Skip Navigation

Configure email notifications for
BlackBerry Work

BEMS
Cloud accepts push registration requests from devices, such as
iOS
and
Android
, and then communicates with the on-premises
Microsoft Exchange Server
or
Microsoft Office 365
server to check the user's mailbox for changes. When you specify the on-premises
Microsoft Exchange Server
or
Microsoft Office 365
server information, you specify the settings to create the
BEMS
Cloud tenant for your organization.
When the tenant is created, the following services are automatically enabled:
  • BlackBerry Directory Lookup
    : This service allows users to look up other users by first name, last name, and associated photo or avatar from the company directory.
  • BlackBerry
    Follow-Me: This feature supports the
    BlackBerry Dynamics Launcher
    on
    BlackBerry Work
    .
A hybrid modern authentication environment (for example, on-premises
Microsoft Exchange Server
and
Microsoft Office 365
), allows the on-premises
Microsoft Exchange Server
to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises
Microsoft Exchange Server
to use hybrid modern authentication, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication.
Verify that you have the following information and completed the appropriate tasks.
  1. In the management console, click
    Settings > BlackBerry Dynamics > Email notifications
    .
  2. In the
    Authentication type
    section, select an authentication type based on your environment and complete the associated tasks to allow
    BEMS
    to communicate with the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    :
    Authentication type
    Description
    Steps
    Credential
    This option uses a defined
    BEMS
    username and password to authenticate to the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    using Basic Authentication.
    1. In the
      Service account username
      field, enter the username of the
      BEMS
      service account.
      • For
        Microsoft Office 365
        , enter the service account's User Principal Name (UPN).
      • For on-premises
        Microsoft Exchange Server
        , use the format <
        domain
        >\<
        username
        >.
    2. In the
      Service account password
      field, enter the password for the service account.
    Client Certificate
    This option uses a client certificate to allow the
    BEMS
    service account to authenticate to the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    .
    1. Beside the
      Certificate file (.pfx)
      field, click
      Browse
      . Navigate to and select the client certificate file.
    2. In the
      Password
      field, enter the password for the client certificate.
    Passive authentication
    This option uses an identity provider (IDP) to authenticate the user and provide
    BEMS
    with OAuth tokens to authenticate to
    Microsoft Office 365
    .
    In a hybrid environment, authenticates to on-premises
    Microsoft Exchange Server
    *
    .
    1. In the
      Authentication Authority
      field, enter the Authentication Server URL that
      BEMS
      accesses and retrieves the OAuth token for authentication with
      Microsoft Office 365
      (for example, https://login.microsoftonline.com/common).
    2. In the
      Client Application ID
      field, enter the
      Azure
      app ID for the credential authentication. For instructions, see Obtain an Azure app ID for BEMS with credential or passive authentication .
    3. In the
      Server Name
      field, enter the FQDN of the
      Microsoft Office 365
      server. By default, the the server name is https://outlook.office365.com.
    4. The
      Redirect URI
      field displays the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. This field is prepopulated with the partition information and can't be modified.
    5. Click
      Login
      .
    6. Enter the credentials for the service account.
    7. Click
      OK
      to acknowledge that the authentication tokens were obtained.
    8. Important:
      BEMS
      Cloud doesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The tokens expiration time depends on your tenant policy (by default, the token expiration is 90 days). When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you login to the IDP.
  3. If you connect to a
    Microsoft Office 365
    environment, do the following to enable modern authentication:
    1. Select the
      Enable Modern Authentication
      check box.
    2. In the
      Authentication authority
      field, enter the Authentication Server URL that
      BEMS
      accesses to retrieve the OAuth token for authentication with
      Microsoft Office 365
      (for example, https://login.microsoftonline.com/
      tenantname
      or https://login.microsoftonline.com/
      tenantid
      ).
    3. In the
      Client application ID
      field, enter one of the following
      Azure
      app IDs depending on the authentication type you selected. Do one of the following to obtain an
      Azure
      app ID:
    4. In the
      Server name
      field, enter the FQDN of the
      Microsoft Office 365
      server (for example, https://outlook.office365.com).
