BlackBerry UEM architecture Skip Navigation

BlackBerry UEM
architecture

The
BlackBerry UEM
architecture is designed to help you manage mobile devices for your organization and provide a secure link for data to travel between your organization's mail and content servers and your user's devices.

Architecture:
BlackBerry UEM
solution

Component
Description
BlackBerry UEM
BlackBerry UEM
is a unified endpoint management solution that provides comprehensive multiplatform device, application, and content management with integrated security and connectivity.
BlackBerry Infrastructure
The
BlackBerry Infrastructure
is a global private data network distributed across multiple regions that enables and secures data in transit between thousands of organizations and millions of users around the world. It is designed to efficiently manage the transport of data between
BlackBerry
services and end-user devices.
For organizations using
UEM
, the
BlackBerry Infrastructure
registers user information for device activation, validates licensing information, and provides a trusted path between the organization and every user based on strong cryptographic mutual authentication.
UEM
maintains a constant connection to the
BlackBerry Infrastructure
, ensuring that organizations require only a single outbound connection to a trusted IP address to send data to users. All the data that travels between the
BlackBerry Infrastructure
and
UEM
is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.
BlackBerry Dynamics
NOC
The
BlackBerry Dynamics
NOC is a network operations center that provides secure communications between
BlackBerry Dynamics
apps on devices,
UEM
, and the
BlackBerry Enterprise Mobility Server
.
Devices
BlackBerry UEM
supports
iOS
,
macOS
,
Android
, and
Windows
devices.
Notification services
UEM
sends notifications to devices to contact
UEM
for updates and to report information for your organization’s device inventory. These notifications are sent to the
BlackBerry Infrastructure
, where they are sent to the devices using the appropriate notification service:
  • APNs is a service that
    Apple
    provides to send notifications to
    iOS
    and
    macOS
    devices.
  • FCM is a service that
    Google
    provides to send notifications to
    Android
    devices.
  • Windows
    Push Notification Services (WNS) is a service that
    Microsoft
    provides to send notifications to
    Windows
    devices.
Routing components
By default,
UEM
makes a direct connection to the
BlackBerry Infrastructure
over ports 3101 and 443, and you do not need to install more routing components. If your organization's security standards require that internal systems cannot make connections directly to the Internet, you can use the
BlackBerry Router
or a proxy server.
The
BlackBerry Router
acts as a proxy server for connections over the
BlackBerry Infrastructure
between
UEM
and all devices. The
BlackBerry Router
can support SOCKs v5 with no authentication.
If your organization already has a TCP proxy server installed, or needs one to meet networking requirements, you can use a TCP proxy server instead of the
BlackBerry Router
. The TCP proxy server can support SOCKs v5 with no authentication.
The
BlackBerry UEM Core
and
BlackBerry Proxy
support using an HTTP proxy server to connect to the
BlackBerry Dynamics
NOC.
Third-party application and content servers
Additional content servers and application servers in your organization's environment, including the company directory, mail server, certificate authorities, and so on.
BlackBerry
plug-ins and
BEMS
UEM
works with additional
BlackBerry
enterprise products such as
BlackBerry Enterprise Identity
,
BlackBerry 2FA
, and
BlackBerry Workspaces
to extend
UEM
capabilities in your organization. For more information, see Companion products and services.
The
BlackBerry Enterprise Mobility Server
provides services to send work data to and from
BlackBerry Dynamics
apps. For more information, see the BlackBerry Enterprise Mobility Server docs.

