
Requirements and considerations for a BSI-certified UEM environment

For complete guidance on preparing your environment to install BlackBerry UEM, see the UEM Planning Guide. The following table highlights requirements or considerations that are specific to a BSI-certified UEM environment:

Certified version of BlackBerry UEM
BlackBerry UEM on-premises version 12.21 MR1 (build 40.32.0). Earlier versions of UEM on-premises and UEM Cloud are not BSI-certified.
Third-party software requirements and considerations
  • A supported version of Windows Server. See the UEM compatibility matrix.
  • A supported Microsoft SQL Server for managing the SQL database used by UEM. See the UEM compatibility matrix. Communication with a local database server is not protected; communication with a non-local database server is protected by TLS and IPsec.
  • You must configure the SQL Server for TLS connections. See the prerequisites and step 10 in Install BlackBerry UEM version 12.21 MR1 in a BSI-certified environment.
  • An IPsec channel must be implemented in the host Windows Server OS for all communication between UEM and a non-local Microsoft SQL Server.
  • Verify that the system time is configured correctly on the Windows computer that will host the UEM instance. The configured time must be reliable because it is used for time stamps.
  • An LDAP server for authenticating mobile device users and administrative users. Communication between UEM and the LDAP server is protected by LDAPS/TLS. An LDAP directory is recommended for BSI-certified environments to provide a secure channel to the company directory. See Create an LDAP client certificate used for mutual authentication and connect to an LDAP directory.
  • A syslog server for external log storage. Communication between UEM and the syslog server is protected by TLS.
  • The LDAP server and syslog server must be configured to use mutual X.509v3 certificate authentication.
  • An ACME server to issue and manage client certificates on iOS devices. For more information, see Send client certificates to devices using ACME.
  • Device enrollment services: the Apple Device Enrollment Program (DEP) for iOS devices and Samsung Knox for Android devices.
  • A push notification service for sending push notifications to mobile devices: the Apple Push Notification service (APNs) for iOS and Firebase Cloud Messaging for Android (communication protected by HTTPS/TLS). This document includes instructions for setting up APNs with UEM. No configuration is required for FCM; it is enabled by default.
  • Do not install any untrusted software on the same computer as UEM.
Supported devices and activation types
UEM supports other devices as well, but only iOS devices enrolled using DEP and Samsung devices enrolled using Samsung Knox are supported in a BSI-certified environment.
UEM components and features that are not supported
The following UEM components or features are not supported in a BSI-certified environment:
  • BlackBerry Dynamics
  • BlackBerry Secure Connect Plus
  • BlackBerry Connectivity Node
  • BlackBerry Gatekeeping Service
  • BlackBerry Secure Gateway
  • Integrating UEM with a SIEM solution
  • Integrating UEM with Microsoft Intune
  • Entra ID conditional access
  • SNMP monitoring
  • BlackBerry snap-ins for UEM (BlackBerry Workspaces, BlackBerry 2FA, BBM Enterprise, BlackBerry Org Connect, BlackBerry AtHoc)
  • In the management console, the UI option to add apps from the Windows store to the app list is removed, and the UI related to Windows apps in Settings > App management is removed.
Supported ciphersuites
In a BSI-certified environment, UEM supports a stricter list of GCM ciphersuites for TLS communications:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Every external service that UEM communicates with must support these ciphersuites.
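The following Python snippet is an added example, not part of the UEM documentation or product, showing one way to confirm before deployment that an external service (the LDAP or syslog server, for instance) accepts one of the certified suites. It builds a client context that offers only those three suites, capped at TLS 1.2 because the listed names are TLS 1.2 suites, and reports what the server negotiates; a handshake failure means the server supports none of them. The OpenSSL names are the standard equivalents of the IANA names on the page; `bsi_client_context` and `probe_server` are helpers written for this example.

```python
import socket
import ssl

# IANA cipher-suite names from the BSI-certified UEM list, mapped to the
# OpenSSL names that Python's ssl module (and the openssl CLI) understand.
BSI_CIPHERSUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def openssl_cipher_string():
    """Colon-separated OpenSSL cipher list offering only the certified suites."""
    return ":".join(BSI_CIPHERSUITES.values())


def bsi_client_context(cafile=None):
    """Client context that offers only the certified suites over TLS 1.2.

    TLS 1.3 is excluded on purpose: the page lists TLS 1.2 suites, and a
    TLS 1.3 handshake would negotiate a different (TLS 1.3) suite and tell us
    nothing about the server's support for the listed ones.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # hostname + chain checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_string())
    return ctx


def enabled_tls12_ciphers(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def probe_server(host, port, cafile=None, timeout=5.0):
    """Handshake with the server offering only the certified suites.

    Returns the negotiated OpenSSL cipher name, or None if the server refused
    every offered suite (or its certificate failed validation).
    """
    ctx = bsi_client_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _version, _bits = tls.cipher()
                return name
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    import sys

    # Usage: python probe.py ldap.example.test 636 [ca-bundle.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print("offering:", enabled_tls12_ciphers(bsi_client_context(cafile)))
    print("negotiated:", probe_server(host, port, cafile))
```

A `None` result from `probe_server` does not distinguish a cipher mismatch from a certificate problem; run the same probe with the server's CA bundle as `cafile` first so that only the suite list is being tested.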
Certificate validation and requirements
Verify that the certificates that you upload to UEM for syslog and LDAP integrations are trustworthy and have the basic constraints and key usage fields set.
Note the following certificate validation details and requirements for using certificates with UEM in a BSI-certified environment:
  • UEM uses RFC 5280 certificate validation and certificate path validation.
  • UEM supports only certificates with a public exponent greater than 2^16.
  • The certificate path must terminate with a trusted CA certificate.
  • UEM validates a certificate path by ensuring the presence of the basicConstraints extension and that the CA flag is set to true for all CA certificates.
  • UEM validates the revocation status of a certificate using OCSP or CRL.
  • UEM validates that any CA certificate includes the caSigning purpose in the key usage field.
  • UEM validates the extendedKeyUsage field according to the following rules:
    • Certificates used for trusted updates and executable code integrity verification must have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.
    • Server certificates presented for TLS must have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.
    • Client certificates presented for TLS must have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extendedKeyUsage field.
    • Server certificates presented for EST must have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the extendedKeyUsage field.
    • OCSP certificates presented for OCSP responses must have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field.
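As an added illustration of the rules above (example code written for this page, not part of the UEM documentation or product), the following Python checker applies them to a certificate path described as plain Python objects, which is a convenient way to pre-check certificates before uploading them for the syslog or LDAP integration. It assumes that the page's "caSigning" purpose is the RFC 5280 keyCertSign bit of keyUsage, and it stands in for the OCSP/CRL lookup with a constructed `revoked` set. The certificates are constructed sample data; in practice the fields would be populated from parsed X.509 data, and the `Cert`, `check_chain` and role names are this example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# extendedKeyUsage OIDs quoted on the page, keyed by the role the
# certificate plays toward UEM (role names are this example's own).
EKU_BY_ROLE = {
    "code_signing": "1.3.6.1.5.5.7.3.3",   # id-kp-codeSigning
    "tls_server": "1.3.6.1.5.5.7.3.1",     # id-kp-serverAuth
    "tls_client": "1.3.6.1.5.5.7.3.2",     # id-kp-clientAuth
    "est_server": "1.3.6.1.5.5.7.3.28",    # id-kp-cmcRA
    "ocsp_signer": "1.3.6.1.5.5.7.3.9",    # id-kp-OCSPSigning
}


@dataclass
class Cert:
    """The handful of X.509 fields the rules on the page look at."""
    subject: str
    issuer: str
    rsa_exponent: Optional[int] = None          # None for non-RSA keys
    basic_constraints_present: bool = False
    is_ca: bool = False                          # basicConstraints cA flag
    key_usage: FrozenSet[str] = frozenset()
    extended_key_usage: FrozenSet[str] = frozenset()


def check_chain(chain: List[Cert], trust_anchors: List[Cert], role: str,
                revoked: FrozenSet[str] = frozenset()) -> List[str]:
    """Apply the BSI-environment rules to a path.

    chain[0] is the end-entity certificate; chain[-1] is the last certificate
    received, which should chain to (or be) one of trust_anchors. Returns a
    list of findings; an empty list means every rule passed.
    """
    if role not in EKU_BY_ROLE:
        raise ValueError(f"unknown role {role!r}")
    findings = []
    anchors = {a.subject: a for a in trust_anchors}

    # Rule: the path must terminate with a trusted CA certificate.
    top = chain[-1]
    if top.subject in anchors:
        path = list(chain)
    elif top.issuer in anchors:
        path = list(chain) + [anchors[top.issuer]]
    else:
        findings.append(f"path does not terminate at a trusted CA (last issuer: {top.issuer})")
        path = list(chain)

    for i, cert in enumerate(path):
        # RFC 5280 path validation: each issuer must be the next subject.
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            findings.append(f"{cert.subject}: issuer {cert.issuer!r} does not match next certificate")
        # Rule: RSA public exponent must be greater than 2^16.
        if cert.rsa_exponent is not None and cert.rsa_exponent <= 2 ** 16:
            findings.append(f"{cert.subject}: RSA public exponent {cert.rsa_exponent} is not greater than 2^16")
        # Rule: revocation status (OCSP/CRL); `revoked` stands in for that lookup here.
        if cert.subject in revoked:
            findings.append(f"{cert.subject}: certificate is revoked")
        if i > 0:
            # Rules that apply to every CA certificate on the path.
            if not (cert.basic_constraints_present and cert.is_ca):
                findings.append(f"{cert.subject}: CA certificate lacks basicConstraints with cA=TRUE")
            if "keyCertSign" not in cert.key_usage:
                findings.append(f"{cert.subject}: CA certificate lacks keyCertSign in keyUsage")

    # Rule: the end-entity certificate carries the EKU purpose for its role.
    required = EKU_BY_ROLE[role]
    if required not in chain[0].extended_key_usage:
        findings.append(f"{chain[0].subject}: extendedKeyUsage lacks {required} required for {role}")
    return findings


# Constructed sample data (not real certificates).
CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 65537, True, True, CA_USAGE)
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root CA", 65537, True, True, CA_USAGE)
# An issuing CA without basicConstraints, to show that rule firing.
WEAK_ISSUING = Cert("CN=Weak Issuing CA", "CN=Example Root CA", 65537, False, False, CA_USAGE)
SYSLOG_OK = Cert("CN=syslog.example.test", "CN=Example Issuing CA", 65537,
                 extended_key_usage=frozenset({EKU_BY_ROLE["tls_server"]}))
# Small exponent and a client-auth EKU on a certificate used as a TLS server.
LDAP_BAD = Cert("CN=ldap.example.test", "CN=Example Issuing CA", 3,
                extended_key_usage=frozenset({EKU_BY_ROLE["tls_client"]}))


if __name__ == "__main__":
    for name, chain in (("syslog", [SYSLOG_OK, ISSUING]), ("ldap", [LDAP_BAD, ISSUING])):
        print(name, check_chain(chain, [ROOT], "tls_server") or "OK")
```

Run as a script, the syslog chain reports OK and the LDAP chain reports both the small public exponent and the missing Server Authentication purpose, which are the two findings that would otherwise surface only after the certificate had been uploaded to UEM.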
Consideration when configuring software updates for DEP devices
In a BSI-certified environment, if you configure OS updates for supervised DEP devices (Users > Managed devices > select user(s) > Update), some tool tips and UI text may indicate that the OS update time on iOS 17 and later devices is the device local time, but for all supported iOS versions the time is handled as server UTC time instead.