Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.21
  3. BlackBerry UEM Installation and Upgrade
  4. Installing or upgrading the BlackBerry UEM software
  5. Installing or upgrading BlackBerry UEM in a dark site environment

Installing or upgrading
BlackBerry UEM
 in a dark site environment

BlackBerry UEM
 for dark sites provides a secure mobile device management solution without requiring
UEM
 to connect to the
BlackBerry Infrastructure
 and other services on the Internet. Because
UEM
 does not connect to the Internet, some features are not supported. The following are some considerations to note when you set up
UEM
 in a dark-site environment:
Item
Consideration
Supported components
Only the following components are enabled for
UEM
 installed in a dark site environment:
  • UEM
     management console
  • BlackBerry UEM Core
  • BlackBerry Gatekeeping Service
     to control which devices can access
    Exchange ActiveSync
Supported
iOS
 activation types
For
iOS
 devices, dark site environments support the MDM controls activation type only.
Supported activation types for
Android
  • Work and personal - user privacy (
    Android Enterprise
     with work profile)
  • Work and personal - full control (
    Android Enterprise
     fully managed device with work profile)
  • Work space only (
    Android Enterprise
     fully managed device)
Due to third-party limitations for
Samsung Knox
 devices:
  • The Work and personal - full control (
    Android Enterprise
     fully managed device with work profile) activation type is not supported for
    Samsung Knox
     devices in a dark site environment.
  • DualDAR is not supported in a dark site environment.
  • For devices with the Work and personal - user privacy (
    Android Enterprise
     with work profile) activation type, the CA certificate of the
    Knox
     licensing server must be sideloaded onto
    Samsung
     devices.
Unsupported components
Features that require devices to connect to your organization's resources through the
BlackBerry Infrastructure
 are not supported, including:
  • BlackBerry Secure Connect Plus
  • BlackBerry Secure Gateway
  • Using
    UEM
     as a proxy for SCEP requests
  • BlackBerry Proxy
Unsupported device features
  • BlackBerry Dynamics
     is not supported.
  • For supported activation types, not all all device features are supported. In activation profiles, do not enable the following options:
    • Enable MDM controls activation type for Android devices
    • Turn on registration with the BlackBerry Infrastructure
  • Google Play Integrity
     is not supported.
  • Compliance profiles are not supported for
    iOS
     devices because the
    BlackBerry UEM Client
     for
    iOS
     cannot be installed in dark site environments.
  • The default email app on
    Samsung Knox
     devices needs to connect to the
    Samsung
     infrastructure before it will send and receive data. You can choose to allow this connection or use a different email app on
    Samsung Knox
     devices.
Licensing
You must manually import license information into
UEM
.
If your organization is using
Samsung Knox
 devices in a dark site environment, an on-premises
Samsung Knox
 License On-Premises server was installed with
UEM
.
Devices communicate with the
Knox
 License On-Premises server using your work 
Wi-Fi
 network. If you are activating devices with
Android Enterprise
 activation types and the
Knox
 License On-Premises server certificate is signed by an internal CA, you need to send the
Knox
 License On-Premises server certificate to devices using a CA certificate profile.
APNs
To manage
iOS
 devices,
UEM
 must send notifications to devices through an APNs server. When devices receive a notification from APNs, they contact
UEM
 for updates.
The process for obtaining an APNs certificate is different for dark site environments. After you download and save the unsigned CSR certificate from
BlackBerry
, you must send it to your
BlackBerry
 customer support representative to have it signed by the
BlackBerry
 CA. Once they return the signed certificate, you can complete the instructions to register the certificate.
VPN
After activation,
iOS
 devices connect to
UEM
 and your resources using a VPN connection. To use VPN, you must install an appropriate VPN app on devices and set up a VPN profile in
UEM
.
Samsung Knox
 can connect to
UEM
 and your resources over a VPN connection. For information, see Set up VPN using Knox StrongSwan in the Configuration content.
FCM notifications for
Android
 devices
FCM notifications are not available, but the
UEM Client
 will periodically check for commands. You can configure the poll rate using the Enterprise Management Agent poll rate setting in the Enterprise Management Agent profile. You can reduce the poll rate to increase the rate at which apps are installed and commands are executed. Note that reducing the poll rate can have an impact on device battery use.