    5. Optionally, select the
      Use credentials if modern authentication fails
      check box to allow
      BEMS
      to communicate with
      Microsoft Office 365
      in the event that
      BEMS
      can't access the modern authentication source. When you select this check box, you must provide the
      BEMS
      service account credentials.
      When you configure modern authentication, all nodes use the specified configuration.
  4. In the
    Service account username
    field, enter the username that is used to log in to the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    server. The username must be in one of the following formats:
    • If your environment uses an on-premises
      Microsoft Exchange Server
      , use <
      Domain
      >\<
      Username
      > or UPN.
    • If your environment uses
      Microsoft Office 365
      , use <
      username
      >@<
      domain
      >.com.
  5. In the
    Service account password
    field, enter the password for the service account username you provided.
  6. Optionally, in the
    Autodiscover URL override
    field, enter the Autodiscover URL to allow
    BEMS
    to obtain user information from the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    server when it discovers users for
    BlackBerry Push Notifications
    .
    If you don't enter a URL,
    BEMS
    uses Autodiscover to locate the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    server to obtain user information.
  7. Select the
    Allow HTTP redirection and DNS SRV record
    check box to allow HTTP Redirection and DNS SRV lookups for retrieving the Autodiscover URL when discovering users for
    BlackBerry Push Notifications
    . By default, this feature is enabled.
  8. Select the
    Use BlackBerry Connectivity Node route
    to allow
    BEMS
    Cloud to connect to the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    using the corporate network rather than using a direct connection from the
    BlackBerry
    BEMS
    Cloud infrastructure. This setting requires that the
    BlackBerry Connectivity Node
    is installed and configured in your environment. If your environment uses
    Azure AD
    conditional access, make sure that this option is selected.
  9. If your environment uses an internal URL to access and communicate with an on-premises
    Microsoft Exchange Server
    , select the
    Use internal Exchange Web Services URL
    check box. This setting requires that the "Use BlackBerry Connectivity Node route" setting is enabled. This option is not available if modern authentication is enabled.
  10. Optionally, select the
    Enable SCP Lookup
    check box to query
    Microsoft Active Directory
    using LDAP and locate Autodiscover endpoint URLs. This setting is valid only if the "Credential" authentication is selected and that a
    BlackBerry Connectivity Node
    is installed and configured in your environment. This option is not available when the "Autodiscover URL override" is specified.
  11. Select the
    Enable SSL for SCP
    check box. This allows
    BEMS
    to communicate with the
    Microsoft Active Directory
    using SSL. This setting requires that the "Enable SCP Lookup" is selected. If you enable this feature, you must add the
    Microsoft Active Directory
    SSL certificate to the
    BEMS
    Cloud database. For information on how to add the certificate, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.
  12. If you enabled
    Enable SCP Lookup
    or
    Enable SCP Lookup
    and
    Enable SSL for SCP
    , specify the
    Domain Controllers for SCP
    to configure LDAP over SCP. If you have multiple domain controllers, separate the domain controllers using commas (for example, domaincontroller1.example.com,domaincontroller2.example.com, and so forth).
  13. Optionally, in the
    User email address
    field, enter an email address to test the connection to the
    Microsoft Exchange Server
    or
    Microsoft Office 365
    server. Click
    Test connection
    . If the test fails, resolve the issues that are identified and try the test again. You can delete the email address after you complete the test.
  14. Click
    Save
    .
  15. Assign the BlackBerry Cloud Enterprise Services (com.blackberry.gdservice-entitlement.cloud) entitlement to users to receive email notifications for
    BlackBerry Work
    . If the entitlement is not assigned, users will not receive email notifications. For instructions, see the following administration content:
  • Test the connection to the on-premises
    Microsoft Exchange Server
    or
    Microsoft Office 365
    server and Autodiscover. Refresh or reopen the Email notifications screen. Click
    Test connection
    .
    Make sure that the connection test is successful before provisioning devices to avoid any Autodiscover issues. If devices are activated prior to configuring the email notification service, have users log out of
    BlackBerry Work
    and then log in. If the test returns an error message, complete the tasks to resolve the issue and test the connection again.
  • Optionally, create a trusted connection between the
    BEMS
    Cloud and
    Microsoft Exchange Server
    . For instructions, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.
  • Optionally, configure the
    BEMS-Docs
    service. For instructions, see Enable the BEMS-Docs service.