Get the PDF

Configuring BlackBerry UEM
Changing the certificates that BlackBerry UEM uses for secure communication
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Installing the BlackBerry Connectivity Node to connect to resources behind your organization's firewall
- Steps to install and activate the BlackBerry Connectivity Node
- Requirements: BlackBerry Connectivity Node
- Install and configure the BlackBerry Connectivity Node
  - Install the BlackBerry Connectivity Node for UEM Cloud using the command prompt
- Create a server group to manage regional connections
- Troubleshooting: BlackBerry Connectivity Node
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use a transparent TCP proxy server
  - Enable SOCKS v5 on a TCP proxy server
- Install a standalone BlackBerry Router in a UEM Cloud environment
Configure connections through internal proxy servers
Connect to an SMTP server to send email notifications
Connecting to your company directories
- Connect to a Microsoft Active Directory instance
- Connect to an LDAP directory
- Enable directory-linked groups
- Enable and configure onboarding and offboarding
- Synchronize a directory connection
Connect BlackBerry UEM to Entra ID to create directory user accounts
Configuring BlackBerry UEM to manage Microsoft Intune app protection profiles
- Prerequisites to support Intune app protection
- Create an app registration in Entra
- Configure BlackBerry UEM to synchronize with Microsoft Intune
Configuring BlackBerry UEM as an Intune compliance partner in Entra
- Prerequisites to configure Entra ID conditional access
- Configure Entra ID conditional access
Obtaining an APNs certificate to manage iOS and macOS devices
- Request and register an APNs certificate
- Troubleshooting: APNs
Configure BlackBerry UEM for DEP
Configuring BlackBerry UEM to support Android Enterprise devices
- Configure BlackBerry UEM to support Android Enterprise devices
Configuring BlackBerry UEM to support Android Management devices
- Configure Android Management in the Google Cloud console
- Configure Android Management in BlackBerry UEM
Extending the management of Chrome OS devices to BlackBerry UEM
- Create a service account to authenticate with the Google domain
- Enable UEM to synchronize Chrome OS data
- Integrate UEM with the Google domain
Simplifying Windows 10 activations
- Integrate UEM with Entra ID join
  - Configure Windows Autopilot for device activation
Migrating users, devices, groups, and other data from a source server
- Prerequisites: Migrating users, devices, groups, and other data from a source BlackBerry server
- UEM migration best practices and considerations
- Connect to a source server
- Migrate IT policies, profiles, and groups from a source server
- Migrate users from a source server
- Migrate devices from a source server
Configuring network communication and properties for BlackBerry Dynamics apps
- Manage BlackBerry Proxy clusters
- Configure Direct Connect using port forwarding
- Configure BlackBerry Dynamics properties
- Configure communication settings for BlackBerry Dynamics apps
- Sending BlackBerry Dynamics app data through an HTTP proxy
  - Considerations for using a PAC file with BlackBerry Proxy
  - Configure BlackBerry Dynamics app proxy settings
- Methods for routing traffic for BlackBerry Dynamics apps
  - Example routing scenarios for BlackBerry Dynamics traffic
- Configuring Kerberos authentication for BlackBerry Dynamics apps
Encrypt the connection between BlackBerry UEM and Microsoft SQL Server
Integrating BlackBerry UEM with Cisco ISE
- Managing network access and device controls using Cisco ISE
- Requirements: Integrating BlackBerry UEM with Cisco ISE
- Connect BlackBerry UEM to Cisco ISE
Set up VPN using Knox StrongSwan for UEM dark site environments

Configure
Entra ID
conditional access

Verify that you meet the prerequisites for Entra ID conditional access.

In the

UEM

management console, on the menu bar, click

Settings > External integration > Entra ID Conditional Access

Click

Type a name for the configuration.

In the

Entra cloud

drop-down list, click

GLOBAL

In the

Entra tenant ID

field, type your organization’s tenant name in FQDN format or unique tenant ID in GUID format.

Under

Device mapping override

, click

UPN

If you choose UPN, verify that the

Entra ID

tenant and all mapped directories share the same UPN value for users before you save the connection. After you save the connection, you cannot change the device mapping override.

In the

Available company directories

list, select and add the appropriate company directories.

Click

Save

Select the administrator account that you want to use to log in to your organization's

Entra

tenant.

When prompted, authenticate with your

Entra

tenant using the appropriate

Microsoft

account.

On the menu bar, click

Policies and Profiles > Policy > BlackBerry Dynamics

. Perform the following steps for any BlackBerry Dynamics profile that you plan to assign to device users (for example, the default profile and any custom profiles).

