Configure BlackBerry UEM for a BSI-certified environment

You must perform the following tasks to configure BlackBerry UEM for a BSI-certified environment. Each task is listed with the steps required to complete it.
Task: Create administrator roles for different types of administrator users to manage the UEM environment.
Task: Optional: Install a standalone BlackBerry Router.
Steps: Follow the instructions in Install a standalone BlackBerry Router.
Task: Add users and groups.
Steps: With the LDAP directory connection configured, you can now add user accounts and groups to your UEM environment so that the common configurations created in the tasks that follow can be assigned to them.
Task: Integrate UEM with the Apple Push Notification Service.
Steps: Follow the instructions in Request and register an APNs certificate.
Task: Configure UEM to synchronize with the Apple Device Enrollment Program.
Steps: Follow the instructions in Configure BlackBerry UEM for DEP.
Task: Integrate UEM with a syslog server.
Steps: Follow the instructions in Configure global logging settings.
You can set up a syslog server to store both device audit logs and server audit logs. You must use mutual X.509v3 authentication for the connection between UEM and the syslog server: the syslog server must present a valid X.509v3 server certificate in the TLS negotiation, and that certificate must chain to the trust root certificate (CA) that you upload to the UEM server.
Task: Configure audit settings.
Steps: Follow the instructions in Configure audit settings.
For more information about the options available for monitoring your UEM environment, see the UEM Monitoring and reporting Administration Guide.
Task: Create and configure a Knox Service Plugin profile.
Steps: You can configure user password requirements using the Knox Service Plugin configuration.
Assign the profile to users and groups.
Task: Create an ACME profile.
Steps: Assign the profile to users and groups.
Task: Create and configure an activation profile.
Steps: Follow the instructions in Create an activation profile and configure the following:
For iOS:
  • Activation type: MDM controls
  • Select the Pinning revocation check required check box.
  • Configure the Identity certificate settings as appropriate:
    • Certificate type: ACME
    • RSA strength: 3072 or higher
For Android, set the Activation type to Work space only (Android Enterprise fully managed device).
Assign the profile to users and groups.
Task: Configure certificate management.
Steps: For more information about using UEM to distribute and manage certificates, see the Managing secure connections Administration Guide.
Task: Configure attestation.
Steps: To configure attestation, follow the instructions in Configure attestation for iOS devices and Configure attestation for Android devices.
Optionally, you can configure compliance rules that define the actions UEM carries out when attestation fails on a device. See the next task for more information about creating and configuring a compliance profile.
Task: Create and configure a compliance profile.
Steps: Follow the instructions in Create a compliance profile and configure the profile as appropriate for your environment. Configure the following settings for iOS:
  • Select the Unapproved certificate is installed check box.
  • Click Browse next to the Trusted signing certificate field and upload the trusted signing certificate.
  • Configure the desired compliance settings for this rule.
Assign the profile to users and groups.
After iOS users activate their devices on UEM, they use an option in UEM Self-Service to manually install the user certificate that is trusted by the uploaded signing certificate (see the last two tasks below).
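The syslog task and this compliance rule share one requirement: a certificate (the syslog server's, or a user certificate installed on a device) is trusted only if it chains to the single trust root you uploaded, not to any other CA. The following Go program is an added example, not BlackBerry's code or the page's own: it builds a constructed throwaway CA, issues one certificate under it and one self-signed impostor with the same name, and validates each against only that root. The names and the ECDSA keys are assumptions for the demo; the RSA 3072 rule on the page applies to the ACME identity certificate, not to this check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate for cn. With parent == nil it is self-signed
// (a trust root or an impostor); otherwise it is signed by parent's key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA keeps the demo fast
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CA
	}
	signer, signerKey := tmpl, key // parent == nil: sign with our own key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToRoot reports whether cert validates against exactly the one uploaded
// trust root: no system roots are consulted and no extended key usage is required.
func ChainsToRoot(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo returns (issuedOK, impostorOK): the syslog server certificate issued under
// the constructed CA must pass; a self-signed certificate with the same name must not.
func Demo() (bool, bool) {
	root, rootKey := issue("Constructed Trust Root CA", true, nil, nil)
	syslogCert, _ := issue("syslog.example.invalid", false, root, rootKey)
	impostor, _ := issue("syslog.example.invalid", false, nil, nil)
	return ChainsToRoot(syslogCert, root), ChainsToRoot(impostor, root)
}
```

The same check, with the uploaded signing certificate as the root, is what decides whether a user certificate on an iOS device is "unapproved" under the compliance rule above.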
Task: Create and configure IT policies.
Steps: Follow the instructions in Manage IT policies to create and configure IT policies. For more information about the available policy rules, see the IT policy spreadsheet.
For iOS, turn off the “Allow installing configuration profiles (supervised only)” policy rule.
UEM provides policy rules for all current iOS restrictions, including the following:
  • Force encrypted backups
  • Allow Apple personalized ads
  • Allow remote screen observation in Classroom
  • Allow devices to join classes automatically (supervised only)
  • Allow users to leave Classroom sessions (supervised only)
  • Allow teachers to lock Classroom app and device (supervised only)
  • Allow shared device temporary sessions
  • Allow use of satellite connectivity (supervised only)
  • Allowed External Intelligence Workspace IDs (supervised only)
  • Notes transcription summary (supervised only)
  • Allow Visual Intelligence Summary (supervised only)
You can use IT policy rules to configure password requirements for iOS device users.
Assign the IT policies to users and groups.
Task: Configure Knox Mobile Enrollment.
Steps: If you want to activate an individual Samsung Android device using a QR code, do the following:
  1. Create a Knox Mobile Enrollment profile in the Samsung Knox Mobile Enrollment portal. See Samsung Knox: Create profiles - Configure standard settings. Select BlackBerry UEM as the EMM solution and use the JSON configuration file that you can download from the management console (Settings > External integration > KNOX Mobile Enrollment).
    When you create the profile, a QR code is generated that can be used to activate devices.
  2. Factory reset the device.
  3. Use the QR code created in step 1 to complete device enrollment. See Samsung Knox: QR code enrollment for device users.
    The device automatically downloads the BlackBerry UEM Client. You or the user can accept the license agreement, then scan the QR code from the activation email that the user received from UEM to start the UEM activation process.
Following activation, Work space only devices retain only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained preinstalled apps depends on the device vendor and OS version.
Certificate pinning is not used for communication between enrolled Android devices and UEM. Enrolled Android devices must therefore be configured to trust only approved certificate authorities.
Task: Activate iOS DEP devices.
Steps: Follow these instructions to activate iOS DEP devices:
  1. When you configured UEM for DEP, if you selected the "Automatically assign new devices to this configuration" check box, any DEP devices you add automatically receive the DEP enrollment configuration. If you did not select that option, follow the instructions in Assign a DEP enrollment configuration.
Task: After activation, iOS device users install the user certificate.
Steps: Instruct iOS device users to log in to UEM Self-Service and click Temporarily allow profile installation > Enable.
This temporarily allows the user to manually install the user certificate that is trusted by the signing certificate that you associated with the compliance profile. Instruct device users on the preferred way to install the user certificate on the device.