Configure email notifications for BlackBerry Work
BlackBerry Work
BEMS
Cloud accepts push registration requests from devices, such as iOS
and Android
, and then communicates with the on-premises Microsoft Exchange
Server
or Microsoft Office
365
server to check the user's mailbox for changes. When you specify the on-premises Microsoft Exchange
Server
or Microsoft Office
365
server information, you specify the settings to create the BEMS
Cloud tenant for your organization.
When the tenant is created, the following services are automatically enabled:
- BlackBerry Directory Lookup: This service allows users to look up other users by first name, last name, and associated photo or avatar from the company directory.
- BlackBerryFollow-Me: This feature supports theBlackBerry Dynamics LauncheronBlackBerry Work.
A hybrid modern authentication environment (for example, on-premises
Microsoft Exchange
Server
and Microsoft Office
365
), allows the on-premises Microsoft Exchange
Server
to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises Microsoft Exchange
Server
to use hybrid modern authentication, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication.Verify that you have the following information and completed the appropriate tasks.
- If you have a hybridMicrosoft Office 365and on-premisesMicrosoft Exchange Serverenvironment, and you enable Modern Authentication, make sure that the on-premisesMicrosoft Exchange Serveris configured to use hybrid modern authentication. For more information, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication. If theMicrosoft Exchange Serveris not configured appropriately, users won't receive email notifications.
- In aMicrosoft Office 365environment, if you plan to enable modern authentication, verify that you completed the following:
- If you enable modern authentication using client-certificate authentication, do one of the following:
- If you have configuredAzure ADconditional access for your organization, make sure that theBlackBerry Connectivity Nodeis installed and configured in your environment.
- Configure email notifications forBlackBerry Work
- In an on-premisesMicrosoft Exchangeenvironment, make sure that theMicrosoft Exchange Serveris updated to support TLS 1.2 or push notifications will fail. Weaker cipher suites such as TLSv1 or TLS 1.0 are disabled by default. Disabling the cipher suites provides enhanced security.
- If you use Passive Authentication, verify that you have the App ID for BEMS using credential authentication.
- If you use SSL for SCP lookup, verify that you exported theMicrosoft Active DirectorySSL certificate.
- In the management console, clickSettings > BlackBerry Dynamics > Email notifications.
- In theAuthentication typesection, select an authentication type based on your environment and complete the associated tasks to allowBEMSto communicate with theMicrosoft Exchange ServerorMicrosoft Office 365:Authentication typeDescriptionStepsCredentialThis option uses a definedBEMSusername and password to authenticate to theMicrosoft Exchange ServerorMicrosoft Office 365using Basic Authentication.
- In theService account usernamefield, enter the username of theBEMSservice account.
- ForMicrosoft Office 365, enter the service account's User Principal Name (UPN).
- For on-premisesMicrosoft Exchange Server, use the format <domain>\<username>.
- In theService account passwordfield, enter the password for the service account.
Client CertificateThis option uses a client certificate to allow theBEMSservice account to authenticate to theMicrosoft Exchange ServerorMicrosoft Office 365.- Beside theCertificate file (.pfx)field, clickBrowse. Navigate to and select the client certificate file.
- In thePasswordfield, enter the password for the client certificate.
Passive authenticationThis option uses an identity provider (IDP) to authenticate the user and provideBEMSwith OAuth tokens to authenticate toMicrosoft Office 365.In a hybrid environment, authenticates to on-premisesMicrosoft Exchange Server*.- In theAuthentication Authorityfield, enter the Authentication Server URL thatBEMSaccesses and retrieves the OAuth token for authentication withMicrosoft Office 365(for example, https://login.microsoftonline.com/common).
- In theClient Application IDfield, enter theAzureapp ID for the credential authentication. For instructions, see Obtain an Azure app ID for BEMS with credential or passive authentication .
- In theServer Namefield, enter the FQDN of theMicrosoft Office 365server. By default, the the server name is https://outlook.office365.com.
- TheRedirect URIfield displays the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. This field is prepopulated with the partition information and can't be modified.
- ClickLogin.
- Enter the credentials for the service account.
- ClickOKto acknowledge that the authentication tokens were obtained.
- Important:BEMSCloud doesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The tokens expiration time depends on your tenant policy (by default, the token expiration is 90 days). When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you login to the IDP.
- If you connect to aMicrosoft Office 365environment, do the following to enable modern authentication:
- Select theEnable Modern Authenticationcheck box.