Open and edit the profile.

Select

Enable UEM Client to enroll in BlackBerry Dynamics

If you want to delay the conditional access enrollment process until the

Microsoft Authenticator

app is installed on devices, select

Start Entra Conditional Access enrollment after authentication broker is installed

Click

Save

Assign the profile to users and groups as necessary.

On the menu bar, click

Policies and Profiles > Networks and Connections > BlackBerry Dynamics connectivity

. Perform the following steps for any BlackBerry Dynamics connectivity profile that you plan to assign to device users (for example, the default profile and any custom profiles).

Open and edit the profile.

In the

App servers

section, click

Add

Search for and click

Feature - Azure Conditional Access

Click

Save

In the

Azure Conditional Access

table, click The add icon

In the

Server

field, type

gdas-<UEM_SRP_ID>.<region_code>.bbsecure.com

In the

Port

field, type 443.

Under

Route type

, click

Direct

Click

Save

Assign the profile to users and groups as necessary.

Create and configure a compliance profile and assign the profile to users and groups as necessary. The following table details how

UEM

compliance actions are reported to

Intune

UEM compliance enforcement action	Behavior
Enforcement action: Monitor and log	Nothing is reported to Intune .
Enforcement action: Untrust Delete only work data Delete all data	UEM notifies Entra ID after all user prompts have expired.
Enforcement action for BlackBerry Dynamics apps: Monitor and log	Nothing is reported to Intune .
Enforcement action for BlackBerry Dynamics : Do not allow BlackBerry Dynamics apps to run Delete BlackBerry Dynamics app data	UEM notifies Entra ID as soon as the compliance violation is detected.

Optionally, if your conditional access policies include network-based restrictions (for example, blocking access from untrusted locations or allowing access only from the work network), you can route

Microsoft Authenticator

traffic through

BlackBerry Secure Connect Plus

to ensure the traffic comes from a trusted network path. Follow the instructions in Using BlackBerry Secure Connect Plus for connections to work resources to create and assign an enterprise connectivity profile. Use the following configuration:

Platform	Configuration
iOS	In the enterprise connectivity profile, select Enable per-app VPN . Add the Microsoft Authenticator app to UEM so you can deploy it to users and groups. When you assign the Microsoft Authenticator app to users and groups, in the Per-app VPN drop-down list, select the enterprise connectivity profile.
Android	In the enterprise connectivity profile, if you want to use per-app routing, select Enable per-app VPN and add the app package ID of the Microsoft Authenticator app. Otherwise, select Container wide VPN . Assign the enterprise connectivity profile to the appropriate users and groups.

Assign the

Feature – Azure Conditional Access

app to users or groups. For more information, see Manage user accounts and Manage a user group.

Install both the

UEM Client

and the

Microsoft Authenticator

app on users' devices. You can assign and deploy the

Microsoft Authenticator

app with

UEM

(see Adding public apps to the app list), or you can instruct users to download it themselves.

Instruct users to activates their devices.

When a user activates their device, the

UEM Client

prompts the user to register with

Entra

conditional access (

Microsoft

Online Device Registration). Users with activated devices are prompted to register with

Entra

conditional access the next time they open the

UEM Client

Instruct users to initiate the registration with

Entra

using the

UEM Client

, not using any sign-in options within

Microsoft Authenticator

. The registration prompt from the

UEM Client

will open

Microsoft Authenticator

to prompt the user for credentials and to complete the registration process.

Depending on the email client that your organization wants to use, you must complete additional steps to ensure that the mail client can validate and communicate with

Entra

For

BlackBerry Work

, see Configuring the BlackBerry Work app configuration for Entra ID conditional access in the

BlackBerry Work

Administration Guide.

For the

iOS

native mail client, see KB 94163.

For

Android

Gmail

, see KB 94494.

After a user activates a device with

UEM

, you can check the user's device properties in

Microsoft

Endpoint Manager to confirm that it was registered with

Entra

as expected. The name of the device will be in the following format: <username> - <platform> unknown unknown - <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx>.

If you change the scope of users or groups in the

Entra

partner compliance configuration, in the

Entra

portal, navigate to the security permissions for

BlackBerry UEM

Conditional Access and grant administrator consent for

BlackBerry

again.

When you remove a device from

UEM

, the device remains registered for

Entra ID

conditional access. Users can remove their

Entra ID

account from the account settings in the

Microsoft Authenticator

app, or you can remove the device from the

Entra

portal.

Section:

Configuring BlackBerry UEM as an Intune compliance partner in Entra

Configure Entra ID conditional access

Configure
Entra ID
conditional access