Get the PDF

Configure email notifications for
BlackBerry Work

BEMS

Cloud accepts push registration requests from devices, such as

iOS

and

Android

, and then communicates with the on-premises

Microsoft Exchange Server

Microsoft Exchange Online

to check the user's mailbox for changes. When you specify the on-premises

Microsoft Exchange Server

Microsoft Exchange Online

information, you specify the settings to create the

BEMS

Cloud tenant for your organization.

When the tenant is created, the following services are automatically enabled:

BlackBerry Directory Lookup

: This service allows users to look up other users by first name, last name, and associated photo or avatar from the company directory.

BlackBerry

Follow-Me: This feature supports the

BlackBerry Dynamics Launcher

BlackBerry Work

A hybrid modern authentication environment (for example, on-premises

Microsoft Exchange Server

and

Microsoft Exchange Online

), allows the on-premises

Microsoft Exchange Server

to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises

Microsoft Exchange Server

to use hybrid modern authentication, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication.

Verify that you have the following information and completed the appropriate tasks.

Verify that the service account has application impersonation permissions applied.

If you have a hybrid environment, and you enable Modern Authentication, make sure that the on-premises

Microsoft Exchange Server

is configured to use hybrid modern authentication. For more information, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication. If the

Microsoft Exchange Server

is not configured appropriately, users won't receive email notifications.

In a

Microsoft Exchange Online

environment, verify that you have enabled modern authentication, and completed the following:

If you use client-certificate authentication, do one of the following:

Obtain the client application ID with certificate-based authentication

Create and associate a self-signed .pfx certificate to the Azure app ID for BEMS

If you have configured

Entra ID

conditional access for your organization, make sure that the

BlackBerry Connectivity Node

is installed and configured in your environment.

Configure email notifications for

BlackBerry Work

In an on-premises

Microsoft Exchange

environment, make sure that the

Microsoft Exchange Server

is updated to support TLS 1.2 or push notifications will fail. Weaker cipher suites such as TLSv1 or TLS 1.0 are disabled by default. Disabling the cipher suites provides enhanced security.

If you use SSL for SCP lookup, verify that you exported the

Microsoft Active Directory

SSL certificate.

In the management console, click

Settings > BlackBerry Dynamics > Email notifications

In the

Authentication type

section, select an authentication type based on your environment and complete the associated tasks to allow

BEMS

to communicate with the

Microsoft Exchange Server

Microsoft Exchange Online

The Passive authentication type has been deprecated due to

Microsoft

's deprecation of the Application Impersonation permission in

Microsoft Exchange Online

environments. To avoid email notifications for users in the environment, you must configure

BEMS

to use certificate-based authentication for modern authentication, or

Microsoft Graph

to communicate to user's mailboxes. The passive authentication type will be removed in a future release. For more information, see BEMS: Customers using Office 365 and EWS with Credential or Passive Authentication will stop receiving notifications.

Authentication type	Description	Steps
Credential	This option uses a defined BEMS username and password to authenticate to the on-premises Microsoft Exchange Server using Basic authentication.	In the Service account username field, enter the username of the BEMS service account. Use the format <`domain`>\<`username`>. In the Service account password field, enter the password for the service account.
Client Certificate	This option uses a client certificate to allow the BEMS service account to authenticate to the Microsoft Exchange Server or Microsoft Exchange Online .	Beside the Certificate file (.pfx) field, click Browse . Navigate to and select the client certificate file. In the Password field, enter the password for the client certificate.

If you connect to a

Microsoft Exchange Online

environment, you must enable and configure Modern Authentication. The "use Credentials if Modern authentication fails" option has been deprecated due to

Microsoft

's deprecation of the Application Impersonation permission for users' mailboxes that are on

Microsoft Exchange Online

, enabled for modern authentication, and configured to use credential or passive authentication methods. The option will be removed in a future release. Complete the following steps:

Select the

Enable Modern Authentication

check box.

In the

Authentication authority

field, enter the Authentication Server URL that

BEMS

accesses to retrieve the OAuth token for authentication with

Microsoft Exchange Online

(for example, https://login.microsoftonline.com/tenantname or https://login.microsoftonline.com/tenantid).

In the

Client application ID

field, enter the client app ID. For instructions, see Obtain the client application ID with certificate-based authentication.

In the

Server name

field, enter the FQDN of the

Microsoft Exchange Online

server (for example, https://outlook.office365.com).

In the

Service account username

field, enter the username that is used to log in to the

Microsoft Exchange Server

. The username must be in the format of <Domain>\<Username> or UPN.

In the

Service account password

field, enter the password for the service account username you provided.

Optionally, in the

Autodiscover URL override

field, enter the Autodiscover URL to allow

BEMS

to obtain user information from the

Microsoft Exchange Server

Microsoft Exchange Online

server when it discovers users for

BlackBerry Push Notifications

If you don't enter a URL,

BEMS

uses Autodiscover to locate the

Microsoft Exchange Server

Microsoft Exchange Online

server to obtain user information.

Select the

Allow HTTP redirection and DNS SRV record

check box to allow HTTP Redirection and DNS SRV lookups for retrieving the Autodiscover URL when discovering users for

BlackBerry Push Notifications

. By default, this feature is enabled.

Select the

Use BlackBerry Connectivity Node route

to allow

BEMS

Cloud to connect to the

Microsoft Exchange Server

Microsoft Exchange Online

using the corporate network rather than using a direct connection from the

BlackBerry

BEMS

Cloud infrastructure. This setting requires that the

BlackBerry Connectivity Node

is installed and configured in your environment. If your environment uses

Entra ID

conditional access, make sure that this option is selected.

If your environment uses an internal URL to access and communicate with an on-premises

Microsoft Exchange Server

, select the

Use internal Exchange Web Services URL

check box. This setting requires that the "Use BlackBerry Connectivity Node route" setting is enabled. This option is not available if modern authentication is enabled.

Optionally, select the

Enable SCP Lookup

check box to query

Microsoft Active Directory

using LDAP and locate Autodiscover endpoint URLs. This setting is valid only if the "Credential" authentication is selected and that a

BlackBerry Connectivity Node

is installed and configured in your environment. This option is not available when the "Autodiscover URL override" is specified.

Select the

Enable SSL for SCP

check box. This allows

BEMS

to communicate with the

Microsoft Active Directory

using SSL. This setting requires that the "Enable SCP Lookup" is selected. If you enable this feature, you must add the

Microsoft Active Directory

SSL certificate to the

BEMS

Cloud database. For information on how to add the certificate, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.

If you enabled

Enable SCP Lookup

and

Enable SSL for SCP

, specify the

Domain Controllers for SCP

to configure LDAP over SCP. If you have multiple domain controllers, separate the domain controllers using commas (for example, domaincontroller1.example.com,domaincontroller2.example.com, and so forth).

Optionally, in the

User email address

field, enter an email address to test the connection to the

Microsoft Exchange Server

Microsoft Exchange Online

server. Click

Test connection

. If the test fails, resolve the issues that are identified and try the test again. You can delete the email address after you complete the test.

Click

Save

Assign the BlackBerry Cloud Enterprise Services (com.blackberry.gdservice-entitlement.cloud) entitlement to users to receive email notifications for

BlackBerry Work

. If the entitlement is not assigned, users will not receive email notifications. For instructions, see Managing apps in the

BlackBerry UEM

administration content.