- In theAuthentication authorityfield, enter the Authentication Server URL thatBEMSaccesses to retrieve the OAuth token for authentication withMicrosoft Office 365(for example, https://login.microsoftonline.com/tenantnameor https://login.microsoftonline.com/tenantid).
- In theClient application IDfield, enter one of the followingAzureapp IDs depending on the authentication type you selected. Do one of the following to obtain anAzureapp ID:
- In theServer namefield, enter the FQDN of theMicrosoft Office 365server (for example, https://outlook.office365.com).
- Optionally, select theUse credentials if modern authentication failscheck box to allowBEMSto communicate withMicrosoft Office 365in the event thatBEMScan't access the modern authentication source. When you select this check box, you must provide theBEMSservice account credentials.When you configure modern authentication, all nodes use the specified configuration.
- In theService account usernamefield, enter the username that is used to log in to theMicrosoft Exchange ServerorMicrosoft Office 365server. The username must be in one of the following formats:
- If your environment uses an on-premisesMicrosoft Exchange Server, use <Domain>\<Username> or UPN.
- If your environment usesMicrosoft Office 365, use <username>@<domain>.com.
- In theService account passwordfield, enter the password for the service account username you provided.
- Optionally, in theAutodiscover URL overridefield, enter the Autodiscover URL to allowBEMSto obtain user information from theMicrosoft Exchange ServerorMicrosoft Office 365server when it discovers users forBlackBerry Push Notifications.If you don't enter a URL,BEMSuses Autodiscover to locate theMicrosoft Exchange ServerorMicrosoft Office 365server to obtain user information.
- Select theAllow HTTP redirection and DNS SRV recordcheck box to allow HTTP Redirection and DNS SRV lookups for retrieving the Autodiscover URL when discovering users forBlackBerry Push Notifications. By default, this feature is enabled.
- Select theUse BlackBerry Connectivity Node routeto allowBEMSCloud to connect to theMicrosoft Exchange ServerorMicrosoft Office 365using the corporate network rather than using a direct connection from theBlackBerryBEMSCloud infrastructure. This setting requires that theBlackBerry Connectivity Nodeis installed and configured in your environment. If your environment usesAzure ADconditional access, make sure that this option is selected.
- If your environment uses an internal URL to access and communicate with an on-premisesMicrosoft Exchange Server, select theUse internal Exchange Web Services URLcheck box. This setting requires that the "Use BlackBerry Connectivity Node route" setting is enabled. This option is not available if modern authentication is enabled.
- Optionally, select theEnable SCP Lookupcheck box to queryMicrosoft Active Directoryusing LDAP and locate Autodiscover endpoint URLs. This setting is valid only if the "Credential" authentication is selected and that aBlackBerry Connectivity Nodeis installed and configured in your environment. This option is not available when the "Autodiscover URL override" is specified.
- Select theEnable SSL for SCPcheck box. This allowsBEMSto communicate with theMicrosoft Active Directoryusing SSL. This setting requires that the "Enable SCP Lookup" is selected. If you enable this feature, you must add theMicrosoft Active DirectorySSL certificate to theBEMSCloud database. For information on how to add the certificate, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.
- If you enabledEnable SCP LookuporEnable SCP LookupandEnable SSL for SCP, specify theDomain Controllers for SCPto configure LDAP over SCP. If you have multiple domain controllers, separate the domain controllers using commas (for example, domaincontroller1.example.com,domaincontroller2.example.com, and so forth).
- Optionally, in theUser email addressfield, enter an email address to test the connection to theMicrosoft Exchange ServerorMicrosoft Office 365server. ClickTest connection. If the test fails, resolve the issues that are identified and try the test again. You can delete the email address after you complete the test.
- ClickSave.
- Assign the BlackBerry Cloud Enterprise Services (com.blackberry.gdservice-entitlement.cloud) entitlement to users to receive email notifications forBlackBerry Work. If the entitlement is not assigned, users will not receive email notifications. For instructions, see the following administration content:
- Test the connection to the on-premisesMicrosoft Exchange ServerorMicrosoft Office 365server and Autodiscover. Refresh or reopen the Email notifications screen. ClickTest connection.Make sure that the connection test is successful before provisioning devices to avoid any Autodiscover issues. If devices are activated prior to configuring the email notification service, have users log out ofBlackBerry Workand then log in. If the test returns an error message, complete the tasks to resolve the issue and test the connection again.
- Optionally, create a trusted connection between theBEMSCloud andMicrosoft Exchange Server. For instructions, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.
- Optionally, configure theBEMS-Docsservice. For instructions, see Enable the BEMS-Docs service.