Skip Navigation

Data flow: Activating an
Android Enterprise
Work and personal - full control
device in a
Google
domain

Diagram showing the steps and components mentioned in the following data flow.
This data flow applies when
BlackBerry UEM
is connected to a
Google Cloud
or
Google Workspace
domain.
  1. You perform the following actions:
    1. Verify that the user has a
      Google
      account that is associated with the user’s work email address. Optionally, you can configure
      BlackBerry UEM
      to create the
      Google
      account for the user during the activation process. When
      BlackBerry UEM
      creates the account for the user in
      Google
      , the user receives an email from the
      Google
      domain with their
      Google
      account password.
    2. Verify that the "Enforce EMM Policy" setting is enabled for the
      Google
      domain. This setting specifies that activated devices are managed by an EMM provider, such as
      BlackBerry UEM
      .
    3. Add a user to
      BlackBerry UEM
      as a local user account or using the account information retrieved from your company directory. When you specify the email address, use the email address that is associated with the user's
      Google
      account.
    4. Make sure that the "
      Work and personal - full control
      " activation type is assigned to the user.
    5. Set the user's activation password.
  2. The user resets their device to the factory default settings.
  3. The device restarts and prompts the user to select a
    Wi-Fi
    network and to add an account.
  4. The user enters their work email address and password.
  5. The device communicates with the
    Google
    domain to verify that the user is a work user and to check if the Enforce EMM Policy setting is enabled. After the device performs the appropriate validations, the device performs the following actions:
    1. If the device is not encrypted, prompts the user to encrypt the device and restarts
    2. Downloads the
      BlackBerry UEM Client
      from
      Google Play
      and installs it
  6. The
    BlackBerry UEM Client
    on the device prompts the user to type their email address and activation password.
  7. The user types their email address and activation password or scans the
    QR Code
    .
  8. The
    BlackBerry UEM Client
    on the device performs the following actions:
    1. Establishes a connection to the
      BlackBerry Infrastructure
    2. Sends a request for activation information to the
      BlackBerry Infrastructure
  9. The
    BlackBerry Infrastructure
    performs the following actions:
    1. Verifies that the user is a valid, registered user
    2. Retrieves the
      BlackBerry UEM
      server address for the user
    3. Sends the server address to the
      BlackBerry UEM Client
  10. The
    BlackBerry UEM Client
    establishes a connection with
    BlackBerry UEM
    using an HTTP CONNECT call over port 443 and sends an activation request to
    BlackBerry UEM
    . The activation request includes the username, password, device operating system, and unique device identifier.
  11. BlackBerry UEM
    performs the following actions:
    1. Determines the activation type assigned to the user account
    2. Connects to the
      Google
      domain to verify the user information. If the user does not exist, depending on your configuration,
      BlackBerry UEM
      may create the user in the
      Google
      domain
    3. Creates a device instance
    4. Associates the device instance with the specified user account
    5. Adds the enrollment session ID to an HTTP session
    6. Sends a successful authentication message to the device
  12. The
    BlackBerry UEM Client
    performs the following actions:
    1. Creates the work profile on the device
    2. Prompts the user for the user's
      Google
      account information
    3. Connects to the
      Google
      domain to authenticate the user
    4. Creates a CSR using the information received from
      BlackBerry UEM
      and sends a client certificate request to
      BlackBerry UEM
      over HTTPS
  13. BlackBerry UEM
    performs the following actions:
    1. Validates the client certificate request against the enrollment session ID in the HTTP session
    2. Signs the client certificate request with the root certificate
    3. Sends the signed client certificate and root certificate back to the
      BlackBerry UEM Client
    A mutually authenticated TLS session is established between the
    BlackBerry UEM Client
    and
    BlackBerry UEM
    .
  14. The
    BlackBerry UEM Client
    requests all configuration information and sends the device and software information to
    BlackBerry UEM
    .
  15. BlackBerry UEM
    stores the device information and sends the requested configuration information to the device.
  16. The device sends an acknowledgment to
    BlackBerry UEM
    that it received and applied the configuration information. The activation process is complete.