacts, calendars, tasks, and notes from a messaging server to mobile devices.

Exchange Web Services - Exchange Web Services (EWS) enables client applications to communicate with the Exchange server. EWS provides access to much of the same data made available through Microsoft’s Office Outlook.

Extensible Markup Language - a markup language that defines a set of rules for encoding documents in a format, which is both human-readable and machine-readable.

Extensible Messaging and Presence Protocol - a communications protocol for message-oriented middleware based on Extensible Markup Language (XML). It enables the near-real-time exchange of structured yet extensible data between any two or more network entities. Originally named Jabber; acquired by Cisco.

F

File Share – a remotely accessible secure directory on an enterprise file server containing shared files and sub-directories.

Follow-Me - deployed in the GEMS environment. Supports the ‘GOOD Launcher’ on several GOOD Dynamics applications by maintaining synchronization across multiple devices.

Fully Qualified Domain Name - the complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the hostname and the domain name.

FQDN – acronym for Fully Qualified Domain Name.

G

GAL – acronym for Global Address List.

GCM – acronym for Google Cloud Messaging.

GDN – acronym for Good Developer Network.

GEMS – acronym for Good Enterprise Mobility Server.

GEMS Dashboard - a browser-based administrative console designed for the configuration of all services and server components after a GEMS installation is completed.

GEMS Web Console – a browser based Web console supporting analytical data through monitoring and logging of device connectivity, reporting traffic load, and calculating throughput in real-time.

Global Address List – an electronically shared address book referencing all individuals in an organization complete with first and last name searches and accompanying pictures, if provided.

Good Collaboration Suite - an enhanced set of business-adapted features developed to exceed the typical consumer-oriented applications of email, calendar, document sharing, and instant messaging services associated with iOS and Android operating systems.
• Good Work – email, view online presence, manage contacts, and maintain calendar schedules.
• Good Access – secure browser particular to Intranet sites and Web applications.
• Good Share – document and file sharing supporting collaboration and file synchronization.
• Good Connect – extends corporate Instant Messaging platforms such as Microsoft’s Lync.

Good Control - the administrative portion of the GOOD Dynamics Secure Mobility Platform.

Good Enterprise Mobility Server - leverages a services-based approach to integrated enterprise mobility through modular consolidation of the GOOD Connect and GOOD Mobile Messaging servers on standard architecture.

Good Proxy - the recipient of client requests for internal or external (i.e. Intranet or Internet) resources.

Good Technology – Good creates products to manage and secure mobile devices in business environments with emphasis on application and data security.

Google Cloud Messaging – a Google developed mobile service enabling developers to send notification data or information from developer-run servers to applications targeting the Google Android Operating System, as well as applications or extensions developed for the Google Chrome internet browser.

H

HA – acronym for High Availability

High Availability – ensures a high degree of operational performance for lengthier periods, reducing downtime, or unavailability, of resources. High Availability is a system design principle adding redundancy to an enterprise to eliminate a single point of failure.

HTTP – acronym for Hypertext Transfer Protocol

HTTPS – acronym for Hypertext Transfer Protocol Secure

Hypertext Transfer Protocol – an application protocol for distributed, collaborative hypermedia information systems utilizing logical links (hyperlinks) between nodes containing text. Hypertext Transfer Protocol is the foundation of data communication for the World Wide Web.

Hypertext Transfer Protocol Secure - a protocol for secure communication over a computer network. Hypertext Transfer Protocol Secure authenticates websites while protecting the privacy and integrity of exchanged data.

I

IIS – acronym for Internet Information Services.

IM – acronym for Instant Messaging.

Independent Software Vendor – an independent software vendor (ISV) is an organization specializing in making or selling software, designed for mass or niche markets.

Instant Messaging – described as a type of online chat service offering real-time text transmission over the Internet.

Internet Information Services – an extensible Web server created by Microsoft supporting various types of Internet protocols.

Internet Protocol – the principal communications protocol essentially establishing the Internet by relaying information and data across network boundaries.

iOS – mobile operating system(s) developed by Apple and exclusively distributed for Apple hardware.

IP – acronym for Internet Protocol.

