BES10 v10.2 Architecture and Data Flow Overview En


  • 8/17/2019 BES10 v10.2 Architecture and Data Flow Overview En

    1/39

    Architecture and Data Flow Overview

    BlackBerry Enterprise Service 10

    721-08877-123

    Version: 10.2

    Quick Reference


    Published: 2013-11-28

    SWD-20131128130321045


    Contents

    Key components of BlackBerry Enterprise Service 10 ... 4
    Key components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets ... 6
    Key components used to manage iOS devices and Android devices ... 9
    BlackBerry Enterprise Service 10 and the BlackBerry Infrastructure authentication ... 13
    Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure ... 13
    Data flow: Authenticating the Universal Device Service with the BlackBerry Infrastructure ... 13
    BlackBerry device data flows ... 15
    Data flow: Activating a BlackBerry device ... 15
    Data flow: Receiving email and organizer data on a BlackBerry device ... 18
    Data flow: Sending policy and profile updates to BlackBerry devices ... 20
    Data flow: Sending app updates to BlackBerry devices ... 22
    iOS and Android device data flows ... 23
    Data flow: Activating an iOS device ... 23
    Data flow: Activating an Android device ... 27
    Data flow: Receiving email and organizer data on iOS and Android devices ... 30
    Data flow: Receiving email and organizer data on iOS and Android devices with a work space ... 31
    Troubleshooting app, policy, and profile updates for iOS and Android devices ... 32
    About the BES10 Client and the iOS MDM Daemon ... 33
    Data flow: App, policy, and profile updates that use the BES10 Client on iOS and Android devices ... 34
    Data flow: App, policy, and profile updates that use the MDM Daemon on iOS devices ... 35
    Glossary ... 37
    Legal notice ... 39


    Key components of BlackBerry Enterprise Service 10


    BlackBerry Management Studio

    The BlackBerry Management Studio is a web application that you can use to do the following:

    • Administer licenses for the BlackBerry Enterprise Service 10 domain

    • Administer iOS, Android, BlackBerry 10, and BlackBerry 7.1 or earlier devices, and BlackBerry PlayBook tablets in your organization

    • Allow users to activate devices

    • Assign user accounts to groups based on common criteria, such as user location, organizational group, or device model, and manage the user accounts

    • Assign IT policies to user accounts and groups to customize and control what actions users can perform on their devices

    • View various reports related to the BlackBerry Enterprise Service 10 domain

    • Access the BlackBerry Device Service console and the Universal Device Service console to perform advanced administration tasks

    The following are the key ports that the BlackBerry Management Studio uses.

    • Inbound and outbound connection between browsers and the BlackBerry Management Studio: HTTPS, port 7443 (configure in the BES10 Configuration Tool)

    BlackBerry Infrastructure

    The BlackBerry Infrastructure validates SRP and licensing information for BlackBerry Enterprise Service 10. In addition, the BlackBerry Infrastructure provides a secure connection between your organization and BlackBerry devices, work space enabled Android devices, and work space enabled iOS devices. The BlackBerry Infrastructure also provides a secure communication channel for activation and management traffic for all devices.

    The following are the key ports that the BlackBerry Infrastructure uses.

    • Registration of activation information, and requesting a signed CSR from BlackBerry when you configure the APNs certificate: HTTPS, port 443 (no configuration location)

    • BlackBerry Enterprise Service 10 outbound initiated, bidirectional TCP traffic: TCP, port 3101 (configure in the BES10 Configuration Tool for the BlackBerry Router, or in the BlackBerry Device Service console for the BlackBerry Dispatcher)

    For more information about the range of IP addresses for the BlackBerry Infrastructure, visit http://www.blackberry.com/go/kbhelp to read article KB03735.

    Key components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets

    BlackBerry Device Service console

    The BlackBerry Device Service console, also known as the BlackBerry Administration Service, is used to manage BlackBerry devices and configure BlackBerry Enterprise Service 10 components.

    You can manage user accounts and assign groups, administrative roles, software configurations, email profiles, and IT policies to user accounts.

    The BlackBerry Device Service console connects to the BlackBerry Configuration Database and to Microsoft Active Directory.

    User information updated in Microsoft Active Directory can be synchronized manually with the BlackBerry Device Service console. For example, if a user changes their name, you can immediately update their name in both Microsoft Active Directory and the BlackBerry Device Service console.

    The following are the key ports that the BlackBerry Device Service console uses.

    • Outbound connections to the BlackBerry Infrastructure to register activation information for BlackBerry devices: HTTPS, port 443 (no configuration location)

    • Inbound and outbound connections to the BlackBerry Configuration Database: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    • Inbound and outbound connection between browsers and the BlackBerry Device Service console: HTTPS, port 38443; HTTP, port 38180 (configure in the BES10 Configuration Tool)

    Enterprise Management Web Service

    The Enterprise Management Web Service is a set of web services that communicates commands, configuration information, IT policies, VPN profiles, Wi-Fi profiles, SCP profiles, and email profiles between the BlackBerry Administration Service and the Enterprise Management Agent on BlackBerry devices.


    The following are the key ports that the Enterprise Management Web Service uses.

    • Inbound and outbound connections to the BlackBerry Configuration Database: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    • Inbound connections from BlackBerry devices for activation (used if you are not activating devices through the BlackBerry Infrastructure): HTTP, port 38084; HTTPS, port 38444 (configure in the BlackBerry Device Service console)

    BlackBerry MDS Connection Service

    The BlackBerry MDS Connection Service provides a secure connection between the Enterprise Management Agent on BlackBerry devices and the Enterprise Management Web Service in BlackBerry Enterprise Service 10. The connection is used when the device is not connected to your organization's Wi-Fi network or VPN.

    The BlackBerry MDS Connection Service is also responsible for providing enterprise push functionality.

    The following are the key ports that the BlackBerry MDS Connection Service uses.

    • Inbound and outbound connections to the BlackBerry Configuration Database: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    • Inbound and outbound connection to the BlackBerry Dispatcher: TCP, port 3201 (no configuration location)

    • Inbound connection from server-side push applications to the BlackBerry MDS Connection Service using web servers (used if you do not set up a proxy server): HTTP, port 9080; HTTPS, port 9443 (configure in the BlackBerry Device Service console)

    BlackBerry Dispatcher

    The BlackBerry Dispatcher maintains an SRP connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher also routes traffic between BlackBerry devices and the BlackBerry MDS Connection Service when users are not connected to a work Wi-Fi access point or using a VPN connection.

    The following are the key ports that the BlackBerry Dispatcher uses.

    • Inbound and outbound connections to the BlackBerry Configuration Database: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    • Inbound and outbound connection to the BlackBerry Router or the BlackBerry Infrastructure: TCP, port 3101 (configure in the BES10 Configuration Tool for the BlackBerry Router, or in the BlackBerry Device Service console for the BlackBerry Dispatcher)

    • Inbound and outbound connections from the BlackBerry MDS Connection Service: TCP, port 3201 (no configuration location)

    BlackBerry Router

    The BlackBerry Router connects to the BlackBerry Infrastructure, which sends data to BlackBerry devices over mobile networks or the Internet.

    If BlackBerry Enterprise Service 10 is installed on a computer that hosts BlackBerry Enterprise Server 5.0 SP4, the BlackBerry Router associated with it is only used by the BlackBerry Enterprise Server. If you install the BlackBerry Router in the DMZ, you can configure the BlackBerry Router to work with BlackBerry Enterprise Service 10 and the BlackBerry Enterprise Server.

    The following are the key ports that the BlackBerry Router uses.

    • Inbound and outbound connections to the BlackBerry Dispatcher and the BlackBerry Infrastructure: TCP, port 3101 (configure in the BES10 Configuration Tool for the BlackBerry Router, or in the BlackBerry Device Service console for the BlackBerry Dispatcher)

    BlackBerry Configuration Database

    The BlackBerry Configuration Database is a relational database that contains user account information and configuration information that are used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets.

    Note: The Management Database and the BlackBerry Configuration Database must be installed on the same database server. If they are not, issues can arise with functionality, including issues with single sign-on functionality and the reporting services.

    The following are the key ports that the BlackBerry Configuration Database uses.


    • Inbound and outbound connections to the BlackBerry Administration Service, BlackBerry Dispatcher, BlackBerry MDS Connection Service, and Enterprise Management Web Service: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    Key components used to manage iOS devices and Android devices

    Universal Device Service console

    The Universal Device Service console, also known as the Administration Console, provides a web-based interface that you can use to manage user accounts, IT policies, profiles, apps, and iOS devices and Android devices.

    The following are the key ports that the Universal Device Service console uses.

    • Outbound connection from the Administration Console to the BlackBerry Infrastructure to request a signed CSR from Research In Motion when you configure the APNs certificate: HTTPS, port 443 (no configuration location)

    • Outbound connections to the Management Database: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    • Inbound and outbound connection between browsers and the Universal Device Service console: HTTPS, port 6443; HTTP, port 9440

    Core Module

    The Core Module is a device-agnostic module that is installed behind the organization's firewall. The Core Module performs the following functions:

    • Manages all the configuration data used to manage iOS devices and Android devices (for example, user configuration, group configuration, device configuration, policy enforcement checks, and so on) and stores it in the Management Database. The Core Module is the only component that accesses the Management Database.

    • Connects to the following external components:

        • Microsoft Active Directory, using LDAP, to retrieve user account information that BlackBerry Enterprise Service 10 needs to search for and create user accounts.

        • APNs, to inform iOS devices to contact the Communication Module when the configuration assigned to the device is updated (for example, a new or updated IT policy or VPN profile is applied to it).

        • Mail server, using SMTP, to send activation emails and policy enforcement breach emails.

        • Database server, using ADO.NET, to make database connections and execute queries or commands.


    The following are the key ports that the BlackBerry Secure Connect Service uses.

    • Inbound and outbound connections to the Communication Module: HTTPS, port 33443 (no configuration location)

    • Inbound and outbound connections to the Core Module: HTTPS, port 38081 (no configuration location)

    APNs

    The APNs is a service for iOS devices provided by Apple that BlackBerry Enterprise Service 10 uses to inform iOS devices to contact the Communication Module for configuration updates (such as Wi-Fi profile, VPN profile, or Microsoft ActiveSync profile updates) and to provide information for your organization's device inventory.

    The following are the key ports that the APNs uses.

    • Outbound connections from iOS devices that use a work Wi-Fi network to APNs: TCP, port 5223 (no configuration location)

    • Outbound connections to the Core Module: HTTPS, port 9081 (no configuration location)

    Management Database

    The Management Database is a relational database that contains user account information and configuration information (such as connection details) that BlackBerry Enterprise Service 10 components use to manage iOS devices and Android devices.

    Note: The Management Database and the BlackBerry Configuration Database must be installed on the same database server. If they are not, issues can arise with functionality, including issues with single sign-on functionality and the reporting services.

    The following are the key ports that the Management Database uses.

    • Inbound and outbound connections to the Universal Device Service console: TCP, port 1433 (for static port) (configure in the BES10 Configuration Tool)

    BlackBerry Work Connect Notification Service

    The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed email and organizer notifications to iOS devices that are using Secure Work Space.

    iOS devices are restricted from running applications in the background, with specific exceptions such as the default mail application. This means Secure Work Space applications cannot receive new data such as email message notifications unless the application is open or unless the notification comes from the APNs. The BlackBerry Work Connect Notification Service receives notifications of new data from third-party applications such as mail servers, web servers, or other content servers, and sends a notification through the BlackBerry Infrastructure to the APNs. The APNs can then notify the Work Connect application on the device of the new data.


    The following are the key ports that the BlackBerry Work Connect Notification Service uses.

    • Outbound connections to the BlackBerry Infrastructure: HTTPS, port 443 (no configuration location)

    • Inbound connections from Microsoft Exchange Web Services for email notifications: HTTP, port 8088 (configure during installation only)

    TCP proxy

    The TCP proxy is an optional, customer-provided component that is used to meet installation-specific networking requirements. The TCP proxy acts as an intermediary for requests that allows the BlackBerry Secure Connect Service to route TCP traffic from port 3101 to the BlackBerry Infrastructure, providing connectivity to iOS devices and Android devices.

    The following are the key ports that the TCP proxy uses.

    • Inbound and outbound connections to the BlackBerry Infrastructure: TCP, port 3101 (no configuration location)


    BlackBerry Enterprise Service 10 and the BlackBerry Infrastructure authentication

    For more information on security for BlackBerry Enterprise Service 10, visit www.blackberry.com/go/serverdocs to read BlackBerry Device Service Security Technical Overview and Secure Work Space for iOS and Android Security Note.

    Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure

    1. The BlackBerry Device Service sends a data packet that contains its unique SRP identifier to the BlackBerry Infrastructure to claim the SRP identifier.

    2. The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Device Service.

    3. The BlackBerry Device Service sends a challenge string to the BlackBerry Infrastructure.

    4. The BlackBerry Infrastructure hashes the challenge string it received from the BlackBerry Device Service with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Device Service as a challenge response.

    5. The BlackBerry Device Service hashes the challenge string it received from the BlackBerry Infrastructure with the SRP authentication key, and sends the result as a challenge response to the BlackBerry Infrastructure.

    6. The BlackBerry Infrastructure performs one of the following actions:

    • Accepts the challenge response and sends a confirmation to the BlackBerry Device Service to complete the authentication process and configure an authenticated SRP connection

    • Rejects the challenge response

    If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Device Service close the SRP connection.

    If the BlackBerry Device Service uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent an attacker from using the SRP identifier to create conditions for a DoS attack.
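    As an added illustration (not code from the BlackBerry document), the following Python simulates both sides of the six-step exchange above: a random challenge in each direction, HMAC-SHA-1 over the peer's challenge under the shared SRP authentication key, and the rule that five connections with the same SRP identifier inside one minute deactivate that identifier. The SRP identifier and key are constructed placeholders, and the Device Service checking the 20-byte value it receives in step 4 is an assumption beyond what the text states.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set

# Constructed sample credentials; real SRP identifiers and keys are issued by BlackBerry.
SAMPLE_SRP_ID = "S00000000"          # placeholder SRP identifier
SAMPLE_SRP_KEY = b"\x11" * 20        # placeholder SRP authentication key


def challenge_response(srp_key: bytes, challenge: bytes) -> bytes:
    """Steps 4 and 5: HMAC-SHA-1 of the peer's challenge under the SRP key (20 bytes)."""
    return hmac.new(srp_key, challenge, hashlib.sha1).digest()


class Infrastructure:
    """Simulated BlackBerry Infrastructure: SRP registry plus the five-per-minute lockout."""
    LOCKOUT_COUNT = 5        # five connections with the same SRP identifier ...
    LOCKOUT_WINDOW = 60.0    # ... within one minute deactivate the identifier

    def __init__(self, registry: Dict[str, bytes]) -> None:
        self.registry = dict(registry)                      # srp_id -> SRP authentication key
        self.deactivated: Set[str] = set()
        self.connects: Dict[str, Deque[float]] = defaultdict(deque)
        self.pending: Dict[str, bytes] = {}                 # challenge issued, per SRP ID

    def claim(self, srp_id: str, now: float) -> Optional[bytes]:
        """Steps 1 and 2: accept the SRP ID claim and return a random challenge, or None to close."""
        if srp_id not in self.registry or srp_id in self.deactivated:
            return None
        window = self.connects[srp_id]
        window.append(now)
        while window and now - window[0] > self.LOCKOUT_WINDOW:
            window.popleft()                                # forget connects older than a minute
        if len(window) >= self.LOCKOUT_COUNT:
            self.deactivated.add(srp_id)                    # DoS protection from the data flow
            return None
        challenge = secrets.token_bytes(16)
        self.pending[srp_id] = challenge
        return challenge

    def answer(self, srp_id: str, device_challenge: bytes) -> bytes:
        """Step 4: respond to the Device Service's challenge with the 20-byte HMAC value."""
        return challenge_response(self.registry[srp_id], device_challenge)

    def verify(self, srp_id: str, response: bytes) -> bool:
        """Step 6: accept or reject the Device Service's challenge response."""
        expected = challenge_response(self.registry[srp_id], self.pending.pop(srp_id))
        return hmac.compare_digest(expected, response)      # constant-time comparison


class DeviceService:
    """Simulated BlackBerry Device Service holding one SRP identifier and key."""

    def __init__(self, srp_id: str, srp_key: bytes) -> None:
        self.srp_id, self.srp_key = srp_id, srp_key

    def authenticate(self, infra: Infrastructure, now: float) -> str:
        """Run the exchange; returns 'accepted', 'rejected' or 'closed'."""
        infra_challenge = infra.claim(self.srp_id, now)               # steps 1-2
        if infra_challenge is None:
            return "closed"                                             # claim refused or ID deactivated
        my_challenge = secrets.token_bytes(16)                         # step 3
        infra_response = infra.answer(self.srp_id, my_challenge)       # step 4
        # Assumption: the Device Service checks the value it receives in step 4.
        if not hmac.compare_digest(infra_response, challenge_response(self.srp_key, my_challenge)):
            return "rejected"
        my_response = challenge_response(self.srp_key, infra_challenge)  # step 5
        return "accepted" if infra.verify(self.srp_id, my_response) else "rejected"  # step 6


if __name__ == "__main__":
    infra = Infrastructure({SAMPLE_SRP_ID: SAMPLE_SRP_KEY})
    dev = DeviceService(SAMPLE_SRP_ID, SAMPLE_SRP_KEY)
    for t in (0, 10, 20, 30, 40):                                       # fifth connect in a minute
        print(f"t={t:>3}s: {dev.authenticate(infra, t)}")
    print("deactivated:", sorted(infra.deactivated))
```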

    Data flow: Authenticating the Universal Device Service with the BlackBerry Infrastructure

    1. The Universal Device Service connects to the BlackBerry Infrastructure and initiates a TLS connection.

    2. The BlackBerry Infrastructure sends an authentication certificate to the Universal Device Service.


    3. The Universal Device Service verifies that the authentication certificate is signed by a trusted authority and verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection.

    4. The Universal Device Service sends a data packet that contains its unique SRP identifier and SRP authentication key to the BlackBerry Infrastructure.

    5. The BlackBerry Infrastructure authenticates the SRP identifier and SRP authentication key. The BlackBerry Infrastructure now only allows traffic for this instance of the Universal Device Service, uniquely identified by its SRP identifier, to flow over the connection.


    BlackBerry device data flows

    Data flow: Activating a BlackBerry device

    Adding and registering the user

    1. In BlackBerry Management Studio, or the BlackBerry Device Service console, the administrator creates a local or a directory user account.

    Note: If creating a local user account, the account must be created in the BlackBerry Device Service console.

    2. The administrator creates an activation password for the user account. The BlackBerry Administration Service stores the activation password in the BlackBerry Configuration Database.

    3. The BlackBerry Administration Service sends the email address or username information to the BlackBerry Infrastructure to register the user account.

    4. The BlackBerry Infrastructure notifies the BlackBerry Administration Service whether the account registration is successful or not.

    5. If the option to email the activation information to the user is selected, the BlackBerry Administration Service sends the activation information to the user's email address. If the option is not selected, the administrator must communicate the information to the user directly. The activation information includes the account information (email address or domain\username), account activation password, and server information (SRP ID of the BlackBerry Device Service) that the user needs to type on the BlackBerry device.

    Note: If BlackBerry Enterprise Service 10 is set to register activation information, the user is registered with the BlackBerry Infrastructure, whether the device they are activating is a BlackBerry 10 device or a BlackBerry PlayBook tablet.


    When activating a device using a wireless connection through the BlackBerry Infrastructure / When activating a device using a direct connection to the Enterprise Management Web Service

    connection information for BlackBerry Enterprise Service 10.

    4. The Enterprise Management Agent uses the connection information to establish a connection to BlackBerry Enterprise Service 10 through the BlackBerry Infrastructure.

    5. If there is a BlackBerry Router installed, the BlackBerry Router receives the activation request on port 3101 and forwards it to the BlackBerry Dispatcher. If there is no BlackBerry Router installed, the BlackBerry Dispatcher receives the activation request.

    6. The BlackBerry Dispatcher forwards the request to the BlackBerry MDS Connection Service through port 3201.

    7. The BlackBerry MDS Connection Service returns the Enterprise Management Web Service host and port information to the Enterprise Management Agent through the BlackBerry Dispatcher.

    8. The Enterprise Management Agent uses this information to establish a secure connection through the BlackBerry Infrastructure to the Enterprise Management Web Service.

    Completing the activation


    1. The Enterprise Management Agent on the device sends a message requesting activation details to the Enterprise Management Web Service.

    2. The Enterprise Management Agent receives the activation details from the Enterprise Management Web Service. If the activation is a "Work and personal - Regulated" or a "Work space only" activation type, the device displays a notification requesting user acceptance to proceed with the activation.

    3. The Enterprise Management Agent sends a message back to the Enterprise Management Web Service to confirm that the Enterprise Management Agent has completed the activation and created the work space.

    4. The Enterprise Management Web Service and the Enterprise Management Agent configure IT policies, software configurations, and more, on the device.

    Data flow: Receiving email and organizer data on a BlackBerry device

    When users send and receive email and organizer data on a BlackBerry device, there are two communication paths that can be used:

    • Connectivity through the BlackBerry Infrastructure to the mail server that is running Microsoft ActiveSync, to provide security for devices that are not connected to the organization's internal network or do not have a VPN connection

    • Direct connection from the device to the mail server that is running Microsoft ActiveSync, through the VPN or over the work Wi-Fi network

    1. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device if any items change in the folders that are configured to synchronize.


    2. The device stands by. You can adjust the synchronization time, depending on your mail server.

    3. The mail server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.

    • Changed items include marking an email as read, moving an email into a subfolder, or updating organizer data

    • New items include receiving a new email or creating a new organizer data entry

    4. The device issues a synchronization request for the folder.

    5. The mail server synchronizes the changed files with the device.

    6. When the synchronization is complete, the device issues another request to restart the process.

    7. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device.

    8. The device issues a new PING request.


    Data flow: Sending policy and profile updates to BlackBerry devices

    You can configure IT administration commands, app information, IT policies, email profiles, SCEP profiles, Wi-Fi profiles, and VPN profiles for devices using the BlackBerry Device Service console. This configuration information is sent to the Enterprise Management Agent on the device over a secure, preauthenticated connection through the Enterprise Management Web Service.

    1. You complete one of the following actions in the BlackBerry Device Service console:

    • Select an IT administration command

    • Remove a device from a user account

    • Assign or change an IT policy

    • Assign or change a VPN profile or Wi-Fi profile

    • Assign or change Microsoft ActiveSync configuration settings

    • Assign or change email configuration settings

    • Assign or change root certificates

    • Assign or change proxy profiles

    • Assign or change SCEP profiles

    2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in BlackBerry Enterprise Service 10, and the BlackBerry Device Service console identifies objects that must be shared with the device.

    3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.


    Note: The Enterprise Management Web Service can only notify the Enterprise Management Agent on the device that there is an update over the IPPP pathway through the BlackBerry Infrastructure.

    4. The Enterprise Management Agent polls the Enterprise Management Web Service for the update.

    5. The Enterprise Management Web Service sends the configuration updates to the Enterprise Management Agent.

    6. The Enterprise Management Agent retrieves the configuration updates and applies the new or updated configuration on the work space of the device.


    Data flow: Sending app updates to BlackBerry devices

    You use software configurations to specify apps that are required or optional for the work space of the devices. Required apps are installed in the work space after the device receives them. Optional apps can be downloaded and installed in the work space. Apps that are not listed as required or optional can only be installed in the personal space.

    1. You complete one of the following actions in the BlackBerry Device Service console:

        • Create a software configuration and assign it to a user account or a group the user account belongs to
        • Update a software configuration that is already assigned to the user account
        • Update app information

    2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in BlackBerry Enterprise Service 10 and the BlackBerry Device Service console identifies objects that must be shared with the device.

    3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.

    4. The Enterprise Management Agent on the device polls the Enterprise Management Web Service for updates.

    5. The Enterprise Management Web Service sends the update to the Enterprise Management Agent.

    6. If a required app was added or updated, the Enterprise Management Agent accesses the URL that is specified in the app information to download and install the required app to the work space.

    7. If the list of optional apps changed, the Work tab in the BlackBerry World storefront on BlackBerry PlayBook tablets, or the BlackBerry World for Work app for BlackBerry 10 devices, displays the updated list and the user can download and install the optional apps.


    iOS and Android device data flows

    Data flow: Activating an iOS device

    Adding the user

     

    1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:

        • If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
        • If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version.
        • Optionally, the administrator assigns an activation type profile to the account.

    Note: If the option to send an activation email to the user is selected, the administrator can customize the email message to reflect company specific details.

    2. The Core Module performs one of the following actions:

        • If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
        • If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it current.

    3. If the option to send an activation email was selected, the Core Module generates the activation email and sends it to the user using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from the App Store and additional information the user needs to enter on the client, such as the domain name and SRP ID, the username, and the activation password for the user account if one was specified.

    Starting the activation process

     

    1. The user installs the BES10 Client on the iOS device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example .bbsecure.com/S1234567, where is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.

        • If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
        • If the user clicks Accept, the certificate is installed on the device and the activation process continues.

    2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.

    3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.

    4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.

    5. The Core Module checks if the activation request is valid and performs one of the following actions:


        • If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message.
        • If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.

    6. The Communication Module performs one of the following actions:

        • If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure passes the error message to the device and the activation stops.
        • If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client can request to manage on the device such as Wi-Fi, VPN, Microsoft ActiveSync profile configuration, IT policy configuration, activation type and so on), a command to provide device information and configuration, and a link to the BlackBerry Secure Connect Service to initiate the MDM Daemon enrollment process. The BlackBerry Secure Connect Service sends this information to the BlackBerry Infrastructure, which sends it to the device.

    Installing the certificate and completing the activation

     

    1. After receiving a successful response, the client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the BlackBerry Secure Connect Service link for the MDM Daemon enrollment.

    2. The BlackBerry Secure Connect Service connects to the Communication Module for the MDM Daemon enrollment.


    3. A certificate is provided by the Communication Module and the user is presented with the option to install it. The user clicks Install Now and Done.

    4. The client communicates with the BlackBerry Secure Connect Service to notify the successful installation of the MDM profile and certificate.

    5. The BlackBerry Secure Connect Service informs the Communication Module of the successful installation of the MDM profile and certificate.

    6. The Communication Module informs the Core Module of this success.

    7. After successfully confirming the MDM enrollment of the device, the Core Module sets the device activation status to active in the Management Database.

    8. The client continually checks with the Communication Module through the BlackBerry Secure Connect Service to verify the activation status. When the activation is set to active, the device requests all IT policy and configuration information from, and sends device information to, BlackBerry Enterprise Service 10.

    9. The BlackBerry Secure Connect Service receives the device information and sends it to the Communication Module.

    10. The Communication Module receives the information, converts it to a device-agnostic format and forwards it to the Core Module.

    11. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.

    If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:

    • Work Connect
    • Work Browser
    • Documents To Go

    Note: If the device is activated with the "Work and personal - user privacy" activation type, users are not prompted to install the work space apps and must go to a website provided by their administrator to download the apps.


    Data flow: Activating an Android device

    Adding the user

     

    1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:

        • If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
        • If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version.
        • Optionally, the administrator assigns an activation type profile to the account.

    Note: If the option to send an activation email to the user is chosen, the administrator can customize the email message to reflect company specific details.

    2. The Core Module performs one of the following actions:

        • If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
        • If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date.

    3. If the option to send an activation email was selected, the Core Module sends the activation email using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from Google Play and additional information the user needs to type in the client, such as the company server name, the username, and the activation password for the user account if one was specified.

    Starting the activation process

     

    1. The user installs the BES10 Client on the Android device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example .bbsecure.com/S1234567, where is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.

        • If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
        • If the user clicks Accept, the certificate is installed on the device and the activation process continues.

    2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.

    3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.

    4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.

    5. The Core Module checks if the activation request is valid and performs one of the following actions:


        • If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message.
        • If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.

    6. The Communication Module performs one of the following actions:

        • If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure sends the error message and the activation stops.
        • If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client requests to manage on the device such as Wi-Fi, VPN, IT policy configuration, and so on), and a command to provide device information and configuration. The BlackBerry Secure Connect Service sends this information through the BlackBerry Infrastructure to the device.
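Steps 2 to 6 of "Starting the activation process" above (the iOS flow earlier in this chapter runs the same checks), as an added Python model written for this page rather than BES10 code: the Core Module validates the activation request against the hashed activation password and the activation settings from "Adding the user", creates a device instance with status unknown, and the Communication Module issues the unique identifier that is checked on every later request. Field names, the PBKDF2 hash, the error wording and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ActivationSettings:
    """Constructed stand-in for the settings chosen in step 1 of 'Adding the user'."""
    expires_at: datetime
    max_activations_per_device: int
    allowed_platforms: dict      # platform -> minimum OS version tuple


@dataclass
class UserAccount:
    username: str
    salt: bytes
    password_hash: bytes         # hash of the activation password (step 2)
    settings: ActivationSettings
    devices: dict = field(default_factory=dict)   # identifier -> device instance


def hash_password(password, salt):
    # The page only says the Core Module stores "a hash"; PBKDF2-HMAC-SHA256 is an
    # assumed placeholder for whatever the product actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_local_account(username, activation_password, settings):
    salt = secrets.token_bytes(16)
    return UserAccount(username, salt, hash_password(activation_password, salt), settings)


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def validate_activation(accounts, request, now):
    """Core Module check (step 5): returns (account, None) or (None, error message)."""
    account = accounts.get(request["username"])
    if account is None:
        return None, "username is not valid"
    candidate = hash_password(request["password"], account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):   # constant time
        return None, "password is not valid"
    if now > account.settings.expires_at:
        return None, "password has expired"
    minimum = account.settings.allowed_platforms.get(request["platform"])
    if minimum is None or parse_version(request["os_version"]) < minimum:
        return None, "device type or version is not allowed for the user account"
    same_device = [d for d in account.devices.values() if d["udid"] == request["udid"]]
    if len(same_device) >= account.settings.max_activations_per_device:
        return None, "maximum number of activations per device reached"
    return account, None


def activate(accounts, request, now):
    """Communication Module response (step 6), built from the Core Module's answer."""
    account, error = validate_activation(accounts, request, now)
    if error:
        return {"status": "error", "message": error}
    device_id = secrets.token_urlsafe(24)    # identifier checked on every later request
    account.devices[device_id] = {"udid": request["udid"], "status": "unknown"}
    return {"status": "ok", "device_id": device_id,
            "mdm_profile": ["wifi", "vpn", "it_policy"],    # assumed representation
            "command": "provide_device_information"}


def confirm_enrollment(accounts, username, device_id):
    """Core Module marks the device active once enrollment is confirmed."""
    device = accounts[username].devices.get(device_id)
    if device is None:
        return False     # unknown identifier: the device cannot be verified
    device["status"] = "active"
    return True


def demo():
    now = datetime(2013, 11, 28, tzinfo=timezone.utc)    # constructed clock
    settings = ActivationSettings(expires_at=now + timedelta(days=1),
                                  max_activations_per_device=1,
                                  allowed_platforms={"android": (4, 0), "ios": (6, 0)})
    accounts = {"jdoe": create_local_account("jdoe", "correct horse", settings)}
    base = {"username": "jdoe", "password": "correct horse", "platform": "android",
            "os_version": "4.3", "udid": "constructed-udid-1"}
    results = {
        "bad_user": activate(accounts, {**base, "username": "nobody"}, now),
        "bad_password": activate(accounts, {**base, "password": "wrong"}, now),
        "old_os": activate(accounts, {**base, "os_version": "2.3"}, now),
        "expired": activate(accounts, base, now + timedelta(days=2)),
        "ok": activate(accounts, base, now),
    }
    results["too_many"] = activate(accounts, base, now)   # same device a second time
    results["enrolled"] = confirm_enrollment(accounts, "jdoe", results["ok"]["device_id"])
    results["status"] = accounts["jdoe"].devices[results["ok"]["device_id"]]["status"]
    return results
```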

    Completing the activation

     

    1. After receiving a successful response, the BES10 Client requests all IT policy and configuration information and sends the device information and software information through the BlackBerry Infrastructure to the BlackBerry Secure Connect Service, which sends this information to the Communication Module.

    2. The Communication Module receives the information, converts it to a device-agnostic format and sends it to the Core Module.

    3. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.

    If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:

    • Secure Work Space
    • Work Space Manager
    • Documents To Go

    Data flow: Receiving email and organizer data on iOS and Android devices

    1. The device issues an HTTPS request to the mail server and requests that the mail server notify the device if any items change in the folders that are configured to synchronize.

    2. The device stands by. You can adjust the synchronization time, depending on your mail server.

    3. The mail server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.

        • Changed items include marking an email as read, moving an email into a sub folder, or updating organizer data
        • New items include receiving a new email or creating a new organizer data entry

    4. The device issues a synchronization request for the folder.

    5. The mail server synchronizes the changed files with the device.


    6. When the synchronization is complete, the device issues another request to restart the process.

    7. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device.

    8. The device issues a new PING request.
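The PING/SYNC loop in steps 1 to 8 above (the same loop is described for BlackBerry devices earlier in this document), as an added Python simulation that is not BES10 or mail server code: a constructed in-memory mail server holds each PING until a queued change arrives or the interval expires, and the device either syncs the named folder or issues a new PING. Message fields, the 120-second heartbeat and the sample mailbox changes are all constructed.

```python
from collections import deque


class MailServer:
    # constructed in-memory mail server; the PING/SYNC field layout is assumed
    def __init__(self):
        self.pending = deque()   # (time, folder, kind, description), time-ordered
        self.unsynced = {}       # folder -> items waiting for a SYNC request

    def schedule(self, at, folder, kind, description):
        self.pending.append((at, folder, kind, description))

    def ping(self, now, heartbeat):
        """Steps 1-3 and 7: hold the PING until a folder changes or the interval ends."""
        deadline = now + heartbeat
        if self.pending and self.pending[0][0] <= deadline:
            at, folder, kind, description = self.pending.popleft()
            self.unsynced.setdefault(folder, []).append((kind, description))
            # the notification names the folder that has the new or changed item
            return {"status": "200 OK", "changed_folders": [folder], "time": at}
        # nothing changed during the interval: "HTTP 200 OK" with no folders listed
        return {"status": "200 OK", "changed_folders": [], "time": deadline}

    def sync(self, folder):
        """Steps 4-5: hand the folder's new or changed items to the device."""
        return self.unsynced.pop(folder, [])


class Device:
    def __init__(self, server, heartbeat):
        self.server, self.heartbeat = server, heartbeat
        self.mailbox = {}   # folder -> synchronized items
        self.log = []       # (time, event, folder, item count)

    def run(self, start, until):
        """Repeat PING then SYNC (steps 6 and 8) while the simulated clock is below `until`."""
        now = start
        while now < until:
            response = self.server.ping(now, self.heartbeat)
            now = response["time"]
            if not response["changed_folders"]:
                self.log.append((now, "idle", None, 0))   # step 7, then a new PING
                continue
            for folder in response["changed_folders"]:
                items = self.server.sync(folder)
                self.mailbox.setdefault(folder, []).extend(items)
                self.log.append((now, "sync", folder, len(items)))
        return self.log


def demo():
    server = MailServer()
    # constructed mailbox activity, in seconds of simulated time
    server.schedule(30, "Inbox", "new", "new email")
    server.schedule(45, "Calendar", "new", "new organizer entry")
    server.schedule(200, "Inbox", "changed", "email marked as read")
    device = Device(server, heartbeat=120)
    return device.run(start=0, until=400), device.mailbox


if __name__ == "__main__":
    log, mailbox = demo()
    for entry in log:
        print(entry)
```

Each idle entry in the log is one PING that ran the full 120-second interval without a change; each sync entry is a folder named in a notification and then synchronized.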

    Data flow: Receiving email and organizer data on iOS and Android devices with a work space

    1. At defined intervals, the mail server checks for any new or changed items and notifies the iOS device or Android device, through BlackBerry Enterprise Service 10, when there are new or changed items.

        If the device is an iOS device:

        • The BlackBerry Work Connect Notification Service receives the notification and passes it to the BlackBerry Secure Connect Service for forwarding

        If the device is an Android device:

        • The notification is received by the BlackBerry Secure Connect Service for forwarding

    2. BlackBerry Secure Connect Service notifies the BlackBerry Infrastructure that there are new or changed items in the user's mailbox over port 3101.

    3. The BlackBerry Infrastructure passes a notification to the device that there are new or changed items in the user's mailbox.

        • If the device is an iOS device:
            • The BlackBerry Infrastructure contacts the APNs over port 2195 to notify the user that there is an item waiting to be synchronized.
            • The APNs notifies the device that there is a new or changed item waiting to be synchronized.
            • When the app receives the notification, it displays an icon that indicates that there are new updates available for the user.
        • If the device is an Android device:
            • The BlackBerry Infrastructure contacts the device to notify the user that there is an item waiting to be synchronized.
            • When the app receives the notification, it displays an icon that indicates that there are new updates available for the user.

    4. The device contacts the BlackBerry Infrastructure to request the new or changed items.

    5. The BlackBerry Infrastructure contacts the BlackBerry Secure Connect Service and requests the new or changed items.

    6. The BlackBerry Secure Connect Service contacts the mail server and requests the new or changed items be sent to the device.

    7. The mail server sends the items to the device, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure.

    8. The device sends confirmation back to the mail server, through the BlackBerry Secure Connect Service and the BlackBerry Infrastructure, that the updates have been received.

    9. When the synchronization of all items is complete, the mail server sends an "HTTP 200 OK" message to the device.

    10. The device waits for the next notification from BlackBerry Enterprise Service 10 that there are new or changed items to synchronize.

    Troubleshooting app, policy, and profile updates for iOS and Android devices

    App, policy, and profile updates for iOS and Android devices can be triggered in any of the following ways:

    • Using the Universal Device Service console, the administrator performs any of the following actions:
        • Lock device
        • Unlock device
        • Delete only work data
        • Delete all device data
        • Specify device password and lock (Android devices only)
        • Update an IT policy
        • Update VPN profile
        • Update Wi-Fi profile
        • Update Microsoft ActiveSync profile
        • Update CA certificate profile
        • Update SCEP profile (iOS devices only)
        • Update shared certificate profile
        • Assign or remove a profile to a user account or group
        • Assign a new software configuration to a user account or group
        • Edit a software configuration or associated application definition

    • At defined intervals, the Scheduler contacts the Core Module and requests the list of devices that have an action or command that needs to be performed (for example, check jailbroken or rooted status or request the list of installed applications). If an action or command needs to be performed, the Scheduler adds it to the list of pending commands or actions for the device.
    • At defined intervals, the BES10 Client contacts the Communication Module and provides device information and the list of installed applications, based on the default polling cycle defined by the administrator.
        • Android devices use the BES10 Client to perform all actions and commands.
        • iOS devices use the BES10 Client to provide device information to BlackBerry Enterprise Service 10 such as jailbroken status and displaying policy enforcement information. The MDM Daemon on iOS devices supplements the BES10 Client protocol and performs the rest of the actions and commands on iOS devices.
    • When BlackBerry Enterprise Service 10 receives device information or the list of installed applications, several enforcement checks are performed on the device. The enforcement check may trigger one of the following:
        • Send an enforcement breach email to the user, using SMTP
        • Schedule an enforcement breach action (for example, delete all data, delete only work data, or inform the user they are in breach and that there may be further enforcement action at a later time)

    About the BES10 Client and the iOS MDM Daemon

    At defined intervals, the BES10 Client contacts the Communication Module, through the BlackBerry Secure Connect Service, to ask for any actions that need to be run on the device. Polling occurs every 15 minutes, by default. This setting can be modified in the Universal Device Service console.

    • Android devices use the BES10 Client to perform all actions and commands.
    • iOS devices use the BES10 Client to provide device information to BlackBerry Enterprise Service 10 such as jailbroken status and displaying policy enforcement information. The MDM Daemon on iOS devices supplements the BES10 Client protocol and performs the rest of the actions and commands on iOS devices.


    Data flow: App, policy, and profile updates that use the BES10 Client on iOS and Android devices

    1. At defined intervals, the BES10 Client contacts the BlackBerry Secure Connect Service, on port 3101 of the external firewall, to check for any pending actions and commands that need to be performed on the device. Polling occurs every 15 minutes, by default, but the interval can be configured by the administrator.

    2. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443, to request any pending actions and commands.

    3. The Communication Module contacts the Core Module, over internal port 9081, to verify the device authentication information and get a list of pending actions and commands that need to be run on the device.

    4. If there are no pending actions or commands for the device, the Communication Module replies to the device, through the BlackBerry Secure Connect Service, with an idle command. If there are actions or commands pending for the device, the Communication Module replies, through the BlackBerry Secure Connect Service, with the highest priority action.

    For Android devices, priority is given to IT administration commands, such as Delete device data and Lock device, followed by requests for device information, installed applications, and so on. The Communication Module sends only one command at a time. If necessary, additional information is included in the response.

    5. The client inspects the response, schedules the command to be processed, and waits for the command to be run.

    6. The client sends a response to the Communication Module, through the BlackBerry Secure Connect Service, to update the command status. The status indicates whether the command ran successfully and, in the event of failure, it provides an error message.

    7. Steps 2 to 5 are repeated until there are no more pending actions or commands that need to be performed on the device.


    Note: For secure work apps, the initial notification is sent to the iOS or Android device by the content server, through the APNs for iOS devices, using whatever transport method the app developer specified. This may not involve BlackBerry Enterprise Service 10. After the notification is delivered to the device, the device contacts the BlackBerry Secure Connect Service to retrieve updated data.

    Data flow: App, policy, and profile updates that use the MDM Daemon on iOS devices

    1. The Core Module notifies the BlackBerry Secure Connect Service that there is an update pending for an iOS device.

    2. The BlackBerry Secure Connect Service contacts the BlackBerry Infrastructure, over port 3101, to notify the APNs that there is an update pending for an iOS device.

    3. The BlackBerry Infrastructure, over port 2195, notifies the APNs that there is an update pending for an iOS device.

    4. The APNs sends a notification to the MDM Daemon on the iOS device to contact the Communication Module.

    5. When the MDM Daemon on the iOS device receives the notification, it contacts the BlackBerry Secure Connect Service, on port 3101 of the external firewall, to retrieve any pending actions.

    6. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443, to request the updates.

    7. The Communication Module contacts the Core Module, over internal port 9081, to verify the device and get a list of pending actions and commands that need to be run on the device.

    8. If there are no pending actions or commands for the device, the Communication Module, through the BlackBerry Secure Connect Service, replies to the device with an idle command. If there are actions or commands pending for the device, the Communication Module, through the BlackBerry Secure Connect Service, replies with the highest priority action. Priority is given to actions, such as Delete device data and Lock device, followed by requests for device information, installed applications, etc. The Communication Module sends only one command at a time. If necessary, additional information is included in the response.

    9. The MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for the command to be run.

    10. The MDM Daemon sends a response to the Communication Module, through the BlackBerry Secure Connect Service, to update the command status. The status indicates whether the command ran successfully, providing any additional information, and in the event of failure, it provides an error message.

    11. Steps 4 to 7 are repeated until there are no more pending actions or commands that need to be performed on the device.
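The polling loop in steps 5 to 11 above and in the BES10 Client flow before it, together with the enforcement checks from the troubleshooting section, as an added Python model that is not BES10 code: pending commands are queued per device with IT administration commands first, the Communication Module answers a poll only after the device identifier is verified and returns one command (or idle), the client reports the command status, and a jailbroken result schedules a breach email and a delete-work-data action. Command names, the priority values, the token check and the sample device are assumptions.

```python
import heapq
import hmac
import itertools

# Constructed priority classes: IT administration commands first, then requests
# for device information, installed applications, and so on (step 4 and step 8).
PRIORITY = {"delete_device_data": 0, "delete_work_data": 0, "lock_device": 0,
            "request_installed_applications": 2, "check_jailbroken_status": 2}


class CoreModule:
    # Holds each device's identifier and pending actions; the layout is assumed.
    def __init__(self):
        self.devices, self._seq = {}, itertools.count()   # seq: FIFO within a priority

    def register(self, device_id, token):
        self.devices[device_id] = {"token": token, "queue": [], "history": [], "breaches": []}

    def verify(self, device_id, token):
        dev = self.devices.get(device_id)
        return dev is not None and hmac.compare_digest(dev["token"], token)

    def enqueue(self, device_id, command, **args):
        # used for the Scheduler's periodic checks and for administrator actions
        heapq.heappush(self.devices[device_id]["queue"],
                       (PRIORITY[command], next(self._seq), command, args))

    def next_command(self, device_id):
        queue = self.devices[device_id]["queue"]
        if not queue:
            return {"command": "idle"}
        _, _, command, args = heapq.heappop(queue)   # only one command at a time
        return {"command": command, **args}

    def enforcement_check(self, device_id, info):
        # runs when device information arrives; may schedule a breach action
        dev = self.devices[device_id]
        if info.get("jailbroken"):
            dev["breaches"] += ["send_breach_email", "delete_work_data"]
            self.enqueue(device_id, "delete_work_data", reason="jailbroken")


class CommunicationModule:
    # answers the client only after the Core Module has verified the device
    def __init__(self, core):
        self.core = core

    def poll(self, device_id, token):
        if not self.core.verify(device_id, token):
            return {"command": "reject", "error": "device authentication failed"}
        return self.core.next_command(device_id)

    def report(self, device_id, token, command, ok, error, payload):
        if not self.core.verify(device_id, token):
            return
        self.core.devices[device_id]["history"].append((command, ok, error))
        if payload is not None:
            self.core.enforcement_check(device_id, payload)


class Bes10Client:
    # constructed client: runs one command per poll until it receives idle
    def __init__(self, comm, device_id, token, device_info):
        self.comm, self.device_id, self.token = comm, device_id, token
        self.device_info, self.executed = device_info, []

    def run_command(self, cmd):
        name = cmd["command"]
        self.executed.append(name)
        if name == "check_jailbroken_status":
            return True, None, {"jailbroken": self.device_info["jailbroken"]}
        if name == "delete_work_data":
            self.device_info["work_data_present"] = False
            return True, None, None
        if name in ("lock_device", "request_installed_applications"):
            return True, None, None
        return False, "unsupported command", None

    def poll_cycle(self):
        while True:
            cmd = self.comm.poll(self.device_id, self.token)
            if cmd["command"] in ("idle", "reject"):
                return cmd["command"]
            ok, error, payload = self.run_command(cmd)
            self.comm.report(self.device_id, self.token, cmd["command"], ok, error, payload)


def demo():
    core, token = CoreModule(), "constructed-device-token"
    comm = CommunicationModule(core)
    core.register("dev-1", token)
    core.enqueue("dev-1", "request_installed_applications")   # Scheduler
    core.enqueue("dev-1", "check_jailbroken_status")          # Scheduler
    core.enqueue("dev-1", "lock_device")                      # administrator action
    client = Bes10Client(comm, "dev-1", token, {"jailbroken": True, "work_data_present": True})
    outcome = client.poll_cycle()
    rejected = Bes10Client(comm, "dev-1", "wrong-token", {}).poll_cycle()
    return {"outcome": outcome, "executed": client.executed,
            "breaches": core.devices["dev-1"]["breaches"],
            "work_data_present": client.device_info["work_data_present"],
            "rejected": rejected}
```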


    Glossary

    APNs Apple Push Notification service

    BlackBerry Enterprise Server databases The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and the Management Database (associated with the Universal Device Service). By default, the databases are named BDSMgmt and BDSMgmt_UDS, respectively, when you install BlackBerry Enterprise Service 10.

    CA certification authority

    CAL A BlackBerry Client Access License (BlackBerry CAL) limits how many users you can add to a BlackBerry Enterprise Server.

    DMZ A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet.

    DNS Domain Name System

    EMM Enterprise Mobility Management

    FQDN fully qualified domain name

    HTTP Hypertext Transfer Protocol

    HTTPS Hypertext Transfer Protocol over Secure Sockets Layer

    IP Internet Protocol

    IT policy An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager.

    IT policy rule An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform.

    LAN local area network

    LDAP Lightweight Directory Access Protocol

    MDM mobile device management

    messaging server A messaging server sends and processes messages and provides collaboration services, such as updating and communicating calendar and address book information.

    MMS Multimedia Messaging Service

    over the wireless network The process of sending data over the wireless network is sometimes referred to as "over the air" or "OTA."

    PAC proxy auto-configuration

    PIM personal information management

    PIN personal identification number

    SCEP simple certificate enrollment protocol

    SIM Subscriber Identity Module


    S/MIME: Secure Multipurpose Internet Mail Extensions

    SMS: Short Message Service

    SMTP: Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used with POP or IMAP to send and receive email messages over a network, such as the Internet.

    space: A space is a distinct area of the device that enables the segregation and management of different types of data, applications, and network connections. Different spaces can have different rules for data storage, application permissions, and network routing. Spaces were formerly known as perimeters.

    SQL: Structured Query Language

    SRP: Server Routing Protocol

    SRP ID: The SRP ID is a unique identifier for the BlackBerry Enterprise Server that the BlackBerry Enterprise Server uses to identify itself to the BlackBerry Infrastructure during SRP authentication.

    SSL: Secure Sockets Layer

    TCP: Transmission Control Protocol

    TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.

    UDP: User Datagram Protocol

    UTF-8: 8-bit UCS/Unicode Transformation Format

    VPN: virtual private network

    WAN: wide area network


    Legal notice

    © 2013 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. Android is a trademark of Google Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. Microsoft, Active Directory, and ActiveSync are trademarks of Microsoft Corporation. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This documentation is provided "as is" and without condition, endorsement, guarantee, representation or warranty, or liability of any kind by BlackBerry Limited and its affiliated companies, all of which are expressly disclaimed to the maximum extent permitted by applicable law in your jurisdiction.
