721-08877-123
Version: 10.2
Quick Reference
Published: 2013-11-28
SWD-20131128130321045
Contents
Key components of BlackBerry Enterprise Service 10 ... 4
Key components used to manage BlackBerry 10 devices and BlackBerry PlayBook tablets ... 6
Key components used to manage iOS devices and Android devices ... 9
Data flow: App, policy, and profile updates that use the BES10 Client on iOS and Android devices ... 34
Data flow: App, policy, and profile updates that use the MDM Daemon on iOS devices ... 35
Glossary ... 37
Legal notice ... 39
- Administer iOS, Android, BlackBerry 10, and BlackBerry 7.1 or earlier devices, and BlackBerry PlayBook tablets in your organization
- Assign user accounts to groups based on common criteria, such as user location, organizational group, or device model, and manage the user accounts
- Assign IT policies to user accounts and groups to customize and control what actions users can perform on their devices
- Access the BlackBerry Device Service console and the Universal Device Service console to perform advanced administration tasks
The following are the key ports that the BlackBerry Management Studio uses.

BlackBerry Management Studio
Connection type   Default port number   Where to configure
HTTPS             7443                  BES10 Configuration Tool
BlackBerry Infrastructure
The BlackBerry Infrastructure validates SRP and licensing information for BlackBerry Enterprise Service 10. In addition,
the BlackBerry Infrastructure provides a secure connection between your organization and BlackBerry devices, work space
enabled Android devices, and work space enabled iOS devices. The BlackBerry Infrastructure also provides a secure
communication channel for activation and management traffic for all devices.
The following are the key ports that the BlackBerry Infrastructure uses.

BlackBerry Infrastructure
Connection type   Default port number   Where to configure
HTTPS             443
TCP               3101                  BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry Device Service console (for the BlackBerry Dispatcher)
For more information about the range of IP addresses for the BlackBerry Infrastructure, visit http://www.blackberry.com/go/kbhelp to read article KB03735.
Connection type   Default port number   Where to configure
HTTPS             443
TCP                                     BES10 Configuration Tool
HTTPS             38443
HTTP              38180                 BES10 Configuration Tool
The following are the key ports that the Enterprise Management Web Service uses.

Enterprise Management Web Service
Connection type   Default port number   Where to configure
TCP                                     BES10 Configuration Tool
HTTP              38084
HTTPS             38444                 BlackBerry Device Service console

Connection type   Default port number   Where to configure
TCP                                     BES10 Configuration Tool
TCP               3201
HTTP              9080
HTTPS             9443                  BlackBerry Device Service console
BlackBerry Dispatcher
The BlackBerry Dispatcher maintains an SRP connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher also routes traffic between BlackBerry devices and the BlackBerry MDS Connection Service when users are not connected to a work Wi-Fi access point or using a VPN connection.
The following are the key ports that the BlackBerry Dispatcher uses.

BlackBerry Dispatcher
Connection type   Default port number   Where to configure
TCP                                     BES10 Configuration Tool
TCP               3101                  BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry Device Service console (for the BlackBerry Dispatcher)
TCP               3201
BlackBerry Router
The BlackBerry Router connects to the BlackBerry Infrastructure, which sends data to BlackBerry devices over mobile networks or the Internet.
If BlackBerry Enterprise Service 10 is installed on a computer that hosts BlackBerry Enterprise Server 5.0 SP4, the BlackBerry Router associated with it is only used by the BlackBerry Enterprise Server. If you install the BlackBerry Router in the DMZ, you can configure the BlackBerry Router to work with both BlackBerry Enterprise Service 10 and the BlackBerry Enterprise Server.
The following are the key ports that the BlackBerry Router uses.

BlackBerry Router
Connection type   Default port number   Where to configure
TCP               3101                  BES10 Configuration Tool (for the BlackBerry Router) or the BlackBerry Device Service console (for the BlackBerry Dispatcher)
Connection type   Default port number   Where to configure
                                        BES10 Configuration Tool

Connection type   Default port number   Where to configure
HTTPS             443
TCP                                     BES10 Configuration Tool
HTTPS             6443
HTTP              9440
Core Module
The Core Module is a device-agnostic module that is installed behind the organization's firewall. The Core Module performs the following functions:
- Manages all the configuration data used to manage iOS devices and Android devices (for example, user configuration, group configuration, device configuration, policy enforcement checks, and so on) and stores it in the Management Database. The Core Module is the only component that accesses the Management Database.
- Connects to the following:
   - Microsoft Active Directory, using LDAP, to retrieve the user account information that BlackBerry Enterprise Service 10 needs to search for and create user accounts.
   - APNs, to inform iOS devices to contact the Communication Module when the configuration assigned to the device is updated (for example, a new or updated IT policy or VPN profile is applied to it).
   - The mail server, using SMTP, to send activation emails and policy enforcement breach emails.
   - The database server, using ADO.NET, to make database connections and execute queries or commands.
   - The SCEP server, using HTTP, to obtain a challenge code that the device can use for certificate enrollment.
The following are the key ports that the Core Module uses.

Core Module
Connection type   Default port number   Where to configure
HTTP              80
HTTPS             443
HTTPS             9081
HTTPS             38081
Communication Module
The Communication Module is a gateway between iOS devices and Android devices and BlackBerry Enterprise Service 10. It converts the proprietary protocols supported on the devices to and from the device-agnostic format used by the Core Module. The Communication Module should be accessible from any internal Wi-Fi networks used by iOS devices and Android devices.
The following are the key ports that the Communication Module uses.

Communication Module
Connection type   Default port number   Where to configure
HTTPS             9081
HTTPS             33443
Connection type   Default port number   Where to configure
BlackBerry Infrastructure
TCP               3101

Connection type   Default port number   Where to configure
HTTPS             33443
HTTPS             38081
APNs
The APNs is a service for iOS devices provided by Apple that BlackBerry Enterprise Service 10 uses to inform iOS devices to contact the Communication Module for configuration updates (such as Wi-Fi profile, VPN profile, or Microsoft ActiveSync profile updates) and to provide information for your organization's device inventory.
The following are the key ports that the APNs uses.

APNs
Connection type   Default port number   Where to configure
TCP               5223
HTTPS             9081
Management Database
The Management Database is a relational database that contains user account information and configuration information (such as connection details) that BlackBerry Enterprise Service 10 components use to manage iOS devices and Android devices.
Note: The Management Database and the BlackBerry Configuration Database must be installed on the same database server. If they are not, functionality issues can arise, such as issues with single sign-on and the reporting services.
The following are the key ports that the Management Database uses.

Management Database
Connection type   Default port number   Where to configure
                                        BES10 Configuration Tool
The following are the key ports that the BlackBerry Work Connect Notification Service uses.

BlackBerry Work Connect Notification Service
Connection type   Default port number   Where to configure
HTTPS             443
HTTP              8088                  During installation only
TCP proxy
The TCP proxy is an optional, customer-provided component that is used to meet installation-specific networking requirements. The TCP proxy acts as an intermediary for requests, which allows the BlackBerry Secure Connect Service to route TCP traffic from port 3101 to the BlackBerry Infrastructure, providing connectivity to iOS devices and Android devices.
The following are the key ports that the TCP proxy uses.

TCP proxy
Connection type   Default port number   Where to configure
TCP               3101
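The port tables above are what an administrator compares a BES10 host against when reviewing firewall rules or an unexpected listener. The following script is an added example (not BlackBerry code): it collects the default ports that the tables attribute to a named component and compares a `netstat -an` style listener snapshot against them, separating documented ports from ports the tables do not mention. The snapshot and the IP addresses in it are constructed for this example; the port inventory is taken from the tables, and a port that appears in no table is not assumed.

```python
"""Compare a listener snapshot against the BES10 default-port tables.

Added example, not BlackBerry code.  DEFAULT_PORTS is taken from the port
tables above (only rows where the component heading was clear); the
netstat-style snapshot is constructed for this example.
"""
import re

# (component, connection type, default port) as listed in the tables above
DEFAULT_PORTS = [
    ("BlackBerry Management Studio", "HTTPS", 7443),
    ("BlackBerry Infrastructure", "HTTPS", 443),
    ("BlackBerry Infrastructure", "TCP", 3101),
    ("Enterprise Management Web Service", "HTTP", 38084),
    ("Enterprise Management Web Service", "HTTPS", 38444),
    ("BlackBerry Dispatcher", "TCP", 3101),
    ("BlackBerry Dispatcher", "TCP", 3201),
    ("BlackBerry Router", "TCP", 3101),
    ("Core Module", "HTTP", 80),
    ("Core Module", "HTTPS", 443),
    ("Core Module", "HTTPS", 9081),
    ("Core Module", "HTTPS", 38081),
    ("Communication Module", "HTTPS", 9081),
    ("Communication Module", "HTTPS", 33443),
    ("APNs", "TCP", 5223),
    ("APNs", "HTTPS", 9081),
    ("BlackBerry Work Connect Notification Service", "HTTPS", 443),
    ("BlackBerry Work Connect Notification Service", "HTTP", 8088),
    ("TCP proxy", "TCP", 3101),
]

# Constructed snapshot in Windows `netstat -an` layout (TEST-NET address used)
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3201           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38084          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38444          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3101          203.0.113.7:3101       ESTABLISHED
"""

# Matches a TCP LISTENING line and captures the local port (IPv4 or [IPv6])
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def components_for_port(port):
    """All documented components that use this default port."""
    return sorted({c for c, _, p in DEFAULT_PORTS if p == port})


def parse_listeners(netstat_output):
    """Set of local ports in LISTENING state from netstat-style text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit_listeners(netstat_output):
    """Return (documented, undocumented).

    documented:   {port: [components]} for listeners found in the tables
    undocumented: sorted list of listening ports the tables do not mention
    """
    known = {p for _, _, p in DEFAULT_PORTS}
    listening = parse_listeners(netstat_output)
    documented = {p: components_for_port(p) for p in sorted(listening & known)}
    undocumented = sorted(listening - known)
    return documented, undocumented


if __name__ == "__main__":
    documented, undocumented = audit_listeners(NETSTAT_SAMPLE)
    for port, comps in documented.items():
        print(f"{port}: {', '.join(comps)}")
    print("not in the port tables:", undocumented)
```

Only listening sockets are compared, so outbound-only connections such as the Dispatcher's 3101 session to the BlackBerry Infrastructure or the 5223 connection to APNs appear as ESTABLISHED rather than LISTENING and are not flagged; those are better checked from the firewall's egress rules.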
- Accepts the challenge response and sends a confirmation to the BlackBerry Device Service to complete the authentication process and configure an authenticated SRP connection
If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Device Service close the SRP connection.
If the BlackBerry Device Service uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent an attacker from using the SRP identifier to create conditions for a DoS attack.
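The five-cycles-per-minute rule above is also worth running over your own logs: an SRP identifier that is about to be deactivated is usually a flapping BlackBerry Dispatcher or BlackBerry Device Service, and occasionally a key in use somewhere it should not be. The script below is an added example (not BlackBerry code) that applies the same sliding-window rule to a connect/disconnect log; the log format and the SRP identifiers and key hashes in it are constructed for this example.

```python
"""Sliding-window check for SRP connect/disconnect churn.

Added example, not BlackBerry code.  Applies the rule stated above: if one
SRP identifier plus SRP authentication key completes five connect-then-
disconnect cycles within one minute, the identifier is deactivated.
The log format below is constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
CYCLE_LIMIT = 5

# Constructed sample log: S1234567 cycles five times in 42 seconds,
# S7654321 connects once and stays connected.
SAMPLE_LOG = """\
2013-11-28T10:00:00 SRP_CONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:03 SRP_DISCONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:10 SRP_CONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:12 SRP_DISCONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:15 SRP_CONNECT srp_id=S7654321 key_hash=cd34
2013-11-28T10:00:20 SRP_CONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:22 SRP_DISCONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:30 SRP_CONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:32 SRP_DISCONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:40 SRP_CONNECT srp_id=S1234567 key_hash=ab12
2013-11-28T10:00:42 SRP_DISCONNECT srp_id=S1234567 key_hash=ab12
"""


def parse_line(line):
    """'<iso timestamp> <event> srp_id=<id> key_hash=<hash>' -> (ts, event, key)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, (kv["srp_id"], kv["key_hash"])


def find_deactivations(lines):
    """Return {(srp_id, key_hash): time of the fifth cycle inside one minute}."""
    open_conn = set()            # keys whose last CONNECT has no DISCONNECT yet
    cycles = defaultdict(deque)  # key -> disconnect times inside the window
    deactivated = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event, key = parse_line(line)
        if key in deactivated:
            continue             # already deactivated; later events are moot
        if event == "SRP_CONNECT":
            open_conn.add(key)
        elif event == "SRP_DISCONNECT" and key in open_conn:
            open_conn.discard(key)          # one connect-then-disconnect cycle
            q = cycles[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # drop cycles older than one minute
                q.popleft()
            if len(q) >= CYCLE_LIMIT:
                deactivated[key] = ts
    return deactivated


if __name__ == "__main__":
    for (srp_id, _), when in find_deactivations(SAMPLE_LOG.splitlines()).items():
        print(f"{srp_id} reaches the deactivation threshold at {when.isoformat()}")
```

A single identifier can legitimately reconnect after a network blip, so the useful alert is the one that fires on the fourth cycle, while there is still time to stop the service before the BlackBerry Infrastructure deactivates the SRP identifier.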
3. The Universal Device Service verifies that the authentication certificate is signed by a trusted authority and verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection.
4. The Universal Device Service sends a data packet that contains its unique SRP identifier and SRP authentication key to the BlackBerry Infrastructure.
5. The BlackBerry Infrastructure authenticates the SRP identifier and SRP authentication key. The BlackBerry Infrastructure now only allows traffic for this instance of the Universal Device Service, uniquely identified by its SRP identifier, to flow over the connection.
1. In BlackBerry Management Studio, or the BlackBerry Device Service console, the administrator creates a local or a directory user account.
   Note: If creating a local user account, the account must be created in the BlackBerry Device Service console.
2. The administrator creates an activation password for the user account. The BlackBerry Administration Service stores the activation password in the BlackBerry Configuration Database.
3. The BlackBerry Administration Service sends the email address or username information to the BlackBerry Infrastructure to register the user account.
4. The BlackBerry Infrastructure notifies the BlackBerry Administration Service whether the account registration is successful or not.
5. If the option to email the activation information to the user is selected, the BlackBerry Administration Service sends the activation information to the user's email address. If the option is not selected, the administrator must communicate the information to the user directly. The activation information includes the account information (email address or domain\username), account activation password, and server information (SRP ID of the BlackBerry Device Service) that the user needs to type on the BlackBerry device.
Note: If BlackBerry Enterprise Service 10 is set to register activation information, the user is registered with the BlackBerry Infrastructure, whether the device they are activating is a BlackBerry 10 device or a BlackBerry PlayBook tablet.
1. The Enterprise Management Agent on the device sends a message requesting activation details to the Enterprise Management Web Service.
2. The Enterprise Management Agent receives the activation details from the Enterprise Management Web Service. If the activation is a "Work and personal - Regulated" or a "Work space only" activation type, the device displays a notification requesting user acceptance to proceed with the activation.
3. The Enterprise Management Agent sends a message back to the Enterprise Management Web Service to confirm that the Enterprise Management Agent has completed the activation and created the work space.
4. The Enterprise Management Web Service and the Enterprise Management Agent configure IT policies, software configurations, and more, on the device.
- Connectivity through the BlackBerry Infrastructure to the mail server that is running Microsoft ActiveSync, to provide security for devices that are not connected to the organization's internal network or do not have a VPN connection
- Direct connection from the device to the mail server that is running Microsoft ActiveSync, through the VPN or over the work Wi-Fi network
1. The device issues an HTTPS request to the mail server and requests that the mail server notifies the device if any items change in the folders that are configured to synchronize.
2. The device stands by. You can adjust the synchronization time, depending on your mail server.
3. The mail server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.
   - Changed items include marking an email as read, moving an email into a sub folder, or updating organizer data
   - New items include receiving a new email or creating a new organizer data entry
1. You complete one of the following actions in the BlackBerry Device Service console:
2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in BlackBerry Enterprise Service 10 and the BlackBerry Device Service console identifies objects that must be shared with the device.
3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.
   Note: The Enterprise Management Web Service can only notify the Enterprise Management Agent on the device that there is an update over the IPPP pathway through the BlackBerry Infrastructure.
4. The Enterprise Management Agent polls the Enterprise Management Web Service for the update.
5. The Enterprise Management Web Service sends the configuration updates to the Enterprise Management Agent.
6. The Enterprise Management Agent retrieves the configuration updates and applies the new or updated configuration on the work space of the device.
1. You complete one of the following actions in the BlackBerry Device Service console:
   - Create a software configuration and assign it to a user account or a group the user account belongs to
2. If data conflicts exist, the BlackBerry Device Service console uses predefined reconciliation rules to resolve the conflicts. Updates are applied in BlackBerry Enterprise Service 10 and the BlackBerry Device Service console identifies objects that must be shared with the device.
3. The Enterprise Management Web Service notifies the Enterprise Management Agent on the device that there is an update.
4. The Enterprise Management Agent on the device polls the Enterprise Management Web Service for updates.
5. The Enterprise Management Web Service sends the update to the Enterprise Management Agent.
6. If a required app was added or updated, the Enterprise Management Agent accesses the URL that is specified in the app information to download and install the required app to the work space.
7. If the list of optional apps changed, the Work tab in the BlackBerry World storefront on BlackBerry PlayBook tablets, or the BlackBerry World for Work app for BlackBerry 10 devices, displays the updated list and the user can download and install the optional apps.
1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:
   - If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
   - If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version.
   Note: If the option to send an activation email to the user is selected, the administrator can customize the email message to reflect company-specific details.
2. The Core Module performs one of the following actions:
   - If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
   - If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it current.
3. If the option to send an activation email was selected, the Core Module generates the activation email and sends it to the user using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from the App Store and additional information the user needs to enter in the client, such as the domain name and SRP ID, the username, and the activation password for the user account if one was specified.
1. The user installs the BES10 Client on the iOS device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/S1234567, where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.
   - If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
   - If the user clicks Accept, the certificate is installed on the device and the activation process continues.
2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.
3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.
4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.
5. The Core Module checks whether the activation request is valid and performs one of the following actions:
   - If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message.
   - If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.
   - If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure passes the error message to the device and the activation stops.
   - If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client can request to manage on the device, such as Wi-Fi, VPN, Microsoft ActiveSync profile configuration, IT policy configuration, activation type, and so on), a command to provide device information and configuration, and a link to the BlackBerry Secure Connect Service to initiate the MDM Daemon enrollment process. The BlackBerry Secure Connect Service sends this information to the BlackBerry Infrastructure, which sends it to the device.
1. After receiving a successful response, the client displays a message to inform the user that a certificate must be installed to complete the activation. The user clicks OK and is redirected to the BlackBerry Secure Connect Service link for the MDM Daemon enrollment.
2. The BlackBerry Secure Connect Service connects to the Communication Module for the MDM Daemon enrollment.
3. A certificate is provided by the Communication Module and the user is presented with the option to install it. The user clicks Install Now and Done.
4. The client communicates with the BlackBerry Secure Connect Service to report the successful installation of the MDM profile and certificate.
5. The BlackBerry Secure Connect Service informs the Communication Module of the successful installation of the MDM profile and certificate.
6. The Communication Module informs the Core Module of this success.
7. After successfully confirming the MDM enrollment of the device, the Core Module sets the device activation status to active in the Management Database.
8. The client continually checks with the Communication Module through the BlackBerry Secure Connect Service to verify the activation status. When the activation is set to active, the device requests all IT policy and configuration information from, and sends device information to, BlackBerry Enterprise Service 10.
9. The BlackBerry Secure Connect Service receives the device information and sends it to the Communication Module.
10. The Communication Module receives the information, converts it to a device-agnostic format and forwards it to the Core Module.
11. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.
If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Work Connect
- Work Browser
- Documents To Go
Note: If the device is activated with the "Work and personal - user privacy" activation type, users are not prompted to install the work space apps and must go to a website provided by their administrator to download the apps.
1. In BlackBerry Management Studio, or the Universal Device Service console, the administrator creates a local or a directory user account, and does one of the following:
   - If the account is a local account, the administrator specifies an activation password (the local account password cannot be used for device activation).
   - If the account is a directory account, the administrator can choose whether to specify an activation password or use the login information for the account instead. The administrator can select the option to send an activation email to the user, assign group membership, and specify other device activation settings such as activation expiry date and time, maximum number of activations per device, device platform and device version.
   Note: If the option to send an activation email to the user is chosen, the administrator can customize the email message to reflect company-specific details.
2. The Core Module performs one of the following actions:
   - If the account is a local account, the Core Module generates a hash of the user account password and stores it along with the account information in the Management Database.
   - If the account is a directory account, the Core Module accesses Microsoft Active Directory, using LDAP, to retrieve the user account information and keeps a copy of the user account information in the Management Database. The Scheduler and Management Database periodically retrieve this information and keep it up to date.
3. If the option to send an activation email was selected, the Core Module sends the activation email using the SMTP settings configured by the administrator. The email message describes how to obtain the BES10 Client from Google Play and additional information the user needs to type in the client, such as the company server name, the username, and the activation password for the user account if one was specified.
1. The user installs the BES10 Client on the Android device. After launching the BES10 Client, the user is prompted to enter the URL provided by the administrator (which consists of the BlackBerry Infrastructure URL followed by the SRP ID of the customer, for example <cc>.bbsecure.com/S1234567, where <cc> is the country code), and accept the BlackBerry Enterprise Service 10 certificate. This prompt includes information about the SSL certificate, including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. Once the user accepts the certificate, they enter the username specified in the activation email and their password, and click Activate My Device.
   - If the user clicks Decline, they are returned to the previous activation screen and the activation process stops.
   - If the user clicks Accept, the certificate is installed on the device and the activation process continues.
2. The client sends an activation request over a secured channel to the BlackBerry Infrastructure, which sends it to the server name specified by the user. The activation request includes the username, password, device operating system, and unique device identifier.
3. The BlackBerry Secure Connect Service receives the activation request from the BlackBerry Infrastructure and sends it to the Communication Module.
4. The Communication Module receives the activation request and queries the Core Module to validate the activation request.
5. The Core Module checks whether the activation request is valid and performs one of the following actions:
   - If the activation request does not meet the criteria defined in the activation settings (for example, the username is not valid, the password has expired, or the device type or version is not allowed for the user account), the Core Module responds with an error message.
   - If the activation request meets all the activation criteria, the Core Module creates a device instance, associates it with the specified user account in the Management Database, sets the activation status for the device as unknown, and responds with a successful authentication to the Communication Module.
   - If the response from the Core Module is an error, the Communication Module sends the error message to the BlackBerry Secure Connect Service to send to the BlackBerry Infrastructure. The BlackBerry Infrastructure sends the error message to the device and the activation stops.
   - If the response from the Core Module is a successful authentication, the Communication Module generates a unique identifier for the device. This identifier is used to verify the authenticity of the device in every subsequent communication. The Communication Module sends a response to the BlackBerry Secure Connect Service that includes the identifier, the MDM profile of the device (these are the specific permissions that the BES10 Client requests to manage on the device, such as Wi-Fi, VPN, IT policy configuration, and so on), and a command to provide device information and configuration. The BlackBerry Secure Connect Service sends this information through the BlackBerry Infrastructure to the device.
1. After receiving a successful response, the BES10 Client requests all IT policy and configuration information and sends the device information and software information through the BlackBerry Infrastructure to the BlackBerry Secure Connect Service, which sends this information to the Communication Module.
2. The Communication Module receives the information, converts it to a device-agnostic format and sends it to the Core Module.
3. The Core Module stores the device information in the Management Database and sends the IT policy and configuration information back to the device.
If the activation type for the device is "Work and personal - user privacy" or "Work and personal - full control", after the activation is completed, the user is prompted to create a work space password. Additionally, the user may be prompted to install some or all of the following apps:
- Documents To Go
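The Core Module's step 5 in both the iOS and the Android activation flows above is a fixed sequence of checks against the activation settings (username, activation expiry, password, allowed device platform and version, maximum activations per device), followed by a status transition that the iOS flow finishes only after MDM enrollment is confirmed. The following is an added example (not BlackBerry code) that models those checks and the "unknown" to "active" transition so the order of the checks and the resulting error messages can be reasoned about; the settings, the account, the salt and the request values are all constructed for this example, and in BES10 the settings are configured in the console rather than in code.

```python
"""Model of the Core Module's activation checks and device status transitions.

Added example, not BlackBerry code.  Follows the activation flows above:
validate the request against the activation settings, record the device with
status "unknown", and set it to "active" only once MDM enrollment is
confirmed.  All settings, accounts and requests below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
import hashlib
import hmac

NOW = datetime(2013, 11, 28, 9, 0)           # constructed "current time"
AFTER_EXPIRY = datetime(2013, 12, 6, 9, 0)   # later than the sample expiry


@dataclass
class ActivationSettings:
    expires: datetime                # activation expiry date and time
    max_activations_per_device: int
    allowed_platforms: dict          # platform -> minimum OS major version


@dataclass
class UserAccount:
    username: str
    salt: bytes
    password_hash: bytes             # only a hash is stored, as for local accounts
    settings: ActivationSettings
    devices: dict = field(default_factory=dict)  # device_id -> {"status", "activations"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username: str, password: str, settings: ActivationSettings) -> UserAccount:
    salt = b"example-salt-" + username.encode("utf-8")  # constructed; use os.urandom in practice
    return UserAccount(username, salt, hash_password(password, salt), settings)


def validate_activation(users: dict, request: dict, now: datetime):
    """Core Module check of an activation request -> (ok, message)."""
    user = users.get(request["username"])
    if user is None:
        return False, "username is not valid"
    s = user.settings
    if now > s.expires:
        return False, "activation password has expired"
    if not hmac.compare_digest(hash_password(request["password"], user.salt), user.password_hash):
        return False, "password is not valid"
    min_major = s.allowed_platforms.get(request["platform"])
    if min_major is None or request["os_major"] < min_major:
        return False, "device type or version is not allowed for the user account"
    dev = user.devices.get(request["device_id"], {"status": None, "activations": 0})
    if dev["activations"] >= s.max_activations_per_device:
        return False, "maximum number of activations for this device reached"
    # Success: device instance created, status unknown until enrollment is confirmed
    dev["activations"] += 1
    dev["status"] = "unknown"
    user.devices[request["device_id"]] = dev
    return True, "successful authentication"


def confirm_mdm_enrollment(user: UserAccount, device_id: str) -> bool:
    """Step 7 of the iOS flow: enrollment confirmed -> status active."""
    dev = user.devices.get(device_id)
    if dev is None or dev["status"] != "unknown":
        return False
    dev["status"] = "active"
    return True


def build_users() -> dict:
    """Constructed account: one user, iOS 6+ or Android 4+, one activation per device."""
    settings = ActivationSettings(expires=datetime(2013, 12, 5),
                                  max_activations_per_device=1,
                                  allowed_platforms={"iOS": 6, "Android": 4})
    return {"jsmith": make_user("jsmith", "correct-horse-battery", settings)}


def sample_request(**overrides) -> dict:
    """Constructed activation request; keyword arguments override fields."""
    req = {"username": "jsmith", "password": "correct-horse-battery",
           "platform": "iOS", "os_major": 7, "device_id": "UDID-EXAMPLE-1"}
    req.update(overrides)
    return req


if __name__ == "__main__":
    users = build_users()
    print(validate_activation(users, sample_request(), NOW), users["jsmith"].devices)
    print(confirm_mdm_enrollment(users["jsmith"], "UDID-EXAMPLE-1"), users["jsmith"].devices)
```

Two points of the model are worth noting when reviewing activation logs: the expiry check runs before the password comparison, so an expired activation never reveals whether the password was right, and a device that is already recorded cannot activate again once it has used its allowed number of activations, which is the control that stops a leaked activation email from enrolling a second device.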
1. The device issues an HTTPS request to the mail server and requests that the mail server notify the device if any items change in the folders that are configured to synchronize.
2. The device stands by. You can adjust the synchronization time, depending on your mail server.
3. The mail server checks for any new or changed items and notifies the device when items change or new items come into the user's mailbox. The notification contains the name of the folder that has the new or changed item.
   - Changed items include marking an email as read, moving an email into a sub folder, or updating organizer data
   - New items include receiving a new email or creating a new organizer data entry
6. When the synchronization is complete, the device issues another request to restart the process.
7. If there are no new or changed items during this interval, the mail server sends an "HTTP 200 OK" message to the device.
8. The device issues a new PING request.
1. At defined intervals, the mail server checks for any new or changed items and notifies the iOS device or Android device,
through BlackBerry Enterprise Service 10, when there are new or changed items.
If the device is an iOS device:
The BlackBerry Work Connect Notification Service receives the notification and passes it to the BlackBerry
Secure Connect Service for forwarding
The notification is received by the BlackBerry Secure Connect Service for forwarding
2. BlackBerry Secure Connect Service notifies the BlackBerry Infrastructure that there are new or changed items in the
user's mailbox over port 3101.
3. The BlackBerry Infrastructure passes a notification to the device that there are new or changed items in the user's
mailbox.
721-08877-123
10.2
31
      The BlackBerry Infrastructure contacts the APNs over port 2195 to notify the user that there is an item
      waiting to be synchronized.
      The APNs notifies the device that there is a new or changed item waiting to be synchronized.
      When the app receives the notification, it displays an icon that indicates that there are new updates
      available for the user.
      The BlackBerry Infrastructure contacts the device to notify the user that there is an item waiting to be
      synchronized.
      When the app receives the notification, it displays an icon that indicates that there are new updates
      available for the user.
4. The device contacts the BlackBerry Infrastructure to request the new or changed items.
5. The BlackBerry Infrastructure contacts the BlackBerry Secure Connect Service and requests the new or changed
items.
6. The BlackBerry Secure Connect Service contacts the mail server and requests the new or changed items be sent to the
device.
7. The mail server sends the items to the device, through the BlackBerry Secure Connect Service and the BlackBerry
Infrastructure.
8. The device sends confirmation back to the mail server, through the BlackBerry Secure Connect Service and the
BlackBerry Infrastructure, that the updates have been received.
9. When the synchronization of all items is complete, the mail server sends an "HTTP 200 OK" message to the device.
10. The device waits for the next notification from BlackBerry Enterprise Service 10 that there are new or changed items to
synchronize.
Using the Universal Device Service console, the administrator performs any of the following actions:
Lock device
Unlock device
Update an IT policy
At defined intervals, the Scheduler contacts the Core Module and requests the list of devices that have an action or
command that needs to be performed (for example, check jailbroken or rooted status, or request the list of installed
applications). If an action or command needs to be performed, the Scheduler adds it to the list of pending commands
or actions for the device.
At the polling interval defined by the administrator, the BES10 Client contacts the Communication Module and
provides device information and the list of installed applications.
Android devices use the BES10 Client to perform all actions and commands.
iOS devices use the BES10 Client to provide device information, such as jailbroken status, to BlackBerry
Enterprise Service 10 and to display policy enforcement information. The MDM Daemon on iOS devices
supplements the BES10 Client protocol and performs the rest of the actions and commands on iOS
devices.
When BlackBerry Enterprise Service 10 receives device information or the list of installed applications, several
enforcement checks are performed on the device. The enforcement check may trigger one of the following:
Schedule an enforcement breach action (for example, delete all data, delete only work data, or inform the
user that they are in breach and that there may be further enforcement action at a later time)
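The enforcement check described above, written out as an added example; this is not BlackBerry's code, and the report fields, policy structure, app identifiers and the "most severe action wins" rule are assumptions made here for illustration. It takes the device information a client reports (jailbroken or rooted status, installed apps), compares it with an administrator-defined policy, and returns which of the three breach actions named in the text should be scheduled.

```python
"""Policy enforcement check run over the device information and installed-app
list that a device client reports (added example, not BlackBerry's code).

Assumptions: the DeviceReport and EnforcementPolicy fields, the app package
names, and the rule that the most severe action wins are all invented here
for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class BreachAction(Enum):
    # The three enforcement breach actions named in the data flow text.
    INFORM_USER = "inform_user"            # user is in breach; further action may follow
    DELETE_WORK_DATA = "delete_work_data"
    DELETE_ALL_DATA = "delete_all_data"


# Ordering used when several checks fail in the same report: most severe wins.
SEVERITY = {
    BreachAction.INFORM_USER: 0,
    BreachAction.DELETE_WORK_DATA: 1,
    BreachAction.DELETE_ALL_DATA: 2,
}


@dataclass
class DeviceReport:
    device_id: str
    platform: str                 # "ios" or "android" (assumed values)
    jailbroken_or_rooted: bool    # as reported by the device client
    installed_apps: List[str]     # app identifiers as reported by the client


@dataclass
class EnforcementPolicy:
    allow_compromised: bool = False
    restricted_apps: Set[str] = field(default_factory=set)
    required_apps: Set[str] = field(default_factory=set)
    # Action the administrator configured for each kind of breach (assumed structure).
    on_compromised: BreachAction = BreachAction.DELETE_WORK_DATA
    on_restricted_app: BreachAction = BreachAction.INFORM_USER
    on_missing_required: BreachAction = BreachAction.INFORM_USER


def check_enforcement(report: DeviceReport,
                      policy: EnforcementPolicy) -> Tuple[List[str], Optional[BreachAction]]:
    """Return (breach descriptions, action to schedule or None if the device is compliant)."""
    breaches: List[str] = []
    actions: List[BreachAction] = []
    installed = set(report.installed_apps)

    if report.jailbroken_or_rooted and not policy.allow_compromised:
        breaches.append("device is jailbroken or rooted")
        actions.append(policy.on_compromised)

    for app in sorted(policy.restricted_apps & installed):
        breaches.append(f"restricted app installed: {app}")
        actions.append(policy.on_restricted_app)

    for app in sorted(policy.required_apps - installed):
        breaches.append(f"required app missing: {app}")
        actions.append(policy.on_missing_required)

    if not actions:
        return breaches, None
    return breaches, max(actions, key=SEVERITY.__getitem__)


def demo() -> List[Tuple[str, Optional[BreachAction]]]:
    """Run the check over three constructed sample reports; returns (device_id, action) pairs."""
    policy = EnforcementPolicy(restricted_apps={"com.example.tether"},
                               required_apps={"com.example.workclient"})
    reports = [  # constructed sample input
        DeviceReport("dev-1", "android", False, ["com.example.workclient"]),
        DeviceReport("dev-2", "ios", False, ["com.example.workclient", "com.example.tether"]),
        DeviceReport("dev-3", "android", True, ["com.example.tether"]),
    ]
    return [(r.device_id, check_enforcement(r, policy)[1]) for r in reports]


if __name__ == "__main__":
    for device_id, action in demo():
        print(device_id, action.value if action else "compliant")
```

Because the server only receives what the client reports, the check is only as trustworthy as the client: a compromised device can lie about its own jailbroken status, which is why the per-breach actions are left to the administrator rather than hard-coded.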
1. At defined intervals, the BES10 Client contacts the BlackBerry Secure Connect Service, on port 3101 of the external
firewall, to check for any pending actions and commands that need to be performed on the device. Polling occurs every
15 minutes, by default, but the interval can be configured by the administrator.
2. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443 to request any
pending actions and commands.
3. The Communication Module contacts the Core Module, over internal port 9081, to verify the device authentication
information and get a list of pending actions and commands that need to be run on the device.
4. If there are no pending actions or commands for the device, the Communication Module replies to the device, through
the BlackBerry Secure Connect Service, with an idle command. If there are actions or commands pending for the
device, the Communication Module replies, through the BlackBerry Secure Connect Service, with the highest priority
action.
For Android devices, priority is given to IT administration commands, such as Delete device data and Lock device,
followed by requests for device information, installed applications, and so on. The Communication Module sends only
one command at a time. If necessary, additional information is included in the response.
5. The client inspects the response, schedules the command to be processed, and waits for the command to be run.
6. The client sends a response to the Communication Module, through the BlackBerry Secure Connect Service, to update
the command status. The status indicates whether the command ran successfully and in the event of failure, it provides
an error message.
7. Steps 2 to 5 are repeated until there are no more pending actions or commands that need to be performed on the
device.
Note: For secure work apps, the initial notification is sent to the iOS or Android device by the content server, through the
APNs for iOS devices, using whatever transport method the app developer specified. This may not involve BlackBerry
Enterprise Service 10. After the notification is delivered to the device, the device contacts the BlackBerry Secure Connect
Service to retrieve updated data.
1. The Core Module notifies the BlackBerry Secure Connect Service that there is an update pending for an iOS device.
2. The BlackBerry Secure Connect Service contacts the BlackBerry Infrastructure, over port 3101, to notify the APNs that
there is an update pending for an iOS device.
3. The BlackBerry Infrastructure, over port 2195, notifies the APNs that there is an update pending for an iOS device.
4. The APNs sends a notification to the MDM Daemon on the iOS device to contact the Communication Module.
5. When the MDM Daemon on the iOS device receives the notification, it contacts the BlackBerry Secure Connect
Service, on port 3101 of the external firewall, to retrieve any pending actions.
6. The BlackBerry Secure Connect Service contacts the Communication Module, over internal port 33443, to request the
updates.
7. The Communication Module contacts the Core Module, over internal port 9081, to verify the device and get a list of
pending actions and commands that need to be run on the device.
8. If there are no pending actions or commands for the device, the Communication Module, through the BlackBerry
Secure Connect Service, replies to the device with an idle command. If there are actions or commands pending for the
device, the Communication Module, through the BlackBerry Secure Connect Service, replies with the highest priority
action. Priority is given to actions, such as Delete device data and Lock device, followed by requests for device
information, installed applications, etc. The Communication Module sends only one command at a time. If necessary,
additional information is included in the response.
9. The MDM Daemon on the iOS device inspects the response, schedules the command to be processed, and waits for
the command to be run.
10. The MDM Daemon sends a response to the Communication Module, through the BlackBerry Secure Connect Service,
to update the command status. The status indicates whether the command ran successfully, providing any additional
information, and in the event of failure, it provides an error message.
11. Steps 4 to 7 are repeated until there are no more pending actions or commands that need to be performed on the
device.
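The polling exchange used by both the BES10 Client flow and the MDM Daemon flow above (device verification, one highest-priority command per reply, an idle reply when the queue is empty, and a status report for each command) as an added example in Python. This is not BlackBerry's code: the command names, the priority numbers, the token check and the in-memory queue are assumptions chosen here to illustrate the protocol; a real deployment goes through the BlackBerry Secure Connect Service and the Core Module, which this simulation collapses into a single object.

```python
"""Simulation of the command polling exchange between a device client and the
Communication Module (added example, not BlackBerry's code). Command names,
priority numbers and the credential check are assumptions for illustration."""
import heapq
import hmac
from itertools import count

# Constructed device credentials standing in for the Core Module's device
# authentication check (assumed; real deployments keep these server-side).
DEVICE_TOKENS = {"dev-android-1": "tok-secret-1"}

# Lower number = higher priority: IT administration commands first, then
# requests for device information, as the data flow text describes.
PRIORITY = {
    "delete_device_data": 0,
    "delete_work_data": 0,
    "lock_device": 1,
    "get_device_info": 5,
    "get_installed_apps": 6,
}


def verify_device(device_id, token):
    """Constant-time comparison so a wrong token is not distinguishable by timing."""
    expected = DEVICE_TOKENS.get(device_id)
    return expected is not None and hmac.compare_digest(expected, token)


class CommunicationModule:
    def __init__(self):
        self._pending = {}        # device_id -> heap of (priority, seq, command, params)
        self._seq = count()       # tie-breaker so equal priorities stay FIFO
        self.status_log = []      # command status reports received from devices

    def schedule(self, device_id, command, **params):
        entry = (PRIORITY[command], next(self._seq), command, params)
        heapq.heappush(self._pending.setdefault(device_id, []), entry)

    def poll(self, device_id, token):
        """Reply with the single highest-priority pending command, or idle."""
        if not verify_device(device_id, token):
            return {"command": "reject"}
        heap = self._pending.get(device_id)
        if not heap:
            return {"command": "idle"}
        _prio, seq, command, params = heapq.heappop(heap)
        return {"command": command, "seq": seq, "params": params}

    def report_status(self, device_id, seq, success, error=None):
        self.status_log.append({"device": device_id, "seq": seq,
                                "success": success, "error": error})


class DeviceClient:
    def __init__(self, device_id, token, handlers):
        self.device_id = device_id
        self.token = token
        self.handlers = handlers  # command name -> callable that performs it

    def poll_cycle(self, module):
        """Repeat poll/run/report until the server answers idle (or rejects us)."""
        executed = []
        while True:
            resp = module.poll(self.device_id, self.token)
            if resp["command"] in ("idle", "reject"):
                return executed, resp["command"]
            handler = self.handlers.get(resp["command"])
            try:
                if handler is None:
                    raise NotImplementedError(f"unsupported command {resp['command']}")
                handler(**resp["params"])
                module.report_status(self.device_id, resp["seq"], True)
            except Exception as exc:
                # Failure is reported back with an error message rather than dropped.
                module.report_status(self.device_id, resp["seq"], False, str(exc))
            executed.append(resp["command"])


def demo():
    """Queue three commands out of priority order and run one polling cycle."""
    module = CommunicationModule()
    module.schedule("dev-android-1", "get_installed_apps")                 # constructed sample
    module.schedule("dev-android-1", "lock_device", message="Locked by IT")
    module.schedule("dev-android-1", "delete_device_data")
    handlers = {
        "delete_device_data": lambda: None,
        "lock_device": lambda message: None,
        # get_installed_apps deliberately has no handler, to show failure reporting
    }
    client = DeviceClient("dev-android-1", "tok-secret-1", handlers)
    executed, final = client.poll_cycle(module)
    stranger = DeviceClient("dev-android-1", "wrong-token", handlers)
    _, rejected = stranger.poll_cycle(module)
    return executed, final, rejected, module.status_log


if __name__ == "__main__":
    print(demo())
```

Running demo() delivers delete_device_data first, then lock_device, then get_installed_apps, even though they were queued in the opposite order; the unhandled command produces a failure status with an error string, and the client using a wrong token receives only a reject reply and never sees a command.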
Glossary
APNs
BlackBerry Enterprise Server databases
The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database
(associated with the BlackBerry Device Service) and the Management Database (associated with
the Universal Device Service). By default, the databases are named BDSMgmt and
BDSMgmt_UDS, respectively, when you install BlackBerry Enterprise Service 10.
CA
certification authority
CAL
A BlackBerry Client Access License (BlackBerry CAL) limits how many users you can add to a
BlackBerry Enterprise Server.
DMZ
DNS
EMM
FQDN
HTTP
HTTPS
IP
Internet Protocol
IT policy
An IT policy consists of various IT policy rules that control the security features and behavior of
BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and
the BlackBerry Web Desktop Manager.
IT policy rule
An IT policy rule permits you to customize and control the actions that BlackBerry smartphones,
BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web
Desktop Manager can perform.
LAN
LDAP
MDM
messaging server
A messaging server sends and processes messages and provides collaboration services, such as
updating and communicating calendar and address book information.
MMS
OTA
The process of sending data over the wireless network is sometimes referred to as over the air
or OTA.
PAC
proxy auto-configuration
PIM
PIN
SCEP
SIM
S/MIME
SMS
SMTP
Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used with POP or IMAP to send and
receive email messages over a network, such as the Internet.
space
A space is a distinct area of the device that enables the segregation and management of
different types of data, applications, and network connections. Different spaces can have
different rules for data storage, application permissions, and network routing. Spaces were
formerly known as perimeters.
SQL
SRP
SRP ID
The SRP ID is a unique identifier for the BlackBerry Enterprise Server that the BlackBerry
Enterprise Server uses to identify itself to the BlackBerry Infrastructure during SRP
authentication.
SSL
TCP
TCP/IP
UDP
UTF-8
VPN
WAN
Legal notice
© 2013 BlackBerry. All rights reserved. BlackBerry and related trademarks, names and logos are the property of
BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. Android is a trademark of
Google Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is
used under license by Apple Inc. Microsoft, Active Directory, and ActiveSync are trademarks of Microsoft Corporation.
Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. This
documentation is provided "as is" and without condition, endorsement, guarantee, representation or warranty, or liability
of any kind by BlackBerry Limited and its affiliated companies, all of which are expressly disclaimed to the maximum
extent permitted by applicable law in your jurisdiction.