
Data flow: Activating BBM Enterprise on a device

Data flow: BBM Enterprise activation
  1. You perform the following actions:
    1. Create a BBM Enterprise profile.
    2. Review the BBM Enterprise activation email template and modify it if necessary.
    3. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory.
    4. Assign the BBM Enterprise profile to a user.
      • BlackBerry UEM pushes the assigned BBM Enterprise profile through the BlackBerry Infrastructure to BBM Enterprise.
    5. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user.
      • Set a device activation password and communicate the username and password to the user directly or by email.
      • Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password.
  2. The user downloads and installs BBM Enterprise on their device. After it is installed, the user opens BBM Enterprise and enters the email address and activation password.
    1. If provided, the user can click a link in the activation email to be taken directly to BBM Enterprise.
  3. The BBM Enterprise client on the device performs the following actions:
    1. Establishes a connection to the BlackBerry Infrastructure.
    2. Sends a request for activation information to the BlackBerry Infrastructure.
  4. The BlackBerry Infrastructure performs the following actions:
    1. Verifies that the user is a valid, registered user.
    2. Retrieves the BlackBerry UEM address for the user.
    3. Sends the address to the BBM Enterprise client.
  5. The BBM Enterprise client performs the following actions:
    1. Establishes a connection with BlackBerry UEM using HTTP Connect over port 443.
    2. Generates a shared symmetric key that is used to protect the CSR (certificate signing request) and responds to BlackBerry UEM using the activation password and EC-SPEKE.
    3. Creates an encrypted CSR and HMAC as follows:
      • Generates a key pair for the certificate.
      • Creates a PKCS#10 CSR that includes the public key of the key pair.
      • Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding.
      • Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR.
      • Sends the encrypted CSR and HMAC to BlackBerry UEM.
  6. BlackBerry UEM performs the following actions:
    1. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key.
    2. Retrieves the username, work space ID, and your organization’s name from the BlackBerry UEM database.
    3. Packages a client certificate using the information it retrieved and the CSR that the device sent.
    4. Signs the client certificate using the enterprise management root certificate.
    5. Encrypts the client certificate, enterprise management root certificate, and the BlackBerry UEM URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding.
    6. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BlackBerry UEM URL and appends it to the encrypted data.
    7. Sends the encrypted data and HMAC to the device.
  7. The BBM Enterprise client performs the following actions:
    1. Verifies the HMAC.
    2. Decrypts the data it received from BlackBerry UEM.
    3. Stores the client certificate and the enterprise management root certificate encrypted in BBM Enterprise.
    4. Sends the device information (if it is available) and software information to BlackBerry UEM.
  8. BlackBerry UEM performs the following actions:
    1. The BlackBerry UEM Core assigns the BBM Enterprise device to a BlackBerry UEM instance in the domain.
  9. The BBM Enterprise client performs the following actions:
    1. Retrieves a SCEP profile from BlackBerry UEM. This profile is used to trigger an assisted SCEP procedure in order to obtain a device-specific certificate, which will be used to access BlackBerry UEM and servers that are providing BBM Enterprise services.
    2. The snap-in returns a SCEP profile (default or configured).
    3. The client performs an assisted SCEP operation against the BlackBerry Enterprise Identity service mediated by BlackBerry UEM.
    4. The resulting certificate, specific to a device, is sent back to the client.
  10. The BBM Enterprise BlackBerry UEM activation process is complete.
  11. The BBM Enterprise client uses the BBM Enterprise device certificate to connect to the BBM Enterprise infrastructure, retrieves the BBM Enterprise policy configured for the user, and completes the BBM Enterprise-specific portion of the activation.
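
The encrypt-then-MAC envelope used in steps 5 to 7 (AES-256 in CBC mode with PKCS#5 padding, an HMAC using SHA-256 appended, and the HMAC verified before decryption), as an added Go example that is not BlackBerry's code. Assumptions not stated on this page: the IV is random, prepended, and covered by the HMAC; the MAC key is supplied separately from the encryption key; the names Seal and Open are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Seal (hypothetical name): CBC-encrypt with PKCS#5 padding, append HMAC-SHA-256 of IV||ciphertext.
func Seal(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	pad := aes.BlockSize - len(msg)%aes.BlockSize // always 1..16, even for aligned input
	out := append(append(make([]byte, aes.BlockSize), msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // assumed layout: random IV first
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // IV || ciphertext || tag
}

// Open (hypothetical name) checks the HMAC in constant time before decrypting or unpadding.
func Open(block cipher.Block, macKey, blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed message")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob[:n])
	if !hmac.Equal(mac.Sum(nil), blob[n:]) {
		return nil, fmt.Errorf("HMAC mismatch")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:n])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad padding")
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero AES-256 demo key
	blob, _ := Seal(block, []byte("constructed MAC key"), []byte("constructed CSR"))
	pt, err := Open(block, []byte("constructed MAC key"), blob)
	fmt.Printf("%s %v\n", pt, err)
}
```

Because the receiver rejects a modified or truncated message at the HMAC check, CBC decryption and padding removal only ever run on authenticated data.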