Configure BlackBerry UEM for a BSI-certified environment

You must perform the following tasks to configure BlackBerry UEM for a BSI-certified environment:

| Task | Steps |
|---|---|
| Create administrator roles for the different types of administrator users who manage the UEM environment. | |
| Optional: Install a standalone BlackBerry Router. | Follow the instructions in Install a standalone BlackBerry Router. |
| Add users and groups. | With the LDAP directory connection configured, you can now add user accounts and groups to your UEM environment so that you can assign common configurations to users in the tasks that follow. To add user accounts and groups, see the following: |
| Integrate UEM with the Apple Push Notification Service (APNs). | Follow the instructions in Request and register an APNs certificate. |
| Configure UEM to synchronize with the Apple Device Enrollment Program (DEP). | Follow the instructions in Configure BlackBerry UEM for DEP. |
| Integrate UEM with a syslog server. | Follow the instructions in Configure global logging settings. You can set up a syslog server to store both device audit logs and server audit logs. The connection between UEM and the syslog server must use mutual X.509v3 authentication over TLS: the syslog server must present a valid X.509v3 server certificate in the TLS negotiation, and that certificate must chain to the trust root (CA) certificate that you upload to the UEM server. |
| Configure audit settings. | Follow the instructions in Configure audit settings. For more information about the options that you have to monitor your UEM environment, see the UEM Monitoring and reporting Administration Guide. |
| Create and configure a Knox Service Plugin profile. | See Managing Android devices with OEM app configurations and follow the instructions in Create a Knox Service Plugin profile. You can configure user password requirements in the Knox Service Plugin configuration. Assign the profile to users and groups. |
| Create an ACME profile. | Follow the instructions in Send client certificates to devices using ACME. Assign the profile to users and groups. | 
| Create and configure an activation profile. | Follow the instructions in Create an activation profile and configure the following. For iOS: For Android, set the Activation type to Work space only (Android Enterprise fully managed device). Assign the profile to users and groups. |
| Configure certificate management. | For more information about using UEM to distribute and manage certificates, see the Managing secure connections Administration Guide. |
| Configure attestation. | To configure attestation, follow the instructions in Configure attestation for iOS devices and Configure attestation for Android devices. Optionally, you can configure compliance rules to define the actions that UEM carries out when attestation fails on a device. See the next row for more information about creating and configuring a compliance profile. |
| Create and configure a compliance profile. | Follow the instructions in Create a compliance profile and configure the profile as appropriate for your environment. Configure the following settings for iOS: Assign the profile to users and groups. After iOS users activate their devices on UEM, they use an option in UEM Self-Service that allows them to manually install the user certificate that is trusted by the uploaded signing certificate (see the last two rows of this table). |
| Create and configure IT policies. | Follow the instructions in Manage IT policies to create and configure IT policies. For more information about the available policy rules, see the IT policy spreadsheet. For iOS, turn off the "Allow installing configuration profiles (supervised only)" policy rule. UEM provides policy rules for all current iOS restrictions, including the following: You can use IT policy rules to configure password requirements for iOS device users. Assign the IT policies to users and groups. |
| Configure Knox Mobile Enrollment. | Follow the instructions in Activate multiple devices using Knox Mobile Enrollment. If you want to activate an individual Samsung Android device using a QR code, do the following: After activation, Work space only devices retain only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps that you assigned with a required disposition. The set of retained pre-installed apps depends on the device vendor and OS version. Certificate pinning is not used for communication between enrolled Android devices and UEM. Enrolled Android devices must therefore be configured to trust only approved certificate authorities. |
| Activate iOS DEP devices. | Follow these instructions to activate iOS DEP devices: |
| After activation, iOS device users install the user certificate. | Instruct iOS device users to log in to UEM Self-Service and click Temporarily allow profile installation > Enable. This temporarily allows the user to manually install the user certificate that is trusted by the signing certificate that you associated with the compliance profile. Instruct device users on the preferred way to install the user certificate on the device. |
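The syslog row above requires that the syslog server's TLS certificate chain to the trust root CA that you upload to UEM. The script below is an added example and is not part of the BlackBerry UEM documentation or product: it builds a throwaway root CA that stands in for the uploaded trust root, issues a syslog server certificate from it and a look-alike certificate from an unrelated CA, and then checks each with `openssl verify` the way a TLS client would (chain to the uploaded root only, serverAuth EKU, host name match). The CA names, the host name `syslog.example.test` and all file names are made up for the example; run it against your real server certificate and uploaded CA to confirm the chain before you enable the syslog connection in UEM.

```shell
#!/bin/sh
# Added example (not from the BlackBerry UEM documentation).
# Demonstrates the syslog-over-TLS trust requirement: the server certificate
# must chain to the single trust root you uploaded to UEM, be valid for TLS
# server use, and match the host name UEM connects to.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <CN>: throwaway self-signed root (CA:TRUE, keyCertSign).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf <prefix> <ca-prefix> <dns-name>: TLS server certificate issued by
# <ca-prefix>, with the host name in subjectAltName and the serverAuth EKU.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# syslog_cert_ok <trust-root.pem> <server.pem> <hostname>: succeeds only if the
# server certificate chains to that root alone (the system CA directory is
# ignored), carries the serverAuth EKU, and names <hostname>. This mirrors the
# check a TLS client makes against the root you uploaded to UEM.
syslog_cert_ok() {
  openssl verify -no-CApath -CAfile "$1" -purpose sslserver \
    -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Constructed scenario: the uploaded root, an unrelated root, and one server
# certificate from each, both claiming the same host name.
build_scenario() {
  make_ca trusted "Example Trusted Root CA"     # the CA you upload to UEM
  make_ca other   "Example Unrelated Root CA"   # not uploaded to UEM
  make_leaf syslog trusted syslog.example.test  # legitimate syslog server cert
  make_leaf rogue  other   syslog.example.test  # same name, wrong issuer
}

# check <label> <expect: 0=accept|1=reject> <syslog_cert_ok args...>: run the
# check, print the verdict, and fail the script if it differs from <expect>.
check() {
  label=$1; expect=$2; shift 2
  if syslog_cert_ok "$@"; then got=0; else got=1; fi
  [ "$got" -eq 0 ] && verdict=ACCEPT || verdict=REJECT
  echo "$label: $verdict"
  [ "$got" -eq "$expect" ]
}

build_scenario
check "syslog.pem via uploaded root, correct host name" 0 \
  "$WORK/trusted.pem" "$WORK/syslog.pem" syslog.example.test
check "rogue.pem via uploaded root (issued by unrelated CA)" 1 \
  "$WORK/trusted.pem" "$WORK/rogue.pem" syslog.example.test
check "syslog.pem via uploaded root, wrong host name" 1 \
  "$WORK/trusted.pem" "$WORK/syslog.pem" other.example.test
```

The third check is the one most often missed in practice: a certificate that chains correctly but carries a different name than the syslog host configured in UEM still fails the TLS handshake. To check your own deployment, point `syslog_cert_ok` at the CA file you uploaded, the certificate the syslog server presents (for example captured with `openssl s_client -showcerts`), and the host name from the UEM logging settings.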