Configure BlackBerry UEM for a BSI-certified environment

You must perform the following tasks to configure BlackBerry UEM for a BSI-certified environment:

Task | Steps |
---|---|
Create administrator roles for different types of administrator users to manage the UEM environment. | |
Optional: Install a standalone BlackBerry Router. | Follow the instructions in Install a standalone BlackBerry Router. |
Add users and groups. | With the LDAP directory connection configured, you can now proceed to add user accounts and groups to your UEM environment to manage the assignment of common configurations to users in the tasks that follow. To add user accounts and groups, see the following: |
Integrate UEM with the Apple Push Notification Service. | Follow the instructions in Request and register an APNs certificate. |
Configure UEM to synchronize with the Apple Device Enrollment Program. | Follow the instructions in Configure BlackBerry UEM for DEP. |
Integrate UEM with a syslog server. | Follow the instructions in Configure global logging settings. You can set up a syslog server for storing both device audit logs and server audit logs. You must use mutual X.509v3 authentication for the connection between UEM and the syslog server. The server certificate that the syslog server presents in the TLS negotiation must be a valid X.509v3 certificate, and it must chain to the trust root certificate (CA) that you upload to the UEM server. |
Configure audit settings. | Follow the instructions in Configure audit settings. For more information about the options that you have to monitor your UEM environment, see the UEM Monitoring and reporting Administration Guide. |
Create and configure a Knox Service Plugin profile. | See Managing Android devices with OEM app configurations and follow the instructions in Create a Knox Service Plugin profile. You can configure user password requirements using the Knox Service Plugin configuration. Assign the profile to users and groups. |
Create an ACME profile. | Follow the instructions in Send client certificates to devices using ACME. Assign the profile to users and groups. |
Create and configure an activation profile. | Follow the instructions in Create an activation profile and configure the following: For iOS: For Android, set the Activation type to Work space only (Android Enterprise fully managed device). Assign the profile to users and groups. |
Configure certificate management. | For more information about using UEM to distribute and manage certificates, see the Managing secure connections Administration Guide. |
Configure attestation. | To configure attestation, follow the instructions in Configure attestation for iOS devices and Configure attestation for Android devices. Optionally, you can configure compliance rules to define actions that UEM will carry out when attestation failures occur on devices. See the next row for more information about creating and configuring a compliance profile. |
Create and configure a compliance profile. | Follow the instructions in Create a compliance profile and configure the profile as appropriate for your environment. Configure the following settings for iOS: Assign the profile to users and groups. After iOS users activate their devices on UEM, they will use an option in UEM Self-Service that allows them to manually install the user certificate that is trusted by the uploaded signing certificate (see the last two rows below). |
Create and configure IT policies. | Follow the instructions in Manage IT policies to create and configure IT policies. For more information about the available policy rules, see the IT policy spreadsheet. For iOS, turn off the “Allow installing configuration profiles (supervised only)” policy rule. UEM features policy rules for all current iOS restrictions, including the following: You can use IT policy rules to configure password requirements for iOS device users. Assign the IT policies to users and groups. |
Configure Knox Mobile Enrollment. | Follow the instructions in Activate multiple devices using Knox Mobile Enrollment. If you want to activate an individual Samsung Android device using a QR code, do the following: Following activation, Work space only devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained preinstalled apps depends on the device vendor and OS version. Certificate pinning is not used for communication between enrolled Android devices and UEM. Enrolled Android devices must be configured to trust only approved certificate authorities. |
Activate iOS DEP devices. | Follow these instructions to activate iOS DEP devices: |
After activation, iOS device users install the user certificate. | Instruct iOS device users to log in to UEM Self-Service and click Temporarily allow profile installation > Enable. This will temporarily allow the user to manually install the user certificate that is trusted by the signing certificate that you associated with the compliance profile. Instruct device users on the preferred way to install the user certificate on the device. |
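The syslog row above requires mutual X.509v3 TLS, with the syslog server certificate chained to the CA you upload to UEM. The script below is an added example, not from the BlackBerry UEM documentation, that checks a certificate file against a CA file the way you would before uploading that root to UEM; it assumes openssl is on PATH and builds a constructed sample PKI (placeholder hostnames) in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the BlackBerry UEM documentation: pre-flight check that a
# syslog server certificate is X.509v3 and chains to the trust root you upload to UEM.
# Assumptions: openssl is on PATH; the CA and certificates built here are a constructed
# sample PKI standing in for your real one; hostnames are placeholders.
set -e
WORK=$(mktemp -d)

# Build the constructed sample PKI: a root CA, a syslog server cert issued under it,
# and an unrelated self-signed cert as a negative case.
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Trust Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=syslog.example.test" \
    -keyout "$WORK/syslog.key" -out "$WORK/syslog.csr" >/dev/null 2>&1
  # v3 extensions: without an extfile, older openssl releases emit a v1 certificate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:syslog.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/syslog.ext"
  openssl x509 -req -in "$WORK/syslog.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/syslog.ext" \
    -out "$WORK/syslog.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=rogue.example.test" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# check_syslog_cert CA_FILE CERT_FILE
# Returns 0 only if CERT_FILE is an X.509 v3 certificate that verifies against CA_FILE,
# i.e. the same root you would upload to UEM; 1 on a wrong version, 2 on a broken chain.
# Run the same check on the client certificate used for the mutual-TLS side, against
# the CA that the syslog server trusts.
check_syslog_cert() {
  ca="$1"; cert="$2"
  openssl x509 -in "$cert" -noout -text | grep -q 'Version: 3' || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
  return 0
}

make_sample_pki
if check_syslog_cert "$WORK/ca.pem" "$WORK/syslog.pem"; then
  echo "syslog.pem: X.509v3 and chained to ca.pem; ca.pem is the trust root to upload"
fi
if ! check_syslog_cert "$WORK/ca.pem" "$WORK/rogue.pem"; then
  echo "rogue.pem: rejected, not issued under ca.pem"
fi
```

Point the script at the real server certificate and the real root CA file before uploading the CA to UEM; a non-zero result means the TLS negotiation with the syslog server will not satisfy the chaining requirement.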