Architecture:
BlackBerry UEM Cloud
solution

The
BlackBerry UEM Cloud
architecture was designed to help you manage mobile devices for your organization in a cloud environment and provide a secure link for data to travel between your organization's mail and content servers and your users' devices.
Diagram that shows the components used in the in the BlackBerry UEM Cloud solution
Component
Description
BlackBerry UEM Cloud
BlackBerry UEM Cloud
is a service that allows you to manage devices used in your organization's environment.
BlackBerry Infrastructure
and
BlackBerry Dynamics NOC
The
BlackBerry Infrastructure
registers user information for device activation and validates licensing information. If you enable
BlackBerry Secure Connect Plus
or the
BlackBerry Secure Gateway
, data in transit that uses these services passes through the
BlackBerry Infrastructure
.
The
BlackBerry Dynamics NOC
is a separately located NOC that provides secure communications between
BlackBerry Dynamics
apps on devices and
BlackBerry Proxy
installed behind the firewall as part of the
BlackBerry Connectivity Node
.
Devices
BlackBerry UEM Cloud
supports
iOS
,
macOS
,
Android
, and
Windows
devices.
Notification services
UEM Cloud
sends notifications to devices to contact
UEM
for updates and to report information for your organization's device inventory. These notifications are sent to the
BlackBerry Infrastructure
, where they are sent to devices using the appropriate notification service:
  • APNs is a service that
    Apple
    provides to send notifications to
    iOS
    and
    macOS
    devices.
  • FCM is a service that
    Google
    provides to send notifications to
    Android
    devices.
  • WNS is a service that
    Microsoft
    provides to send notifications to
    Windows 10
    devices.
BlackBerry Connectivity Node
The
BlackBerry Connectivity Node
is an optional component that you install inside your organization's firewall. It includes the following components that add functionality to
UEM Cloud
:
  • The
    BlackBerry Cloud Connector
    connects
    UEM Cloud
    to your company directory behind the firewall to allow basic attribute synchronization, search functionality, and user authentication services. If you don't install the
    BlackBerry Connectivity Node
    and your company directory is behind the firewall, you must create local user accounts in
    UEM Cloud
    instead of using the user accounts in your company directory. The
    BlackBerry Cloud Connector
    is not required for
    UEM Cloud
    to connect to
    Microsoft Entra ID
    .
  • BlackBerry Proxy
    maintains a secure connection between your organization and the
    BlackBerry Dynamics NOC
    , which allows
    BlackBerry Dynamics
    apps to communicate securely with your organization's resources behind the firewall. It also supports
    BlackBerry Dynamics Direct Connect
    , which allows app data to bypass the
    BlackBerry Dynamics NOC
    .
  • The
    BlackBerry Gatekeeping Service
    sends commands to
    Exchange ActiveSync
    to add devices to an allowed list when devices are activated on
    UEM Cloud
    . Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed by an administrator using the
    UEM
    management console.
  • BlackBerry Secure Connect Plus
    provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the
    BlackBerry Infrastructure
    .
  • BlackBerry Secure Gateway
    provides a secure connection through the
    BlackBerry Infrastructure
    and
    UEM Cloud
    to your organization's mail server for
    iOS
    devices.
Company directory
UEM Cloud
supports connectivity with your organization's
Microsoft Active Directory
or LDAP company directory behind the firewall using the
BlackBerry Connectivity Node
.
Microsoft Entra ID
(formerly Azure AD)
Microsoft Entra ID
is a cloud-based directory management service. If your organization uses
Entra ID
, you can connect to it instead of, or in addition to, a company directory behind the firewall.
Content, application, and mail servers
When you enable
BlackBerry Secure Connect Plus
or when users have
BlackBerry Dynamics
apps, devices can connect to your organization's servers without requiring you to open a direct connection between the server and the Internet. Work data in transit between your servers and devices is sent through
BlackBerry Secure Connect Plus
and the
BlackBerry Infrastructure
.
BlackBerry Dynamics
app data is sent through
BlackBerry Proxy
and the
BlackBerry Dynamics NOC
.
BlackBerry Secure Gateway
provides a secure connection through the
BlackBerry Infrastructure
and
BlackBerry Connectivity Node
between your organization's mail server and
iOS
devices.
BlackBerry
plug-ins and
BEMS
UEM
works with additional
BlackBerry
enterprise products such as
BlackBerry Enterprise Identity
,
BlackBerry 2FA
, and
BlackBerry Workspaces
to extend
UEM
capabilities in your organization. For more information, see Companion products and services.
The
BlackBerry Enterprise Mobility Server
provides services to send work data to and from
BlackBerry Dynamics
apps. For more information, see the BlackBerry Enterprise Mobility Server docs.