Installing or upgrading
BlackBerry UEM
in a dark site environment

BlackBerry UEM

for dark sites provides a secure mobile device management solution without requiring

UEM

to connect to the

BlackBerry Infrastructure

and other services on the Internet. Because

UEM

does not connect to the Internet, some features are not supported. The following are some considerations to note when you set up

UEM

in a dark-site environment:

Item	Consideration
Supported components	Only the following components are enabled for UEM installed in a dark site environment: UEM management console BlackBerry UEM Core BlackBerry Gatekeeping Service to control which devices can access Exchange ActiveSync
Supported activation types	UEM for dark sites supports activation of only iOS and Samsung Knox devices. You can activate devices with the following activation types: MDM controls ( iOS only) Work space only ( Android Enterprise fully managed device) Work and personal - full control ( Android Enterprise fully managed device with work profile) Work and personal - user privacy ( Android Enterprise with work profile) Work and personal - full control ( Samsung Knox ) UEM for dark sites does not support Knox Mobile Enrollment .
Unsupported components	Features that require devices to connect to your organization's resources through the BlackBerry Infrastructure are not supported, including: BlackBerry Secure Connect Plus BlackBerry Secure Gateway Using UEM as a proxy for SCEP requests BlackBerry Proxy
Unsupported device features	BlackBerry Dynamics is not supported. For supported activation types, not all all device features are supported. In activation profiles, do not enable the following options: Enable MDM controls activation type for Android devices Turn on registration with the BlackBerry Infrastructure Google Play Integrity is not supported. Compliance profiles are not supported for iOS devices because the BlackBerry UEM Client for iOS cannot be installed in dark site environments. The default email app on Samsung Knox devices needs to connect to the Samsung infrastructure before it will send and receive data. You can choose to allow this connection or use a different email app on Samsung Knox devices.
Licensing	You must manually import license information into UEM . If your organization is using Samsung Knox devices in a dark site environment, an on-premises Samsung Knox License On-Premises server was installed with UEM . Devices communicate with the Knox License On-Premises server using your work Wi-Fi network. If you are activating devices with Android Enterprise activation types and the Knox License On-Premises server certificate is signed by an internal CA, you need to send the Knox License On-Premises server certificate to devices using a CA certificate profile.
APNs	To manage iOS devices, UEM must send notifications to devices through an APNs server. When devices receive a notification from APNs, they contact UEM for updates. The process for obtaining an APNs certificate is different for dark site environments. After you download and save the unsigned CSR certificate from BlackBerry , you must send it to your BlackBerry customer support representative to have it signed by the BlackBerry CA. Once they return the signed certificate, you can complete the instructions to register the certificate.
VPN	After activation, iOS devices connect to UEM and your resources using a VPN connection. To use VPN, you must install an appropriate VPN app on devices and set up a VPN profile in UEM . Samsung Knox can connect to UEM and your resources over a VPN connection. For information, see Set up VPN using Knox StrongSwan in the Configuration content.

Section:

Installing or upgrading the BlackBerry UEM software

Install or upgrade BlackBerry UEM in a dark site environment

Adding licenses to BlackBerry UEM for dark sites

Installing or upgrading BlackBerry UEM in a dark site environment

Installing or upgrading
BlackBerry UEM
in a dark site environment