Data flow: Activating BBM Enterprise on a device

Data flow: BBM Enterprise activation
  1. You perform the following actions:
    1. Create a BBM Enterprise profile.
    2. Review the BBM Enterprise activation email template and modify it if necessary.
    3. Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory.
    4. Assign the BBM Enterprise profile to a user.
      • BlackBerry UEM pushes the assigned BBM Enterprise profile through the BlackBerry Infrastructure to BBM Enterprise.
    5. Make sure an activation profile that specifies the MDM controls activation type is assigned to the user.
    6. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user.
      • Set a device activation password and communicate the username and password to the user directly or by email.
      • Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password.
  2. The user downloads and installs BBM Enterprise on their device. After it is installed, the user opens BBM Enterprise and enters the email address and activation password.
    1. If provided, the user can click a link in the activation email to be taken directly to BBM Enterprise.
  3. The BBM Enterprise client on the device performs the following actions:
    1. Establishes a connection to the BlackBerry Infrastructure.
    2. Sends a request for activation information to the BlackBerry Infrastructure.
  4. The BlackBerry Infrastructure performs the following actions:
    1. Verifies that the user is a valid, registered user.
    2. Retrieves the BlackBerry UEM address for the user.
    3. Sends the address to the BlackBerry UEM Client.
  5. The BBM Enterprise client performs the following actions:
    1. Establishes a connection with BlackBerry UEM.
    2. Generates a shared symmetric key that is used to protect the CSR (certificate signing request) and responds to BlackBerry UEM using the activation password and EC-SPEKE.
    3. Creates an encrypted CSR and HMAC as follows:
      • Generates a key pair for the certificate.
      • Creates a PKCS#10 CSR that includes the public key of the key pair.
      • Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding.
      • Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR.
      • Sends the encrypted CSR and HMAC to BlackBerry UEM.
  6. BlackBerry UEM performs the following actions:
    1. Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key.
    2. Retrieves the username, work space ID, and your organization’s name from the BlackBerry UEM database.
    3. Packages a client certificate using the information it retrieved and the CSR that the device sent.
    4. Signs the client certificate using the enterprise management root certificate.
    5. Encrypts the client certificate, enterprise management root certificate, and the BlackBerry UEM URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding.
    6. Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BlackBerry UEM URL and appends it to the encrypted data.
    7. Sends the encrypted data and HMAC to the device.
  7. The BBM Enterprise client performs the following actions:
    1. Verifies the HMAC.
    2. Decrypts the data it received from BlackBerry UEM.
    3. Stores the client certificate and the enterprise management root certificate encrypted in BBM Enterprise.
    4. Sends the device information (if it is available) and  software information to BlackBerry UEM.
  8. BlackBerry UEM performs the following actions:
    1. The BlackBerry UEM Core assigns the BBM Enterprise device to a BlackBerry UEM instance in the domain.
  9. The BBM Enterprise client performs the following actions:
    1. Retrieves a SCEP profile from BlackBerry UEM. This profile is used to trigger an assisted SCEP procedure in order to obtain a device-specific certificate, which will be used to access BlackBerry UEM and servers that are providing BBM Enterprise services.
    2. The  snap-in returns a SCEP profile (default or configured).
    3. The  client performs an assisted SCEP operation against the BlackBerry Enterprise Identity service mediated by BlackBerry UEM.
    4. The resulting certificate, specific to a  device, is sent back to the  client.
  10. The BBM Enterprise BlackBerry UEM activation process is complete.
  11. The BBM Enterprise client uses the BBM Enterprise device certificate to connect to the BBM Enterprise infrastructure and retrieves the BBM Enterprise policy configured for the user and completes the BBM Enterprise-specific portion of the activation.
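
Steps 5.3 through 7.2 describe an encrypt-then-MAC envelope: AES-256 in CBC mode with PKCS#5 padding, followed by an HMAC-SHA-256 that the receiver verifies before it decrypts. The Go code below is an added example of that pattern, not BlackBerry's implementation. Assumptions not stated on this page: the function names `seal`, `open` and `tag`, a MAC key separate from the encryption key, a random IV prepended to the ciphertext, an HMAC that covers IV and ciphertext, and constructed demo keys in place of EC-SPEKE output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func tag(macKey *[32]byte, data []byte) []byte {
	m := hmac.New(sha256.New, macKey[:])
	m.Write(data)
	return m.Sum(nil)
}

// seal returns IV | AES-256-CBC(PKCS#5-padded msg) | HMAC-SHA-256(IV | ciphertext).
func seal(encKey, macKey *[32]byte, msg []byte) []byte {
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err) // never continue without a random IV
	}
	block, _ := aes.NewCipher(encKey[:]) // a 32-byte key cannot fail; selects AES-256
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, tag(macKey, out)...)
}

// open verifies the HMAC (constant time) before decrypting, so altered input never reaches the padding check.
func open(encKey, macKey *[32]byte, blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tag(macKey, blob[:n]), blob[n:]) {
		return nil, fmt.Errorf("rejected: bad length or HMAC mismatch")
	}
	block, _ := aes.NewCipher(encKey[:])
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:n])
	if p := int(pt[len(pt)-1]); p >= 1 && p <= aes.BlockSize {
		return pt[:len(pt)-p], nil
	}
	return nil, fmt.Errorf("bad padding")
}

func main() {
	ek, mk := [32]byte{1}, [32]byte{2} // constructed demo keys, not EC-SPEKE output
	fmt.Println(open(&ek, &mk, seal(&ek, &mk, []byte("constructed CSR bytes"))))
}
```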