Overview and What's New Guide

BES12

Version 12.2
Published: 2015-06-17
SWD-20150617105620995

Contents

About this guide...... 5
What is BES12?...... 6
Key features of BES12...... 6
Product features...... 8
Key features for all device types...... 8
Key features for BlackBerry 10 devices...... 10
Key features for iOS, Android, and Windows Phone devices...... 11
What's New in BES12...... 13
Comparing BES12 with previous EMM solutions from BlackBerry...... 18
Enterprise solution comparison chart...... 18
Architecture: BES12 solution...... 25
Components used in the BES12 solution...... 26
Components used to manage BlackBerry 10, iOS, Android, and Windows Phone devices...... 29
Components used to manage BlackBerry OS devices...... 32
Activating devices...... 35
Data flow: Activating a BlackBerry 10 device...... 35
Data flow: Activating an Android device...... 38
Data flow: Activating a device to use KNOX Workspace...... 40
Data flow: Activating a device to use Android for Work...... 42
Data flow: Activating an iOS device...... 44
Data flow: Activating a Windows Phone device...... 47
Data flow: Activating a BlackBerry OS device...... 49
Receiving configuration updates...... 52
Data flow: Receiving configuration updates on a BlackBerry 10 device...... 52
Data flow: Receiving configuration updates on an Android device...... 54
Data flow: Receiving configuration updates on an iOS device...... 55
Data flow: Receiving configuration updates on a Windows Phone device...... 56
Sending and receiving work data...... 58
Using enterprise connectivity...... 59
Data flow: Sending email and calendar data from a BlackBerry 10, iOS, or Android device using enterprise connectivity...... 60
Data flow: Receiving email and calendar data on a BlackBerry 10 or Android device using enterprise connectivity...... 61
Data flow: Receiving email and calendar data on an iOS device using enterprise connectivity...... 62
Data flow: Sending an email from a BlackBerry OS device...... 63
Data flow: Receiving an email on a BlackBerry OS device...... 64
Data flow: Receiving enterprise push updates on a BlackBerry 10 device using enterprise connectivity...... 65
Data flow: Accessing an application or content server from a work app on a device using BlackBerry Secure Connect Plus...... 66
Data flow: Accessing an application or content server from a work app on a device using enterprise connectivity...... 67
Data flow: Sending an instant message from the BlackBerry Enterprise IM app using enterprise connectivity...... 68
Using your organization's VPN or work Wi-Fi network...... 69
Data flow: Sending email or calendar data using your organization's VPN or work Wi-Fi network...... 70
Data flow: Receiving email and calendar data on a device using your organization's VPN or work Wi-Fi network...... 71
Data flow: Accessing an application or content server from a device using your organization's VPN or work Wi-Fi network...... 71
Product documentation...... 73
Glossary...... 75
Legal notice...... 77

About this guide

BES12 helps you manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices for your organization. This guide contains an overview of BES12, including its current features, architecture, and how data flows between the devices managed by BES12 and your organization's network. This guide also describes how to manage the product lifecycle, from evaluation and licensing to day-to-day administration and maintenance, and which resources to consult for more in-depth information.

This guide is intended for senior IT professionals who are responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about BES12. After you read this guide, you should understand the product's capabilities, the function of each BES12 component, and the full set of technical resources available.

What is BES12?

BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following:

• Manage mobile devices for your organization to protect business information
• Keep mobile workers connected with the information that they need
• Provide administrators with efficient business tools

With BES12, you can manage the following device types:

• BlackBerry 10
• BlackBerry OS (version 5.0 to 7.1)
• iOS
• Android (including Samsung KNOX)
• Windows Phone

You can manage these devices from a single, simplified UI with industry-leading security.

Key features of BES12

Feature Description

Management of many types of devices: You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices.

Single, unified UI: You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time.

Trusted and secure experience: Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.

Balance of work and personal needs: BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device.


BlackBerry Secure Connect Plus: BlackBerry Secure Connect Plus is a BES12 component that provides a secure IP tunnel between work space apps on BlackBerry 10, KNOX Workspace, and Android for Work devices and an organization’s network. This tunnel gives users access to work resources behind the organization’s firewall while ensuring the security of data using standard protocols and end-to-end encryption. Supported devices use BlackBerry Secure Connect Plus when the devices cannot access the work Wi-Fi network or VPN (for example, the user is off-site and not in range of the work Wi-Fi network).

Product features

BES12 includes many features for different device types. These lists highlight the most important features.

Some features are common to all device types, and some features are specific to a particular device type. In some cases, a feature behaves differently on each device type.

Key features for all device types

Feature Description

Use a browser to manage devices: You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the administration consoles at the same time.

Device users can use a self-service console to perform tasks like activating or switching devices, changing their device passwords remotely, and deleting device data.

Use administrative roles: Roles define the actions that an administrator can perform. Roles help you reduce security risks, distribute job responsibilities, and increase efficiency by limiting the options available to administrators. You can use predefined roles or create your own custom roles.

Integrate with your organization's company directory: You can use local, built-in user authentication to access the management console and self-service console, or you can integrate with the Microsoft Active Directory or LDAP company directories that you use in your organization's environment (for example, IBM Domino Directory). BES12 supports connections to multiple directories. You can have any combination of both Microsoft Active Directory and LDAP.

You can also configure BES12 to automatically synchronize the membership of a directory-linked group to its associated company directory groups when the scheduled synchronization occurs.

Activate devices: When you activate a device, you associate the device with your organization's environment so that users can access work data on their devices. You can activate a device with just an email address and activation password.

You can allow users to activate devices themselves or you can activate devices for users and then distribute the devices. All device types can be activated over the wireless network.

Manage devices: You can manage multiple devices for each user account and view the device inventory for your organization. You can perform the following actions if the actions are supported by the device:


• Lock the device, change the device or work space password, or delete information from the device
• Connect the device securely to your organization's mail environment, using Microsoft Exchange ActiveSync for email and calendar support
• Control how the device can connect to your organization's network, including Wi-Fi and VPN settings
• Configure single sign-on for the device so that it authenticates automatically with domains and web services in your organization's network
• Control the capabilities of the device, such as setting rules for password strength and disabling functions like the camera
• Manage app availability on the device, including specifying app versions and whether the apps are required or optional
• Search app stores directly for apps to assign to devices
• Install certificates on the device and optionally configure SCEP to permit automatic certificate enrollment
• Extend email security using S/MIME or PGP

Manage groups of users and apps: Groups simplify the management of users and apps. You can use groups to apply the same configuration settings to similar user accounts. You can assign different groups of apps to different groups of users, and a user can be a member of several groups.

Control which devices can access Microsoft Exchange ActiveSync: Using gatekeeping in BES12 ensures that only devices that are managed by BES12 and that meet your organization's security policy can access work email and other information on the device.

Control how apps connect to your organization's resources: You can use an enterprise connectivity profile to control how apps on BlackBerry 10 devices and iOS and Android devices with Secure Work Space connect to your organization’s resources. When you enable enterprise connectivity, you avoid opening a direct connection from within your organization's firewall to the Internet for device management and third-party applications such as the mail server, certification authority, and other web servers or content servers. Enterprise connectivity sends all traffic through the BlackBerry Infrastructure to BES12.

Enforce your organization's requirements for devices: You can use a compliance profile to help enforce your organization's requirements for devices, such as not permitting devices that are jailbroken, rooted, or have an integrity alert, or requiring that certain apps be installed on devices. You can send a notification to users to ask them to meet your organization's requirements, or you can limit users' access to your organization's resources and applications, delete work data, or delete all data on the device.


Create or import many user accounts with a .csv file: You can import a .csv file into BES12 to create or import many user accounts at once. Depending on your requirements, you can also specify group membership and activation settings for the user accounts in the .csv file.

View reports of user and device information: The reporting dashboard displays an overview of your BES12 environment. For example, you can view the number of devices in your organization sorted by service provider. You can view details about users and devices, export the information to a .csv file, and access user accounts from the dashboard.

Consolidate outbound connections to the BlackBerry Infrastructure over port 3101: In BES12, all components that connect to the BlackBerry Infrastructure use the outbound-initiated, two-way port 3101 (TCP). As a result, it is easy to configure your organization’s firewall to allow the outbound connections that BES12 requires to perform management tasks.
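The single-port requirement above is easy to verify from the BES12 host before activation fails for a less obvious reason. The following script is an added example, not code from the BES12 guide or from BlackBerry: it attempts an outbound TCP handshake on port 3101 and classifies the result so that a silently filtered connection (timeout) can be told apart from a closed port (refused) or a name-resolution problem. The endpoint hostname is a placeholder (an assumption); substitute the BlackBerry Infrastructure addresses documented for your own deployment. The `local_self_test` function demonstrates both outcomes against a loopback listener so the script can be exercised offline.

```python
"""Outbound TCP 3101 reachability check for a BES12 host.

Added example, not from the BES12 guide or from BlackBerry. It exercises
the firewall requirement the guide states: every BES12 component reaches
the BlackBerry Infrastructure over outbound-initiated TCP port 3101.
The endpoint hostname is a placeholder (assumption); substitute the
infrastructure addresses documented for your own deployment.
"""
import socket

BES12_OUTBOUND_PORT = 3101  # port stated in the guide

# Placeholder endpoint (assumption): replace with the real hostnames.
PLACEHOLDER_ENDPOINTS = ["blackberry-infrastructure.example.invalid"]


def check_outbound_tcp(host, port=BES12_OUTBOUND_PORT, timeout=3.0):
    """Attempt one outbound TCP handshake and classify the outcome.

    Returns (reachable, reason). Only the handshake is performed; the
    socket is closed immediately and no application data is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # No SYN-ACK within the timeout: the usual signature of a
        # firewall silently dropping the outbound connection.
        return False, "timeout (connection likely filtered)"
    except ConnectionRefusedError:
        # RST received: the path is open but nothing listens on the port.
        return False, "refused (host reachable, port closed)"
    except socket.gaierror as exc:
        return False, "dns resolution failed: %s" % exc
    except OSError as exc:
        return False, "socket error: %s" % exc


def check_endpoints(hosts, port=BES12_OUTBOUND_PORT, timeout=3.0):
    """Check each host and return {host: (reachable, reason)}."""
    return {host: check_outbound_tcp(host, port, timeout) for host in hosts}


def all_reachable(results):
    """True when every endpoint completed the handshake."""
    return all(ok for ok, _ in results.values())


def local_self_test():
    """Demonstrate both outcomes against a loopback listener.

    Opens a listening socket on an ephemeral loopback port (handshake
    succeeds), closes it, and checks the same port again (refused).
    Returns the two (reachable, reason) tuples.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = check_outbound_tcp("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    closed_result = check_outbound_tcp("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    results = check_endpoints(PLACEHOLDER_ENDPOINTS)
    for host, (ok, reason) in results.items():
        status = "OK" if ok else "FAIL"
        print("%s:%d %s (%s)" % (host, BES12_OUTBOUND_PORT, status, reason))
    raise SystemExit(0 if all_reachable(results) else 1)
```

Run it on each computer that hosts a BES12 component, since the guide's point is that every component, not only the core server, needs this outbound path. A timeout from all endpoints usually indicates the egress rule is missing; a refusal indicates the firewall is open and the problem lies elsewhere.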

Certificate-based authentication: You can send certificates to devices using certificate profiles. These profiles help to restrict access to Microsoft Exchange ActiveSync, Wi-Fi connections, or VPN connections to devices that use certificate-based authentication.

Manage licenses for specific features and device controls: You can manage licenses and view detailed information for each license type, such as usage and expiration. The license types that your organization uses determine the devices and features that you can manage. You must activate licenses before you can activate devices. Free trials are available so that you can try out the service.

EMM SIM-Based Licensing: EMM SIM-Based Licensing is an alternative licensing model that allows you to buy licenses from your service provider instead of from BlackBerry. This option allows you to pay for licenses for BlackBerry 10, iOS, Android, and Windows Phone devices as part of your existing plan with your service provider. For more information about licensing, see the licensing content.

Key features for BlackBerry 10 devices

Feature Description

Manage work information separately on a device: BlackBerry Balance technology makes sure that personal and work information and apps are separated on BlackBerry 10 devices. It creates a personal space and a work space and provides full management of the work space. For government and regulated industries that want to lock the device down further, additional options include full control over the work space and some control over the personal space, or you can create only a work space on the device to give your organization full control over the device.


Manage work apps: You can install and manage work apps in the work space on BlackBerry 10 devices. Work apps can only access work data and interact with other work apps. Work apps can be internally developed apps or third-party apps. Several configuration options are available for work apps, including whether they are required on devices.

Key features for iOS, Android, and Windows Phone devices

Feature Description

Manage work information separately on an iOS or Android device: Secure Work Space is an option for providing additional security for work data on iOS and Android devices. Using containerization and app wrapping, it makes sure that personal and work information and apps are kept separate on devices by creating a personal space and a work space and providing full management of the work space. You can choose whether you want control of the work space and personal space, or control of just the work space, to ensure user privacy.

Manage work apps and work space apps: On all managed devices, work apps are apps that your organization makes available for its users.

You can search app stores directly for apps to assign to devices. You can specify whether apps are required on devices, and you can view whether a work app is installed on a device. Work apps can also be proprietary apps that were developed by your organization or by third-party developers for your organization's use.

On devices with Secure Work Space, secured apps are work apps that the work space secures with additional protections. Secured apps are separated from personal apps and data, and include an integrated email, calendar, and contacts app, an enterprise-level secure browser, and secure document viewing and editing. A secured app can also be an internal app that you secure and send to a device with Secure Work Space.

Run app lock mode on iOS devices or Android devices that use KNOX MDM: On iOS devices that are supervised using Apple Configurator or on Android devices that use KNOX MDM, you can use an app lock mode profile to limit the device to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sales demonstrations.

Filter web content on iOS 7 devices: For devices that run iOS 7.0 and later, you can use web content filter profiles to limit the websites that a user can view on a device. You can enable automatic filtering with the option to allow and restrict websites, or allow access only to specific websites.


Link Apple VPP accounts to a BES12 domain: The Volume Purchase Program (VPP) allows you to buy and distribute iOS apps in bulk. You can link Apple VPP accounts to a BES12 domain so that you can distribute purchased licenses for iOS apps associated with the VPP accounts.

Manage devices using KNOX MDM: BES12 can manage Samsung devices using KNOX MDM. KNOX MDM includes the enhanced management capabilities that Samsung provides for Samsung devices. When a device is activated, BES12 automatically identifies whether the device supports KNOX MDM.

In addition to the standard Android management capabilities, BES12 includes the following management capabilities for devices that support KNOX MDM:

• An enhanced set of IT policy rules, called the KNOX MDM policy set
• Enhanced application management, including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions on installing restricted apps
• App lock mode

You can use KNOX MDM with or without Secure Work Space. Without Secure Work Space, devices require a Silver license and use the "MDM controls" activation type. If you also want to use Secure Work Space, devices require a Gold license and use the "Work and personal - full control" activation type.

For more information about supported devices, visit http://help.blackberry.com/detectLang/bes12 to read the Compatibility Matrix content. For more information about KNOX MDM, visit https://www.samsungknox.com.

Manage devices using Android MDM: Android MDM uses the basic management options that are native to the Android OS to manage the device. A separate, protected container is not created. For more information about managing devices using Android MDM, see the Administration content.

Manage devices using Android for Work: You can activate Android devices that run Android OS 5.0 or later to use Android for Work. Android for Work is a feature developed by Google that provides additional security for organizations that want to manage Android devices and allow their data and apps on Android devices. For more information about managing devices using Android for Work, see the Administration content.

Manage devices using KNOX Workspace: The KNOX Workspace is an encrypted, password-protected container on a Samsung device that includes your work apps and data. It separates a user’s personal apps and data from your organization’s apps and data and protects your apps and data using enhanced security and management capabilities that Samsung developed. For more information about managing devices using KNOX Workspace, see the Administration content.

What's New in BES12

Install or upgrade BES12 using a command prompt window

You can install or upgrade BES12 using a command prompt window.

For more information about installing BES12 using a command prompt window, see the Installation and upgrade content.

Install the BES12 management console or BES12 Core on another computer

You can install the BES12 management console or BES12 Core on a separate computer.

For more information about installing BES12 components on separate computers, see the Installation and upgrade content.

Licensing support for Android for Work and KNOX Workspace devices

You can use the following new license types in BES12: Gold (replaces Gold - BlackBerry), Gold - Flex, and Gold - KNOX Workspace.

The following license types support Android for Work and Samsung KNOX Workspace devices:

• Silver licenses are required to activate Android for Work devices. You can also use Gold - Secure Work Space, Gold, or Gold - Flex licenses.
• Gold or Gold - Flex licenses are required to activate Android for Work devices with BlackBerry Secure Connect Plus.
• Gold - KNOX Workspace or Gold - Flex licenses are required to activate devices that use KNOX Workspace.

For more information, see the Licensing content.

Enable secure connections to work resources using BlackBerry Secure Connect Plus

BlackBerry Secure Connect Plus is a BES12 component that provides a secure IP tunnel between work space apps on BlackBerry 10, KNOX Workspace, and Android for Work devices and an organization’s network. This tunnel gives users access to work resources behind the organization’s firewall while ensuring the security of data using standard protocols and end-to-end encryption. Supported devices use BlackBerry Secure Connect Plus when the devices cannot access the work Wi-Fi network or VPN (for example, the user is off-site and not in range of the work Wi-Fi network).

For more information about enabling BlackBerry Secure Connect Plus, see the Administration content.

Configure BES12 and activate iOS devices using the DEP

You can configure BES12 to use Apple's Device Enrollment Program so that you can synchronize BES12 with DEP. After you configure BES12, you can use the BES12 management console to manage the activation of the iOS devices that your organization purchased for the DEP.

For more information about configuring BES12 and activating iOS devices that are enrolled in DEP, see the Configuration and Administration content.


Connect to your Google Apps for Work or Google for Work domain

You can configure BES12 to connect to your Google Apps for Work or Google for Work domain so that you can manage devices that use Android for Work.

For more information about configuring BES12 to support Android for Work, see the Configuration content.

Activate Android for Work on a device

You can activate Android devices that are running Android OS 5.1 (Lollipop) or later to use Android for Work.

For more information about activating devices, see the Administration content.

Manage apps on devices that use Android for Work

You can manage apps on devices that use Android for Work by adding Android apps to an app group that is enabled for Android for Work. Apps that you set as required are automatically installed on assigned devices.

For more information about managing app groups, see the Administration content.

Use Wi-Fi profiles with Android for Work devices

You can use Wi-Fi profiles with Android for Work devices. If your organization uses proxy servers, you can associate proxy profiles with Wi-Fi profiles to permit Android for Work devices to connect to proxy servers when the device uses Wi-Fi.

For more information about setting up work connections, see the Administration content.

Send IT administration commands to Android for Work devices

You can use IT administration commands to manage devices that use Android for Work. You can use IT administration commands to lock the device, wipe work data, reset the work profile password, and disable or enable the work profile.

For more information about sending IT administration commands to Android for Work devices, see the Administration content.

Create multiple device activation messages

You can create customized activation email message templates for different device types or user groups. When you generate an activation password for a user, you can choose which activation email message template to assign to the user.

For more information about creating multiple device activation messages, see the Administration content.

Activate devices that support KNOX Workspace

You can activate Samsung devices that support KNOX Workspace on BES12.

For more information about activating devices, see the Administration content.

Manage apps on devices that use KNOX Workspace

You can manage apps on devices that use KNOX Workspace.

For more information about managing apps, see the Administration content.


Use Wi-Fi profiles with devices that use Samsung KNOX

You can use Wi-Fi profiles with Samsung KNOX devices using the following device settings when they connect:

• If your organization uses proxy servers, you can associate proxy profiles with Wi-Fi profiles to permit devices that use Samsung KNOX to connect to proxy servers.
• You can specify DNS servers used by Samsung KNOX devices to resolve domain name requests over a Wi-Fi network.
• You can associate the following profiles with Wi-Fi profiles to permit Samsung KNOX devices to authenticate with a Wi-Fi network:
  ◦ Shared certificate
  ◦ SCEP
  ◦ User credential
  ◦ CA certificate

For more information about setting up work connections, see the Administration content.

Use email profiles with KNOX Workspace and Android for Work devices

You can use email profiles to set up an Exchange ActiveSync connection with devices that use Samsung KNOX Workspace and Android for Work so that they can synchronize email messages, calendar entries, and organizer data. You can also use certificate-based authentication for KNOX Workspace devices to authenticate with the mail server.

For more information about setting up work connections, see the Administration content.

Use VPN profiles with KNOX Workspace devices

You can use VPN profiles to specify how Samsung KNOX Workspace devices connect to a work VPN.

For more information about setting up work connections, see the Administration content.

Send IT administration commands to KNOX Workspace devices

You can manage KNOX Workspace devices using remote commands, such as Delete only work data, Reset work space password, and Disable/enable work space.

For more information about sending IT administration commands to KNOX Workspace devices, see the Administration content.

Create web icons for iOS devices

You can use web icon profiles to create customized web icons and assign them to groups or users. The web icons are displayed on users' devices and provide links to websites.

For more information about creating web icons, see the Administration content.

Locate iOS devices

BES12 supports device location for iOS devices. You can view the current or previous locations of up to 100 iOS devices at one time on a map in the management console. You can also allow users to locate their iOS devices on a map in BES12 Self-Service.


You can assign a location service profile to users, user groups, or device groups. You can locate iOS devices that have been lost or stolen and track the location of any iOS device when the device travels a distance that you specify.

For more information about locating iOS devices, see the Administration content.

Copy IT policies

You can copy existing IT policies in BES12 to quickly create custom IT policies for different groups in your organization.

For more information about copying IT policies, see the Administration content.

Set the wallpaper in the work space on BlackBerry 10 devices

You can set the wallpaper for the work space of a BlackBerry 10 device from the BES12 management console. When you create a device profile, you can select a custom image to display on users' BlackBerry 10 devices to provide information for your users.

For more information about setting wallpaper on BlackBerry 10 devices, see the Administration content.

S/MIME enhancements for iOS and Android devices

On iOS and Android devices with Secure Work Space, you can use certificate retrieval profiles to search for and retrieve S/MIME certificates from LDAP certificate servers. Devices can use OCSP or Exchange ActiveSync to check the status of S/MIME certificates.

For more information about using S/MIME, see the Administration content.

Specify whether a BlackBerry 10 device automatically accepts untrusted certificates

When you configure VPN profiles for BlackBerry 10 devices, you can specify whether a device automatically accepts untrusted certificates or prompts the user to choose. The minimum requirement is BlackBerry 10 OS version 10.3.2.

For more information about setting up work connections, see the Administration content.

CA certificate support for iOS and Android devices with Secure Work Space

BES12 supports the use of CA certificates for iOS and Android devices that are activated with the “Work and personal - full control (Secure Work Space)” and “Work and personal - user privacy (Secure Work Space)” activation types. This allows you to assign a CA certificate profile to these devices so that they can use certificate-based authentication for SSL and S/MIME connections.

For more information about creating CA certificate profiles, see the Administration content.

SCEP support for iOS and Android devices with Secure Work Space

BES12 supports SCEP profiles for iOS and Android devices that are activated with the “Work and personal - full control (Secure Work Space)” and “Work and personal - user privacy (Secure Work Space)” activation types. This allows you to assign SCEP profiles to these devices by associating them with an email profile so that they can request and obtain client certificates from a SCEP-compliant CA used by your organization. The SCEP profile must be associated with an email profile before BES12 sends it to a device with Secure Work Space.

For more information about creating email profiles, see the Administration content.


Exchange ActiveSync certificate authentication support for iOS and Android devices with Secure Work Space using SCEP

BES12 supports SCEP profiles for iOS and Android devices that are activated with the “Work and personal - full control (Secure Work Space)” and “Work and personal - user privacy (Secure Work Space)” activation types that have a SCEP profile associated with an email profile. This allows you to assign an email profile that provides Exchange ActiveSync provisioning and authentication to these devices. When an Exchange ActiveSync certificate is included in the SCEP package, no user input is required. The SCEP profile must be associated with an email profile before BES12 sends it to a device with Secure Work Space.

For more information about creating email profiles, see the Administration content.

Comparing BES12 with previous EMM solutions from BlackBerry

EMM solution: BES12
Supported device types:
• BlackBerry 10
• BlackBerry OS (version 5.0 to 7.1)
• iOS
• Android (including Samsung KNOX)
• Windows Phone
Description: You can manage the server, user accounts, and all device types with a single UI, the management console. The software architecture has been simplified for easier management, increased scalability, and additional multiplatform features. To manage BlackBerry OS (version 5.0 to 7.1) devices with BES12, you must upgrade from BES5 to BES12. For high availability, you can install additional active servers that share the management load automatically.

EMM solution: BlackBerry Enterprise Service 10
Supported device types:
• BlackBerry 10
• BlackBerry OS (version 5.0 to 7.1)
• BlackBerry PlayBook
• iOS
• Android
Description: You can manage the server, devices, and user accounts with dedicated, advanced UIs for different device types. You can also use BlackBerry Management Studio as a single, unified UI for basic administration of all devices. To manage BlackBerry OS (version 5.0 to 7.1) devices, you can install BlackBerry Enterprise Service 10 on the same computer as BlackBerry Enterprise Server 5.0 SP4 and use BlackBerry Management Studio for basic administration. For high availability, you can install standby instances of the server.

EMM solution: BlackBerry Enterprise Server 5
Supported device types:
• BlackBerry OS (version 5.0 to 7.1)
Description: You can manage the server, devices, and user accounts with the BlackBerry Administration Service. For high availability, you can install standby instances of most server components.

Enterprise solution comparison chart

This quick reference compares supported devices and features across BES12 version 12.2, BES10 version 10.2, and BES5 version 5.0.4.

For more information about OS compatibility, see the Compatibility Matrix in the Installation and upgrade content.


Device activation

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Supported device types | Supports devices running BlackBerry OS | Supports: BlackBerry 10; BlackBerry PlayBook; Android; iOS | Supports: BlackBerry 10; BlackBerry OS *; Android (including Android for Work and Samsung KNOX); iOS; Windows Phone
Activation methods | Supports wireless activation over the mobile network or over a Wi-Fi network. Supports wired activation for BlackBerry OS devices using: BlackBerry Administration Service; BlackBerry Desktop Software; BlackBerry Web Desktop Manager | Supports wireless activation over the mobile network or over a Wi-Fi network. Supports wired activation for BlackBerry 10 devices and BlackBerry PlayBook tablets using: BlackBerry Administration Service; BlackBerry Web Desktop Manager | Supports wireless activation over the mobile network or over a Wi-Fi network. Supports wired activation for BlackBerry 10 devices using: BlackBerry Wired Activation Tool
Simplified wireless activation using the BlackBerry Infrastructure | | √ | √
Wired activation for more than one device at a time | | | √
Activation types | Supports: BlackBerry Balance (optional) | Supports: BlackBerry Balance; Regulated BlackBerry Balance; Work space only; Secure Work Space with user privacy; Secure Work Space with full device control; MDM controls | Supports: BlackBerry Balance; Regulated BlackBerry Balance; Work space only; Android for Work with user privacy; Samsung KNOX Workspace with full device control; Secure Work Space with user privacy; Secure Work Space with full device control; MDM controls

* Requires upgrade from BES5

Email, calendar, and contacts synchronization

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Supported messaging environments | Supports: Microsoft Exchange; IBM Domino; Novell GroupWise | Supports messaging environments that support Exchange ActiveSync* | Supports messaging environments that support Exchange ActiveSync*. Additional support for Microsoft Exchange and IBM Domino for BlackBerry OS devices.**

* For more information about supported messaging environments, see the Compatibility matrix content.

** Requires upgrade from BES5

Console features

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Unified management console to manage BlackBerry 10, BlackBerry OS, iOS, Android, and Windows Phone devices | | Limited | √
Custom administrative roles | √ | √ | √
Self-service console for device users | √ | √ | √
Company directory integration | Supports: Microsoft Active Directory; LDAP | Supports: Microsoft Active Directory; LDAP | Supports: Microsoft Active Directory; LDAP
Synchronization of users and groups from the company directory | √* | Limited | √
Local user accounts | | √ | √
Dashboard reporting | | √ | √
Device detail reporting | | √ | √
Administration auditing | √ | √ | √
High availability support | Active-passive | Active-passive | Active-active
Languages | Supports: English; Brazilian Portuguese; French; German; Italian; Japanese; Spanish | Supports: English; French; German; Japanese | Supports: English

* Requires the BlackBerry Directory Sync Tool

Security features

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Enhanced email encryption | Supports: S/MIME; PGP; NNE | Supports S/MIME on BlackBerry 10 devices and iOS devices only | Supports: S/MIME on iOS, Android, BlackBerry 10, and BlackBerry OS devices *; PGP on BlackBerry 10 and BlackBerry OS devices *; NNE on iOS, Android, Windows Phone, and BlackBerry 10 devices
Separation between personal space and work space on the device | √ | √ | √
Protection for lost and stolen devices | √ | √ | √
Apply IT policy rules to control device capabilities | √ | √ | √
Certificate enrollment for devices | √ | √ | √
Secure connection to your intranet (through the BlackBerry Infrastructure) | √ | √** | √**
Configure TCP proxy for apps in the work space to connect to the BlackBerry Infrastructure | √ | √ | √
End-to-end encrypted IP traffic between device and organization's network using BlackBerry Secure Connect Plus | | | Supports: BlackBerry 10 devices; KNOX Workspace devices; Android for Work devices
Gatekeeping to control which devices can access Exchange ActiveSync | | √ | √
Restrict activations by device model | | | √

* Support for S/MIME and PGP on BlackBerry OS devices requires an upgrade from a BES5 server. Support for S/MIME on Android devices requires Secure Work Space.

** Requires Secure Work Space for iOS and Android devices

Application management features

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Assign public and internal apps | √ | √* | √*
Manage groups of apps | √ | √ | √
Restrict app installation on devices | √ | √ | √
Search for and add apps from the management console | | | √
Manage device OS updates | √ | Supports BlackBerry 10 devices only | Supports: BlackBerry 10 devices; BlackBerry OS devices **
Manage app licenses | | | Supports Apple VPP for iOS devices only

* Optional applications are made available in BlackBerry World for Work on BlackBerry 10 devices. Required and optional applications are made available in Work Apps and the BES12 Client on Android and iOS devices. Only public apps can be distributed for devices that use Android for Work.

** Ability to allow or disallow OS updates using an IT policy only; requires upgrade from BES5


Support for additional mobility software

Feature | BES5 version 5.0.4 | BES10 version 10.2 | BES12 version 12.2
Instant messaging environments for work | Supports: IBM Sametime; Microsoft Office Communications Server 2007; Microsoft Lync Server; Novell GroupWise Messenger | Supports BlackBerry 10 devices only in the following environments: IBM Sametime; Microsoft Office Communications Server 2007 R2; Microsoft Lync Server | Supports BlackBerry 10 and BlackBerry OS devices only in the following environments*: IBM Sametime; Microsoft Lync Server
VPN Authentication by BlackBerry | √ | √ | √
BBM Protected | √ | √ | √
BlackBerry Blend | | √ | √

* Support for BlackBerry OS devices requires upgrade from BES5

More information

For more information, visit help.blackberry.com/detectLang/category/enterprise-services/ to read the following content:

• BES5 Feature and technical overview
• BES5 Product overview
• BES10 Compatibility matrix
• BES12 Overview and what's new
• BES12 Compatibility matrix

24 Architecture: BES12 solution

Architecture: BES12 solution

Component Description

APNs The APNs is a service for iOS devices that Apple provides. BES12 uses the APNs to notify iOS devices to contact BES12 for updates and to provide information for your organization’s device inventory.

BES12 BES12 is a service that allows you to manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices in your organization's environment.

BlackBerry Infrastructure The BlackBerry Infrastructure registers user information for device activation, validates licensing information for BES12, and provides a secure communication channel for devices outside the firewall to access your organization's network.

Devices BES12 supports BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices.

GCM GCM is a service for Android devices that Google provides. BES12 uses GCM to notify Android devices to contact BES12 for updates and to provide information for your organization’s device inventory.

Routing components By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101, and you do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, you can install the BlackBerry Router or a TCP proxy server. The BlackBerry Router or TCP proxy server acts as an intermediary between BES12 and the BlackBerry Infrastructure.

Third-party applications Additional applications in your organization's environment, including the company directory, mail server, certificate authorities, and application servers.


Components used in the BES12 solution

Component name Description

BES12 Core The BES12 Core is the central component of BES12 architecture and consists of several subcomponents that are responsible for:

• Logging, monitoring, reporting, and management functions
• Authentication and authorization services for the BES12 Core local directory and company directories
• Scheduling and sending commands, IT policies, and profiles to devices

If there are multiple BES12 instances in the domain, all the BES12 Core instances are active, and each of them can connect to the BlackBerry Infrastructure and process traffic. After you install BES12 on a computer, you can install the BES12 Core on another computer.

BES12 database The BES12 database is a relational database that contains user account information and configuration information that BES12 uses to manage devices. You can install the BES12 database on the same computer as a BES12 instance, or on a separate computer. For redundancy or business continuity, you can configure database mirroring.

BlackBerry Infrastructure The BlackBerry Infrastructure registers user information for device activation and validates licensing information for BES12. All the data that travels between the BlackBerry Infrastructure and BES12 is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

BlackBerry Router By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101. You do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, or that all systems must connect through another system in the DMZ, you can install the BlackBerry Router. The BlackBerry Router acts as a proxy server for connections over the BlackBerry Infrastructure between BES12 and all devices. The BlackBerry Router can support SOCKS v5 with no authentication. For more information, see the Configuration content.

For BlackBerry OS (version 5.0 to 7.1) devices, the BlackBerry Router also sends data directly to and receives data from devices that are connected to a work Wi-Fi network or to a computer that has the BlackBerry Device Manager.

If you upgrade from BES5.0.4 MR10 to BES12, the BlackBerry Router you originally installed with your BES5 continues to work only for the components used to manage BlackBerry OS devices. If you install a new instance of the BlackBerry Router with BES12, you can configure it to work with all components.

Management console The management console is a web-based UI that is used to:

• Complete postinstallation configuration settings
• View and manage users, devices, policies, profiles, and apps
• View and manage system settings, including customizing the activation email message and adding an APNs certificate
• Move IT policies, profiles, groups, and users to BES12


The management console also provides access to BES12 Self-Service and allows iOS device users to manage apps using the Work Apps icon. After you install BES12 on a computer, you can install the management console on another computer.

TCP proxy If your organization already has a TCP proxy server installed or requires one to meet networking requirements, you can use a TCP proxy server instead of the BlackBerry Router. The TCP proxy server can support SOCKS v5 with no authentication. For more information, see the Configuration content.

If you use an existing TCP proxy server instead of the BlackBerry Router, BlackBerry OS devices that are connected to a work Wi-Fi network or to a computer that has BlackBerry Device Manager installed cannot bypass the BlackBerry Infrastructure to connect to your organization's network.


Components used to manage BlackBerry 10, iOS, Android, and Windows Phone devices

Component name Description

BES12 Self-Service Users can access BES12 Self-Service to set an activation password and send device commands, such as set password, lock device, and delete device data to their BlackBerry 10, iOS, Android, or Windows Phone devices. Users can also delete device data from their BlackBerry OS (version 5.0 to 7.1) devices.

BlackBerry Affinity Manager The BlackBerry Affinity Manager is responsible for maintaining an active SRP connection to the BlackBerry Infrastructure. If there are multiple BES12 instances in the domain, the BlackBerry Affinity Manager runs on all instances but only one BlackBerry Affinity Manager instance is active and responsible for maintaining a connection to the BlackBerry Infrastructure and processing traffic.

The BlackBerry Affinity Manager configures the Exchange ActiveSync connectivity and logging settings for the BlackBerry Work Connect Notification Service. It also assigns BlackBerry 10 devices to the BlackBerry Dispatcher using the information in the BES12 database. If a BlackBerry 10 device is moved to a different BES12 instance, the BlackBerry Affinity Manager performs all of the steps required to move the user to the new instance so that the user does not have to do anything for the device to maintain BES12 services.


BlackBerry Collaboration Service The BlackBerry Collaboration Service provides an encrypted connection between your organization's instant messaging server and the Enterprise IM app on BlackBerry 10 devices so that users can start and manage instant messaging conversations on their devices. The BlackBerry Collaboration Service is an optional component and is available as a separate installation.

BlackBerry Dispatcher The BlackBerry Dispatcher provides secure connectivity for BlackBerry 10 devices. The BlackBerry Dispatcher dynamically updates the devices that it handles based on the list it receives from the active BlackBerry Affinity Manager.

BlackBerry Gatekeeping Service The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BES12. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed through the BES12 management console by an administrator.

BlackBerry MDS Connection Service The BlackBerry MDS Connection Service provides a secure connection between BlackBerry 10 devices and your organization's network when the device is not connected to your work Wi-Fi network or using a VPN connection. It is also responsible for providing enterprise data push services for BlackBerry 10 devices.

BlackBerry Secure Connect Plus BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.

BlackBerry Work Connect Notification Service The BlackBerry Work Connect Notification Service is a web service responsible for providing new and changed email and organizer notifications to iOS devices that are using Secure Work Space.

iOS devices are restricted from running applications in the background, with specific exceptions such as the default mail application. This means Secure Work Space applications cannot receive new data such as email notifications unless the application is open or unless the notification comes from the APNs. The BlackBerry Work Connect Notification Service sends the email and organizer notifications to the BlackBerry Infrastructure, where they are sent to the device using the APNs.

If there are multiple BES12 instances in the domain, only one instance of the BlackBerry Work Connect Notification Service is active and processing notifications. The BlackBerry Affinity Manager is responsible for starting another BlackBerry Work Connect Notification Service instance if the active one stops.

APNs APNs is a service that Apple provides that sends notifications to iOS devices. BES12 sends notifications to iOS devices to contact BES12 for updates and to report information for your organization’s device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the device using the APNs.


GCM GCM is a service that Google provides for Android devices. BES12 sends notifications to Android devices to contact BES12 for updates and to report information for your organization’s device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the device using the GCM.


Components used to manage BlackBerry OS devices

Component name Description

BlackBerry Administration Service You can use the BlackBerry Administration Service to configure BlackBerry OS device software updates, and VPN and Wi-Fi profiles for BlackBerry OS (versions 5.0 to 7.1) devices.

The BlackBerry Administration Service connects to the BES12 database. It also provides connection services for the management console so that you can manage BlackBerry OS devices.

BlackBerry Attachment Service The BlackBerry Attachment Service converts supported attachments into a format that can be viewed on BlackBerry OS devices. The BlackBerry Attachment Service converts attachments for the BlackBerry Messaging Agent, the BlackBerry MDS Connection Service for BlackBerry OS, and the BlackBerry Collaboration Service.

BlackBerry Collaboration Service for BlackBerry OS The BlackBerry Collaboration Service for BlackBerry OS is an optional component that provides a connection between your organization's instant messaging server and the collaboration client on BlackBerry OS devices.


BlackBerry Controller The BlackBerry Controller monitors components used to manage BlackBerry OS devices and restarts these components when they stop responding.

BlackBerry Dispatcher for BlackBerry OS The BlackBerry Dispatcher for BlackBerry OS performs the following functions:

• Transfers data between components used to manage BlackBerry OS devices
• Compresses and encrypts data that is sent to BlackBerry OS devices
• Decrypts and decompresses data that is received from BlackBerry OS devices
• Monitors and communicates the health of BlackBerry OS management components
• Starts the processing of BlackBerry OS device users on the BlackBerry Messaging Agent

BlackBerry Mail Store Service The BlackBerry Mail Store Service connects to the mail servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the mail servers.

BlackBerry MDS Connection Service for BlackBerry OS The BlackBerry MDS Connection Service for BlackBerry OS permits applications on BlackBerry OS devices to connect to your organization's application or content servers for application data and updates.

BlackBerry Messaging Agent The BlackBerry Messaging Agent performs the following functions:

• Connects to the mail server to provide messaging services, calendar management, contact lookups, attachment viewing, and attachment retrieval for BlackBerry OS devices
• Allows the BlackBerry Synchronization Service to access organizer data on the mail server
• Synchronizes configuration data between the BES12 database and BlackBerry OS device user mailboxes on the mail server

BlackBerry Policy Service The BlackBerry Policy Service performs administration services for BlackBerry OS devices over the wireless network, such as sending IT policies, device commands, and service books.

BlackBerry Synchronization Service The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry OS devices and your organization's mail server using the BlackBerry Messaging Agent. The BlackBerry Synchronization Service also synchronizes BlackBerry OS device user data with the BES12 database.

BlackBerry Web Desktop Manager BlackBerry OS device users can access BlackBerry Web Desktop Manager to set an activation password, activate their devices by connecting them to the computer, and perform other device management functions for their BlackBerry OS devices, such as updating the device software or sending device commands.

34 Activating devices

Activating devices

When you activate a device, you associate the device with BES12 so that you can manage devices and users can access work data on their devices.

When a device is activated, you can send IT policies and profiles to control the available features and manage the security of work data. You can also assign apps for the user to install. Depending on how much control the selected activation type allows, you may also be able to protect the device by restricting access to certain data, remotely setting passwords, locking the device, or deleting data.

You can assign activation types to accommodate the requirements of devices owned by your organization and devices owned by users. Different activation types give you different degrees of control over the work and personal data on devices, ranging from full control over all data to specific control over work data only.

Data flow: Activating a BlackBerry 10 device

1. You perform the following actions:
a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
b. Assign an activation profile to the user
c. Use one of the following options to provide the user with activation details:
• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user performs the following actions:
a. Types the username and activation password on the device
b. For a "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts. For other activation types, the Enterprise Management Agent on the device performs the following actions:
a. Establishes a connection to the BlackBerry Infrastructure
b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
a. Verifies that the user is a valid, registered user
b. Retrieves the BES12 address for the user
c. Sends the address to the Enterprise Management Agent
5. The device performs the following actions:
a. Establishes a connection with BES12
b. Generates a shared symmetric key, used to protect the CSR and the response from BES12, using the activation password and EC-SPEKE
c. Creates an encrypted CSR and HMAC as follows:
• Generates a key pair for the certificate
• Creates a PKCS#10 CSR that includes the public key of the key pair
• Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
• Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR
d. Sends the encrypted CSR and HMAC to BES12
6. BES12 performs the following actions:
a. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key
b. Retrieves the username, work space ID, and your organization's name from the BES12 database
c. Packages a client certificate using the information it retrieved and the CSR that the device sent
d. Signs the client certificate using the enterprise management root certificate
e. Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding
f. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 URL and appends it to the encrypted data
g. Sends the encrypted data and HMAC to the device
7. The device performs the following actions:
a. Verifies the HMAC
b. Decrypts the data it received from BES12
c. Stores the client certificate and the enterprise management root certificate in its keystore
8. BES12 performs the following actions:
a. BES12 Core assigns the new device to a BES12 instance in the domain
b. BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance
c. The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device
d. The BlackBerry Dispatcher starts processing configuration data for the device
9. The device and the BlackBerry Dispatcher perform the following actions:
a. Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for BES12 using the enterprise management root certificate
b. Generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES12
10. The device stores the device transport key in its keystore.
11. The BlackBerry Dispatcher stores the device transport key in the database and sends the IT policy, SRP information, profiles, and required apps to the device over TLS.
12. The device sends an acknowledgment over TLS to BES12 that it received and applied the IT policy and other data and has created the work space. The activation process is complete.

The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve.
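The CSR exchange in steps 5 to 7, as an added example in Go written for this page; it is not BlackBerry's code and does not reproduce the Enterprise Management Agent or BES12 internals. It assumes a 32-byte shared key has already been agreed (standing in for the EC-SPEKE output derived from the activation password), an IV || ciphertext || tag framing for "the encrypted data and HMAC", the single shared key used for both AES-256-CBC and HMAC-SHA256, and that the username, work space ID and organization name are carried as the certificate's CN, OU and O; the guide specifies none of these details. Key pairs use the NIST P-521 curve noted above. Names such as Seal, Open, DeviceCSR and ServerIssue are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup failures panic; protocol checks below return errors
	if err != nil {
		panic(err)
	}
	return v
}

// Seal: AES-256-CBC with PKCS#5 padding, then HMAC-SHA256 appended (steps 5c, 6e-6f); the IV||ct||tag framing and one key for both AES and HMAC are assumptions.
func Seal(shared, msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	plain := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(plain))
	must(rand.Read(out[:aes.BlockSize])) // fresh random IV in the first block
	cipher.NewCBCEncrypter(must(aes.NewCipher(shared)), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], plain)
	h := hmac.New(sha256.New, shared)
	h.Write(out)
	return h.Sum(out)
}

// Open verifies the HMAC first (steps 6a, 7a); a message that fails the tag is rejected before any decryption (7b).
func Open(shared, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size || (len(sealed)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	h := hmac.New(sha256.New, shared)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, errors.New("HMAC verification failed")
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(must(aes.NewCipher(shared)), body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return plain[:len(plain)-n], nil
}

// NewRoot builds a self-signed stand-in for the enterprise management root certificate on the P-521 curve.
func NewRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P521(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enterprise Management Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// DeviceCSR: the device generates its key pair, builds a PKCS#10 CSR, and seals it for BES12 (steps 5c-5d).
func DeviceCSR(shared []byte) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P521(), rand.Reader))
	return key, Seal(shared, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)))
}

// ServerIssue: BES12 opens the CSR, checks proof of possession, binds the looked-up username/work space ID/organization (assumed CN/OU/O), signs with the root, and seals the reply (step 6).
func ServerIssue(shared, sealed []byte, root *x509.Certificate, rootKey *ecdsa.PrivateKey, user, wsID, org string) ([]byte, error) {
	csrDER, err := Open(shared, sealed)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // the device must prove it holds the private key it is enrolling
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: user, OrganizationalUnit: []string{wsID}, Organization: []string{org}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return Seal(shared, must(x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey))), nil
}

func main() { // stand-alone run; the hashed constant stands in for the EC-SPEKE shared key
	shared := sha256.Sum256([]byte("constructed activation secret"))
	root, rootKey := NewRoot()
	_, sealedCSR := DeviceCSR(shared[:])
	_, err := ServerIssue(shared[:], sealedCSR, root, rootKey, "alice", "ws-1", "Example Org")
	println("certificate issued:", err == nil)
}
```

Two checks carry the security weight. Open compares the HMAC in constant time and refuses to decrypt anything that fails it, so a modified CSR or reply never reaches the CBC decryption or the padding check, and a wrong activation password (a different shared key) fails at the same point. ServerIssue calls CheckSignature on the CSR, so BES12 only binds a username and work space to a key whose private half the device has proven it holds. On the device, step 7 is Open followed by x509 chain verification of the returned certificate against the enterprise management root. Reusing the shared key for both AES and HMAC follows the guide's wording; a deployment would normally derive separate subkeys.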


Data flow: Activating an Android device

1. You perform the following actions:
a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
b. Make sure the activation profile "MDM controls," "Work and personal - full control (Secure Work Space)," or "Work and personal - user privacy (Secure Work Space)" is assigned to the user
c. Use one of the following options to provide the user with activation details:
• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password
2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:
a. Establishes a connection to the BlackBerry Infrastructure
b. Sends a request for activation information to the BlackBerry Infrastructure
4. The BlackBerry Infrastructure performs the following actions:
a. Verifies that the user is a valid, registered user
b. Retrieves the BES12 address for the user
c. Sends the address to the BES12 Client
5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:
a. Inspects the credentials for validity
b. Creates a device instance
c. Associates the device instance with the specified user account in the BES12 database
d. Adds the enrollment session ID to an HTTP session
e. Sends a successful authentication message to the device
10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:
a. Validates the client certificate request against the enrollment session ID in the HTTP session
b. Signs the client certificate request with the root certificate
c. Sends the signed client certificate and root certificate back to the BES12 Client
A mutually authenticated TLS session is established between the BES12 Client and BES12.
12. The BES12 Client requests all configuration information and sends the device and software information to BES12.
13. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX MDM and is running a supported MDM version. If the device uses KNOX MDM, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM IT policy rules from BES12.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

If the activation type for the device is "Work and personal - full control (Secure Work Space)" or "Work and personal - user privacy (Secure Work Space)," after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install or may need to manually install some or all of the following apps:

• Secure Work Space
• Work Space Manager
• Documents To Go


Data flow: Activating a device to use KNOX Workspace

1. You perform the following actions:

a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
b. Make sure the "Work and personal - full control (Samsung KNOX)" or "Work space only - (Samsung KNOX)" activation type is assigned to the user
c. Use one of the following options to provide the user with activation details:

• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password

2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:

a. Establishes a connection to the BlackBerry Infrastructure
b. Sends a request for activation information to the BlackBerry Infrastructure

4. The BlackBerry Infrastructure performs the following actions:

a. Verifies that the user is a valid, registered user
b. Retrieves the BES12 address for the user
c. Sends the address to the BES12 Client

5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:

a. Inspects the credentials for validity
b. Creates a device instance
c. Associates the device instance with the specified user account in the BES12 database
d. Adds the enrollment session ID to an HTTP session
e. Sends a successful authentication message to the device

10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS.
11. BES12 performs the following actions:

a. Validates the client certificate request against the enrollment session ID in the HTTP session
b. Signs the client certificate request with the root certificate
c. Sends the signed client certificate and root certificate back to the BES12 Client

A mutually authenticated TLS session is established between the BES12 Client and BES12.

12. The BES12 Client requests all configuration information and sends the device and software information to BES12.
13. BES12 stores the device information in the database and sends the requested configuration information to the device.
14. The BES12 Client determines if the device uses KNOX Workspace and is running a supported version. If the device uses KNOX Workspace, the device connects to the Samsung infrastructure and activates the KNOX management license. After it is activated, the BES12 Client applies the KNOX MDM and KNOX Workspace IT policy rules.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

After the activation is complete, the user is prompted to create a work space password that is used to set up and protect the KNOX Workspace. Data in the KNOX Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Note: If the device is activated with the "Work space only - (Samsung KNOX)" activation type, the personal space is removed when the KNOX Workspace is set up.


Data flow: Activating a device to use Android for Work

1. You perform the following actions:

• Verify that the user has a Google account that is associated with the user’s work email address

Note: Optionally, you can configure BES12 to create the Google account for the user during the activation process. When BES12 creates the account for the user in Google, the user receives an email from the Google domain with their Google account password.

• Add a user to BES12 as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's Google account.
• Make sure the "Work and personal - user privacy (Android for Work)" or the "Work and personal - user privacy (Android for Work - Premium)" activation type is assigned to the user
• Use one of the following options to provide the user with activation details:

◦ Automatically generate a device activation password and send an email with activation instructions for the user
◦ Set a device activation password and communicate the username and password to the user directly or by email
◦ Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password


2. The user downloads BES12 Client from Google Play and installs it on the device. After it is installed, the user opens the BES12 Client and enters their email address and activation password.
3. The BES12 Client on the device performs the following actions:

• Establishes a connection to the BlackBerry Infrastructure
• Sends a request for activation information to the BlackBerry Infrastructure

4. The BlackBerry Infrastructure performs the following actions:

• Verifies that the user is a valid, registered user
• Retrieves the BES12 address for the user
• Sends the address to the BES12 Client

5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:

• Determines the activation type assigned to the user account
• Connects to the managed Google domain to verify the user information
• Creates a device instance
• Associates the device instance with the specified user account
• Adds the enrollment session ID to an HTTP session
• Sends a successful authentication message to the device

10. If the device is not encrypted, the user is prompted to encrypt the device.
11. The BES12 Client performs the following actions:

• Prompts the user for the user's Google account information
• Connects to the managed Google domain to authenticate the user
• Creates a CSR using the information received from BES12 and sends a client certificate request to BES12 over HTTPS

12. BES12 performs the following actions:

• Validates the client certificate request against the enrollment session ID in the HTTP session
• Signs the client certificate request with the root certificate
• Sends the signed client certificate and root certificate back to the BES12 Client

A mutually authenticated TLS session is established between the BES12 Client and BES12.

13. The BES12 Client requests all configuration information and sends the device and software information to BES12.
14. BES12 stores the device information and sends the requested configuration information to the device.
15. The device sends an acknowledgment to BES12 that it received and applied the configuration information. The activation process is complete.

Data flow: Activating an iOS device

1. If you plan to use Apple's Device Enrollment Program, you perform the following actions:

a. Make sure that BES12 is configured to synchronize with DEP
b. Register the device in DEP and assign it to an MDM server
c. Assign an enrollment configuration to the device

2. You perform the following actions:

a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
b. Assign an activation profile to the user
c. Use one of the following options to provide the user with activation details:

• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password

3. If the device is registered in the Apple DEP, the device communicates with the Apple DEP web service during its initial setup. If you configured the device to install the BES12 Client, the device automatically downloads and installs it.
4. If the device is not registered in the Apple DEP or if you did not configure the device to install the BES12 Client, the user manually downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
5. The BES12 Client on the device performs the following actions:

a. Establishes a connection to the BlackBerry Infrastructure
b. Sends a request for activation information to the BlackBerry Infrastructure

6. The BlackBerry Infrastructure performs the following actions:

a. Verifies that the user is a valid, registered user
b. Retrieves the BES12 address for the user
c. Sends the address to the BES12 Client

7. The BES12 Client establishes a connection with BES12.
8. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If the certificate has been preinstalled on the device, it is trusted. Otherwise, it is untrusted.
9. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
10. BES12 performs the following actions:

a. Inspects the credentials for validity
b. Creates a device instance
c. Associates the device instance with the specified user account in the BES12 database
d. Adds the enrollment session ID to an HTTP session
e. Sends a successful authentication message to the device

11. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
12. BES12 performs the following actions:

a. Validates the client certificate request against the enrollment session ID in the HTTP session
b. Signs the client certificate request with the root certificate
c. Sends the signed client certificate and root certificate back to the BES12 Client

A mutually authenticated TLS session is established between the BES12 Client and BES12.


13. The BES12 Client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the link for the native MDM Daemon activation. The BES12 Client establishes a connection to BES12.
14. BES12 provides the MDM profile to the BES12 Client. This profile contains the MDM activation URL and the challenge. The MDM profile is wrapped as a PKCS#7 signed message that includes the full certificate chain of the signer, which allows the device to validate the profile. This triggers the enrollment process.
15. The native MDM Daemon on the device sends the device profile, including the customer ID, language, and OS version, to BES12.
16. BES12 validates that the request is signed by a CA and responds to the native MDM Daemon with a successful authentication notification.
17. The native MDM Daemon sends a request to BES12 asking for the CA certificate, CA capabilities information, and a device issued certificate.
18. BES12 sends the CA certificate, CA capabilities information, and the device issued certificate to the native MDM Daemon.
19. The native MDM Daemon installs the MDM profile on the device. The BES12 Client notifies BES12 of the successful installation of the MDM profile and certificate and polls BES12 periodically until it acknowledges that the MDM activation is complete.
20. BES12 acknowledges that the MDM activation is complete.
21. The BES12 Client requests all configuration information and sends the device and software information to BES12.
22. BES12 stores the device information in the database and sends configuration information to the device.
23. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.

If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control," after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:

• Work Connect
• Work Browser
• Documents To Go

Note: If the device is activated with the "Work and personal - user privacy" activation type, the users are not prompted to install the secure apps and must manually download and install them.


Data flow: Activating a Windows Phone device

1. You perform the following actions:

a. Add a user to BES12 as a local user account or using the account information retrieved from your company directory
b. Assign an activation profile to the user
c. Use one of the following options to provide the user with activation details:

• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password

2. The user downloads and installs the BES12 Client on the device. After it is installed, the user opens the BES12 Client and enters the email address and activation password on the device.
3. The BES12 Client on the device performs the following actions:

a. Establishes a connection to the BlackBerry Infrastructure
b. Sends a request for activation information to the BlackBerry Infrastructure

4. The BlackBerry Infrastructure performs the following actions:

a. Verifies that the user is a valid, registered user
b. Retrieves the BES12 address for the user
c. Sends the address to the BES12 Client

5. The BES12 Client establishes a connection with BES12.
6. BES12 prompts the user to accept the BES12 certificate. This prompt includes information about the SSL certificate, including the Common Name and fingerprint.
7. The user accepts the certificate.
8. The BES12 Client sends an activation request to BES12. The activation request includes the username, password, device operating system, and unique device identifier.
9. BES12 performs the following actions:

a. Inspects the credentials for validity
b. Creates a device instance
c. Associates the device instance with the specified user account in the BES12 database
d. Adds the enrollment session ID to an HTTP session
e. Sends a successful authentication message to the device

10. The BES12 Client creates a CSR using the information received from BES12 and sends a client certificate request over HTTPS.
11. BES12 performs the following actions:

a. Validates the client certificate request against the enrollment session ID in the HTTP session
b. Signs the client certificate request with the root certificate
c. Sends the signed client certificate and root certificate back to the BES12 Client

A mutually authenticated TLS session is established between the BES12 Client and BES12.

12. The BES12 Client displays a message and a video to show the user the steps the user must take to complete the activation. The BES12 Client sends the device information to BES12.
13. The user copies the server address and navigates to the Windows Phone settings to complete the activation. The user adds an account using their username and activation password and pastes the server address.
14. The native MDM Daemon on the Windows Phone device sends a CSR to BES12 that contains the username and activation password.
15. BES12 validates the username and password, validates the CSR and returns the client certificate and the CA certificate to the device.

All communication between the native MDM Daemon and BES12 is now mutually authenticated end to end using these certificates.

16. The BES12 Client polls BES12 periodically until it acknowledges that the MDM activation is complete.
17. BES12 acknowledges that the MDM activation is complete.
18. The BES12 Client requests all configuration information.
19. BES12 stores the device information in the database and sends configuration information to the device.
20. The device sends an acknowledgment to BES12 that it received and applied the configuration updates. The activation process is complete.
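The activation exchange that the KNOX MDM, KNOX Workspace, Android for Work, iOS, and Windows Phone data flows above share (the activation request with username, password, operating system, and unique device identifier; the credential check, device instance, and enrollment session ID; and the client certificate request that BES12 accepts only against that session) can be modelled in a few dozen lines. The following Python is an added illustration, not BlackBerry's code: the record layout, the PBKDF2 storage of the activation password, the session lifetime, and the HMAC "signature" standing in for the root certificate's X.509 signing are all assumptions made for the example. What it shows is why steps 9d and 11a exist: a certificate request that does not match the user and device the session was opened for, that reuses a session, or that arrives after the session expired is refused, so possession of a valid activation password for one device cannot be turned into a certificate for another.

```python
"""Model of BES12 Client activation, steps 8 to 11 of the data flows above.
Added illustration, not BlackBerry code; see the comments for what is assumed."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000       # assumption: how the activation password is stored server-side
SESSION_TTL_SECONDS = 600     # assumption: enrollment session lifetime


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes
    activation_type: str


@dataclass
class EnrollmentSession:
    session_id: str
    email: str
    device_id: str
    created: float
    csr_done: bool = False    # one client certificate request per enrollment session


@dataclass
class ActivationServer:
    """Server side.  root_key stands in for the BES12 root certificate's private key."""
    root_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    users: dict = field(default_factory=dict)
    devices: dict = field(default_factory=dict)     # (email, device_id) -> device instance
    sessions: dict = field(default_factory=dict)    # session_id -> EnrollmentSession

    def add_user(self, email: str, activation_password: str, activation_type: str) -> None:
        """Step 1: the administrator adds the user and sets an activation password."""
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", activation_password.encode(), salt, PBKDF2_ROUNDS)
        self.users[email] = UserRecord(email, salt, pw_hash, activation_type)

    def activate(self, email: str, activation_password: str, device_os: str,
                 device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 8 and 9: check credentials, create the device instance, open an enrollment session."""
        now = time.time() if now is None else now
        user = self.users.get(email)
        if user is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", activation_password.encode(), user.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, user.pw_hash):
            return None                                         # 9a: credentials invalid
        self.devices[(email, device_id)] = {"os": device_os, "type": user.activation_type, "cert": None}  # 9b, 9c
        sid = secrets.token_urlsafe(24)                         # 9d: enrollment session ID
        self.sessions[sid] = EnrollmentSession(sid, email, device_id, now)
        return sid                                              # 9e: successful authentication message

    def sign_csr(self, session_id: str, csr: dict, now: Optional[float] = None) -> Optional[dict]:
        """Steps 10 and 11: accept the client certificate request only against its enrollment session."""
        now = time.time() if now is None else now
        sess = self.sessions.get(session_id)
        if sess is None or sess.csr_done or now - sess.created > SESSION_TTL_SECONDS:
            return None
        # 11a: the request must name the user and device the session was opened for
        if csr.get("email") != sess.email or csr.get("device_id") != sess.device_id or "public_key" not in csr:
            return None
        sess.csr_done = True
        # 11b: HMAC over the to-be-signed fields stands in for signing with the root certificate (assumption)
        tbs = f"{csr['email']}|{csr['device_id']}|{csr['public_key']}".encode()
        cert = {"subject": dict(csr), "sig": hmac.new(self.root_key, tbs, "sha256").hexdigest()}
        self.devices[(sess.email, sess.device_id)]["cert"] = cert
        return cert                                             # 11c: signed client certificate

    def verify_cert(self, cert: dict) -> bool:
        """What the TLS layer relies on afterwards: the certificate was issued by this server."""
        s = cert["subject"]
        tbs = f"{s['email']}|{s['device_id']}|{s['public_key']}".encode()
        return hmac.compare_digest(cert["sig"], hmac.new(self.root_key, tbs, "sha256").hexdigest())


def run_activation(server: ActivationServer, email: str, password: str, device_os: str,
                   device_id: str, public_key: str = "pk-constructed") -> Optional[dict]:
    """Client side: steps 8 and 10 in order.  Returns the signed certificate or None."""
    sid = server.activate(email, password, device_os, device_id)
    if sid is None:
        return None
    csr = {"email": email, "device_id": device_id, "public_key": public_key}
    return server.sign_csr(sid, csr)
```

Constant-time comparison is used for both the password hash and the certificate signature, and a failed certificate request does not consume the session, so a transient client error does not force the user to re-enter the activation password.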

Data flow: Activating a BlackBerry OS device

1. You use the management console to create a new user account and use one of the following options to provide the user with activation details:

• Automatically generate a device activation password and send an email with activation instructions for the user
• Set a device activation password and communicate the username and password to the user directly or by email
• Don't set a device activation password and communicate the BlackBerry Web Desktop Manager address to the user so that they can set their own activation password

The device user list stored in the BES12 database is updated with the new device user name, email address, mailbox information, activation password, activation status, and other information.

2. The BlackBerry Dispatcher for BlackBerry OS assigns the new user to a BlackBerry Messaging Agent. The BlackBerry Messaging Agent starts to monitor the user's mailbox on the mail server for new email. An email containing an etp.dat file attachment is required to continue the activation process.
3. The device user navigates to the Enterprise Activation screen on the BlackBerry OS (version 5.0 to 7.1) device and types the email address and activation password. The device user opens the menu and clicks Activate. The device displays "Activating."


4. The device creates an activation request email that contains the email address, device PIN, and public key authentication information, based on the enterprise activation password the user typed. The device encrypts the email using SPEKE and sends it to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure receives the activation request email and identifies it as an activation request. The BlackBerry Infrastructure forwards the email using SMTP to the email address that the user typed on the Enterprise Activation screen.
6. When the activation request email arrives in the user's mailbox, the BlackBerry Messaging Agent identifies it and removes it from the user's mailbox. The BlackBerry Messaging Agent recognizes the etp.dat attachment in the activation request email and begins an authentication process.
7. The BlackBerry Messaging Agent compares the authentication key received in the activation request email with the authentication key generated from the activation password and stored in the BES12 database. If the authentication keys match, the BlackBerry Messaging Agent notifies the BlackBerry OS device that the activation request was received.
8. BES12 and the BlackBerry OS device establish an encryption key and verify their knowledge of the encryption key to each other.

The BlackBerry OS device displays "Encryption Verified. Waiting for Services."

All the data sent between the BlackBerry OS device and BES12 from now on is compressed and encrypted using this encryption key and the device can now be managed from the management console.

9. The BlackBerry Messaging Agent forwards a request to the BlackBerry Policy Service to generate service books. The BlackBerry Policy Service receives and queues the request. The BlackBerry Policy Service adds the unique authentication key that the BES12 domain uses to sign IT policy data and then forwards the IT policy data through the BlackBerry Dispatcher for BlackBerry OS to the device. The BlackBerry Policy Service waits for confirmation from the device that the IT policy has been applied successfully.
10. The BlackBerry OS device applies the IT policy and sends a confirmation to BES12. The IT policy applied to the BlackBerry OS device is now in a read-only state and can be modified only by updates sent from the same BES12 domain.
11. Once the BlackBerry Policy Service receives confirmation that the IT policy was applied successfully, the BlackBerry Policy Service generates and sends the service books to the BlackBerry OS device.
12. The BlackBerry OS device receives the service books. The device user is notified that the email address has been activated.

The BlackBerry OS device displays "Services Received. Your email address, @.com is now enabled."

The device user can now send and receive email messages on the BlackBerry OS device.

13. The slow synchronization process begins. The BlackBerry OS device requests the synchronization configuration information from the BlackBerry Synchronization Service. The configuration information indicates whether wireless data synchronization on BES12 is turned on and which organizer databases can be synchronized. The configuration information also provides database synchronization types (unidirectional or bidirectional) and conflict resolution settings.
14. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases on the BlackBerry OS device using that information.

The BlackBerry OS device and BES12 do not delete records during the initial synchronization process.


15. The slow synchronization process is complete when all databases are synchronized between the BlackBerry OS device and BES12.

The activation process is complete when the BlackBerry OS device displays “Activation Complete” and the device user account status displays “Completed” in the management console or BlackBerry Administration Service.


Receiving configuration updates 8

When you use the management console to send device commands, such as lock device or delete the work data, or when you perform other device management tasks, such as updates to policy, profile, and app settings or assignments, you trigger a configuration update for the device.

When a configuration update needs to be sent to a device, BES12 notifies the devices, except Windows Phone devices, that a configuration update is pending. Windows Phone devices poll BES12 every hour to request pending updates. Other devices poll BES12 every 8 hours to ask for any actions that need to be run on the device to prevent any configuration update from being missed if a notification is not received on the device.

On BlackBerry 10 devices, the Enterprise Management Agent receives and completes all configuration updates.

On Android devices, the BES12 Client receives and completes all configuration updates.

On iOS and Windows Phone devices, the BES12 Client displays compliance status and configuration information for the device, such as apps or policies assigned to it. However, the native MDM Daemon on iOS and Windows Phone devices complements the BES12 Client and receives and completes all configuration updates sent to the device.

Data flow: Receiving configuration updates on a BlackBerry 10 device


1. An action is taken in the management console that triggers a configuration update for the device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core notifies the BlackBerry Infrastructure that there is an update for a device. The notification passes through the BlackBerry Router or TCP proxy server, if installed, and the external firewall, over port 3101.
4. The BlackBerry Infrastructure notifies the Enterprise Management Agent on the device that there is an update.
5. The Enterprise Management Agent on the device polls the BES12 Core to request any pending actions and commands that must be performed on the device. This poll passes through the BlackBerry Infrastructure and the BlackBerry Router, if installed, to the BES12 Core.
6. The BES12 Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action.

Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response.

7. The Enterprise Management Agent on the device receives the configuration updates and applies the new or updated configuration on the device. The Enterprise Management Agent sends a response to the BES12 Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.
8. If more actions or commands are pending for the device, the BES12 Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BES12 Core replies with an idle command.

Steps 6 to 8 are repeated until no more pending actions or commands must be performed on the device.


Data flow: Receiving configuration updates on an Android device

1. An action is taken in the management console that triggers a configuration update for an Android device.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the GCM to notify Android devices that an update is pending.
5. The GCM sends a notification to the BES12 Client on the Android device to contact the BES12 Core.
6. The BES12 Client contacts the BES12 Core, on port 3101 on the external firewall, to request any pending actions and commands that must be performed on the device.
7. The BES12 Core replies, through the BlackBerry Infrastructure and BlackBerry Router or TCP proxy server, if installed, with the highest priority action.

Priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed apps, and so on. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response.

8. The BES12 Client inspects the response, schedules the command to be processed, and waits for the command to be run. The BES12 Client sends a response to the BES12 Core, through the BlackBerry Infrastructure, to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.


9. If more actions or commands are pending for the device, the BES12 Core replies, through the BlackBerry Infrastructure, with the highest priority action. If no actions or commands are pending for the device, the BES12 Core replies with an idle command.

Steps 7 to 9 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on an iOS device

1. An action is taken in the management console that triggers a configuration update for an iOS device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The BES12 Core contacts the BlackBerry Infrastructure, through the BlackBerry Router or TCP proxy server, if installed, and the external firewall over port 3101.
4. The BlackBerry Infrastructure uses the APNs to notify the device that an update is pending.
5. The APNs sends a notification to the native MDM Daemon on the iOS device to contact the BES12 Core.
6. When the native MDM Daemon on the iOS device receives the notification, it contacts the BES12 Core, on port 3101 on the external firewall, passing through the BlackBerry Router or TCP proxy server, if installed, to retrieve any pending actions.
7. The BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. The BES12 Core sends only one command at a time. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BES12 Core replies to the device with an idle command.
8. The native MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for the command to be run.
9. The native MDM Daemon sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.

Steps 7 to 9 are repeated until no more pending actions or commands must be performed on the device.

Data flow: Receiving configuration updates on a Windows Phone device

1. An action is taken in the management console that triggers a configuration update for a Windows Phone device. For example, you update the IT policy or assign a new profile or app to the user account.
2. Updates are applied in BES12, and objects that must be shared with the device are identified.
3. The native MDM Daemon on the Windows Phone polls BES12 for updates at regular intervals.
4. When an update is pending for the device, the BES12 Core replies with the highest priority action. Priority is given to device actions, such as Delete device data and Lock device. If necessary, additional information is included in the response. If no actions or commands are pending for the device, the BES12 Core replies to the device with an idle command.
5. The native MDM Daemon on the Windows Phone device inspects the response, schedules the command to be processed, and waits for the command to be run. The native MDM Daemon on the Windows Phone device sends a response to the BES12 Core to update the command status. The status indicates whether the command ran successfully and provides an error message in the event of a failure.

Steps 4 and 5 are repeated until no more pending actions or commands must be performed on the device.
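The four data flows above (BlackBerry 10, Android, iOS, and Windows Phone) describe the same server-side behaviour: the BES12 Core keeps pending actions per device, answers each poll with exactly one action, the highest-priority one, receives a status report that carries an error message on failure, and answers with an idle command when nothing is pending; the device repeats the poll until it gets that idle reply. The following Python models that exchange. It is an added illustration, not BlackBerry code: the command names, the three priority classes (IT administration commands first, then requests for device information and installed apps, then policy, profile, and app assignment updates), and the status report format are assumptions drawn from the ordering the text gives. It also shows one property the text implies but does not spell out: a device that polls again before acknowledging is re-sent the same command, so a command is never lost or skipped because a notification and a scheduled poll overlapped.

```python
"""Model of the pending-action exchange between the BES12 Core and a device.
Added illustration, not BlackBerry code; priority classes and command names are assumed."""
import heapq
import itertools
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Lower number is served first.  Assumed classes, ordered as the text describes.
PRIORITY = {
    "DELETE_DEVICE_DATA": 0,   # IT administration commands
    "LOCK_DEVICE": 0,
    "GET_DEVICE_INFO": 1,      # requests for device information
    "GET_INSTALLED_APPS": 1,
    "APPLY_IT_POLICY": 2,      # policy, profile and app assignment updates
    "ASSIGN_PROFILE": 2,
    "INSTALL_APP": 2,
}
IDLE = {"command": "IDLE"}     # the idle command sent when nothing is pending


@dataclass
class CommandQueue:
    """Pending actions for one device, ordered by priority and then by arrival."""
    _heap: list = field(default_factory=list)
    _counter: itertools.count = field(default_factory=itertools.count)
    outstanding: Optional[dict] = None      # the one command sent but not yet acknowledged
    history: list = field(default_factory=list)

    def enqueue(self, command: str, **params) -> None:
        """Console action (steps 1 and 2): an object that must be shared with the device."""
        entry = {"command": command, **params}
        heapq.heappush(self._heap, (PRIORITY[command], next(self._counter), entry))

    def next_action(self) -> dict:
        """Reply to a device poll: the highest-priority pending action, or IDLE."""
        if self.outstanding is not None:
            return self.outstanding          # one command at a time; re-send until acknowledged
        if not self._heap:
            return IDLE
        _, _, cmd = heapq.heappop(self._heap)
        self.outstanding = cmd
        return cmd

    def report_status(self, command: str, success: bool, error: Optional[str] = None) -> None:
        """Device response updating the command status; frees the slot for the next action."""
        if self.outstanding is None or self.outstanding["command"] != command:
            raise ValueError("status report does not match the outstanding command")
        self.history.append((command, success, error))
        self.outstanding = None

    def pending_count(self) -> int:
        return len(self._heap) + (1 if self.outstanding is not None else 0)


def device_poll_loop(queue: CommandQueue,
                     run_command: Callable[[dict], Tuple[bool, Optional[str]]]) -> list:
    """Client side: poll, run the one returned command, report, repeat until IDLE.
    run_command is the device's handler; it returns (success, error_message)."""
    served = []
    while True:
        action = queue.next_action()
        if action["command"] == "IDLE":
            return served
        ok, err = run_command(action)
        queue.report_status(action["command"], ok, err)
        served.append(action["command"])
```

The per-device `history` is the place a defender would look when a Lock device or Delete device data command appears not to have taken effect: it records, in order, every command the device acknowledged and the error message it reported.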


Sending and receiving work data 9

When BlackBerry 10, iOS, Android, and Windows Phone devices that are active on BES12 send and receive work data, they connect to your organization's mail, application, or content servers. For example, when they use the work email or calendar apps, devices establish a connection to the mail server. When they use the work browser to navigate the intranet, devices establish a connection to the web server in your organization, and so on.

When BlackBerry OS (version 5.0 to 7.1) devices send or receive work data, they connect to BES12. BES12 then establishes a connection to your organization's mail, application, or content servers to send and receive work data on behalf of the BlackBerry OS devices.

Depending on the type of device and how it is configured, a device may establish these connections using one of the following:

• Communicating over your organization's work Wi-Fi network: You can use BES12 to configure Wi-Fi profiles for devices so that devices can connect to your organization's resources using your work Wi-Fi network.
• Communicating over your organization's VPN: You can use BES12 to configure VPN profiles for devices or users may configure VPN profiles on their devices so that devices can connect to your organization's resources using a VPN. To use your organization's VPN, users with a Windows Phone device or an Android device that does not use Android for Work or KNOX Workspace must configure a VPN profile on their devices manually.
• Communicating through the BlackBerry Infrastructure: When devices use this communication channel, they use enterprise connectivity. When devices use enterprise connectivity, all the traffic between the devices and BES12 is authenticated and encrypted and travels through the BlackBerry Infrastructure. Enterprise connectivity limits the number of ports that you need to open on your organization's external firewall to a single port, 3101. Additionally, for BlackBerry 10 devices and devices activated to use Android for Work or KNOX Workspace, you can configure the enterprise connectivity profile to use BlackBerry Secure Connect Plus. When these devices use BlackBerry Secure Connect Plus, all the traffic flows in a secure IP tunnel established between the work space apps on the device and your organization's network through the BlackBerry Infrastructure.

58 Sending and receiving work data

Using enterprise connectivity

The following diagram shows how devices access your organization's resources when they use enterprise connectivity.

The following table lists the devices that can connect to your organization's network using enterprise connectivity and when they use it.

Device type Description

All devices: All devices use this communication path to send and receive configuration data, such as device commands, policy and profile updates, and device information and activity reports.

iOS and Android devices with Secure Work Space: iOS and Android devices with Secure Work Space always use this path to send and receive Exchange ActiveSync data and other work app data when they have enterprise connectivity enabled. Enterprise connectivity is enabled by default for iOS and Android devices with Secure Work Space.

BlackBerry 10 devices: BlackBerry 10 devices use this communication path to send and receive work data when this is the most direct, cost-efficient route available.

BlackBerry 10 devices and devices that use Android for Work or KNOX Workspace that are configured to use BlackBerry Secure Connect Plus: Devices that have an enterprise connectivity profile configured to use BlackBerry Secure Connect Plus use a secure IP tunnel through the BlackBerry Infrastructure to transfer data between work apps and your organization's network when this is the most direct, cost-efficient route available. One tunnel is established for each device, and the tunnel supports standard IPv4 protocols (TCP and UDP). As long as the tunnel is open, any app in the work space can access network resources. When the tunnel is no longer required (for example, the user is in range of the work Wi-Fi network), it is terminated.

BlackBerry OS (version 5.0 to 7.1) devices: BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive email, organizer, and app data updates when this is the most direct, cost-efficient route available.


For more information on how to configure an enterprise connectivity profile, see the Administration content.

Data flow: Sending email and calendar data from a BlackBerry 10, iOS, or Android device using enterprise connectivity

This data flow describes how work email and calendar data travels from the device to the mail server through the BlackBerry Infrastructure using Exchange ActiveSync.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   • If the device is an iOS or Android device, the new or changed item travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   • If the device is a BlackBerry 10 device, the new or changed item travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
3. The mail server updates the organizer data in the user's mailbox or sends the mail item to the recipient, and sends a confirmation to the device.


Data flow: Receiving email and calendar data on a BlackBerry 10 or Android device using enterprise connectivity

This data flow describes how work email and calendar data travels between the mail server and a BlackBerry 10 or Android device through the BlackBerry Infrastructure using Exchange ActiveSync.

1. The device issues an HTTPS request to the mail server and asks the mail server to notify the device when any items change in the folders that are configured to synchronize. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 to the mail server:
   • If the device is an Android device, the request travels through the BlackBerry Infrastructure and the BES12 Core to the mail server.
   • If the device is a BlackBerry 10 device, the request travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through the secure channel established between BES12 and the BlackBerry Infrastructure to the email or organizer app in the work space of the device:
   • If the device is an Android device, the new or changed items travel through the BES12 Core and the BlackBerry Infrastructure to the device.
   • If the device is a BlackBerry 10 device, the new or changed items travel through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" response (with no changes reported) to the device through the secure channel established between BES12 and the BlackBerry Infrastructure.
6. The device issues a new request and the process starts over.

Data flow: Receiving email and calendar data on an iOS device using enterprise connectivity

This data flow describes how work email and calendar data travels between the mail server and iOS devices through the BlackBerry Infrastructure using Exchange ActiveSync.

1. If the email or organizer app is open, or the device OS allows it to run in the background:
   a. The device issues an HTTPS request to the mail server and asks the mail server to notify the device when any items change in the folders that are configured to synchronize. The request travels through the encrypted and authenticated channel established between the BlackBerry Infrastructure and the BES12 Core to the mail server.
   b. The device stands by.
   c. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" response (with no changes reported) to the device. The device issues a new request and the process starts over.
   d. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device through the secure channel established between the BES12 Core and the BlackBerry Infrastructure to the email or organizer app in the work space of the device.
   e. When the synchronization is complete, the device issues another request to restart the process.
2. If the email or organizer app is not open and is not running in the background:
   a. The BlackBerry Work Connect Notification Service listens for new or updated items for the device.
   b. When there is a new or updated item, the BlackBerry Work Connect Notification Service sends the notification to the BlackBerry Infrastructure using the secure channel established between the BES12 Core and the BlackBerry Infrastructure.
   c. The BlackBerry Infrastructure sends the notification to the app on the iOS device using APNs. Only the notification travels through APNs; the email and organizer content itself is retrieved over the secure channel in the next step.
   d. The device shows that a new email or organizer item is available. When the user opens the app, the device issues an HTTPS request to the mail server asking it to send any new or changed items to the device. The request travels through the secure channel established between the BlackBerry Infrastructure and the BES12 Core to the mail server.
   e. The mail server sends the new or changed items to the device through the secure channel established between the BES12 Core and the BlackBerry Infrastructure to the email or organizer app in the work space of the device.
   f. When the synchronization is complete, the process starts over.

Data flow: Sending an email from a BlackBerry OS device

1. A user sends an email from a BlackBerry OS (version 5.0 to 7.1) device. The BlackBerry OS device assigns a RefId to the email. The device compresses and encrypts the email, and sends it to the BlackBerry Infrastructure.
2. The BlackBerry Infrastructure sends the encrypted and compressed email to BES12 over port 3101.
3. The BlackBerry Dispatcher for BlackBerry OS uses the device transport key of the BlackBerry device to decrypt and decompress the email, and sends it to the BlackBerry Messaging Agent. If the BlackBerry Dispatcher for BlackBerry OS cannot decrypt the email using the device transport key, BES12 discards it and sends an error message to the BlackBerry OS device.
4. The BlackBerry Messaging Agent sends the email to the mail server.
5. The BlackBerry Messaging Agent sends a copy of the email to the Sent Items folder in the user's mailbox.
6. The mail server delivers the email to the recipient.
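The decrypt-or-discard step in this flow, as an added illustration that is not BlackBerry's code. The page does not state which cipher the device transport key drives, so the example substitutes a generic encrypt-then-MAC scheme (an HMAC-SHA256 keystream in counter mode plus an HMAC tag), a constructed wire format, and constructed PINs and keys. What it shows is the property the flow relies on: a message that does not authenticate under the transport key stored for the claimed device is rejected before anything is decompressed or forwarded to the BlackBerry Messaging Agent.

```python
"""Per-device transport key check for an inbound BlackBerry OS email. Added example:
the cipher, wire format, PINs and keys are constructed stand-ins, not BlackBerry's."""
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional, Tuple

PIN_LEN, REFID_LEN, NONCE_LEN, TAG_LEN = 8, 4, 16, 32


def _subkeys(transport_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the device transport key."""
    enc = hmac.new(transport_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(transport_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def device_send(pin: str, transport_key: bytes, ref_id: int, email: bytes) -> bytes:
    """Device side of step 1: assign a RefId, compress, encrypt, tag.
    Wire format (constructed): pin(8) | ref_id(4) | nonce(16) | ciphertext | tag(32)."""
    enc_key, mac_key = _subkeys(transport_key)
    compressed = zlib.compress(email)            # compress before encrypting, as the flow says
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(compressed))
    ciphertext = bytes(a ^ b for a, b in zip(compressed, ks))
    header = pin.encode("ascii") + ref_id.to_bytes(REFID_LEN, "big") + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def dispatcher_receive(keys_by_pin: Dict[str, bytes], packet: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """Server side of step 3: look up the device transport key by PIN and verify the tag
    before decrypting. Returns (message, None) to hand to the Messaging Agent, or
    (None, error) when the message must be discarded and an error returned to the device."""
    if len(packet) < PIN_LEN + REFID_LEN + NONCE_LEN + TAG_LEN:
        return None, "malformed packet"
    pin = packet[:PIN_LEN].decode("ascii", "replace")
    ref_id = int.from_bytes(packet[PIN_LEN:PIN_LEN + REFID_LEN], "big")
    hdr_end = PIN_LEN + REFID_LEN + NONCE_LEN
    nonce = packet[PIN_LEN + REFID_LEN:hdr_end]
    ciphertext, tag = packet[hdr_end:-TAG_LEN], packet[-TAG_LEN:]
    key = keys_by_pin.get(pin)
    if key is None:
        return None, f"unknown device {pin}"
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, packet[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # wrong transport key or altered message: discard without decrypting
        return None, f"refid {ref_id}: authentication failed, message discarded"
    compressed = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    try:
        email = zlib.decompress(compressed)
    except zlib.error:
        return None, f"refid {ref_id}: decompression failed"
    return {"pin": pin, "ref_id": ref_id, "email": email}, None


if __name__ == "__main__":
    keys = {"2FF1A0C3": os.urandom(32), "2FF1A0C4": os.urandom(32)}   # constructed PINs and keys
    good = device_send("2FF1A0C3", keys["2FF1A0C3"], 41, b"Subject: lunch\r\n\r\nNoon?")
    print(dispatcher_receive(keys, good))
    # same PIN claimed, but encrypted under another device's key: must be discarded
    bad = device_send("2FF1A0C3", keys["2FF1A0C4"], 42, b"forged")
    print(dispatcher_receive(keys, bad))
```

The tag is checked over the header and ciphertext before any decryption or decompression, so a message under the wrong key, a tampered message, or a message for a PIN the server does not know is dropped with an error and never reaches the mail path; that ordering is what keeps the decompressor and the Messaging Agent away from unauthenticated input.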

Data flow: Receiving an email on a BlackBerry OS device

1. An email arrives in a BlackBerry OS (version 5.0 to 7.1) device user's mailbox on the mail server.
2. The BlackBerry Messaging Agent retrieves the email message from the mail server.
3. The BlackBerry Messaging Agent checks the email message filters to determine whether the email message can be forwarded to the BlackBerry OS device.
4. The BlackBerry Messaging Agent sends the email message to the BlackBerry Dispatcher for BlackBerry OS.
5. The BlackBerry Dispatcher for BlackBerry OS compresses and encrypts the email message and sends it, through the BlackBerry Router or TCP proxy if installed, to the BlackBerry Infrastructure on port 3101 of the firewall.
6. The BlackBerry Infrastructure sends the email message to the BlackBerry OS device.
7. The BlackBerry OS device sends a delivery confirmation to the BlackBerry Messaging Agent.
8. The BlackBerry OS device decrypts and decompresses the email message.


Data flow: Receiving enterprise push updates on a BlackBerry 10 device using enterprise connectivity

1. When there is new or updated data for a work app on a BlackBerry 10 device, the application or content server pushes the data to the BlackBerry MDS Connection Service using an HTTP or HTTPS request.
2. The BlackBerry MDS Connection Service sends the pushed data through the BlackBerry Dispatcher, BlackBerry Affinity Manager, and TCP proxy server or BlackBerry Router if installed, to the BlackBerry Infrastructure over port 3101 on the firewall.
3. The BlackBerry Infrastructure sends the data to the BlackBerry 10 device.
4. The BlackBerry 10 device sends a delivery confirmation to the BlackBerry Infrastructure. The device app detects the incoming content and displays it when the user opens the app.
5. The BlackBerry Infrastructure sends a delivery confirmation through the BlackBerry Router or TCP proxy server if installed, the BlackBerry Affinity Manager, and the BlackBerry Dispatcher to the BlackBerry MDS Connection Service.
6. If configured to do so, the BlackBerry MDS Connection Service sends the delivery confirmation to the push initiator using an HTTP request.


Data flow: Accessing an application or content server from a work app on a device using BlackBerry Secure Connect Plus

Work apps on devices that have the BlackBerry Secure Connect Plus client installed and configured can connect to your organization's network using a secure IP tunnel through the BlackBerry Infrastructure. One tunnel is established for each device. You can configure BlackBerry Secure Connect Plus on BlackBerry 10 devices and on Android devices that use Android for Work and KNOX Workspace.

This data flow describes how data travels between an application or content server in your organization and a work app on a device that uses BlackBerry Secure Connect Plus.

1. The user opens a work app to access work data from a content or application server behind your organization's firewall. For example, the user opens the work browser to navigate the intranet.
2. The device determines that a secure IP tunnel is the most direct, cost-efficient method available to connect to the application or content server, and it sends a request through a TLS tunnel, over port 443, to the BlackBerry Infrastructure to request a secure tunnel to the work network. The signaling is encrypted by default using FIPS 140-validated Certicom libraries, and the signaling tunnel is encrypted end-to-end.
3. BlackBerry Secure Connect Plus receives the request from the BlackBerry Infrastructure through port 3101.
4. The device and BlackBerry Secure Connect Plus negotiate the tunnel parameters and establish a secure tunnel for the device through the BlackBerry Infrastructure. The tunnel is authenticated and encrypted end-to-end with DTLS between the device and BlackBerry Secure Connect Plus; the BlackBerry Infrastructure relays the tunnel but does not terminate it.
5. The work app uses the tunnel to connect to the application or content server using standard IPv4 protocols (TCP and UDP).
6. BlackBerry Secure Connect Plus transfers the IP data to and from your organization's network. BlackBerry Secure Connect Plus encrypts and decrypts traffic using FIPS 140-validated Certicom libraries.
7. The app receives and displays the data on the device.
8. As long as the tunnel is open, any app in the work space can access network resources. Because the tunnel is per device rather than per app, restrict what it can reach with controls on your network side rather than relying on the tunnel itself. When the tunnel is no longer the best available method to connect to your organization's network, BlackBerry Secure Connect Plus terminates it.

Data flow: Accessing an application or content server from a work app on a device using enterprise connectivity

This data flow describes how data travels between an application or content server in your organization and a work app in a device using enterprise connectivity.

1. The user opens a work app to view work data. For example, the user opens the work browser to navigate the intranet or uses BlackBerry Work Drives to access a file on a network drive.
2. The app establishes a connection to the application or content server to retrieve the data. The request travels through the secure channel established between the BlackBerry Infrastructure and BES12 to the application or content server:
   • If the device is an iOS or Android device, the request travels through the BlackBerry Infrastructure and the BES12 Core to the application or content server.
   • If the device is a BlackBerry 10 device, the request travels through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the application or content server.
3. The application or content server replies with the work data. The work data travels through the secure channel established between BES12 and the BlackBerry Infrastructure to the app in the work space of the device:
   • If the device is an iOS or Android device, the data travels through the BES12 Core and the BlackBerry Infrastructure to the device.
   • If the device is a BlackBerry 10 device, the data travels through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure to the device.
4. The app receives and displays the data on the device.

Data flow: Sending an instant message from the BlackBerry Enterprise IM app using enterprise connectivity

1. A user logs in to the BlackBerry Enterprise IM app on a BlackBerry 10 device that is running BlackBerry 10 OS version 10.2.1 or later. The BlackBerry 10 device compresses and encrypts the user ID and password.
2. The Enterprise IM app on the device opens an SSL connection through the BlackBerry Infrastructure, BlackBerry Affinity Manager, BlackBerry Dispatcher, and BlackBerry MDS Connection Service to the BlackBerry Collaboration Service over port 8181.
3. The BlackBerry Collaboration Service checks the BES12 database to determine whether the maximum number of available sessions has been reached.
4. The BlackBerry Collaboration Service connects to Microsoft Active Directory to validate the user's login information.
5. The BlackBerry Collaboration Service connects to the instant messaging server and registers an active endpoint for the user using UCMA, over an MTLS connection on port 5061.
6. The instant messaging server sends the registration information back to the BlackBerry Collaboration Service.
7. The BlackBerry Collaboration Service sends the registration response to the device using the SSL connection through the BlackBerry MDS Connection Service, BlackBerry Dispatcher, BlackBerry Affinity Manager, and BlackBerry Infrastructure.
8. The session is created between the BlackBerry 10 device and the BlackBerry Collaboration Service, and between the BlackBerry Collaboration Service and the Microsoft Lync Server.

For more information about BlackBerry Enterprise IM, visit help.blackberry.com/detectLang/enterprise-im-for-bes12/.


Using your organization's VPN or work Wi-Fi network

Devices that have VPN or Wi-Fi profiles configured by you or by the users may be able to access your organization's resources using your organization's VPN or work Wi-Fi network. To use your organization's VPN, users with a Windows Phone device or an Android device that does not use Android for Work or Samsung KNOX Workspace must manually configure a VPN profile on their devices.

This diagram shows how data can travel when a BlackBerry 10, iOS, Android, or Windows Phone device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

This diagram shows how data can travel when a BlackBerry OS (version 5.0 to 7.1) device connects to your organization's resources using your organization's VPN or work Wi-Fi network.

The following table describes what devices use your organization's VPN or work Wi-Fi network to connect to your organization's network and when.


Device type Description

iOS and Android devices with Secure Work Space: iOS and Android devices with Secure Work Space always use this communication path to send and receive Exchange ActiveSync data and other work data updates when they have enterprise connectivity disabled. To use your organization's VPN, Android device users must manually configure a VPN profile on their devices.

Devices that use Android for Work or KNOX Workspace: Devices that use Android for Work or KNOX Workspace use this communication path when BlackBerry Secure Connect Plus is not enabled in their enterprise connectivity profile.

Windows Phone devices and iOS and Android devices without Secure Work Space: Windows Phone devices and iOS and Android devices without Secure Work Space use this communication path to send and receive Exchange ActiveSync data and other work data updates. To use your organization's VPN, Android and Windows Phone device users must manually configure a VPN profile on their devices.

BlackBerry 10: BlackBerry 10 devices use this communication path to send and receive Exchange ActiveSync data updates and other work data updates when this is the most direct, cost-efficient route available. BlackBerry 10 devices only use VPN or Wi-Fi profiles configured by you, not by the user, when accessing work data.

BlackBerry OS: BlackBerry OS (version 5.0 to 7.1) devices use this communication path to send and receive all email, organizer, and app data updates when this is the most direct, cost-efficient route available.

Data flow: Sending email or calendar data using your organization's VPN or work Wi-Fi network

This data flow describes how work email and calendar data travels from the device to the mail server over your organization's VPN or work Wi-Fi network using Exchange ActiveSync.

1. A user creates an email or updates an organizer item in the work space.
2. The device sends the new or changed item to the mail server over your organization's VPN or work Wi-Fi network.
3. The mail server updates the organizer data in the user's mailbox or sends the mail item to the recipient, and sends a confirmation to the device.

Data flow: Receiving email and calendar data on a device using your organization's VPN or work Wi-Fi network

1. The device issues an HTTPS request to the mail server and asks the mail server to notify the device when any items change in the folders that are configured to synchronize. The request travels through your organization's VPN or work Wi-Fi network to the mail server.
2. The device stands by.
3. When there are new or changed items for the device, such as a new email or an updated calendar entry, the mail server sends the updates to the device. The new or changed items travel through your organization's VPN or work Wi-Fi network to the email or organizer app on the device.
4. When the synchronization is complete, the device issues another request to restart the process.
5. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" response (with no changes reported) to the device.
6. The device issues a new request and the process starts over.
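The push loop above, and the same loop over enterprise connectivity earlier on this page (Data flow: Receiving email and calendar data on a BlackBerry 10 or Android device using enterprise connectivity), as an added simulation that is not part of the BES12 documentation or product. The transport path changes where the request travels, not the exchange itself, so one model serves both flows. The mail server stand-in, the folder names and the arrival times are constructed; the Ping status values 1 and 2 are the ones Microsoft's MS-ASCMD specification defines for the Exchange ActiveSync Ping command, and both arrive in an HTTP 200 OK response.

```python
"""Simulation of the Exchange ActiveSync push loop (Ping, stand by, Sync) that the data
flows on this page describe. Added example: it models the exchange between the device
and the mail server, not real HTTP, and the transport path (enterprise connectivity or
VPN/Wi-Fi) does not change the messages."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ping status codes from MS-ASCMD. Both replies arrive as HTTP 200 OK; the body tells
# the device whether anything changed.
PING_STATUS_EXPIRED = 1   # heartbeat elapsed with no change: device re-issues the Ping
PING_STATUS_CHANGES = 2   # listed folders changed: device issues a Sync for each


@dataclass
class MockMailServer:
    """Constructed stand-in for the mail server. arrivals are (time, folder, subject)."""
    arrivals: List[Tuple[int, str, str]]
    unsynced: Dict[str, List[str]] = field(default_factory=dict)

    def _deliver_until(self, t: int) -> None:
        """Move every item that has arrived by time t into the unsynced store."""
        remaining = []
        for arrived, folder, subject in self.arrivals:
            if arrived <= t:
                self.unsynced.setdefault(folder, []).append(subject)
            else:
                remaining.append((arrived, folder, subject))
        self.arrivals = remaining

    def ping(self, now: int, folders: List[str], heartbeat: int) -> Tuple[int, dict]:
        """Hold the request until a watched folder changes or the heartbeat expires.
        Returns (time the reply is sent, response body)."""
        deadline = now + heartbeat
        self._deliver_until(now)
        changed = [f for f in folders if self.unsynced.get(f)]
        if changed:
            return now, {"Status": PING_STATUS_CHANGES, "Folders": changed}
        upcoming = sorted(t for t, f, _ in self.arrivals if f in folders and t <= deadline)
        if upcoming:
            self._deliver_until(upcoming[0])
            changed = [f for f in folders if self.unsynced.get(f)]
            return upcoming[0], {"Status": PING_STATUS_CHANGES, "Folders": changed}
        self._deliver_until(deadline)
        return deadline, {"Status": PING_STATUS_EXPIRED}

    def sync(self, folder: str) -> List[str]:
        """Return and clear the unsynced items of one folder."""
        return self.unsynced.pop(folder, [])


@dataclass
class Device:
    server: MockMailServer
    folders: List[str]          # folders configured to synchronize
    heartbeat: int = 900        # seconds the server may hold the Ping (the stand-by interval)
    now: int = 0
    mailbox: Dict[str, List[str]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def push_cycle(self) -> List[str]:
        """One iteration of the loop: Ping, stand by, then Sync every folder the reply names."""
        reply_at, body = self.server.ping(self.now, self.folders, self.heartbeat)
        self.now = reply_at
        if body["Status"] == PING_STATUS_EXPIRED:
            self.log.append(f"t={self.now}: 200 OK, Ping status 1 (no changes); re-issuing Ping")
            return []
        synced = []
        for folder in body["Folders"]:
            items = self.server.sync(folder)
            self.mailbox.setdefault(folder, []).extend(items)
            synced.append(folder)
            self.log.append(f"t={self.now}: Ping status 2 for {folder}; Sync returned {len(items)} item(s)")
        return synced


def run_demo(cycles: int = 4) -> Device:
    """Drive the loop over constructed arrivals; Junk is deliberately not a synced folder."""
    server = MockMailServer(arrivals=[
        (300, "Inbox", "Quarterly numbers"),          # lands while the first Ping is held
        (1500, "Calendar", "Design review moved"),
        (1700, "Junk", "ignored by the device"),
    ])
    device = Device(server=server, folders=["Inbox", "Calendar"])
    for _ in range(cycles):
        device.push_cycle()
    return device


if __name__ == "__main__":
    print("\n".join(run_demo().log))
```

Running it prints one log line per cycle: a status 2 reply at t=300 followed by a Sync of Inbox, an expired heartbeat at t=1200, a status 2 reply at t=1500 for Calendar, and another expired heartbeat at t=2400. The Junk item never reaches the device because only the folders named in the Ping are watched, which is the same reason the device, not the server, decides what is synchronized.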

Data flow: Accessing an application or content server from a device using your organization's VPN or work Wi-Fi network

This data flow describes how data travels between an application or content server in your organization and a work app in a device using a VPN connection or a work Wi-Fi network.

1. The user opens a work app to view work data. For example, the user opens the work browser to navigate the intranet or uses BlackBerry Work Drives to access a file on a network drive.
2. The app establishes a connection to the application or content server to retrieve the data. The request travels through your VPN or work Wi-Fi network to the application or content server.
3. The application or content server replies with the work data. The work data travels through your VPN or work Wi-Fi network to the app in the work space of the device.
4. The app receives and displays the data on the device.

72 Product documentation

Product documentation 10

Resource Description

Overview and what's new
• Introduction to BES12 and its features
• Finding your way through the documentation
• Architecture
• Descriptions of BES12 components
• Descriptions of activation and other data flows, such as configuration updates and email, for different types of devices

Release notes and advisories
• Descriptions of known issues and potential workarounds

Installation and upgrade
• System requirements
• Planning BES12 deployment for an installation or an upgrade from BES5 or BES10
• Installation instructions
• Upgrade instructions

Installation and administration
• System requirements
• Installation instructions
• Basic administration of BlackBerry Collaboration Service instances
• Description of BlackBerry Collaboration Service components
• Architecture

Configuration
• Descriptions of different types of licenses
• Instructions for activating and managing licenses
• Instructions for how to configure server components before you start administering users and their devices
• Instructions for migrating BES10 data from an existing BES10 database

Administration
• Basic and advanced administration for all supported device types, including BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices, and BlackBerry OS (version 5.0 to 7.1) and earlier devices
• Instructions for creating user accounts, groups, roles, and administrator accounts
• Instructions for activating devices
• Instructions for creating and assigning IT policies and profiles
• Instructions for managing apps on devices
• Descriptions of profile settings
• Descriptions of IT policy rules for BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices, and BlackBerry OS (version 5.0 to 7.1) and earlier devices

Security
• Description of the security maintained by BES12, the BlackBerry Infrastructure, and BlackBerry 10 devices to protect data and connections
• Description of the BlackBerry 10 OS
• Description of how work data is protected on BlackBerry 10 devices when you use BES12
• Description of the security maintained by BES12, the BlackBerry Infrastructure, and iOS, Android, and Windows Phone devices activated on BES12 to protect data at rest and in transit
• Description of how work space apps are protected on work space-enabled devices when you use BES12

74 Glossary

Glossary 11

AES Advanced Encryption Standard

APNs Apple Push Notification service

BES5 BlackBerry Enterprise Server 5

BES12 BlackBerry Enterprise Service 12

CA certification authority

CBC cipher block chaining

CSR certificate signing request

DMZ A demilitarized zone (DMZ) is a neutral subnetwork that sits between an organization's trusted LAN and the untrusted external wireless network and public Internet. It is typically separated from both by firewalls, so that hosts exposed to the Internet from the DMZ cannot reach the internal LAN directly.

ECMQV Elliptic Curve Menezes-Qu-Vanstone

EMM Enterprise Mobility Management

GCM Google Cloud Messaging

HMAC keyed-hash message authentication code

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol over Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

IT policy An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager.

LDAP Lightweight Directory Access Protocol

MDM mobile device management

PGP/MIME PGP Multipurpose Internet Mail Extensions

PKCS Public-Key Cryptography Standards

SCEP simple certificate enrollment protocol

S/MIME Secure Multipurpose Internet Mail Extensions

SMTP Simple Mail Transfer Protocol

SRP Server Routing Protocol

SSL Secure Sockets Layer

TCP Transmission Control Protocol

TCP/IP Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.

UDP User Datagram Protocol

VPN virtual private network

76 Legal notice

Legal notice 12

©2015 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

Android, Google and Google Apps are trademarks of Google Inc. Apple Configurator is a trademark of Apple Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. IBM and Domino are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. KNOX and Samsung KNOX are trademarks of Samsung Electronics Co., Ltd. Microsoft, Active Directory, SQL Server, ActiveSync, Windows, and Windows Phone are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON- INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON- PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.


TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON- PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

78 Legal notice

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada