Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.17
  3. Planning and Architecture
  4. BlackBerry UEM Architecture and Data Flows
  5. Sending and receiving work data
  6. Sending and receiving work data using the BlackBerry Infrastructure
  7. Data flow: Authenticating with the mail server from an iOS device when using BlackBerry Secure Gateway

Data flow: Authenticating with the mail server from an
iOS
 device when using
BlackBerry Secure Gateway

This data flow describes how
iOS
 13 and later devices authenticate with your mail server through
BlackBerry Secure Gateway
 using
Microsoft
 modern authentication. For information on configuring the
BlackBerry Secure Gateway
 to use modern authentication, see the Administration content.
Diagram showing the steps and components mentioned in the following data flow.
The following steps describe the standard data flow. Some details may vary depending on the configuration of your
Azure
 tenant. For more information on how the
Microsoft
 identity provider manages authorization requests, see the
Microsoft
 documentation.
  1. BlackBerry Secure Gateway
     retrieves and caches the discovery documents from the authorization server/identity provider specified in the
    BlackBerry Secure Gateway
     configuration settings.
    BlackBerry Secure Gateway
     retrieves both the unversioned discovery document for
    iOS
     13 devices and the v2.0 discovery document for
    iOS
     14.6 and later devices.
  2. The device establishes a secure connection through the
    BlackBerry Infrastructure
     to the
    BlackBerry Secure Gateway
    .
  3. The
    BlackBerry Secure Gateway
     establishes a TLS connection with the authorization server/identity provider specified in the
    BlackBerry Secure Gateway
     configuration settings.
  4. The device sends an authorization code request through the
    BlackBerry Secure Gateway
     to the authorization server/identity provider.
  5. The authorization server/identity provider returns a 302 HTTP redirect response to the device.
  6. The device sends an authorization request to the URL specified by the redirect response. The request does not route through the
    BlackBerry Secure Gateway
    .
  7. The authorization server/identity provider sends user authentication request to the device. The type of request (for example, a login page, or prompt from the
    Microsoft
     Authenticator app) and the message flow for user authentication depends on the configuration of your
    Azure
     tenant.
  8. The user provides the requested credentials to the authorization server/identity provider.
  9. When user authentication is complete, the authorization server/identity provider sends an authorization code to the device.
  10. The device requests the authorization server/identity provider discovery document from the
    BlackBerry Secure Gateway
    .
  11. The
    BlackBerry Secure Gateway
     sends the discovery document to the device.
  12. The device sends an access token request through the
    BlackBerry Secure Gateway
     to the authorization server/identity provider.
  13. The authorization server/identity provider sends the access token to the device.
  14. When it sends or receives email, the device presents the access token to establish a secure connection to the mail server.
    When the access token expires, the device sends a new token request through the
    BlackBerry Secure Gateway
     to the authorization server/identity provider.