ISV – acronym for Independent Software Vendor

J

Jabber - the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence. Jabber is an Instant Messaging application deployed by Cisco and available in new versions of GEMS, including v2.0.16.23.

Java Cryptography Extension - provides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.

Java Memory Heap - defines the amount of available memory for the Java Virtual Machine processing. Set the Java Memory Heap size to a value up to 60% of the available memory in the Good Proxy server, or 6GB maximum.

JavaScript Object Notation - a lightweight data-interchange format. JavaScript Object Notation is easy for humans to read and write and easy for machines to parse and generate. The basis of JavaScript Object Notation is a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition.

JCE - acronym for Java Cryptography Extension.

JSON – acronym for JavaScript Object Notation.

K

KCD – acronym for Kerberos Constrained Delegation

Kerberos – authenticates a user’s identity when accessing network resources. Kerberos authentication uses encrypted tickets decrypted by secret keys, which do not contain user passwords.

Kerberos Delegation – client authentication defers to a second service acting on behalf of a specified Kerberos security principal allowing a service to impersonate a user account to access resources throughout the network.

Kerberos Constrained Delegation – similar to Kerberos Delegation. However, Kerberos Constrained Delegation limits trust to a select group of services explicitly specified by a domain administrator.

L

LDAP – acronym for Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol – an industry standard application protocol for distributed information services over an Internet Protocol network.

Line of Business - a general term referring to a set of one or more highly related products serving a particular customer transaction or business need.

Log Shipping - the process of automating the backup of log files and a database on a primary (production) database server, and then restoring them onto a standby server. Microsoft SQL Server, 4D Server, MySQL and PostgreSQL support Log Shipping.

LOB – acronym for Line of Business

LPP – acronym for Lync Presence Provider.

Lync Presence Provider – the GEMS Lync Presence Provider (LPP) is a trusted Microsoft Lync Server Unified Communications Managed API (UCMA) application. The LPP is required to establish trust with Microsoft Lync.

M

MAM – acronym for Mobile Application Management

Microsoft Lync – described as an instant messaging tool combining voice communications, Instant Messaging, Web conferencing, audio, and video in a single interface.

Microsoft Management Console – a system administration interface used for system configuration and monitoring.

Mirroring - the act of copying data from one location to a storage device in real time. Data mirroring is useful in the speedy recovery of critical data after a disaster.

MMC – acronym for Microsoft Management Console.

Mobile Application Management - describes software and services responsible for provisioning and controlling access to internally developed, and commercially available, mobile apps used in business settings on both company-provided and ‘bring your own’ smartphones and tablet computers.

MCM – acronym for Mobile Content Management

Mobile Content Management - a type of content management system (CMS) capable of storing and delivering content and services to mobile devices, such as mobile phones, smart phones, and PDAs.

Mobile Service Manager - a mobile device monitoring system combining IT Service Management (ITSM) and the fundamentals of the Information Technology Infrastructure Library (ITIL). The Good MSM integrates with present enterprise monitoring tools, supporting a diverse collection of mobile platforms.

MSM – acronym for Mobile Service Manager.

N

Network Operations Center - one or more locations from which network monitoring and control, or network management, occurs over a computer, telecommunication or satellite network.

NOC – acronym for Network Operations Center

O

OWA – acronym for Outlook Web Access

Outlook Web Access - a suite of Outlook web apps from Microsoft spanning across Office 365, Outlook.com, Exchange Server, and Exchange Online. Outlook Web Access includes a web-based email client, a calendaring tool, a contact manager, and a task manager.

Office Web App Server - a browser-based file viewing and editing service for Office files.

OWAS – acronym for Office Web App Server

P

PAC – acronym for Proxy Auto-Configuration

PNS – acronym for Push Notification Service.

POC – acronym for Proof of Concept.

Presence - establishes the on-line/off-line status of enterprise colleagues with a Microsoft Lync account in a mobile environment.

Proxy – a server facilitating indirect connections to other network servers or services.

Proxy Auto-Configuration – A ‘proxy auto-config (PAC)’ file defines how web browsers and other user agents automatically choose the appropriate proxy server (access method) for retrieving a given URL.

