BlackBerry UEM

architecture

BlackBerry UEM

is a unified endpoint management solution that provides comprehensive multiplatform device, application, and content management with integrated security and connectivity.

The

BlackBerry Infrastructure

is a global private data network distributed across multiple regions that enables and secures data in transit between thousands of organizations and millions of users around the world. It is designed to efficiently manage the transport of data between

BlackBerry

services and end-user devices.

For organizations using

UEM

, the

BlackBerry Infrastructure

registers user information for device activation, validates licensing information, and provides a trusted path between the organization and every user based on strong cryptographic mutual authentication.

UEM

maintains a constant connection to the

BlackBerry Infrastructure

, ensuring that organizations require only a single outbound connection to a trusted IP address to send data to users. All the data that travels between the

BlackBerry Infrastructure

and

UEM

is authenticated and encrypted to provide a secure communication channel into your organization for devices outside the firewall.

The

BlackBerry Dynamics

NOC is a network operations center that provides secure communications between

BlackBerry Dynamics

apps on devices,

UEM

, and the

BlackBerry Enterprise Mobility Server

.

BlackBerry UEM

supports

iOS

,

macOS

,

Android

, and

Windows

devices.

UEM

sends notifications to devices to contact

UEM

for updates and to report information for your organization’s device inventory. These notifications are sent to the

BlackBerry Infrastructure

, where they are sent to the devices using the appropriate notification service:

APNs is a service that
Apple
provides to send notifications to
iOS
and
macOS
devices.
FCM is a service that
Google
provides to send notifications to
Android
devices.
Windows
Push Notification Services (WNS) is a service that
Microsoft
provides to send notifications to
Windows
devices.

By default,

UEM

makes a direct connection to the

BlackBerry Infrastructure

over ports 3101 and 443, and you do not need to install more routing components. If your organization's security standards require that internal systems cannot make connections directly to the Internet, you can use the

BlackBerry Router

or a proxy server.

The

BlackBerry Router

acts as a proxy server for connections over the

BlackBerry Infrastructure

between

UEM

and all devices. The

BlackBerry Router

can support SOCKs v5 with no authentication.

If your organization already has a TCP proxy server installed, or needs one to meet networking requirements, you can use a TCP proxy server instead of the

BlackBerry Router

. The TCP proxy server can support SOCKs v5 with no authentication.

The

BlackBerry UEM Core

and

BlackBerry Proxy

support using an HTTP proxy server to connect to the

BlackBerry Dynamics

NOC.

Additional content servers and application servers in your organization's environment, including the company directory, mail server, certificate authorities, and so on.

UEM

works with additional

BlackBerry

enterprise products such as

BlackBerry Enterprise Identity

,

BlackBerry 2FA

, and

BlackBerry Workspaces

to extend

UEM

capabilities in your organization. For more information, see Companion products and services.

The

BlackBerry Enterprise Mobility Server

provides services to send work data to and from

BlackBerry Dynamics

apps. For more information, see the BlackBerry Enterprise Mobility Server docs.

BlackBerry UEM Cloud

is a service that allows you to manage devices used in your organization's environment.

The

BlackBerry Infrastructure

registers user information for device activation and validates licensing information. If you enable

BlackBerry Secure Connect Plus

or the

BlackBerry Secure Gateway

, data in transit that uses these services passes through the

BlackBerry Infrastructure

.

The

BlackBerry Dynamics NOC

is a separately located NOC that provides secure communications between

BlackBerry Dynamics

apps on devices and

BlackBerry Proxy

installed behind the firewall as part of the

BlackBerry Connectivity Node

.

UEM Cloud

sends notifications to devices to contact

UEM

for updates and to report information for your organization's device inventory. These notifications are sent to the

BlackBerry Infrastructure

, where they are sent to devices using the appropriate notification service:

APNs is a service that
Apple
provides to send notifications to
iOS
and
macOS
devices.
FCM is a service that
Google
provides to send notifications to
Android
devices.
WNS is a service that
Microsoft
provides to send notifications to
Windows 10
devices.

The

BlackBerry Connectivity Node

is an optional component that you install inside your organization's firewall. It includes the following components that add functionality to

UEM Cloud

:

The
BlackBerry Cloud Connector
connects
UEM Cloud
to your company directory behind the firewall to allow basic attribute synchronization, search functionality, and user authentication services. If you don't install the
BlackBerry Connectivity Node
and your company directory is behind the firewall, you must create local user accounts in
UEM Cloud
instead of using the user accounts in your company directory. The
BlackBerry Cloud Connector
is not required for
UEM Cloud
to connect to
Microsoft Entra ID
.
BlackBerry Proxy
maintains a secure connection between your organization and the
BlackBerry Dynamics NOC
, which allows
BlackBerry Dynamics
apps to communicate securely with your organization's resources behind the firewall. It also supports
BlackBerry Dynamics Direct Connect
, which allows app data to bypass the
BlackBerry Dynamics NOC
.
The
BlackBerry Gatekeeping Service
sends commands to
Exchange ActiveSync
to add devices to an allowed list when devices are activated on
UEM Cloud
. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed by an administrator using the
UEM
management console.
BlackBerry Secure Connect Plus
provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the
BlackBerry Infrastructure
.
BlackBerry Secure Gateway
provides a secure connection through the
BlackBerry Infrastructure
and
UEM Cloud
to your organization's mail server for
iOS
devices.

UEM Cloud

supports connectivity with your organization's

Microsoft Active Directory

or LDAP company directory behind the firewall using the

BlackBerry Connectivity Node

.

Microsoft Entra ID

is a cloud-based directory management service. If your organization uses

Entra ID

, you can connect to it instead of, or in addition to, a company directory behind the firewall.

When you enable

BlackBerry Secure Connect Plus

or when users have

BlackBerry Dynamics

apps, devices can connect to your organization's servers without requiring you to open a direct connection between the server and the Internet. Work data in transit between your servers and devices is sent through

BlackBerry Secure Connect Plus

and the

BlackBerry Infrastructure

.

BlackBerry Dynamics

app data is sent through

BlackBerry Proxy

and the

BlackBerry Dynamics NOC

.

BlackBerry Secure Gateway

provides a secure connection through the

BlackBerry Infrastructure

and

BlackBerry Connectivity Node

between your organization's mail server and

iOS

devices.

UEM

works with additional

BlackBerry

enterprise products such as

BlackBerry Enterprise Identity

,

BlackBerry 2FA

, and

BlackBerry Workspaces

to extend

UEM

capabilities in your organization. For more information, see Companion products and services.

The

BlackBerry Enterprise Mobility Server

provides services to send work data to and from

BlackBerry Dynamics

apps. For more information, see the BlackBerry Enterprise Mobility Server docs.