Push Notifications Service – the Push Notifications Service alerts a subscriber of an application, or a service, to a new event or message in real-time.

Q

R

Repository – a storage location for files, data, and information. Two ‘Repository’ storage types exist in ‘Docs’:
• File Share – a remotely accessible secure directory on an enterprise file server containing shared files and sub-directories.
• SharePoint – a secure web server containing shared files accessed via the Internet.

S

SDK – acronym for Software Development Kit.

Server Routing Protocol – Server Routing Protocol (SRP) is the proprietary network protocol used to transfer data between a BlackBerry Enterprise Server and the Research In Motion BlackBerry infrastructure.

SRP communication takes place on TCP port 3101 by default. SRP works in two different parts:
1. SRP ID
2. SRP Authorization Key

During BlackBerry Enterprise Server installation, the unique Server Routing Protocol Identifier (SRP ID) and SRP Authentication Key must be entered. The SRP ID and SRP Authentication Key register and authenticate the BlackBerry Enterprise Server on the network. The workflow is the same as any authentication process. Consider the SRP ID as a login name and the Authentication Key as a password. The SRP ID uniquely identifies the BlackBerry Enterprise Server on the network. When the BlackBerry Enterprise Server connects to the BlackBerry Infrastructure, it must provide these two pieces of information to connect and open a session.

SharePoint - a web application platform in the Microsoft Office server suite combining various functions traditionally considered separate applications. The separate applications are intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store.

Simple Mail Transfer Protocol - an Internet standard for electronic mail (email) transmission. SMTP was first defined by RFC 821 in 1982 and last updated in 2008 with the Extended SMTP additions by RFC 5321, which is the protocol in widespread use today. SMTP uses TCP port 25 by default.

SMTP – acronym for Simple Mail Transfer Protocol.

Software Development Kit – also referred to as a ‘devkit.’ A Software Development Kit is a set of software development tools used to create applications for software packages, frameworks, hardware platforms, and computer and operating systems.

SQL – acronym for Structured Query Language.

SRP – acronym for Server Routing Protocol

SSL Certificate – an SSL Certificate provides secure, encrypted communications between a website and an internet browser. SSL stands for Secure Sockets Layer, the protocol providing the encryption. SSL certificates typically install on pages requiring end-users to submit sensitive information over the internet like credit card details or passwords.

Stateful – a technical term not realized as a true vocabulary word, describing a communications protocol requiring the retention of internal states on a server.

Stateless - defined as a communications protocol, which considers every request as an independent transaction unrelated to all previous requests.

Stop Notification - primarily an administrative tool, which discontinues notifications and/or alerts to an individual’s mailbox.

Structured Query Language – a programming language used for managing data in a relational database management system.

T

TCP – acronym for Transmission Control Protocol.

Transmission Control Protocol – delivers reliably ordered and error-checked octet streams between hosted applications communicating over an Internet Protocol network. Major Internet applications such as the World Wide Web, email, remote administration, and file transfer rely on the Transmission Control Protocol.

U

UDP – acronym for User Datagram Protocol.

User Datagram Protocol – a connectionless datagram service emphasizing reduced latency over reliability.

User Directory Lookup - primarily an administrative tool. The GEMS ‘Mail: User Directory Lookup’ tool allows administrators to query users by their first and last names as well as pictures (if provided) from an organization’s Global Address List.

V

VAS – acronym for Value Added Services

Value Added Services - a popular telecommunications industry term for non-core services, or in short, all services beyond standard voice calls and fax transmissions.

Virtual Private Network – uses a public network (ex: Internet) to extend a private network through dedicated network links to establish virtual point-to-point connectivity.

VPN – acronym for Virtual Private Network.

W

Webmail – an email client implemented as a web application running on a web server.

Whitelist - a compilation of accepted entities granted specific services, privileges, recognition, or access.

Work – also known as Good Work. GOOD Work delivers a secure connection from any mobile device, anytime from anywhere, to an individual’s corporate email account. GOOD Work allows full synchronization to send and receive email, view attachments, manage contacts and business calendars.

X

XML – acronym for Extensible Markup Language

XMPP – acronym for Extensible Messaging and Presence Protocol.

Y Z
