BEMS in a BlackBerry UEM environment Configuration Guide

2.12

2019-10-28Z


Contents

About this guide
Steps to configure BEMS
Configuring BEMS-Core
  Importing CA Certificates for BEMS
    Create a trusted connection between BEMS and Microsoft Exchange Server
    Import non-public certificates to BEMS
  Importing and configuring certificates
    Replacing the auto-generated SSL certificate
    Configuring HTTPS for BEMS to BlackBerry Proxy
    Assign the BEMS SSL certificate to users
    Import third-party server certificates into the BEMS Java keystore
    Download certificates from the Cisco Unified Communications Manager and Cisco IM and Presence servers into the BEMS Java keystore
    Keystore commands
  Add dashboard administrators
  Configure the BlackBerry Dynamics server in BEMS
  Configure a web proxy server for the Push Notifications service
  Enable log file compression
  Uploading BEMS log and statistical information
    Specify log upload credentials
    Upload log files
    Enable BEMS to upload BEMS statistics
  Firebase Push Notifications
    Create Firebase Cloud Messaging API keys
  Enabling FIPS Mode in BEMS
    Enable FIPS-compliance mode
    Verify that FIPS-compliance is enabled
Configuring BEMS services
  Configuring the Push Notifications service
    Configuring Push Notifications
    Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes
    Set the detailed Notifications Cutoff Time
    Configuring the Push Notifications service for high availability
    Configuring the Push Notifications service for disaster recovery
    Push Notifications service logging and diagnostics
  Configuring the Connect service
    Configuring the Connect service in the BEMS dashboard
    Configuring BlackBerry UEM for BlackBerry Connect
    Enabling persistent chat
    Configuring the Connect service for high availability
    Configuring the Connect service for disaster recovery
    Specify the BlackBerry Proxy the BlackBerry Connect service contacts in a cluster
    Using friendly names for certificates in BlackBerry Connect
    Configure the Connect service to receive SSL communications for a new installation
    Configuring Windows Services
    Global catalog for Connect and Presence
    Troubleshooting BlackBerry Connect Issues
  Configuring the BlackBerry Presence service
    Configuring the BlackBerry Presence service in the BEMS Dashboard
    Manually configure the Presence service for multiple application endpoints
    Configuring BlackBerry UEM for BlackBerry Presence
    Configuring the Presence service for high availability
    Configuring Presence service for disaster recovery
    Using friendly names for certificates in Presence
    Troubleshooting BlackBerry Presence Issues
  Configuring the BlackBerry Docs service
    Configure a web proxy server for the Docs service
    Configure the database for the BlackBerry Docs service
    Repositories
    Storage services
    Authentication providers
    Configure the Docs security settings
    Configure your Audit properties
    Add an app server hosting the BlackBerry Docs app to a BlackBerry Dynamics connectivity profile
    Configuring BlackBerry UEM for the BlackBerry Docs service
    Configuring Docs for Rights Management Services
    Configuring the Docs instance for high availability
    Configuring the Docs service for disaster recovery
    Managing Repositories
    Add a CMIS storage service
    Enable modern authentication for Microsoft SharePoint Online
    Windows Folder Redirection (Native)
    Local Folder Synchronization – Offline Folders (Native)
    Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business
    Microsoft SharePoint Online authentication setup
    Configuring Microsoft Office Web Apps server for Docs service support
    Configuring resource based Kerberos constrained delegation for the Docs service
    Configuring Kerberos constrained delegation for Docs
Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service
Updating the Connect and Presence services using Lync Director
  Specify the Connect and Presence services to use a Lync Director
Configuring BlackBerry Dynamics Launcher
  Configuring Good Enterprise Services in BlackBerry UEM
    Verify that Good Enterprise Services are available in BlackBerry UEM
    Add the BEMS instance to the Good Enterprise Services and BlackBerry Work entitlement app
  Setting a customized icon for the BlackBerry Dynamics Launcher
    Specify a customized icon for the BlackBerry Dynamics Launcher
    Remove a customized icon for the BlackBerry Dynamics Launcher
Monitoring
  Monitoring the status of BEMS and users using the BEMS Lookout tool
    Install the BEMS Lookout tool
    Monitoring probes
    Run the BEMS Lookout tool
  Java Management Extensions (JMX)-compliant monitoring tools
    Monitoring the status of Push Notifications using JMX-compliant monitoring tools
    Monitoring the status of the BEMS-Docs service using JMX-compliant monitoring tools
    Monitoring attributes
    Enable JMX
    View statistics using the JMX tool
Appendix A: Understanding the BEMS-Connect configuration file
Appendix B: Understanding the Skype for Business Online Common Settings configuration file
Appendix C: Java Memory Settings
Appendix D: Setting up IIS on the BEMS
Appendix E: BEMS Windows Event Log Messages
Appendix F: File types supported by the BlackBerry Docs service
Glossary
Legal notice

About this guide

This guide describes how to configure and administer BEMS in your BlackBerry UEM environment.

This guide is intended for senior and junior IT professionals who are responsible for configuring and administering BEMS.

Note: For ease of following the instructions in this guide, the content refers to the suggested database names that are used in the installation guide.

After you complete the tasks in this guide, see the following content to install and configure BlackBerry Dynamics apps:

• BlackBerry Work, Notes and Tasks administration content
• BlackBerry Connect administration content
• BlackBerry Access administration content


Steps to configure BEMS

When you configure BEMS, you perform the following actions:

1. Configure the BEMS-Core settings.
2. Configure one or more of the BEMS services:
   • Push Notifications (Mail)
   • Connect
   • Presence
   • Docs
3. Optionally, enable the Connect service and the Presence service to use a global catalog.
4. Optionally, set a customized icon for the BlackBerry Dynamics Launcher.
5. Optionally, configure the BEMS Lookout tool to monitor the status of BEMS and users.


Configuring BEMS-Core

When you configure BEMS-Core, you perform the following actions:

1. Install CA certificates
2. Install the BEMS SSL certificate
3. Add dashboard administrators
4. Configure the BlackBerry Proxy server in BEMS
5. Configure a web proxy
6. Optionally, enable log file compression
7. Configure Firebase Push Notifications
8. Optionally, enable FIPS mode

Importing CA Certificates for BEMS

By default, BEMS trusts only certificates issued by public CAs. If BEMS must communicate with a server whose certificate is not issued by a public CA, you must import that non-public CA certificate into the Java keystore on the BEMS host. BEMS may connect to the following servers in your environment:

• Microsoft Exchange Server
• Active Directory Federation Service (ADFS)
• BlackBerry Proxy
• Microsoft SharePoint
• Microsoft Office Web Apps

You can import a server's SSL certificate (or its root and intermediate certificate chain) using either of the following methods:

• The BEMS Dashboard, which stores the certificates in the BEMS database
• The Java keytool, which stores the certificates in the Java keystore (cacerts) on the BEMS host

Create a trusted connection between BEMS and Microsoft Exchange Server

By default, BEMS trusts only certificates issued by public CAs. If you enable email notifications for BlackBerry Work and your organization's Microsoft Exchange Server doesn't use an SSL certificate issued by a trusted CA, the connection between your BEMS instance and the Microsoft Exchange Server isn't trusted. To create a trusted connection, upload the server's SSL certificate (or the root or intermediate certificate chain) to the BEMS database. You can include one or more certificates in the .pem or .crt file.

Before you begin:

• The BEMS-Mail service is installed and configured in your environment.
• Export the SSL certificate from the Microsoft Exchange Server in a .pem or .crt base64 encoded format and store it in a network location that you can access from the management console. For more information about digital certificates and encryption in Microsoft Exchange Server, visit https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificates?view=exchserver-2016
• If you upload more than one SSL certificate, make sure that they are included in a single .pem or .crt file. Each upload replaces all of the SSL certificates already in the BEMS database, so a certificate that is not in the file you upload is no longer trusted.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click BEMS Configuration.
3. Click Upload Trust Certificate.
4. Click Choose File and navigate to the location of the .pem file that you want to upload.
5. Click OK to replace all of the SSL certificates in the database.
6. Click Save.

Replace or delete the trusted connection SSL certificates

When you replace the SSL certificate (for example, when the certificates expire), you replace all of the existing SSL certificates in the BEMS database. If you included more than one SSL certificate in the .pem or .crt file, verify that every certificate that is still required is included in the new upload.

Note: If you delete the SSL certificates, you delete all of the SSL certificates in the database, and the trusted connection with them.

Before you begin:

• Export the new SSL certificates from the Microsoft Exchange Server in a .pem or .crt base64 encoded format and store them in a network location that you can access from the management console. For more information about digital certificates and encryption in Microsoft Exchange Server, visit https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificates?view=exchserver-2016
• If you upload more than one SSL certificate, they must be in a single .pem or .crt file.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click BEMS Configuration.
3. Click Upload Trust Certificate.
4. Click Choose File and navigate to the location of the certificate that you want to upload.
5. Click OK to replace all of the trust certificates in the database.
6. Click Save.
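Both procedures above hinge on the single-file rule: each upload replaces the whole trust set, so every certificate that BEMS should still trust has to be in the one .pem file you upload. The following Python script is an added example, not part of this guide, of BEMS, or of the BEMS Dashboard. It merges the exported Exchange certificate with the certificates already in use into one bundle, refuses anything that is not a certificate (a stray PRIVATE KEY block pasted into a trust bundle is a common accident, and a trust store must never contain key material), checks that each block is one complete DER structure, and drops duplicates. EXCHANGE_EXPORT, EXISTING_TRUST and STRAY_KEY are constructed stand-ins (minimal DER sequences, not real certificates) so the script runs offline; in practice, read the exported .pem or .crt file and your previous bundle from disk.

```python
import base64
import re

# PEM block: the BEGIN and END labels must match; the body is base64, possibly wrapped.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text, in order."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE whose encoded length matches its size.
    Every X.509 certificate is a SEQUENCE, so this catches truncated or concatenated
    blobs without needing a full certificate parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: this byte is the length
        length, header = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def to_pem(der):
    """Encode DER bytes as a CERTIFICATE PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_trust_bundle(pem_texts):
    """Merge several PEM inputs into the single file the dashboard upload expects.
    Rejects private keys and any non-certificate block, checks DER framing and drops
    duplicate certificates. Raises ValueError with the reason on rejection."""
    seen, out = set(), []
    for text in pem_texts:
        blocks = parse_pem_blocks(text)
        if not blocks:
            raise ValueError("input contains no PEM blocks (DER file, or not base64 encoded?)")
        for label, der in blocks:
            if "PRIVATE KEY" in label:
                raise ValueError("private key found; a trust bundle must contain certificates only")
            if label != "CERTIFICATE":
                raise ValueError("unexpected PEM block type: " + label)
            if not der_sequence_ok(der):
                raise ValueError("certificate block is not a complete DER SEQUENCE")
            if der not in seen:
                seen.add(der)
                out.append(to_pem(der))
    return "".join(out)


def bundle_problem(pem_texts):
    """Return "" if build_trust_bundle accepts the inputs, else the rejection reason."""
    try:
        build_trust_bundle(pem_texts)
        return ""
    except ValueError as exc:
        return str(exc)


def count_certificates(bundle):
    return sum(1 for label, _ in parse_pem_blocks(bundle) if label == "CERTIFICATE")


# Constructed stand-ins (minimal DER SEQUENCEs, not real certificates) so the example
# runs offline. Replace them with the exported Exchange file and your previous bundle.
_FAKE_CERT_A = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
_FAKE_CERT_B = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
EXCHANGE_EXPORT = to_pem(_FAKE_CERT_A)                         # newly exported certificate
EXISTING_TRUST = to_pem(_FAKE_CERT_A) + to_pem(_FAKE_CERT_B)   # what BEMS trusts today
STRAY_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    bundle = build_trust_bundle([EXISTING_TRUST, EXCHANGE_EXPORT])
    print(count_certificates(bundle), "unique certificate(s) in the bundle")
    with open("trust-bundle.pem", "w", encoding="ascii") as fh:
        fh.write(bundle)
```

Run it on the previous bundle plus the newly exported file, then upload the resulting trust-bundle.pem in a single Upload Trust Certificate step. The DER framing check is deliberately shallow; it proves each block is one well-formed object, not that it is a certificate you intend to trust, so still review the subjects and expiry dates of what you upload.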

Import non-public certificates to BEMS

1. If necessary, verify that the Java bin directory is correctly specified in your environment PATH.
   a) In a command prompt, type set | findstr "JAVA_HOME" and press Enter.
   b) Type set | findstr "Path" and press Enter.
   Verify that the JAVA_HOME system variable is set to the correct Java directory and that the PATH system variable includes the bin directory of the same Java installation. For instructions about setting the JAVA_HOME and PATH system variables, see Configure the Java Runtime Environment.
2. Obtain a copy of the non-public CA certificate from the server that BEMS must communicate with. For more information, contact the administrator of your Microsoft Exchange Server, BlackBerry Proxy, or Microsoft SharePoint servers.
3. On the BEMS host, make a backup of the Java keystore file. By default, the Java keystore file is located at %JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is the directory confirmed in step 1.
4. Copy the non-public CA certificate to the Java keystore directory from step 3.
5. Open a command prompt and change directory to the Java keystore directory from step 3.
6. Type the following command to import the non-public CA certificate into the Java keystore:

   keytool -importcert -trustcacerts -alias <your_cert_alias> -file <your_cert>.cer -keystore cacerts -storepass changeit

   • your_cert_alias is the unique name that you are assigning to the certificate in the cacerts file. This alias cannot already exist in the cacerts file.
   • your_cert is the file name of the non-public certificate. If you specify the path to the file, add quotation marks (" ") around the full path, file name, and extension.
   • changeit is the default password of the cacerts keystore; if it has been changed on your host, use the current password instead.
7. Repeat steps 2 to 6 for each non-public CA certificate.
8. In the Windows Service Manager, restart the Good Technology Common Services service.

Importing and configuring certificates

Consider the following when you import certificates:

• Import a new SSL certificate if you want to replace the BEMS auto-generated SSL certificate.
• Import the BlackBerry Proxy and BlackBerry UEM certificate chains into the BEMS Java keystore.
• Assign the BEMS SSL certificate to users using a CA certificate profile, if necessary.

Replacing the auto-generated SSL certificate

Note: To replace the BEMS SSL certificate, or to replace or update the bems.pfx file, you must log in as the service account that you used to install the BEMS software.

By default, BEMS is remotely accessible using HTTPS only. During installation, a BEMS Java keystore called bems.pfx is created in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores\. If you previously created a self-signed certificate, your existing certificate and certificate password are retained.

When you replace the auto-generated SSL certificate, you perform the following actions:

1. If you need to obtain a signed certificate for BEMS, create a new keystore, generate a CSR, and obtain a signed certificate from a CA.
2. If you have an existing certificate (.pfx), import the previously issued certificate using the .pfx file.
3. Move the certificate into the BEMS keystore.
4. Update the certificate passwords in BEMS.

Note: Until you replace it, browsers report the auto-generated SSL certificate as untrusted because it is self-signed.

Create a new keystore, generate a CSR request, and obtain a signed certificate from a CA

1. If necessary, verify that the PATH system variable includes the path to the Java bin directory.
   a) In a command prompt, type set | findstr "Path".
   b) Press Enter.
   For instructions to set the Path system variable, see Configure the Java Runtime Environment.
2. On the computer that hosts BEMS, create a temporary folder (for example, C:\bemscert).
3. Create a new Java keystore and key pair.
   a) Open a command prompt.
   b) Navigate to the folder that you created in step 2.
   c) Type keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=<FQDN of BEMS host>, OU=<BEMS name>, O=<domain>, L=<location>, S=<state or province>, C=<country>" -validity <number of days before the certificate expires> -storepass <mystorepassword>

   For example, keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, S=Ontario, C=CA" -validity 730 -storepass mystorepassword

   For more information about keystore commands, see Keystore commands.
   d) Press Enter.
   e) Type a password for the serverkey certificate's private key. To set the serverkey password to be the same as the keystore password, press Enter.
   f) Optionally, to view the contents of the certificate before you submit it to a CA, type keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>
4. Generate a CSR for the BEMS Java keystore. In the command prompt, type keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mykeypassword>

   If the serverkey password and the keystore password are the same, type keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mystorepassword>
5. Submit the CSR to a CA.
6. Receive the CA-signed certificate from the CA and save it to the folder that you created in step 2.
7. Import the CA-signed certificate into the keystore against the serverkey entry whose CSR it answers. In the command prompt, type keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -file <"certificate filename received in step 6"> -alias serverkey

   For example, keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass mystorepassword -file "bemsnew certnew.cer" -alias serverkey

   keytool accepts the CA reply only if it can build a chain from the reply to a trusted root. If it reports that it cannot establish a chain from the reply, import the CA's root and intermediate certificates into bemsnew.pfx first (with keytool -importcert -trustcacerts, each under its own alias), or obtain the reply in a form that includes the full chain.
8. View the new contents of the keystore. Type keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>

After you finish: Move the certificate into the BEMS keystore

Import a previously issued certificate using a .pfx file

Before you begin:

• Verify that you have the .pfx file for a previously issued certificate. Make sure that you know the password for the .pfx file.
• If necessary, make sure that you know the password for the private key of the certificate within the .pfx file.

1. If necessary, verify that the PATH system variable includes the path to the Java bin directory.
   a) In a command prompt, type set | findstr "Path".
   b) Press Enter.
   For instructions to set the Path system variable, see Configure the Java Runtime Environment.
2. On the computer that hosts BEMS, create a temporary folder (for example, C:\bemscert).
3. Copy the .pfx certificate into the temporary folder.
4. Open a command prompt and navigate to the temporary folder that you created in step 2.
5. Confirm the information of the existing certificate in the bems.pfx keystore. Type keytool -list -keystore bems.pfx -storetype PKCS12 -storepass <password of the .pfx file>
   The BEMS Dashboard only supports one certificate in the bems.pfx keystore file. For more information about keystore commands, see Keystore commands.

After you finish: Move the certificate into the BEMS keystore.

Move the certificate into the BEMS keystore

Complete one of the following tasks, depending on the file name of the keystore that holds the new certificate:

• If the keystore file name is not bems.pfx: Copy the new keystore file, bemsnew.pfx, from C:\bemscert to <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores.

• If the keystore file name is bems.pfx: Replace the existing bems.pfx with the keystore file from C:\bemscert.
  a. Stop the Good Technology Common Services service from the Windows Service Manager.
  b. Navigate to <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores.
  c. Rename the existing bems.pfx file to bems_bak.pfx.
  d. Copy the bems.pfx file from C:\bemscert to <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores.

After you finish: Update the certificate passwords in BEMS

Update the certificate passwords in BEMS

For BEMS to access your certificate private key, you must include the challenge password in the jetty.xml file. The password must be obfuscated. This can be done with the BEMS SSL Tech Tool. For instructions, visit support.blackberry.com/community to read article 41823.

Before you begin: On the computer that hosts BEMS, download the BEMS Tech Tools (see the support article above) and extract the sslcert folder.

1. Generate the obfuscated challenge password for your serverkey certificate private key and keystore password.

   Note: When you run the BEMS SSL Tech Tool to obfuscate the password, it generates a new gems.jks file, which you can delete. The tool also generates a log file, SelfSignCertificate.log.0, for review. This file contains the same information as the screen output.

   a) In a command prompt, navigate to the extracted sslcert utility folder.
   b) Type sslcert.bat <mykeypassword> <mystorepassword> <fqdn of BEMS host>
      For example: sslcert.bat mykeypassword mystorepassword bemshost.example.com
   c) Copy the screen output to a text file for later reference.
2. Back up the jetty.xml file. By default, the jetty.xml file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc.
3. Update the KeyStorePath, TrustStorePath, KeyStorePassword, TrustStorePassword, and KeyManagerPassword elements in the jetty.xml file with the new keystore path and the obfuscated passwords. For examples, see Jetty.xml file reference.
   a) In a text editor, open the jetty.xml file.
   b) Locate the <New class="org.eclipse.jetty.util.ssl.SslContextFactory" id="sslContextFactory"> section.
   c) If the keystore file name has changed from the default gems.jks (for example, to bemsnew.pfx), locate the <Set name="KeyStorePath"> and <Set name="TrustStorePath"> elements and update them with the new file name.
   d) Locate the <Set name="KeyStorePassword"> and <Set name="TrustStorePassword"> elements and update them with the obfuscated passwords from the sslcert text output, Key Store Password and Trust Store Password, respectively. These outputs are the obfuscated values of the keystore password, referenced as <mystorepassword> in step 1b.
   e) Locate the <Set name="KeyManagerPassword"> element and update it with the new obfuscated password from the sslcert text output, Key Manager Password. This output is the obfuscated value of the key password, referenced as <mykeypassword> in step 1b.
4. Restart the Good Technology Common Services service from the Windows Service Manager.
5. Test the new certificate by accessing the BEMS Dashboard in a browser. Its certificate information now reflects the newly imported certificate.

Jetty.xml file reference

The keystore file is referenced in jetty.xml. The default location of the jetty.xml file on the computer that hosts BEMS is <BEMS Machine Path>\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\. You can access this folder using the service account that you used to install the BEMS software or the local system account.

The relevant snippet from jetty.xml referencing the location of the keystore file and its associated passwords looks like the following:

<New class="org.eclipse.jetty.util.ssl.SslContextFactory" id="sslContextFactory">
    <Set name="KeyStorePath"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
    <Set name="TrustStorePath"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
    <Set name="KeyStorePassword">OBF:1n7j1aip19pz1uh419q91....1thd1n411xtt</Set>
    <Set name="KeyManagerPassword">OBF:1n7j1aip19pz1uh419q91....1thd1n411xtt</Set>
    <Set name="TrustStorePassword">OBF:1n7j1aip19pz1uh419q91....1thd1n411xtt</Set>
    <Set name="KeyStoreType">PKCS12</Set>
    <Set name="TrustStoreType">PKCS12</Set>

The passwords are obfuscated. The KeyStorePassword and the TrustStorePassword are typically identical and represent the keystore password. The KeyManagerPassword is the challenge password for the certificate's private key. Jetty's OBF: encoding is reversible obfuscation, not encryption: anyone who can read jetty.xml can recover the passwords, so keep the file readable only by the service account and the local system account described above.
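Jetty's OBF: encoding is a published, keyless transform (org.eclipse.jetty.util.security.Password). The following Python reimplementation is an added example, not part of this guide, of the BEMS SSL Tech Tool, or of Jetty itself. It lets you check what an OBF: value in jetty.xml decodes to, produce the three values yourself, and rewrite the password elements of a jetty.xml fragment. SAMPLE_JETTY_XML is a constructed copy of the snippet above with a placeholder value (the OBF: string in it is the obfuscation of the placeholder password storepwd); the element names and layout are the page's own. Apply it to a backup of jetty.xml rather than to the live file.

```python
import re

# Reimplementation of Jetty's OBF: password obfuscation. Each byte of the password
# is mixed with its mirror byte from the other end of the string and written as a
# 4-digit base-36 group; bytes >= 0x80 (negative in Java) get a 'U' prefixed group.


def _b36(n):
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = digits[r] + s
    return s or "0"


def obfuscate(password):
    """Return the OBF: form of password, as Jetty's Password.obfuscate does."""
    b = password.encode("utf-8")
    n = len(b)
    out = ["OBF:"]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            out.append("U" + _b36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_b36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf):
    """Recover the clear-text password from an OBF: value. No key is involved."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)   # high byte is the original byte
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)           # (i1 + i2) == 254 + 2 * b1
            i += 4
    return raw.decode("utf-8")


# The three password elements the guide names, with straight quotes as in jetty.xml.
_PW = re.compile(
    r'<Set name="(KeyStorePassword|TrustStorePassword|KeyManagerPassword)">([^<]*)</Set>')


def read_jetty_passwords(xml):
    """Map each password element in the fragment to its decoded clear text."""
    return {m.group(1): deobfuscate(m.group(2)) for m in _PW.finditer(xml)}


def update_jetty_passwords(xml, store_password, key_password):
    """Rewrite the three password elements with fresh OBF: values. KeyStorePassword
    and TrustStorePassword take the keystore password, KeyManagerPassword the
    private-key (challenge) password, matching steps 3d and 3e of the guide."""
    values = {
        "KeyStorePassword": obfuscate(store_password),
        "TrustStorePassword": obfuscate(store_password),
        "KeyManagerPassword": obfuscate(key_password),
    }
    seen = set()

    def repl(m):
        seen.add(m.group(1))
        return '<Set name="%s">%s</Set>' % (m.group(1), values[m.group(1)])

    updated = _PW.sub(repl, xml)
    missing = set(values) - seen
    if missing:
        raise ValueError("jetty.xml fragment is missing: " + ", ".join(sorted(missing)))
    return updated


# Constructed fragment mirroring the guide's snippet; the OBF: value is storepwd.
SAMPLE_JETTY_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory" id="sslContextFactory">
  <Set name="KeyStorePath"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
  <Set name="TrustStorePath"><SystemProperty default="." name="jetty.home"/>/etc/keystores/gems.jks</Set>
  <Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  <Set name="KeyManagerPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  <Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <Set name="TrustStoreType">PKCS12</Set>
</New>
"""

if __name__ == "__main__":
    print(read_jetty_passwords(SAMPLE_JETTY_XML))
    print(update_jetty_passwords(SAMPLE_JETTY_XML, "mystorepassword", "mykeypassword"))
```

Because deobfuscate needs nothing but the file contents, the OBF: values are only as secret as jetty.xml itself; that is why the access restriction in the paragraph above matters, and why a leaked copy of jetty.xml should be treated as a disclosure of the keystore and private-key passwords.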

Certificate format

Any certificate used should be PKCS #12 and the private key must contain a challenge password. In addition, make sure that the certificate has the appropriate certificate chain, for example, the root and intermediate certificates.

Configuring HTTPS for BEMS to BlackBerry Proxy

By default, the Java keystore on the computer that hosts BEMS does not contain the CA root certificate for the BlackBerry Proxy server. The BlackBerry Proxy server uses a certificate that is signed by BlackBerry Control or BlackBerry UEM. This means that BEMS cannot verify the BlackBerry Proxy server's SSL certificate, and therefore any HTTPS connection made from BEMS to the BlackBerry Proxy server fails.


Export the BlackBerry Proxy CA certificate chain to your desktop

If your environment enforces the use of SSL certificate validation when BEMS communicates with BlackBerry Dynamics, you must export the root and intermediate BlackBerry UEM certificate chains used by the BlackBerry Proxy and import them into the BEMS Java keystore.

Note: The following task is not browser-specific. For specific instructions, see the documentation for the browser you are using (Windows Internet Explorer, Microsoft Edge, or Google Chrome).

1. In a browser, enter the FQDN of the BlackBerry Proxy server and port 17433 (for example, https://<BlackBerry_Proxy_server_FQDN>:17433). You may see a certificate error message because the certificate might be signed by the BlackBerry UEM or Control CA or another internal CA, but the browser does not recognize it as a well-known CA.

2. To open the Certificate dialog, click the certificate icon in the URL field.

3. Click Certificate (Invalid).

4. Click Certification Path.

5. Click the root certificate. The root certificate is the first item in the Certificate hierarchy.

6. Click View Certificate.

7. Click the Details tab.

8. Click Copy to File.

9. Click Next.

10. Select Base-64 encoded X.509 (.CER).

11. Click Next.

12. Enter a name for the certificate and export it to your desktop (for example, bproot.cer).

13. Click Save.

14. Click Finish.

15. Click OK.

After you finish: Import the BlackBerry Proxy CA certificate into the Java keystore on BEMS

Import the BlackBerry Proxy CA certificate into the Java keystore on BEMS

Before you begin: Save a copy of the bproot.cer certificate that you exported to a convenient location on the computer that hosts BEMS (for example, C:\bemscert). For instructions, see Export the BlackBerry Proxy CA certificate chain to your desktop.

1. On the computer that hosts BEMS, verify that the Java directory is specified in the JAVA_HOME system environment variable. In a command prompt, change to the %JAVA_HOME% folder: type cd %JAVA_HOME%. For more information, see Configure the Java Runtime Environment.

2. Make a backup of the Java keystore file. The Java keystore file is located at %JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is confirmed in step 1.

3. Import the BlackBerry Proxy root certificate. In a command prompt, type:

bin\keytool.exe -importcert -trustcacerts -file "<drive>:\bemscert\bproot.cer" -keystore lib\security\cacerts -alias gdca -storepass changeit

The -alias value must be unique in the destination keystore. If it is duplicated, you might experience import errors. You can output the cacerts keystore to a text file to manually confirm the existing certificates using a text editor. Type:

bin\keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt

For more information about keystore commands, see Keystore commands.

Important: If you do not specify the -keystore parameter correctly or omit it, the keytool creates a new keystore. BEMS services do not use the new keystore.


4. If you did not import the BlackBerry Proxy root certificate into the Windows keystore, import it now. For instructions, see Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore.

5. Restart the Good Technology Common Services service in the Windows Service Manager.

After you finish: Configure the Core BEMS service for communicating with BlackBerry Dynamics. For instructions, see Configure the BlackBerry Dynamics server in BEMS.

Configure BEMS for the BlackBerry Connect app. For instructions, see Configure BEMS connectivity with BlackBerry Dynamics.

Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore

For the Connect service to trust the BlackBerry Proxy server's certificate, you must import the BlackBerry Proxy root CA certificate to the Connect service Windows keystore.

1. Open the Microsoft Management Console.

2. Click Console Root.

3. Click File > Add/Remove Snap-in.

4. Click Certificates.

5. Select Computer Account > Local computer > OK.

6. Expand Certificates (Local Computer) > Trusted Root Certification Authorities.

7. Right-click Certificates, and click All Tasks > Import.

8. Click Next.

9. Browse to where you saved the BlackBerry Proxy CA certificate that you exported (for example, <drive>:\bemscert\bproot.cer). Click Open.

10. Click Next.

11. Click Finish. Click OK.

After you finish: Configure the Core BEMS service for communicating to BlackBerry Dynamics. For instructions,see Configure the BlackBerry Dynamics server in BEMS.

Assign the BEMS SSL certificate to users

By default, BEMS uses a self-signed certificate that is generated by the BEMS installer. If the BEMS SSL certificate is CA signed, export the CA root and intermediates as described in Replacing the auto-generated SSL certificate.

1. On the computer hosting BEMS, export the SSL certificate to a file.

a) In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.

b) Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.

2. In BlackBerry UEM, create a CA certificate profile for the BEMS self-signed certificate, or create individual CA certificate profiles for the CA root certificate and any CA intermediate certificates. Assign the profiles to users or user groups. For instructions on creating a CA certificate profile and assigning it to users or user groups, see the BlackBerry UEM administration content.

Note: In the Certificate file field, browse to the BemsCert.cer file you exported in step 1. 

Import third-party server certificates into the BEMS Java keystore

If your environment enforces the use of SSL certificate validation when BEMS communicates with the Microsoft Exchange Server, LDAP server or other third-party server, you must export the certificate and import it into the BEMS Java keystore.

Before you begin: The third-party server certificate is saved to your desktop. 


1. Open a command prompt.

2. Import the third-party server certificate chain that you saved to your desktop. Type:

keytool -importcert -trustcacerts -alias <your_server_cert_alias> -file <your_cert>.cer -keystore "%JAVA_HOME%\lib\security\cacerts"

3. Restart the Good Technology Common Services service from the Windows Service Manager.

Download certificates from the Cisco Unified Communications Manager and Cisco IM and Presence servers into the BEMS Java keystore

You must import the following certificates from the Cisco Unified Communications Manager (CUCM) and Cisco IM and Presence (CIMP) servers. For multi-server certificates, only one certificate per cluster must be imported. If the certificate is not a multi-server certificate, a copy must be downloaded from each CUCM and CIMP server in a cluster and imported separately.

• Tomcat.der
  • If your environment uses a multi-server certificate, a single copy of the certificate downloaded from the CUCM Publisher and CIMP Publisher servers is required.
  • If your environment does not use a multi-server certificate, a copy of the certificate downloaded from each CUCM and CIMP node is required.

• Cup.der
  • A copy of the certificate downloaded from each CIMP node is required.

• Cup-xmpp.pem and Cup-xmpp-ECDSA.pem (in a Cisco 11.5 environment)
  • If using a multi-server certificate, a single copy of the certificate downloaded from the CIMP Publisher is required.
  • If not using a multi-server certificate, a copy of the certificate downloaded from each CIMP node is required.

1. Log on to the appropriate CUCM server.

2. In the top-right Navigation drop-down list, click Cisco Unified OS Administration.

3. Click Security > Certificate Management.

4. Download the certificate named tomcat as a .der file.

5. Log on to the appropriate CIMP server.

6. In the top-right Navigation drop-down list, click Cisco Unified IM and Presence OS Administration.

7. Click Security > Certificate Management.

8. Download the cup-xmpp certificate and cup-xmpp-ECDSA certificate as .pem files.

9. Download the cup certificate as a .der file.

After you finish: Import these certificates into the BEMS Java keystore. For instructions, see Import third-party server certificates into the BEMS Java keystore.

Keystore commands

The following table lists the keystore commands that are available at the command line. For more information about using the Java keytool, visit docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html.

Action: Check which certificates are currently in the keystore
Command: keytool -list -v -keystore <keystore file>

Action: Export a list of the certificates that are currently in the keystore
Command: keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt

Action: Export a certificate from the keystore
Command: keytool -exportcert -alias <alias_name> -file <file_name>.crt -keystore <keystore file>

Action: Check a standalone certificate
Command: keytool -printcert -v -file <filename>.crt

Action: Delete a certificate from the keystore
Command: keytool -delete -alias <alias_name> -keystore <keystore file>

Action: Import a signed primary certificate to an existing BEMS Java keystore
Command: keytool -importcert -trustcacerts -alias <alias_name> -file <file_name>.crt -keystore <keystore file>

Action: Import a certificate into the BEMS Java keystore
Command: One of the following, based on the JRE installed in your environment:
keytool -importcert -trustcacerts -alias <cert_alias_name> -file <your_cert>.cer -keystore "%JAVA_HOME%\lib\security\cacerts"

Add dashboard administrators

You add Microsoft Active Directory groups to the Dashboard Administrators setting to give members of the group dashboard login and configuration permissions. You can add one or more groups, but each group must be a security group. Users who are members of the Local Administrators group can also log in to the BEMS Dashboard and have configuration rights.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click Dashboard Administrators.

3. Click Add Group.

4. In the Active Directory Security Group field, type the name of the Microsoft Active Directory security group.

5. Click Save.

6. Repeat steps 3 to 5 to add additional security groups.

Configure the BlackBerry Dynamics server in BEMS

Your BEMS environment must be configured to trust the Root CA for the BlackBerry Proxy HTTPS configuration or implement the Karaf workaround. For instructions, see Importing and configuring certificates.

The BlackBerry Dynamics server information in the following instructions refers to the FQDN of the server that hosts the BlackBerry Proxy service. The BlackBerry Proxy service is installed on on-premises BlackBerry UEM servers that have the BlackBerry Connectivity Node. The BlackBerry Connectivity Node is required for some BlackBerry UEM Cloud deployments when they link a company directory to the BlackBerry UEM Cloud tenant, and to offer on-premises connectivity to BlackBerry Dynamics users activated using BlackBerry UEM Cloud. For more information about the BlackBerry Connectivity Node, see the BlackBerry UEM Planning content.


1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click BlackBerry Dynamics.

3. Complete one of the following actions:

Task: If a BlackBerry Proxy server is not defined
Steps:
a. Click Add BlackBerry Proxy.
b. In the Host Name field, type the FQDN of the server that hosts the BlackBerry Proxy service.
c. In the Protocol drop-down list, select the protocol used to communicate with the BlackBerry Proxy server.
   • If you select HTTPS, the Port field prepopulates to 17433.
   • If you select HTTP, the Port field prepopulates to 17080.
d. Click Test to test the connection.
e. Repeat steps 1 to 4 to add additional BlackBerry Proxy servers for redundancy.

Task: If one or more BlackBerry Proxy servers are defined
Steps: No action is required. Previously defined BlackBerry Proxy servers are listed.

4. Select the Apply to other nodes in the BEMS cluster check box to communicate the BlackBerry Proxy server information to all of the BEMS nodes in the cluster.

5. Optionally, select the Enforce the SSL Certificate validation when communicating with BlackBerry Dynamics check box when you use the HTTPS protocol to communicate with the BlackBerry Proxy server.

6. Click Save. 

Configure a web proxy server for the Push Notifications service

Because APNS pushes are sent using the BlackBerry Dynamics NOC, which resides outside of your enterprise network, a proxy server might be required to access the BlackBerry Dynamics NOC.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click Web Proxy.

3. Select the Use Web Proxy checkbox.

4. In the Proxy Address field, enter the FQDN of the web proxy server.

5. In the Proxy Port field, type the port number.

6. Optionally, depending on your environment configuration, you can specify URLs or domains that you want to pass through the web proxy server or bypass the web proxy server. If you enter multiple URLs or domains, separate them with a comma (,). You can use wildcards (*) when listing the URLs or domains. The URLs or domains that you list are not case-sensitive.

7. In the Proxy Server Authentication Type drop-down list, select an authentication type. By default, the authentication is set to None. If you choose Basic or NTLM authentication, enter the credentials and, optionally, the Domain.


8. Select the Use the same web proxy settings to connect to an externally hosted Exchange checkbox if you want to use the web proxy to communicate with a hosted Microsoft Exchange Server (cloud deployed).

9. Select the Apply to other nodes in the BEMS cluster check box to communicate the BlackBerry Proxy server information to all of the BEMS nodes in the cluster.

10. Click Test to verify the connection to the proxy server.

11. Click Save.

Enable log file compression

You can compress the log files that are generated and saved in the default log folder or the folder you specified during the installation of BEMS. Currently, log files are generated and rotated when they reach 100 MB in size, once a day at midnight, or when the server is restarted. When you enable log compression, log files can be larger than 100 MB. When a log file exceeds 100 MB, it is compressed and saved to the appropriate log file folder. By default, log file compression is disabled.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click Log Settings.

3. Select the Enable Log Compression check box.

4. Click Save.

Uploading BEMS log and statistical information

The BEMS Dashboard provides several aids for collecting troubleshooting data.

Troubleshooting aid: Log Upload Credentials
Description: Enter the username and password that you use to log on to the BlackBerry Online Portal.
Note: These credentials are not stored, and are only used to ensure that this BEMS is authorized for log uploads.

Troubleshooting aid: Upload Logs
Description: Use this tool to send logs directly to BlackBerry Support. Mail and Docs services logs are supported.
Note: When you specify the date range, the time zone displayed is that of the BEMS server and the dates selected are used in reference to that time zone.

Troubleshooting aid: Upload BEMS statistics
Description: Use this tool to send BEMS statistics to the BlackBerry Infrastructure and BlackBerry Dynamics NOC periodically. By default, uploading diagnostic information is enabled.

Specify log upload credentials

Before you begin: Make sure you have the login credentials you use to access the BlackBerry Online Portal. These credentials are not stored; they are used to verify that the BEMS server is authorized for log uploads to BlackBerry technical support for review. If you configured the Upload Credentials screen during the software installation or upgrade, the BlackBerry Online Portal Username field is prepopulated with the username that you provided. If you didn't provide the credentials during the software installation or upgrade, but the Allow this BEMS server to send diagnostic information to BlackBerry Support check box was selected, BEMS automatically configures the Upload BEMS statistics information.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.

2. Click Log Upload Credentials.

3. If necessary, in the BlackBerry Online Portal Username field, type the username that you use to access the BlackBerry Online Portal.

4. In the BlackBerry Online Portal Password field, type the password that you use to access the BlackBerry Online Portal.

5. Click Test.

6. Click Save.

Upload log files

You can upload log files for the Mail service and Docs service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.

2. Click Upload Logs.

3. Specify a date range for the logs to include. The time zone displayed is that of the BEMS server and the date range you specify is in reference to that time zone.

4. Click Upload Logs.

Enable BEMS to upload BEMS statistics

Periodically, BEMS sends diagnostic information to BlackBerry technical support. The statistical information might include the following information:

• Name of the cluster
• Version of BEMS
• JVM Version
• Last restart time
• System bugs
• Operating system
• Schema version
• System health

The following information might be sent if the Mail service is installed:

• Number of users assigned to the instance
• Name of instance
• List of instances
• Feature set for instance
• Feature set for cluster
• Services installed, status of the instance

If you provided the upload credentials during the software installation or upgrade, this page is prepopulated with a default upload interval of 30 minutes. If you didn't provide the upload credentials information and didn't clear the Allow this BEMS server to send diagnostic information to BlackBerry Support check box, BEMS generates a random cluster name and configures these settings when you specify the Log Upload Credentials.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.

2. Click Upload BEMS statistics.

3. Select the Allow this BEMS server to send diagnostic information to BlackBerry Support check box. If you clear this check box, you disable this feature and are prompted to complete the Upload Credentials when you upgrade the BEMS instance.

4. Type a cluster name and domain name.

5. If necessary, in the Upload interval field, specify an upload interval. You can specify an upload interval between 0 and 65355 minutes. By default, the upload interval is 30 minutes.

6. Click Save.

Firebase Push Notifications

Configure FCM to send notifications to Android devices when the BlackBerry Work 2.13 or later app and BlackBerry Connect 2.7 or later app are in the background. If you configured your environment for Google Cloud Messaging, no additional configuration is required after you upgrade. The BEMS Dashboard automatically associates the GCM configuration with the FCM configuration.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click Firebase Push Notification.

3. In the FCM Sender ID field, type the Sender ID value of the project you created in Firebase. For instructions, see Create Firebase Cloud Messaging API keys.

4. In the FCM API key field, enter the Server key value of the project you created in Firebase.

5. Click Save.

Create Firebase Cloud Messaging API keys

These are the details for obtaining keys for the Firebase Cloud Messaging (FCM) API, which BEMS uses to send new mail notifications to Android devices. Google now uses the new Firebase service, replacing the Google Cloud Messaging (GCM) API site and project spaces. For more information about creating the Firebase Cloud Messaging API keys, visit http://support.blackberry.com/community to read article 44617.

Before you begin: You must have a Google account.

1. In a browser, open https://console.firebase.google.com/ and log in with a valid account.

2. Click Create New Project.

3. In the Create a project dialog box, type a project name and select the Country/region you are located in.

4. Click Create Project.

5. In the upper left-hand side of the screen, click the settings icon > Project settings.

6. Click Cloud Messaging.

7. Copy the value of Server key. This is used as the FCM API Key value in the BEMS Dashboard.

8. Copy the value of Sender ID. This is used as the FCM Sender ID value in the BEMS Dashboard.

Enabling FIPS Mode in BEMS

BEMS-Core, BEMS-Mail, BEMS-Docs, BEMS-Connect, and BEMS-Presence services can be configured to use FIPS 140-2 (U.S. Federal Information Processing Standards) compliant algorithms for cryptographic operations. When FIPS-compliance mode is enabled on one BEMS instance in a cluster, all instances in the cluster are enabled. To enable this feature in the cluster, all BEMS nodes must be running the same version of BEMS (for example, BEMS 2.12 or later). By default, FIPS 140-2 compliant mode is disabled. BEMS doesn't verify whether the OS that hosts the BEMS-Docs service is running in FIPS 140-2 compliant mode.


Enable FIPS-compliance mode

Before you begin: Confirm that all BEMS nodes in the cluster are running the same version of BEMS. When you enable FIPS 140-2 compliance mode on one node in the cluster, all the nodes in the cluster are enabled.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.

2. Click FIPS Mode.

3. Select the Enable FIPS Mode for Cluster check box.

4. Click Save.

5. To enable FIPS-compliance mode for BEMS-Connect, complete the following steps:

a) In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.

b) In the <appSettings> section, add the following key and value to the file: <add key="MESSAGE_ENCODING_TYPE" value="NON-SHIFT" />

c) Save the file.

d) In the Windows Service Manager, restart the Good Technology Connect service.

Verify that FIPS-compliance is enabled

When FIPS-compliance mode is enabled, the BEMS log file logs the action. The log files also log when an administrator accesses the FIPS mode configuration screen and saves the settings without making a change, and when the feature is disabled. The following log lines are logged:

Logging: Changed FIPS mode to true
Description: FIPS-compliance mode is enabled.

Logging: Changed FIPS mode to false
Description: FIPS-compliance mode is disabled.

Logging: No change for FIPS mode
Description: FIPS-compliance mode settings were saved without changes.
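Because disabling FIPS mode on one node disables it for the whole cluster, these three messages are worth watching for in the BEMS logs. The following Python is an added example, not code from this guide or from BEMS: it scans log lines for the three messages above, tracks the resulting FIPS state, and raises an alert for every disable. The guide shows only the message text, so the timestamp prefix, logger names and surrounding lines in the sample log are constructed assumptions.

```python
"""Flag FIPS-mode changes in BEMS log lines.

Added example for this guide, not BEMS code. The three message texts are the
ones the guide lists; the timestamp format, logger names and surrounding lines
in SAMPLE_LOG are constructed, because the guide does not show a full log line.
"""
import re
from typing import List, Optional, Tuple

# Message text -> resulting state, as documented in the guide.
FIPS_MESSAGES = {
    "Changed FIPS mode to true": "enabled",
    "Changed FIPS mode to false": "disabled",
    "No change for FIPS mode": "unchanged",
}

# Assumed line prefix: an ISO-8601 style timestamp (constructed for this example).
_TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")

# Constructed sample log; only the FIPS message texts come from the guide.
SAMPLE_LOG = """\
2019-10-28 09:12:01 INFO  Dashboard  Administrator saved BEMS Configuration
2019-10-28 09:12:01 INFO  FipsConfig Changed FIPS mode to true
2019-10-28 11:40:17 INFO  FipsConfig No change for FIPS mode
2019-10-29 02:03:55 INFO  FipsConfig Changed FIPS mode to false
2019-10-29 02:04:10 INFO  Services   Restarting Good Technology Common Services
"""


def fips_events(lines) -> List[Tuple[str, str]]:
    """Return (timestamp, state) for every line carrying one of the FIPS messages.
    Lines without a recognisable timestamp get an empty timestamp string."""
    events = []
    for line in lines:
        for message, state in FIPS_MESSAGES.items():
            if message in line:
                m = _TIMESTAMP.match(line)
                events.append((m.group(1) if m else "", state))
                break
    return events


def current_fips_state(events) -> Optional[str]:
    """Latest enabled/disabled transition; 'No change' saves leave the state as it
    was. None means the log never recorded a FIPS transition."""
    state = None
    for _, s in events:
        if s in ("enabled", "disabled"):
            state = s
    return state


def disable_alerts(events) -> List[str]:
    """One alert per 'Changed FIPS mode to false'; a disable on any node applies
    cluster-wide, so each occurrence deserves review."""
    return [f"{ts}: FIPS-compliance mode was disabled" for ts, s in events if s == "disabled"]


if __name__ == "__main__":
    events = fips_events(SAMPLE_LOG.splitlines())
    for ts, state in events:
        print(ts, state)
    print("current state:", current_fips_state(events))
    for alert in disable_alerts(events):
        print("ALERT", alert)
```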


Configuring BEMS services

You can configure one or more services, in any order, based on your organization's requirements. When you configure the BEMS services, you configure one or more of the following services:

• BlackBerry Push Notifications
• BlackBerry Connect
• BlackBerry Presence
• BlackBerry Docs
• BlackBerry Dynamics Launcher
• BlackBerry Certificate Lookup

Configuring the Push Notifications service

When you configure BEMS for Push Notifications support of the BlackBerry Work app, which includes mail, contacts, and calendar, you perform the following:

• Configure the Mail service in the BEMS dashboard
• Configure BlackBerry UEM for BlackBerry Work
• Optionally, configure the Push Notifications service for high availability

Configuring Push Notifications

When you configure the Mail service, you perform the following actions:

Important: Complete the configuration in the following order to avoid connectivity issues.

1. Database
2. Microsoft Exchange Server
3. Stop Notifications
4. User Directory Lookup
5. Certificate Directory Lookup

Configure the Microsoft SQL Server database for Push Notifications service

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.

2. Click Database.

3. In the Server field, verify the Microsoft SQL Server host name and instance. This field is prepopulated with the information you provided during the BEMS installation. The Microsoft SQL Server must be in the following format: <SQLServer_hostname>\<instance_name>. If you configured the database for an AlwaysOn Availability Group, set the server to the AlwaysOn Listener FQDN. Do not use the cluster name or the host name of a server in the cluster.

4. In the Database field, verify the database name (for example, BEMS-Core). If you configured the database for an AlwaysOn Availability Group, set the database to the name of the database added to the AlwaysOn Availability Group.

5. In the Authentication Type drop-down list, complete one of the following tasks: 

• If you select Windows Authentication, the Push Notifications service uses the Windows credentials to access the Microsoft SQL Server database.

• If you select SQL Server Login, type the username and password used to access the Microsoft SQL Server database.


6. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.

7. Click Test.

8. Click Save.

9. Restart the Good Technology Common Services in the Windows Services Manager.

Configure BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365

You must allow BEMS to authenticate to Microsoft Exchange Server or Microsoft Office 365 to access users' mailboxes and send notifications to users' devices when new email is received.

Before you begin:

• Verify that the service account has impersonation rights on the Microsoft Exchange Server. For instructions, see Grant application impersonation permission to the BEMS service account.

• In a Microsoft Office 365 environment, if you plan to enable Modern Authentication, verify that you completed the following:
  • If you enable Modern Authentication using Credential, obtain the Client Application ID.
  • If you enable Modern Authentication using a Client Certificate:
    • obtain the Client Application ID with certificate-based authentication
    • request and associate the .pfx certificate with the Azure app ID for BEMS

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.

2. Click Microsoft Exchange.

3. In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365:

Authentication type: Integrated
Environment: Microsoft Exchange Server on-premises
Description: This option uses Windows authentication credentials to authenticate to the Microsoft Exchange Server.
Task: No additional actions are required.

Authentication type: Credential
Environment: Microsoft Exchange Server on-premises; Microsoft Office 365
Description: This option uses the BEMS username and password to authenticate to the Microsoft Exchange Server or Microsoft Office 365.
Task:
a. In the Username field, enter the username of the BEMS service account.
   • For Microsoft Office 365, enter the service account's User Principal Name (UPN).
   • For on-premises Microsoft Exchange Server, use the format <domain>\<username>.
b. In the Password field, enter the password for the service account.

Authentication type: Client Certificate
Environment: Microsoft Exchange Server on-premises; Microsoft Office 365
Description: This option uses a client certificate to allow the BEMS service account to authenticate to the Microsoft Exchange Server or Microsoft Office 365.
Task:
a. For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Azure app ID for BEMS.
b. In the Enter PFX file Password field, enter the password for the client certificate.

4. Optionally, in a Microsoft Office 365 environment that uses Credential or Client Certificate authentication, do the following to enable Modern Authentication:

a) Select the Enable Modern Authentication checkbox.

b) In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Office 365 (for example, https://login.microsoftonline.com/<tenantname>). By default, the field is prepopulated with https://login.microsoftonline.com/common.

c) In the Client Application ID field, enter the Azure app ID for the authentication type you selected. For instructions, see one of the following:

• Obtain an Azure app ID for BEMS with credential authentication
• Obtain an Azure app ID for BEMS with certificate-based authentication

d) In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the field is prepopulated with https://outlook.office365.com.

Note: When you configure Modern Authentication, all nodes use the specified configuration.

5. Under the Autodiscover and Exchange Options section, complete one of the following actions:

Task: Override Autodiscover URL
Steps: If you select to override the autodiscover process, BEMS uses the override URL to obtain user information from the Microsoft Exchange Server or Microsoft Office 365.
a. Select the Override Autodiscover URL checkbox.
b. In the Autodiscover URL Override Autodiscover field, type the autodiscover endpoint (for example, https://example.com/autodiscover/autodiscover.svc).

Task: Autodiscover and Microsoft Exchange Server options
Steps:
a. Select the Swap ordering of <domain.com>/autodiscover and autodiscover.<domain.com>/autodiscover check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
b. Optionally, modify the TCP Connect timeout for Autodiscover url (milliseconds) field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
c. By default, the Enable SCP record lookup checkbox is selected. If you clear the checkbox, BEMS does not perform a Microsoft Active Directory lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
d. Optionally, select the Use SSL connection when doing SCP lookup check box to allow BEMS to communicate with the Microsoft Active Directory using SSL. If you enable this feature, you must import the Microsoft Active Directory certificate to each computer that hosts an instance of BEMS. This option is not available when Override Autodiscover URL is selected.
e. By default, the Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server checkbox is selected. If you clear this setting and use an untrusted certificate, then the connection to the on-premises Microsoft Exchange Server fails.
f. By default, the Allow HTTP redirection and DNS SRV record checkbox is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Work Push Notifications.
g. Optionally, select the Force re-autodiscover of user on all Microsoft Exchange errors checkbox to force BEMS to perform the autodiscover again for the user when the Microsoft Exchange Server or Microsoft Office 365 returns an error message.

6. In the End User Email Address field, type an email address to test connectivity to the Microsoft Exchange Server or Microsoft Office 365 using the service account. You can delete the email address after you complete the test. If the service account is correctly configured and the test still fails, BEMS is attempting to communicate with a Microsoft Exchange Server that is not using a trusted SSL certificate. If your Microsoft Exchange Server is not set up to use a certificate that BEMS trusts, see Importing CA Certificates for BEMS.

7. Click Save.

After you finish: If you selected Client Certificate authentication, you can view the certificate information. Click Mail. The following certificate information is displayed:

• Subject
• Issuer
• Validation period
• Serial number
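The two autodiscover options that matter most for security are the SCP lookup and the enforced certificate validation. The following PowerShell is an added example, not code from the BlackBerry guide or from BEMS itself: it lists the Autodiscover service connection points that an Active Directory lookup returns (the records "Enable SCP record lookup" relies on) and then performs a TLS handshake against each URL with the .NET default chain and hostname checks, so an endpoint that would fail BEMS's enforced validation fails here too. The SCP query is an ordinary LDAP search on the well-known Autodiscover keyword GUID; whether BEMS issues exactly this query is not stated on the page. Run it on a domain-joined Windows host, ideally the BEMS host, because the trust decision depends on that host's certificate store.

```powershell
# Added example (not from the BlackBerry guide): enumerate Autodiscover SCP records, then
# check whether each endpoint's certificate chains to a root trusted by this host.
$AutodiscoverScpKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'   # well-known Autodiscover SCP keyword GUID

function Get-AutodiscoverScp {
    # SCP objects live in the configuration partition, so search from there.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter     = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpKeyword))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'serviceBindingInformation'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Name = $result.Properties['name'][0]
            Url  = $result.Properties['servicebindinginformation'][0]
        }
    }
}

function Test-ServerCertificateTrust {
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [Uri]$Url
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        # No validation callback is supplied, so the default chain and hostname checks apply:
        # an untrusted issuer or a name mismatch makes AuthenticateAsClient throw, which is the
        # same outcome BEMS sees with "Enforce SSL Certificate validation" selected.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Url = $Url; Trusted = $true;  Subject = $remote.Subject; Issuer = $remote.Issuer; NotAfter = $remote.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Trusted = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $_.Exception.GetBaseException().Message }
    } finally {
        if ($client) { $client.Close() }
    }
}

Get-AutodiscoverScp | ForEach-Object { Test-ServerCertificateTrust -Url $_.Url } | Format-Table -AutoSize
```

A row with Trusted = False and a chain error in the Error column identifies the Exchange endpoint whose issuing CA needs to be imported as described in Importing CA Certificates for BEMS; if you are using the override URL instead of SCP lookup, call Test-ServerCertificateTrust directly with that URL.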


Obtain an Azure app ID for BEMS with credential authentication

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app.
6. Select a supported account type.
7. In the Redirect URI section, in the drop-down list, select Web and enter https://localhost:8443.
8. Click Register. The newly registered app appears.
9. In the Manage section, click API permissions.
10. Click Add a permission.
11. In the Select an API section, click the Microsoft APIs tab.
12. Click Exchange.
13. Set the following permissions for Microsoft Exchange Web Services:

• Delegated permissions: Access mailboxes as the signed-in user via Exchange Web Services (EWS > EWS.AccessAsUser.All)

14. Click Add permissions.
15. Click Add a permission.
16. Click Microsoft Graph. If the Microsoft Graph API permission is not listed, add Microsoft Graph.
17. Set the following permissions for Microsoft Graph:

• Delegated permissions: Sign in and read user profile (User > User.Read)

18. Click one of the following:

• If the Microsoft Graph API permission already existed in the API permissions list, click Update permissions.
• If you needed to add the Microsoft Graph API permission, click Create.

19. Click Add permissions.
20. Click Grant admin consent. Click Yes.

Important: This step requires tenant administrator privileges.

21. To allow autodiscovery to function as expected, set the authentication settings:

a) In the Manage section, click Authentication.
b) Under the Implicit grant section, select the ID tokens checkbox.
c) In the Default client type section, select Yes.
d) Click Save.

22. Click Overview. Copy the Application (client) ID, which is displayed on the main Overview page for the app. This is used as the Client application ID when you enable modern authentication and configure BEMS to communicate with Microsoft Office 365.

Obtain an Azure app ID for BEMS with certificate-based authentication

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app.
6. Select a supported account type.
7. In the Redirect URI section, in the drop-down list, select Public/client (mobile & desktop) and enter http://<name of the app given in step 5>. This app is a daemon, not a web app, and does not have a sign-on URL.
8. Click Register. The newly registered app appears.
9. In the Manage section, click Expose an API. The scope restricts access to data and functionality protected by the API.

a) Click Add a scope.
b) Click Save and continue.
c) Complete the following fields and options:

• Scope name: Provide a unique name for the scope.
• Who can consent: Click Admins and users.
• Admin consent display name: Enter a descriptive name.
• Admin consent description: Enter a description for the scope.
• State: Click Enabled.

10. Copy the Application ID URI. This is used to associate a certificate with the Azure app ID for BEMS. The Application ID URI appears in the format api://{appID}.
11. In the Manage section, click API permissions.
12. Click Add a permission.
13. In the Select an API section, click the Microsoft APIs tab.
14. Click Exchange.
15. Set the following permissions for Microsoft Exchange Web Services:

• Application permissions: Use Exchange Web Services with full access to all mailboxes (full_access_as_app)

Note: full_access_as_app is an application permission; it lets the BEMS app read every mailbox in the tenant without a signed-in user. Protect the private key that you associate with this app in the next procedure as you would a privileged service account credential.

16. Click Add permissions.
17. Click Microsoft Graph. If the Microsoft Graph API permission is not listed, add it.
18. Set the following permission for Microsoft Graph:

• Delegated permissions: Sign in and read user profile (User > User.Read)

19. Click Add permissions.
20. Click Grant admin consent.
21. Click Yes.
22. To allow autodiscovery to function as expected, set the authentication settings:

a) In the Manage section, click Authentication.
b) Under the Implicit grant section, select the ID tokens checkbox.
c) In the Default client type section, select No.
d) Click Save.

23. Click Overview to view the app that you created in step 5. Copy the Application (client) ID, which is displayed on the main Overview page for the app. This is used as the Client application ID in the BEMS dashboard when you enable modern authentication and configure BEMS to communicate with Microsoft Office 365.

After you finish: Associate a certificate with the Azure app ID for BEMS

Associate a certificate with the Azure app ID for BEMS

You can request and export a new client certificate from your CA server or use a self-signed certificate.


1. Complete one of the following tasks:

If you are using an existing CA server:

a. Request the certificate. The certificate that you request must include the app name in the subject of the certificate, where <app name> is the name you assigned the app in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication.
b. Export the public key of the certificate as a .cer or .pem file. The public key is uploaded to the Azure app ID that you created.
c. Export the private key of the certificate as a .pfx file. The private key is imported into the BEMS dashboard.

If you are using a self-signed certificate:

a. Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit docs.microsoft.com and read New-SelfSignedCertificate.

1. On the computer running Microsoft Windows, open Windows PowerShell.
2. Enter the following command, where <app name> is the name you assigned the app in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication. The certificate must include the Azure app name in the subject field.

$cert = New-SelfSignedCertificate -Subject "CN=<app name>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

3. Press Enter.

b. Export the public key from the Microsoft Management Console (MMC). Make sure to save the public certificate as a .cer or .pem file. The public key is uploaded to the Azure app ID that you created.

1. On the computer running Windows, open the Certificate Manager for the logged-in user.
2. Expand Personal.
3. Click Certificates.
4. Right-click the certificate you created in step a and click All Tasks > Export.
5. In the Certificate Export Wizard, click No, do not export the private key.
6. Click Next.
7. Select Base-64 encoded X.509 (.CER). Click Next.
8. Provide a name for the certificate and save it to your desktop.
9. Click Next.
10. Click Finish.
11. Click OK.

c. Export the private key from the MMC. Make sure to include the private key and save it as a .pfx file. For instructions, visit docs.microsoft.com and read Export a Certificate with the Private Key. The private key is imported into the BEMS dashboard.

1. On the computer running Windows, open the Certificate Manager for the logged-in user.
2. Expand Personal.
3. Click Certificates.
4. Right-click the certificate you created in step a and click All Tasks > Export.
5. In the Certificate Export Wizard, click Yes, export the private key.
6. Click Next.
7. Select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
8. Select the security method (for example, a password) that protects the exported private key.
9. Provide a name for the certificate and save it to your desktop.
10. Click Next.
11. Click Finish.
12. Click OK.

2. Upload the public certificate that you exported in step 1 to associate the certificate credentials with the Azure app ID for BEMS.

a) In portal.azure.com, open the app with the <app name> you assigned in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication.
b) Click Certificates & secrets.
c) In the Certificates section, click Upload certificate.
d) In the Select a file field, navigate to the location where you exported the public certificate in step 1.
e) Click Add.
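The self-signed path above can be completed entirely from PowerShell, which avoids the MMC wizards and makes the exported files reproducible. The following is an added example, not code from the BlackBerry guide: it creates the certificate with the subject the guide requires, exports the public part as a .cer file for the Azure upload in step 2 and the private part as a password-protected .pfx for the BEMS dashboard, and prints the values you can compare against what Azure displays after the upload. The app name "BEMS-Mail", the one-year validity and the desktop output folder are assumptions; substitute the name you used in step 5.

```powershell
# Added example (not from the BlackBerry guide): create and export the self-signed
# client certificate for the Azure app without the MMC wizards.
$appName = 'BEMS-Mail'                                   # assumption: name given in step 5
$outDir  = [Environment]::GetFolderPath('Desktop')       # assumption: export location

$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)                     # assumption: one-year validity

# Public part only (DER-encoded .cer). This is the file uploaded under Certificates & secrets.
$cerPath = Join-Path $outDir "$appName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Private part as PKCS #12, protected by a password that you will enter when importing
# the file into the BEMS dashboard. The password is read interactively so it never sits in a script.
$pfxPath     = Join-Path $outDir "$appName.pfx"
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# What to verify: Subject must carry the app name, HasPrivateKey must be True in the local
# store, and Thumbprint must match the thumbprint Azure shows after you upload the .cer file.
$cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Keep the .pfx file off shared locations and delete it once the private key has been imported into the BEMS dashboard: together with the full_access_as_app permission it is equivalent to a credential for every mailbox in the tenant.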

Troubleshooting the Push Notifications database

BEMS cannot connect to the Push Notifications database

Possible cause

The Microsoft Exchange configuration information was applied before the Database information.

Possible solution

1. Restart the Good Technology Common Services.
2. Verify the Database information. For instructions, see Configure the Microsoft SQL Server database for Push Notifications service.
3. Repopulate the Microsoft Exchange Server information. For instructions, see Configure BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365.

Configure Stop Notifications

By default, notifications are sent to a user's device and are regulated by timers. The Stop Notifications feature allows you to immediately stop notifications for all devices associated with a particular user. A user can resubscribe to notifications, but only if the user is entitled to an app that can subscribe to notification services.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Stop Notifications.
3. In the User Email Address field, type the email address of the user you want to stop notifications for.
4. Click Save.

Configure User Directory Lookup

The User Directory Lookup service allows client apps to look up first name, last name, and the associated photo or avatar from your company directory. The User ID Property Name determines whether query results from different sources, such as Microsoft Exchange Web Services (EWS) and LDAP, refer to the same user and can therefore be consolidated into a single result.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click User Directory Lookup.
3. In the User ID Property Name field, type the name of the property that identifies the user. By default, this is "Alias".
4. Select the Enable GAL Lookup checkbox, the Enable LDAP Lookup checkbox, or both.
5. If you enable LDAP lookup, configure the connection to the LDAP server:

a) In the LDAP Server Name field, type the name of the LDAP server. For example, ldap.<DNS_domain_name>.
b) In the LDAP Server port field, type the port number of the LDAP server. By default, the port number is 389.
c) Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636. Without it, directory queries and any Basic logon credentials travel in clear text.
d) Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces "{key}" with the user name when performing the query. By default, the template is

(&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The final clause uses the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) on userAccountControl bit 2 (ACCOUNTDISABLE), so disabled accounts are excluded from results.

e) Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is not completed, BEMS tries to find the base DN in the namingContexts attribute.
f) In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.

• If you select Basic, enter the LDAP logon user name and password.
• If you selected the Enable SSL LDAP checkbox and select Certificate authentication, enter the keystore password and add the certificate file.

g) In the User search key field, type a username or email address to search for.
h) Click Test.

6. Click Save.

Configure the Certificate Directory Lookup

The Certificate Directory Lookup service retrieves S/MIME digital certificates from the user's Microsoft Active Directory. These certificates enable email encryption and signature functionality in BlackBerry Work apps. For more information about configuring and using S/MIME on devices, see the BlackBerry Work, Tasks, and Notes Administration Guide.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Certificate Directory Lookup.
3. Optionally, select the Include expired certificates in results checkbox.
4. By default, the Enable Contact Lookup checkbox and the Enable GAL Lookup checkbox are selected.
5. Optionally, select the Enable LDAP Lookup checkbox.
6. If you select LDAP lookup, configure the connection to the LDAP server:

a) In the LDAP Server Name field, type the name of the LDAP server. For example, ldap.<DNS_domain_name>.
b) In the LDAP Server port field, type the port number of the LDAP server. By default, the port number is 389.
c) Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636.
d) Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces "{key}" with the user name when performing the query. The default template is

(&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

e) Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is not completed, BEMS tries to find the base DN in the namingContexts attribute.
f) In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.

• If you select Basic, enter the LDAP logon user name and password.
• If you selected the Enable SSL LDAP checkbox and select Client Certificate authentication, enter the keystore password and certificate file.

g) In the End User Email Address field, type an end user email address to search for.
h) Click Test.

7. Click Save.

After you finish: If you selected Certificate authentication, you can view the certificate information. Click Certificate Directory Lookup. The following certificate information is displayed:

• Subject
• Issuer
• Validation period
• Serial number
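Both User Directory Lookup and Certificate Directory Lookup build their LDAP query by substituting the search key into the same default template. The page does not say whether BEMS escapes that key first; because every occurrence sits inside a wildcard match, a key containing ( ) * or \ would otherwise change the shape of the filter. The following PowerShell is an added example, not code from the BlackBerry guide or from BEMS: it expands the template the way the dashboard describes, escapes the key per RFC 4515 before substitution, and runs the resulting filter against a directory with the dashboard's default Anonymous authentication. The server name ldap.example.com and the search keys are assumptions; the template itself is the one shown above.

```powershell
# Added example (not from the BlackBerry guide): expand and run the default LDAP
# User Name Query Template with an RFC 4515-escaped search key.
$DefaultTemplate = '(&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Backslash is replaced first so the other escapes are not doubled.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29').Replace('*', '\2a').Replace("`0", '\00')
}

function Expand-LdapQueryTemplate {
    # Replaces every {key} in the template with the escaped search key.
    param([string]$Template = $DefaultTemplate, [Parameter(Mandatory)][string]$Key)
    $Template.Replace('{key}', (ConvertTo-LdapFilterValue -Value $Key))
}

function Find-DirectoryUser {
    # Assumptions: ldap.example.com on port 389 with Anonymous authentication (the dashboard defaults).
    param([Parameter(Mandatory)][string]$Key, [string]$Server = 'ldap.example.com', [int]$Port = 389)
    $anonymous = [System.DirectoryServices.AuthenticationTypes]::Anonymous
    $root      = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:$Port", $null, $null, $anonymous)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($root, (Expand-LdapQueryTemplate -Key $Key))
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'displayName', 'mail'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Alias       = $r.Properties['samaccountname'][0]
            DisplayName = $r.Properties['displayname'][0]
            Mail        = $r.Properties['mail'][0]
        }
    }
}

# Constructed search keys. The second one is shaped like filter syntax; after escaping it is
# still searched for as a literal substring instead of widening the match to every user.
Expand-LdapQueryTemplate -Key 'jsmith'
Expand-LdapQueryTemplate -Key ')(sAMAccountName=*'
Find-DirectoryUser -Key 'jsmith'
```

Use the expanded filter from Expand-LdapQueryTemplate when the dashboard's Test button returns unexpected results: running the identical filter with ldp.exe or this script shows whether the problem is the template, the base DN (namingContexts) or the bind.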

Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes

When you use BEMS in a BlackBerry UEM environment, you must prepare BlackBerry UEM by completing the following tasks:

• If required, synchronize your existing Good Control server information, such as policies and profiles, to BlackBerry UEM.
• Manage BlackBerry Dynamics apps, such as BlackBerry Work, by adding them to BlackBerry UEM.
• Manage users and groups.
• Activate devices.

For more information about configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes, see the BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes Administration content.

Set the detailed Notifications Cutoff Time

If BlackBerry Work has not been unlocked and actively used on a device after a specified time, the BEMS Push Notifications service removes details about individual email messages from the notifications that are displayed on the device. Message details in notifications sent by the BEMS Push Notifications service resume the next time BlackBerry Work is unlocked and used on the device.

1. Open a browser and go to the Apache Karaf Web Console Configuration site at https://<fqdn_of_the_bems_host>:8443/system/console/configMgr and log in as administrator with the appropriate Microsoft Active Directory credentials.
2. On the menu, click OSGi > Configuration.
3. Click Good Technology Email Push Coalescing.
4. In the pushDowngradeCutoffSec field, increase or decrease the value, in seconds, as required. The default value is 43200 seconds (12 hours). The maximum value is 259200 seconds (3 days).
5. Click Save.

Configuring the Push Notifications service for high availability

High availability for the Push Notifications service is based on clustering. The Push Notifications service supports high availability by adding additional servers running Push Notifications. The BEMS instances that host the Push Notifications services that you designate to participate in high availability must share the same database. Approximately every minute, each instance in the high availability environment checks whether all of the instances are available. If a BEMS instance is offline, its users are distributed among the available instances. Consider the following scenario:

Your BEMS environment is configured for high availability and includes four BEMS instances which support 10000 users. BEMS_name1 is taken offline for maintenance. The other BEMS instances routinely perform a search of available BEMS instances.

• If the BEMS instance is available, the log files display the instance with a state of GOOD:

<YYYY-MM-DD>T14:16:59.385-0500 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.13.21 | INFO | unknown | 5 | ID=297 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BTS110U01APP10 is in state GOOD with 1/10000 users (0.01% capacity). Last status was updated at "<YYYY-MM-DD> T19:16:59.359 UTC". FeatureSet:AgingStaleUser, RichPush, VIPNotification, apnsPayload2k, badgeCount, subFolderNotification, pushSettings, smimeCertificateLookup, soundSettings, badgeCount2, autodiscover, notificationsSettings, localizedPush, delayWriteSyncState, RightToDisconnect, FCMRelayService updated at "1532523850857"

•  If the BEMS instance is unavailable, the log files display the instance with a state of BAD andusers are distributed as required. In the following log example, two BEMS instances, BEMS_name1and BEMS_name2, are checked and the BEMS_name1 instance that is unavailable is flagged as BAD.

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-comm | pushnotify-ha-comm | 0.15.3 | INFO | unknown | 5 | ID=309 THR=DbWatcher-0 CAT=HaProducerImpl MSG=BAD!! Last known status of HaWorker "BEMS_name1" is "<YYYY-MM-DD>T10:45:47.831 UTC". It is before cut-off time "<YYYY-MM-DD> T13:37:33.860 UTC"

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Got status of 2 workers

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name2 is in state GOOD with 359/10000 users (3.59% capacity). Last status was updated at "<YYYY-MM-DD> T13:42:33.693 UTC". FeatureSet:AgingStaleUser, RichPush, VIPNotification, apnsPayload2k, badgeCount, subFolderNotification, pushSettings, smimeCertificateLookup, soundSettings, badgeCount2, autodiscover, notificationsSettings, localizedPush, delayWriteSyncState, RightToDisconnect, FCMRelayService, Delegate updated at "1545046557729"

<YYYY-MM-DD>T14:42:33.875+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name2 is idle 359/10000 (3.59% capacity)

<YYYY-MM-DD>T14:42:33.875+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name1 is in state BAD with 0 users. Last status was updated at "<YYYY-MM-DD> T10:45:47.831 UTC"

When you configure the Push Notifications service for high availability, you complete the following actions:

1. During the installation of additional Push Notifications service instances, on the Database Information screen, specify the same database for each instance. For example, BEMS-Core.
2. Add the new computer that hosts the Push Notifications service instance to BlackBerry UEM.
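The dbwatcher log lines quoted above are the only record of the per-minute availability check, so a BEMS instance that drops to state BAD is easy to miss unless something watches for it. The following PowerShell is an added example, not code from the BlackBerry guide or from BEMS: it parses "Worker ... is in state ..." lines of the format shown above into objects, reports the load on each instance, and warns on any instance flagged BAD. The two input lines are constructed from the page's own samples (the worker names, user counts and timestamp placeholders are the page's); point the script at C:\blackberry\bemslogs to run it on real logs.

```powershell
# Added example (not from the BlackBerry guide): extract HA worker state from
# pushnotify-ha-dbwatcher log lines and flag instances in state BAD.

# Constructed sample lines in the format quoted on the page.
$sampleLines = @(
    '<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name2 is in state GOOD with 359/10000 users (3.59% capacity). Last status was updated at "<YYYY-MM-DD> T13:42:33.693 UTC".',
    '<YYYY-MM-DD>T14:42:33.875+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name1 is in state BAD with 0 users. Last status was updated at "<YYYY-MM-DD> T10:45:47.831 UTC"'
)

function Get-BemsHaWorkerStatus {
    # Returns one object per "Worker ... is in state ..." line; other lines are ignored.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = 'MSG=Worker (?<name>\S+) is in state (?<state>GOOD|BAD) with (?<users>\d+)(?:/(?<cap>\d+))? users.*?Last status was updated at "(?<updated>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $capacity = $null
            if ($Matches['cap']) { $capacity = [int]$Matches['cap'] }   # BAD lines carry no capacity
            [pscustomobject]@{
                Worker   = $Matches['name']
                State    = $Matches['state']
                Users    = [int]$Matches['users']
                Capacity = $capacity
                LastSeen = $Matches['updated']
            }
        }
    }
}

function Get-BadBemsWorker {
    # Convenience wrapper: only the instances the other workers have marked unavailable.
    param([Parameter(Mandatory)][string[]]$Lines)
    Get-BemsHaWorkerStatus -Lines $Lines | Where-Object State -eq 'BAD'
}

$status = Get-BemsHaWorkerStatus -Lines $sampleLines
$status | Format-Table -AutoSize

$bad = Get-BadBemsWorker -Lines $sampleLines
if ($bad) {
    Write-Warning ('BEMS instances in state BAD: ' + (($bad | ForEach-Object { "$($_.Worker) (last seen $($_.LastSeen))" }) -join ', '))
}

# On a real host, replace $sampleLines with the current log files, for example:
#   Get-BemsHaWorkerStatus -Lines (Get-Content 'C:\blackberry\bemslogs\*.log' -Tail 5000)
```

A BAD entry whose LastSeen timestamp keeps receding while the instance is supposed to be up usually means the instance cannot write its status to the shared BEMS-Core database, which is the first thing to check before restarting the Good Technology Common Services.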


Configuring the Push Notifications service for disaster recovery

Recommended disaster recovery measures for the Push Notifications service are based on an active/warm standby clustering model. For more information on configuring your environment for disaster recovery, see the BlackBerry UEM Disaster Recovery content.

Before adding a Push Notifications service instance for disaster recovery, you complete the following actions:

1. Install the Push Notifications service in the disaster recovery site.
2. Configure database replication for the Push Notifications service database (BEMS-Core) from your primary site to your disaster recovery site. SQL log shipping is recommended. Consult your database administrator for assistance.
3. Make sure that the appropriate network ports are open to allow the Push Notifications service servers within your disaster recovery site to communicate with the database, Microsoft Exchange Server, and BlackBerry Proxy servers in both your disaster recovery site and your primary site.

When you configure a disaster recovery Push Notifications service instance, you complete the following actions:

1. Configure the disaster recovery Push Notifications service instance to use the primary database (for example, DBPrimaryCluster) in the cluster. For instructions, see Configure the Microsoft SQL Server database for Push Notifications service.
2. Allow the disaster recovery Push Notifications service server and port in BlackBerry UEM. For instructions, see Allow the disaster recovery server that hosts the BlackBerry Push Notifications instance in BlackBerry UEM.

Note: After the disaster recovery Push Notifications service instance is installed and configured, stop the Good Technology Common Services to place the Push Notifications service instance in warm standby.

In a disaster recovery situation in which you want to fail over, you complete the following actions:

1. Stop the Good Technology Common Services on all of your primary Push Notifications service instances (the instances that use the primary database, for example DBPrimaryCluster).
2. Fail over your Push Notifications service database (BEMS-Core) on your database server, that is, make the replicated copy of the Push Notifications service database the active one.
3. Fail over your database FQDN DNS to your disaster recovery database server.
4. If you cannot fail over your database FQDN DNS, log in to the BEMS Dashboard and update the Push Notifications service database information to point to your disaster recovery database server, then restart the Good Technology Common Services.
5. Start the Good Technology Common Services on your disaster recovery Push Notifications service instance.

Push Notifications service logging and diagnostics

Performance logs and diagnostic information for BEMS and the BlackBerry Push Notifications service are located in the BEMS Web Console. To set and change the administrator's password, see Changing the BEMS services account password.

The log files are stored in the BEMS installation directory. By default, the log files are located in C:\blackberry\bemslogs.

View relevant logs in the BEMS Web Console

The BEMS Web Console provides advanced configuration and tuning options for BEMS. Use it with care: it offers advanced maintenance capabilities intended for expert users of the system.

1. Open a browser and go to the Apache Karaf Web Console Configuration site at https://<fqdn_of_the_bems_host>:8443/system/console/configMgr and log in as administrator with the appropriate Microsoft Active Directory credentials.
2. On the menu, click OSGi > Log Service.
3. Scroll through the log activity. It is listed in chronological order.

After you finish: You can also view the logs in the BEMS installation directory.

Configuring the Connect service

The Connect service governs the instant messaging and presence capabilities of the BlackBerry Connect app.

When you configure the Connect service, you perform the following actions:

1. Configure the Connect service in the BEMS Dashboard.
2. Configure BlackBerry UEM for BlackBerry Connect.
3. Configure the Connect service for SSL communications using BlackBerry Proxy.
4. Optionally, enable the Connect service to use a global catalog.

Configuring the Connect service in the BEMS dashboard

The Connect service components are not accessible until you enter the service account credentials for BEMS. BEMS uses this information to securely connect to Microsoft services such as Microsoft Active Directory, Microsoft Lync Server, Microsoft Exchange Server, Skype for Business server, and Microsoft SQL Server. The service account credentials are not stored after the browser session ends and must be entered each time you access the Connect service. The service account must have RTCUniversalReadOnlyAdmins rights. If an account has not yet been created, contact your Windows domain administrator to request an account.

Before you configure the BlackBerry Connect service, if you have an on-premises Microsoft Lync Server or Skype for Business server, make sure you prepare the Microsoft Lync Server or Skype for Business topology for BEMS. For instructions, see Preparing the Microsoft Lync Server and Skype for Business topology for BEMS.

Note: If you make changes in the BEMS dashboard, you must first stop the Good Technology Connect service, make the changes, and then start the Good Technology Connect service for the changes to take effect.

When you configure the Connect service, you configure the following components:

• Database
• BlackBerry Dynamics
• Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Cisco Jabber
• Optionally, Microsoft Exchange Server
• Optionally, Web proxy

Configure the Microsoft SQL Server database for the Connect service

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Database.
4. Enter the Microsoft SQL Server and database name.
5. In the Authentication Type drop-down list, select one of the following options:

• If you select Windows Authentication, the Connect service uses Windows credentials (integrated authentication) to access the Microsoft SQL Server database.
• If you select SQL Server Login, type the username and password used to access the Microsoft SQL Server database.

6. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.
7. Click Test to verify the connection with the database.
8. Click Save.

Configure BEMS connectivity with BlackBerry Dynamics

The BlackBerry Dynamics server information in the following instructions refers to the FQDN of the server that hosts the BlackBerry Proxy service. The BlackBerry Proxy service is installed on on-premises BlackBerry UEM servers that have the BlackBerry Connectivity Node. The BlackBerry Connectivity Node is required for some BlackBerry UEM Cloud deployments when they link a company directory to the BlackBerry UEM Cloud tenant and to offer on-premises connectivity to BlackBerry Dynamics users activated using BlackBerry UEM Cloud. For more information about the BlackBerry Connectivity Node, see the BlackBerry UEM Planning content.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. Click Service Account.
3. Enter the service account username and password.
4. Click Save.
5. Click BlackBerry Dynamics.
6. In the Hostname field, type the FQDN of the server hosting the BlackBerry Proxy service.
7. In the Port field, the port number is prepopulated based on the communication type that you select:

• If you select HTTP, the Port field prepopulates to 17080.
• If you select HTTPS, the Port field prepopulates to 17433.

Note: If you select HTTPS, you must import the trusted certificate into the Windows keystore. For instructions, see Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore. With HTTP, traffic between BEMS and BlackBerry Proxy on port 17080 is unencrypted, so select HTTPS for production use.

8. Click Test to verify the connection to the BlackBerry Proxy server.
9. Click Save.

After you finish: If you selected HTTPS, you must configure the BlackBerry Connect app to use SSL communications. For instructions, see "Configuring BlackBerry Connect app settings" for your environment in the BlackBerry Connect Administration content.

Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Skype for Business Online forthe Connect service

You can configure your environment to work with Microsoft Lync Server, Skype for Business and Skype forBusiness Online.

Before you begin:

• If your environment uses multiple Skype for Business on-premises servers using trusted application modeor non-trusted application mode, have the Skype for Business servers load balanced with a load balanceserver. For more information about load balancing requirements, visit https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/load-balancing.

• If you configure your environment to use Skype for Business Online, have the following information:• Skype for Business Online tenant name• Connect service app ID and app Key• BlackBerry Connect app ID

 | Configuring BEMS services | 37

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration,click Connect. 

2. If necessary, click Service Account and enter the BEMS service account credentials. 3. Click Lync 2010, Lync 2013, or Skype for Business. The system queries the instant messaging server to verify

that the appropriate BEMS instant messaging server topology is added. This can take a few moments.4. Complete one of the following tasks: 

Instant messaging server in environment: Microsoft Lync Server 2010 or Microsoft Lync Server 2013

Tasks:
a. In the Application ID drop-down list, select <appid_connect.mycompany.com>.
   If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.

Instant messaging server in environment: Skype for Business Online

Tasks:
a. Select the Skype for Business Online checkbox.
b. In the Tenant name/ID field, enter the tenant name for your Skype for Business Online. If you need to connect to more than one tenant, enter common.
c. In the BlackBerry BEMS Connect/Presence Service App ID field, enter the BlackBerry BEMS Connect service App ID. For instructions on obtaining the app ID, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
d. In the BlackBerry BEMS Connect/Presence Service App Key field, enter the BlackBerry BEMS Connect service app key. For instructions on obtaining the App Key, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
e. In the BlackBerry Connect Client App ID field, enter the BlackBerry Connect client app ID. For instructions, see Obtain an Azure app ID for the Connect client.

Instant messaging server in environment: Skype for Business on-premises using trusted application mode

Note: Using this configuration, the Connect service is trusted by Skype for Business and can impersonate a user. End user authentication is not required on the device to access BlackBerry Connect.

Tasks:
a. Select the Skype for Business On-Premises check box.
b. Select Trusted Application Mode.
c. Beside the Application ID drop-down list, click Browse. This step can take up to a minute to complete.
d. In the Application ID drop-down list, select the app ID. For example, <appid_connect.mycompany.com>.
   If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.
e. If you enable persistent chat in your environment, in the Persistent Chat Default Category field, enter the default category. For more information on enabling persistent chat, see the BlackBerry Connect Administration content.


Instant messaging server in environment: Skype for Business on-premises using non-trusted application mode

Note: Using this configuration, the Connect service is not trusted by Skype for Business and cannot impersonate a user. End user authentication on the device is required to access BlackBerry Connect.

Tasks:
a. Select the Skype for Business On-Premises check box.
b. Select Non-trusted Application Mode.
c. Complete one or both of the following actions:
   • Select the Auto discover servers checkbox to have BEMS discover the Skype for Business servers in the environment.
   • Enter the default Skype for Business on-premises FQDN or the complete URL to the Skype for Business server for BEMS to use if autodiscovery is not enabled or fails. For example, http(s)://<BEMS-FQDN>/Autodiscover/AutodiscoverService.svc/root/oauth/user.

Instant messaging server in environment: Skype for Business and Skype for Business Online

Tasks:
• Complete the tasks for Skype for Business Online and Skype for Business on-premises using trusted application mode or non-trusted mode.

5. Click Test to verify that the Azure information is accurate.
6. Complete one or both of the following actions to log in to the user account:
   • If you configure the environment to use Skype for Business On-Premises:
     a. Click Test.
     b. Enter a user email address and password.
     c. Click Test.
   • If you configure the environment to use Skype for Business Online:
     a. Click Test.
     b. Sign in to a user account.
7. Click Save.

After you finish:

Depending on your environment configuration, you can configure BEMS to allow users to provision the BlackBerry Connect app using an email address that is different from the email address used to log in to Skype for Business Online. For more information about setting the ucwa.appresource.uservalidation.skip parameter and understanding the settings in the common settings configuration file, see Appendix B: Understanding the Skype for Business Online Common Settings configuration file.

For more information about available settings in the BEMS-Connect configuration files, see Appendix A: Understanding the BEMS-Connect configuration file.

Obtain an Azure app ID for the Connect client

Before you begin: To grant permissions, you must use an account with tenant administrator privileges.

1. Log on to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the application.


6. Select a supported account type.
7. In the Redirect URI drop-down list, select Public client (mobile & desktop) and enter urn:ietf:wg:oauth:2.0:oob
8. Click Register.
9. Add an additional Redirect URI.
   a) In the app that you registered, on the Overview page, click Redirect URIs.
   b) In the Redirect URIs section, click the Type column drop-down list, select Public client (mobile & desktop), and enter com.blackberry.connect://ADAL/
   c) Click Save.
10. To allow autodiscovery to function as expected, set the authentication permissions.
   a) In the Manage section, click Authentication.
   b) Under the Implicit grant section, select the ID Tokens checkbox.
   c) In the Default client type, select Yes.
   d) Click Save.
11. Click API permissions.
12. Click Add a permission.
13. In the Select an API section, click APIs my organization uses.
14. Click Add permissions.
15. Complete only one of the following tasks:

Important: These tasks require tenant administrator privileges.

• In the API permissions screen, click Grant admin consent for <organizational directory name>. Click Yes.
• Click Azure Active Directory > Users > User settings. Click Manage how end users launch and view their applications. Set Users can consent to apps accessing company data on their behalf to No. Click Save.
  Complete this option to present each BlackBerry Connect user with a prompt to approve that their user account is used to access the Connect service when they log in.

16. Copy the Application (client) ID. The Application (client) ID is displayed in the main Overview. This is used for the following:
   • Client ID in the Azure portal, Expose an API > Add a client application screen
   • BlackBerry Connect Client App ID in the BEMS dashboard for BlackBerry Connect
   • BlackBerry Presence Client App ID in the BEMS dashboard for BlackBerry Presence

Configuring the BEMS-Presence and BEMS-Connect services in a multi-cluster Cisco Unified Communications Manager for IM and Presence environment

You can configure the BEMS-Presence and BEMS-Connect services for users that are located in multi-cluster Cisco Unified Communications Manager for IM and Presence deployments to locate and communicate with each other.

Configuring your Cisco Unified Communications Manager for IM and Presence multi-cluster environment with the BEMS Presence and Connect service allows users to connect and communicate with users in the same Presence domain and located in separate clusters.

Steps to configure a multicluster Cisco Unified Communications Manager IM and Presence environment for BlackBerry Connect and BlackBerry Presence services

When you configure a multicluster Cisco Unified Communications Manager IM and Presence environment for BlackBerry Connect and BlackBerry Presence services, you perform the following actions:


Step 1: Make sure your multi-cluster environment has the following configured:

• DNS SRV records for Cisco Jabber Service Discovery. For instructions, see "Service Discovery" in the Cisco Jabber Planning Guide for your version of Cisco Jabber.
• Cisco Intercluster Lookup Service (ILS) between the CUCM clusters in your environment. For instructions, see "Intercluster Lookup Service" in the Cisco Unified Communications Manager Features and Services Guide for your version of Cisco Unified Communications Manager.
• Intercluster Peering between the CIMP clusters in your environment. For instructions, see "Intercluster Peer Configuration" in the Cisco Unified Communications Manager Configuration and Administration Guide for your version of the Cisco Unified Communications Manager.

Step 2: Create the following users and passwords on each CUCM server in each multi-cluster domain. These must be the same, including case, on each server. BEMS uses these users and passwords to authenticate to the CUCM server for user Presence information.

For BlackBerry Connect
• AXL application user username and password. The AXL application user must be a user that is in a group that is assigned the Standard AXL API Access role. For more information, see your Cisco documentation.

For BlackBerry Presence
• Application user and password. For instructions, see Create an Application User.
• UDS Username (Dummy user). For instructions, see Create a Dummy User.

Step 3: Download the required certificates from each cluster.

• Tomcat.der
• Cup.der
• Cup-xmpp.pem and Cup-xmpp-ECDSA.pem (in a Cisco 11.5 environment)
• CUCM SSL certificate. Visit the Cisco DevNet to see Download the Cisco Unified CM SSL Certificate.

Step 4: Import the certificates into the Java keystore. For instructions, see Import the BlackBerry Proxy CA certificate into the Java keystore on BEMS.

Step 5: Configure the BlackBerry Connect service.

Step 6: Configure the BlackBerry Presence service.

Configure the BEMS-Connect service for Cisco Unified Communications Manager IM and Presence

With BEMS installed, the initial configuration dashboard URL used will not match the self-signed certificate that was created. You can replace localhost with the FQDN that you specified during the installation, and bookmark this for future use.


Before you begin: Stop the Good Technology Connect service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Jabber.
4. In the IM and Presence SIP domain field, enter the SIP domain.
5. If your environment consists of multiple IM and Presence service clusters, select the Enable Service Discovery checkbox and enter the following information:
   • Enter the AXL Application user username and AXL Application password. The AXL Application user must be in a group that is assigned the Standard AXL API Access role. For more information, see your Cisco documentation.
   • If the voice service and XMPP service domains are not the same in your environment, in the Service Domain field, enter the domain where the SRV records are located.
6. In the Cisco Unified Communications Manager User Data Service (UDS) FQDN field, enter the FQDN of the Cisco Unified Communications Manager server that Jabber Presence Provider (JPP) needs to access to query the contact cards.
7. In the Cisco Unified Communications Manager User Data Service (UDS) port field, enter the Cisco Unified Communications Manager server port number that JPP uses with the ciscoUDSServer to query the contact cards. For example, 8443.
8. In the Cisco Unified Communications Manager IM and Presence XMPP client service FQDN field, enter the FQDN of the Cisco Unified Communications Manager IM and Presence server. Cisco Jabber uses CUCM LDAP only. It does not use directory lookup.
9. In the Cisco Unified Communications Manager IM and Presence XMPP client service port field, enter the outbound port that points to the Cisco Jabber XMPP Service. By default, this is 5222.
10. Start the Good Technology Connect service.

Configure BEMS to access on-premises Microsoft Exchange Server conversation histories

Note: Complete this task only if your environment includes an on-premises Microsoft Exchange Server. If your environment uses Microsoft Exchange Online, complete the instructions in Configure BEMS to access Microsoft Exchange Online conversation histories.

You can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:

• Users in a Skype for Business on-premises environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on Microsoft Office 365.

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Before you begin:

• Enable Autodiscovery on the Microsoft Exchange Server. For instructions, see your Microsoft Exchange Server documentation.
• Integrate Microsoft Lync Server or Skype for Business with the Microsoft Exchange Server. For instructions, see your Microsoft Exchange Server and Microsoft Lync Server or Skype for Business documentation.


• Install the Microsoft Exchange Server SSL certificates on the computer that hosts the Connect service. Failing to correctly install the SSL certificate on the computer that hosts the Connect service causes history logging to the Microsoft Exchange Server to fail. For instructions, see your Microsoft Exchange Server documentation.
• The conversation history is enabled on the enterprise Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business for which you configure BlackBerry Connect.
• You prepared the Microsoft Lync Server or Skype for Business topology for BEMS. For instructions, see Preparing the Microsoft Lync Server and Skype for Business topology for BEMS.
• Grant application impersonation permission to the BEMS service account on the Microsoft Exchange Server.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Microsoft Exchange.
4. Select the Enable Conversation History checkbox. Complete the following actions:
   • In the Please enter the Microsoft Exchange Server information field, type the web address of your Microsoft Exchange Server.
   • In the Exchange Server Type drop-down list, select the Microsoft Exchange Server version that is in your environment.
   • In the Server Write Interval field, type the frequency, in minutes, at which each unique conversation is sent to the Microsoft Exchange Server.
   • If required, select the Requires Credential checkbox. Type the user name and password used to access the Microsoft Exchange Server.
5. Click Test.
6. Click Save.

Grant application impersonation permissions to the BEMS service account

Complete this task only if your environment has an on-premises Microsoft Exchange Server. For the Connect service to save instant messaging chats to the Microsoft Exchange Server Conversation History, the Connect service account must have impersonation permissions. Complete this task if you use a different service account for Connect.

Execute the following Microsoft Exchange Management Shell command to apply Application Impersonation permissions to the Connect service account. This task enables application impersonation for all users to the Connect service account.

1. On the Microsoft Exchange Server, open the Microsoft Exchange Management Shell.
2. Type New-ManagementRoleAssignment -Name:<ImpersonationAssignmentName> -Role:ApplicationImpersonation -User:<ConnectServiceAccount> (for example, New-ManagementRoleAssignment -Name:BlackBerryAppImpersonation -Role:ApplicationImpersonation -User ConnectAdmin).
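The command above grants the Connect service account impersonation over every mailbox in the organization. The following PowerShell script is an added example, not part of the BlackBerry guide: it first reports any ApplicationImpersonation assignment the account already holds, and then creates the assignment restricted by an Exchange management scope so that only mailboxes tagged for BlackBerry Connect can be impersonated. The scope name, the CustomAttribute1 marker value and the account name ConnectAdmin are assumptions for illustration.

```powershell
# Added example (not from the BlackBerry guide). Run in the Exchange Management Shell
# on the on-premises Microsoft Exchange Server with an account that can manage roles.
$AssignmentName = "BlackBerryAppImpersonation"   # name used in the guide's example
$ServiceAccount = "ConnectAdmin"                  # Connect service account (assumed name)
$ScopeName      = "BEMSConnectMailboxes"          # assumed management scope name
$ScopeTag       = "BEMSConnect"                   # assumed CustomAttribute1 value on in-scope mailboxes

# 1. Report what the service account can already impersonate. An assignment without a
#    custom recipient scope covers every mailbox in the organization.
$existing = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
                -Role ApplicationImpersonation -ErrorAction SilentlyContinue
foreach ($a in $existing) {
    $scope = if ($a.CustomRecipientWriteScope) { $a.CustomRecipientWriteScope } else { "(organization-wide)" }
    Write-Host ("Existing assignment {0}: recipient scope {1}" -f $a.Name, $scope)
}
if ($existing) {
    Write-Host "ApplicationImpersonation is already assigned to $ServiceAccount; nothing created."
    return
}

# 2. Least-privilege variant: limit impersonation to mailboxes whose CustomAttribute1 equals
#    the marker. Tag those mailboxes first, for example:
#    Set-Mailbox -Identity user@example.com -CustomAttribute1 $ScopeTag
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "CustomAttribute1 -eq '$ScopeTag'" | Out-Null
}

New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 3. Verify the assignment and its scope before starting the Connect service.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope
```

If every mailbox in the organization must be reachable by Connect, omit the scope and run the guide's command as written; the report in step 1 still shows whether a broader assignment already exists.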

Configure BEMS to access Microsoft Exchange Online conversation histories

Note: Complete this task only if your environment includes Microsoft Exchange Online. If your environment uses an on-premises Microsoft Exchange Server, complete the instructions in Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.

If you configure the Connect service, you can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:


• Users in a Skype for Business on-premises environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on Microsoft Office 365.

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Configure the BEMS Internet connection using a proxy server

Complete this task if your company uses a web proxy server to connect to the Internet.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Web Proxy.
4. Select the Use Web Proxy checkbox.
5. Type the proxy web address and port number.
6. In the Proxy Authentication Type drop-down list, select one of the following authentication types:
   • Basic authentication requires the Connect service to supply a user name and password to authenticate a request.
   • Digest authentication is more secure because it applies a hash function to the password before sending it over the network.
   • None, if no authentication is required.

Note: If you specify an authentication type, the Connect service username and password are automatically populated based on the Windows domain service account you assigned to the Connect service under Configuring Windows Services.

7. Optionally, specify a domain.
8. Optionally, click Test to verify the connection to the web proxy.
9. Click Save.

Configuring BlackBerry UEM for BlackBerry Connect

When you use BEMS in a BlackBerry UEM environment, you must prepare the BlackBerry UEM by completing the following tasks:

• If required, synchronize your existing Good Control server information, such as policies and profiles, to BlackBerry UEM.
• Manage BlackBerry Dynamics apps, such as BlackBerry Connect, by adding them to BlackBerry UEM.
• Manage users and groups.
• Activate devices.

For more information about configuring BlackBerry UEM for BlackBerry Connect, see the BlackBerry Connect Administration content.

Enabling persistent chat

The persistent chat feature allows users to create topic-based discussion rooms and participate in rooms. If you enable persistent chat in Microsoft Lync Server 2013 or Skype for Business, you can enable it in your BEMS environment.

For more information about enabling persistent chat for BlackBerry Connect, see the BlackBerry Connect Administration content.


Configuring the Connect service for high availability

Configuring Connect for high availability is not supported for Connect using Cisco Jabber.

When you configure the Connect service for high availability, you perform the following actions:

1. Configure each new Connect instance to use the existing database.
2. In the BEMS Dashboard, configure each new Connect instance to point to the same BlackBerry Proxy server.
3. In the BlackBerry UEM console, add the new computer hosting the Connect service instance to BlackBerry UEM.
4. Add each new computer hosting the Connect instance to the BlackBerry Connect app settings.

Configuring the Connect service for disaster recovery

Disaster recovery for the BlackBerry Connect service is based on an active/warm standby clustering model. Disaster recovery is not supported for BlackBerry Connect using Cisco Jabber.

Before you add a BlackBerry Connect instance for disaster recovery, you complete the following actions:

1. Evaluate your Microsoft Lync Server or Skype for Business disaster recovery strategy.

   If you have separate Front End pools for disaster recovery, create a separate Trusted Application Pool for your Connect instances. This separate Trusted Application Pool should be associated with the disaster recovery Front End pool. Associate all disaster recovery BlackBerry Connect instances with this Trusted Application Pool. If you don't have separate Front End pools for disaster recovery, then use a single Trusted Application Pool, but make sure your Lync or Skype for Business disaster recovery strategy properly preserves the Trusted Application Pool in the event of a failover.

   Consider the following example for Microsoft Lync Server or Skype for Business front-end pools. Your environment has the following Microsoft Lync Server or Skype for Business Front-End pools:

   • Pool1 is for general use
   • Pool2 is for high availability use

   You create a Trusted Application Pool for Pool1. It is recommended that you create an additional Trusted Application Pool for the high availability instances. The additional Trusted Application Pool is created in your front-end high availability pool.

2. Make sure that the appropriate network ports are open to allow BlackBerry Connect servers in your disaster recovery site to communicate with the database, Microsoft Lync Server or Skype for Business Server, Microsoft Lync Server or Skype for Business database, and BlackBerry Proxy servers in your disaster recovery and primary site.

Add a new Connect service instance for disaster recovery

1. Install a new Connect service instance and turn off the service.
2. Do not provide the name of the Connect database during the disaster recovery Connect installation.
3. After the installation, configure Connect to use the database in the disaster recovery site.
4. Configure your disaster recovery Connect instance to use the secondary BlackBerry Proxy server in the cluster.
5. Allow the disaster recovery server hosting the BlackBerry Connect instance in BlackBerry UEM. Make sure you set the priority setting to Secondary or Tertiary.

After you finish: After the disaster recovery Connect instance is installed and configured, stop the Good Technology Connect service. This places the disaster recovery Connect instance in warm standby.


Allow the disaster recovery server hosting the BlackBerry Connect instance in BlackBerry UEM

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click the add icon to create a new connectivity profile, or click the Default connectivity profile to edit it.
4. In the Additional servers section, click the add icon.
5. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
6. In the Port field, specify the port for the BlackBerry Enterprise Mobility Server. By default, the port number is 8080 or 8443.
7. In the Primary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the primary cluster.
8. In the Secondary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
9. Click Save.
10. In the App servers section, click Add.
11. Search for and select BlackBerry Work.
12. Click Save.
13. In the table for the app, click the add icon.
14. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server that is hosting the BlackBerry Connect service.
15. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
16. In the Priority drop-down list, specify the priority of the BlackBerry Proxy cluster that must be used to reach the domain. Select Secondary or Tertiary.
17. Click Save.

Failover in disaster recovery

1. Stop the Good Technology Connect service on all your primary Connect instances.
2. Start the Good Technology Connect service on your disaster recovery Connect instance.

Specify the BlackBerry Proxy the BlackBerry Connect service contacts in a cluster

You can specify the BlackBerry Proxy server that the Connect service contacts first. When you specify the BlackBerry Proxy, it forces BEMS to always communicate with this BlackBerry Proxy server first for any BlackBerry Dynamics messages. The Connect service uses the BlackBerry Proxy server to create a list of BlackBerry Proxy servers to use. If the BlackBerry Proxy server that you specified in the BEMS Dashboard fails, then the Connect service contacts the next primary BlackBerry Proxy server in the list.

By default, this feature is disabled.

Before you begin:

• More than one BlackBerry Proxy is installed and configured in clusters in your environment.
• BEMS is configured to use a BlackBerry Proxy.

1. On the computer that hosts BEMS, in a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.


2. Add the following key and value to the file: <add key="ENABLE_CONFIGURED_GP_PIN" value="true" />
3. Save the file.
4. Restart the Good Technology Connect service.

Using friendly names for certificates in BlackBerry Connect

The friendly name of a certificate can be helpful when multiple certificates with similar subjects exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified.

You can restrict the certificates used for BlackBerry Connect to a friendly name by completing the following actions:

1. If you do not have one, create and enroll a certificate.
2. Change the certificate friendly name and description.
3. Set the new certificate friendly name string value in the BlackBerry Connect Server configuration file (GoodConnectServer.exe.config).

If you do not already have a certificate, you can create and verify a BEMS SSL certificate for Lync. For more information, see Create and add the BEMS SSL certificate for Microsoft Lync Server 2010, Microsoft Lync Server 2013, and Skype for Business.

Change the certificate friendly name description

1. Open the Microsoft Management Console (MMC).
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins column, click Certificates > Add.
5. Select Computer account. Click Next.
6. Select Local Computer. Click Finish.
7. Click OK.
8. Click Certificates (Local Computer) > Personal > Certificates.
9. Double-click the certificate you want to change.
10. Click the Details tab.
11. In the Show drop-down list, click <All>.
12. Click Edit Properties.
13. In the Friendly name field, type a friendly name.
14. In the Description field, type a description.
15. Click Apply.
16. Click OK. Click OK again.

After you finish: Specify the certificate's friendly name in the configuration file for the Connect service.

Add the certificate friendly name to the BlackBerry Connect server configuration file

Before you begin: Specify the certificate friendly name.

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the GoodConnectServer.exe.config file is located in <install path>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.


2. At the end of the file, type <add key="RESTRICT_CERT_BY_FRIENDLY_NAME" value="<cert_friendly_name>"/>. The key value is case sensitive.
3. Save your changes.
4. Restart the Good Technology Connect service.
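Both GoodConnectServer.exe.config edits in this guide, ENABLE_CONFIGURED_GP_PIN above and RESTRICT_CERT_BY_FRIENDLY_NAME here, follow the same pattern: add or update one <add key="..." value="..."/> entry, save, restart the service. The following PowerShell script is an added example, not code from the BlackBerry guide, that applies such an entry idempotently (no duplicate keys, exact-case key match, a backup copy first) and refuses to set the friendly-name restriction unless exactly one certificate with that friendly name exists in the local machine store, since a mismatch leaves the Connect service with no certificate to bind. It assumes the entries belong in the <appSettings> element of this .NET config file; the friendly name "BEMS Connect SSL" and the drive letter are assumptions.

```powershell
# Added example (not from the BlackBerry guide). Run as administrator on the computer that hosts the Connect service.
# Assumption: <add key=.../> entries live under /configuration/appSettings in this .NET config file.
$ConfigPath = "C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config"

function Set-ConnectAppSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    $settings = $xml.SelectSingleNode("/configuration/appSettings")
    if (-not $settings) {
        $settings = $xml.DocumentElement.AppendChild($xml.CreateElement("appSettings"))
    }
    # The guide notes the key is case sensitive; XPath string comparison is exact, so
    # an existing key of different case is not matched and would be left untouched.
    $node = $settings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $settings.AppendChild($xml.CreateElement("add"))
        $node.SetAttribute("key", $Key)
    }
    $node.SetAttribute("value", $Value)

    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy for rollback
    $xml.Save($Path)
    Write-Host "Set $Key=$Value in $Path"
}

function Test-CertFriendlyName {
    # Returns $true only when exactly one certificate in LocalMachine\My carries the friendly name.
    param([Parameter(Mandatory)][string]$FriendlyName)
    $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq $FriendlyName })
    switch ($found.Count) {
        0       { Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My"; return $false }
        1       { return $true }
        default { Write-Warning "$($found.Count) certificates share friendly name '$FriendlyName'; make it unique first"; return $false }
    }
}

# Restrict Connect to the certificate identified by its friendly name (assumed value).
$friendly = "BEMS Connect SSL"
if (Test-CertFriendlyName -FriendlyName $friendly) {
    Set-ConnectAppSetting -Path $ConfigPath -Key "RESTRICT_CERT_BY_FRIENDLY_NAME" -Value $friendly
}

# Pin the Connect service to the BlackBerry Proxy configured in the BEMS Dashboard.
Set-ConnectAppSetting -Path $ConfigPath -Key "ENABLE_CONFIGURED_GP_PIN" -Value "true"

# Restart the service (display name as given in the guide) so the new settings take effect.
Get-Service -DisplayName "Good Technology Connect" | Restart-Service
```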

Configure the Connect service to receive SSL communications for a new installation

By default, SSL is enabled when you install the Connect service and runs securely using SSL/TLS (HTTPS) to communicate with the BlackBerry Connect app over port 8082. By default, the BEMS installer generates a secure certificate that is bound to port 8082. Optionally, you can choose to manually create a secure certificate that you must import to BEMS and bind to port 8082 or another available port. If you upgrade from BEMS 2.10 or earlier, see Options to configure the Connect service to receive SSL communications from an upgraded BEMS instance for available options.

For SSL support, you perform one of the following actions based on your environment:

• Use the default BEMS-Connect SSL certificate that is generated by the BEMS installer and the default port number. In this scenario, you must Assign the BEMS SSL certificate to users.
• Use the default BEMS-Connect SSL certificate that is generated by the BEMS installer, but your environment requires that you use a different port number. In this scenario, you must complete the following steps:
  1. Unbind the SSL certificate from port 8082.
  2. Bind the SSL certificate to the Connect service SSL port.
  3. Update the port number to enable SSL for BEMS Common and Connect service.
  4. In BlackBerry UEM, assign the BEMS SSL certificate to users.
  5. Configure the BlackBerry Connect app to send requests over SSL.
• Use your own SSL certificate and the default port number. In this scenario you must complete the following steps:
  1. Create a CSR request.
  2. Submit a CSR request to a certificate authority. You must install the certificate on the server that generated the CSR.
  3. Import the signed certificate to the computer that hosts the Connect service.
  4. Import the certificate into the Java keystore.
  5. Bind the SSL certificate to the Connect service SSL port.
  6. Add the certificate friendly name to the BlackBerry Connect server configuration file.
  7. Configure the BlackBerry Connect app to send requests over SSL.
  8. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Options to configure the Connect service to receive SSL communications from an upgraded BEMS instance

If you upgraded from BEMS version 2.10 or earlier, select one of the following scenarios:

• You want to upgrade your BEMS instance, don't have the Connect service configured for secure connections, and don't require secure connections. In this scenario, you are not required to complete any additional upgrade steps.
• You want to upgrade your BEMS instance, are already using secure connections, and want to keep this configuration. In this scenario, you are not required to complete any additional upgrade steps.
• You want to change a non-secure connection environment to a secure connection environment. In this scenario, you must choose one of the following options:
  • Configure BEMS to use a secure connection using the default installation SSL certificate generated by the BEMS installer
  • Configure BEMS to use a secure connection using your own SSL certificate


Configure BEMS to use a secure connection using the default installation SSL certificate generated by the BEMS installer

1. Bind the SSL certificate to the Connect service SSL port.
2. Enable SSL communications.
3. Configure the BlackBerry Connect app to send requests over SSL.
4. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Configure BEMS to use a secure connection using your own SSL certificate

1. Create a CSR request.
2. Submit a CSR request to a certificate authority. You must install the certificate on the server that generated the CSR.
3. Import the signed certificate to the computer that hosts the Connect service.
4. Import the certificate into the Java keystore.
5. Bind the SSL certificate to the Connect service SSL port.
6. Enable SSL communications.
7. Configure the BlackBerry Connect app to send requests over SSL.
8. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Assign the BEMS-Connect SSL certificate to users in BlackBerry UEM

By default, BEMS-Connect uses a self-signed certificate that is generated by the BEMS installer.

1. Complete one of the following tasks:
   • If you use the default SSL certificate generated by the BEMS installer:
     a. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
     b. Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.
   • If you use your own SSL certificate, export the SSL certificate chain from the Microsoft Management Console (MMC). If you don't know which certificate chain to download, in a command prompt type netsh http show sslcert to confirm the certificate hash, then use the MMC to locate the certificate whose thumbprint is the same as the certificate hash.
     a. Open the Microsoft Management Console (MMC).
     b. Click Console Root.
     c. Click File > Add/Remove Snap-in.
     d. In the Available snap-ins column, click Certificates > Add.
     e. In the Certificates snap-in wizard, select Computer account. Click Next.
     f. On the Computer > Select Computer screen, select Local Computer. Click Finish.
     g. Click OK.
     h. In the MMC, expand Certificates (Local Computer) > Personal.
     i. Double-click the SSL certificate.
     j. Click Certification Path.
     k. Click the root certificate. The root certificate is the first item in the Certificate hierarchy.
     l. Click View Certificate.
     m. Click the Details tab.


     n. Click Copy to File.
     o. Click Next.
     p. Enter a name for the certificate and export it to your desktop.
     q. Click Save.
     r. Click Finish.
     s. Click OK.

2. In BlackBerry UEM, create a CA certificate profile for the BEMS Self-Signed certificate, or create individual CA certificate profiles for the CA Root certificate and any CA Intermediate certificates. Assign the profiles to users or user groups. For instructions on creating a CA certificate profile and assigning it to users or user groups, see the BlackBerry UEM administration content.
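The "which certificate chain" check in step 1 can be scripted instead of matched by eye in the MMC. The following PowerShell script is an added example, not code from the BlackBerry guide: it reads the certificate hash that HTTP.sys has bound to the Connect SSL port from netsh http show sslcert, finds the certificate with that thumbprint in the local machine Personal store, builds its chain and exports the root as a .cer ready for the UEM CA certificate profile. If the bound certificate is the installer's self-signed one, the chain has a single element and that certificate itself is exported. Port 8082 (the guide's default) and the desktop output folder are assumptions.

```powershell
# Added example (not from the BlackBerry guide). Run as administrator on the computer that hosts the Connect service.
$SslPort = 8082                         # Connect SSL port per the guide; change if you bound another port
$OutDir  = "$env:USERPROFILE\Desktop"   # assumed export location

function Get-BoundSslCertHash {
    # Returns the thumbprint HTTP.sys has bound to 0.0.0.0:<port>, as reported by netsh.
    param([Parameter(Mandatory)][int]$Port)
    $text = (& netsh http show sslcert "ipport=0.0.0.0:$Port") -join "`n"
    if ($text -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        return $Matches[1].ToUpperInvariant()
    }
    # Bindings made by hostname or on [::] are not matched by this query; inspect
    # 'netsh http show sslcert' without arguments in that case.
    throw "No SSL certificate binding found for 0.0.0.0:$Port"
}

function Export-ChainRoot {
    # Locates the bound certificate, walks its chain and writes the root (DER) to a .cer file.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Directory
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Thumbprint $Thumbprint is bound in HTTP.sys but not present in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation status is irrelevant here; we only need the chain layout to find the root.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    # Element 0 is the leaf; the last element is the root. For a self-signed BEMS
    # certificate the chain has one element, so the leaf is exported.
    $elements = $chain.ChainElements
    $root = $elements[$elements.Count - 1].Certificate
    $file = Join-Path $Directory ("BEMS-Connect-root-" + $root.Thumbprint + ".cer")
    $der  = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($file, $der)

    [pscustomobject]@{
        BoundLeaf  = $cert.Subject
        SelfSigned = ($elements.Count -eq 1)
        Root       = $root.Subject
        ExportedTo = $file
    }
}

$hash = Get-BoundSslCertHash -Port $SslPort
Export-ChainRoot -Thumbprint $hash -Directory $OutDir
```

When the chain has intermediates, the guide's step 2 wants a separate CA certificate profile for each; the intermediate certificates are the remaining entries in $chain.ChainElements between the leaf and the root.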

Create a CSR request

1. Log in to the computer hosting BEMS with the service account.
2. Open the Microsoft Management Console (MMC).
3. Click Console Root.
4. Click File > Add/Remove Snap-in.
5. In the Available snap-ins column, click Certificates > Add.
6. In the Certificates snap-in wizard, select Computer account. Click Next.
7. On the Computer > Select Computer screen, select Local Computer. Click Finish.
8. Click OK.
9. In the Microsoft Management Console, expand Certificates (Local Computer).
10. Right-click Personal and click All Tasks > Advanced Operations > Create Custom Request.
11. In the Certificate Enrollment wizard, click Next.
12. On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy. Click Next.
13. On the Custom request screen, select the following settings:

• In the Template field, select (No template) Legacy key.
• In the Request format option, select PKCS #10.

14. Click Next.
15. On the Certificate Information screen, expand Details for the custom request.
16. Click Properties.
17. Click the Subject tab.
18. On the Subject tab, in the Subject name section, complete the following actions:
a) In the Type drop-down list, select Common Name.
b) In the Value field, type the <BEMSFQDN> of the computer that hosts the Connect service (for example, BEMSHost.mycompany.com).
c) Click Add.
19. In the Alternative name section, add the DNS name by completing the following actions:
a) In the Type drop-down list, select DNS.
b) In the Value field, type the <BEMSFQDN> of the computer that hosts the Connect service (for example, BEMSHost.mycompany.com).
c) Click Add.
20. On the Extensions tab, complete the following actions:
a) In the Extended Key Usage (application policies) drop-down list, in the Available options column, click Server Authentication.
b) Click Add.
21. On the Private Key tab, complete the following actions. These settings (a legacy CAPI provider and an Exchange key) are what the Connect service requires; the TLSException troubleshooting topic later in this section shows how to check them on an issued certificate.
a) In the Cryptographic Service Provider drop-down list, in the Select cryptographic service provider (CSP) section, clear all the check boxes.
b) Select the Microsoft RSA SChannel Cryptographic Provider (Encryption) check box.
c) In the Key size field, type 2048.
d) In the Key options drop-down list, in the Key type drop-down list, select Exchange.
22. Click Apply.
23. Click OK.
24. Click Next.
25. Enter a name for the certificate request and save it to your desktop.
26. In the File format section, select Base 64.
27. Click Finish.

After you finish:

1. Submit the certificate request that you created to the certificate authority to obtain a certificate.
2. Import the signed certificate to the computer that hosts the Connect service.

Import the signed certificate to the computer that hosts the Connect service

Make sure that you install the certificate on the server that generated the CSR; only that server holds the matching private key.

1. If necessary, open the Microsoft Management Console (MMC).
2. Expand Certificates (Local Computer).
3. Right-click Personal and click All Tasks > Import.
4. Click Next.
5. Navigate to the certificate file that you obtained from the certificate authority.
6. Click Next.
7. On the File to Import screen, select the file and click Open.
8. Click Next.
9. In the Certificate Store screen, click Browse and click Trusted Root Certification Authorities.
10. Click Next.
11. Click Finish.

Before you bind the certificate, confirm that it appears under Certificates (Local Computer) > Personal with the private key indicator. netsh http add sslcert looks in the Personal (MY) store unless you pass certstorename, and it cannot bind a certificate that has no private key.
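The CSR and import procedures above, as an added PowerShell example that is not part of the BlackBerry guide: it generates the request with certreq using the same parameters the MMC wizard sets (legacy CAPI key, Microsoft RSA SChannel provider, 2048-bit Exchange key, Server Authentication EKU, DNS subject alternative name) and then installs the CA-signed certificate so that it lands, with its private key, in the Local Computer Personal store. The FQDN, the scratch folder and the file names are assumptions.

```powershell
# Added example, not the guide's own code. Assumptions: run elevated on the Connect
# host; $Fqdn is the host FQDN used for the CSR; $WorkDir and file names are illustrative.
$Fqdn    = 'bemshost.example.com'     # assumption: Connect host FQDN
$WorkDir = 'C:\Temp\connect-cert'     # assumption: scratch folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF equivalent of the wizard settings in "Create a CSR request".
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type the Connect service needs
KeySpec = 1
KeyLength = 2048
; Keep the private key on the server; only the public chain is exported for UEM
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; Digital Signature + Key Encipherment
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name carrying the host FQDN
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@

$infPath = Join-Path $WorkDir 'connect.inf'
$csrPath = Join-Path $WorkDir 'connect.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the machine store and writes a Base64 PKCS #10 request.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Submit $csrPath to your certificate authority."

# Once the CA returns the certificate, install it. certreq -accept matches it to the
# pending request and stores it with its private key in Cert:\LocalMachine\My.
$cerPath = Join-Path $WorkDir 'connect.cer'   # assumption: the file returned by the CA
if (Test-Path $cerPath) {
    certreq -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    # Verify: subject matches, private key present, not yet expired.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
```

Run the script once to produce the CSR, submit the .csr file to the CA, save the returned certificate as the .cer file the script expects, and run it again to accept it. Because certreq -accept installs into the Personal store, the certificate is in the place netsh http add sslcert searches by default.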

After you finish: Bind the signed certificate to the Connect service SSL port. 

Bind the SSL certificate to the Connect service SSL port

Before you begin: Import the CA-signed certificate to the computer that hosts the Connect service.

1. Copy the thumbprint of the imported certificate.
a. Double-click the imported certificate.
b. Click the Details tab.
c. In the Show drop-down list, click Properties Only.
d. In the Field column, click Thumbprint.
e. Copy the hexadecimal values into a text editor. Delete the spaces between the hexadecimal values. For example, if you copied 80 82 41 2f..., it becomes 8082412f...
f. Keep the text editor open.
2. If required, log in to the computer that hosts the Connect service with the service account.
3. Open a command prompt (run as administrator).
4. Check that a certificate is not already bound to port 8082. Type netsh http show sslcert. If you use a new certificate, note the hash of any certificate that is currently bound to port 8082 so that you can tell the old binding from the new one in step 7. If a certificate is bound to port 8082, or to another port that you want to use, type netstat -abn > netstatoutput.txt to output the list of ports and the processes to which they are bound. You must delete the existing binding before you bind the new certificate, or select a different port for the SSL binding. If you bind the certificate to another port, use that same port when you configure the Connect service. To delete the existing binding, type netsh http delete sslcert ipport=0.0.0.0:8082, replacing 8082 with the port that you want to bind the certificate to.

For more information about netsh, visit the Technet Library to see Netsh Commands for Hypertext Transfer Protocol (HTTP).

5. Bind the certificate to the SSL port. In a command prompt (run as administrator), type netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}, where <thumbprint> is the thumbprint of the signed certificate that you copied to the text editor in step 1.
6. Press Enter.
7. To verify the certificate binding, type netsh http show sslcert.
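The binding procedure above, as an added PowerShell example that is not part of the BlackBerry guide: it reads the thumbprint from the certificate store instead of the Details tab (the Thumbprint property is already the spaceless hex string netsh expects, with none of the hidden characters a copied thumbprint can carry), warns if another process already listens on the port, replaces any existing binding, and verifies that the bound hash is the one intended. The FQDN and port are assumptions; the appid is the one the guide uses.

```powershell
# Added example, not the guide's own code. Assumptions: run elevated; the certificate
# is in Cert:\LocalMachine\My; $BemsFqdn and $Port match your environment.
$BemsFqdn = 'bemshost.example.com'   # assumption: FQDN used as the certificate common name
$Port     = 8082                     # assumption: Connect SSL port
$AppId    = '{AD67330E-7F41-4722-83E2-F6DF9687BC71}'   # appid from the guide

# Newest certificate for the host that has a private key; netsh cannot bind one without it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$BemsFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $BemsFqdn in LocalMachine\My" }

$hash = $cert.Thumbprint   # spaceless hex, exactly what certhash= expects
Write-Host "Using '$($cert.Subject)' (expires $($cert.NotAfter), hash $hash)"

# Same check the guide performs with netstat -abn: is something already listening on the port?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = (Get-Process -Id $listener[0].OwningProcess).ProcessName
    Write-Warning "Port $Port already has a listener (process '$owner'); pick another port or stop it."
}

# Replace any existing binding on the port. netsh prints "Certificate Hash" only when one exists.
$existing = netsh http show sslcert "ipport=0.0.0.0:$Port"
if ($existing -match 'Certificate Hash') {
    Write-Host "Existing binding on port $Port found; deleting it first."
    netsh http delete sslcert "ipport=0.0.0.0:$Port" | Out-Null
}
netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$hash" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify: the hash netsh reports for the port must equal the thumbprint we bound.
$verify = netsh http show sslcert "ipport=0.0.0.0:$Port"
if (($verify -join "`n") -match "Certificate Hash\s*:\s*$hash") {
    Write-Host "Certificate $hash bound to 0.0.0.0:$Port"
} else {
    throw "Binding verification failed:`n$($verify -join "`n")"
}
```

If you change the port from 8082, carry the same value into BASE_URL in GoodConnectServer.exe.config, the connect.websocket.uri setting in the Karaf console, and the Connect Server Hosts field of the app configuration in UEM; all three must agree with the binding.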

After you finish:

1. Enable SSL communications.
2. Configure the BlackBerry Connect app to send requests over SSL.

Enable SSL communications

You must enable SSL in two locations: the BlackBerry Connect server configuration file and the BEMS Common to Connect communications.

Before you begin: Back up the BlackBerry Connect server configuration file.

1. Enable SSL communications in the Connect service.
a) To modify the server configuration to use the correct SSL certificate, navigate to the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.
b) In a text editor (run as administrator), edit the GoodConnectServer.exe.config file.
c) Locate the BASE_URL line (for example, <add key="BASE_URL" value="http://*:8080/"/>).
d) Change the line to <add key="BASE_URL" value="https://*:8082/"/>. If required, update the port to the port that you bound the certificate to.
e) Save your changes.
f) Restart the Good Technology Connect service.
2. Enable SSL for BEMS Common to Connect communications.
a) On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<fqdn_of_the_bems_host>:8443/system/console/configMgr. To modify the adaptor notify service to use the correct port, on the computer that hosts
b) Scroll to and click Good Technology Core Adaptor Service.
c) In the connect.websocket.uri field, verify that the URI is wss://localhost:8082/AdapterNotifyService/Notify/ws. If necessary, change the port to the port that you are using.
d) Click Save.

After you finish: Configure the BlackBerry Connect app to send requests over SSL.

Configure the BlackBerry Connect app to send requests over SSL in BlackBerry UEM

Before you begin: If you configured the BlackBerry Connect app configuration to use the default port of 8080, you can update the app configuration to use the SSL port information.

Complete the instructions in Configure BlackBerry Connect app settings in the BlackBerry Connect Administration content. In the Connect Server Hosts field, type the FQDN of each computer that hosts the BlackBerry Connect server, using the https scheme and the SSL port 8082. If you have multiple servers, separate the entries with commas and no spaces. For example: https://domain01.example.com:8082,https://domain02.example.com:8082,https://domain03.example.com:8082.

Configuring Windows services

The BlackBerry Connect server is now listed in Windows Services. You can view the service status and the service account user you entered for the Connect service.

For Connect to run as another domain user, the alternate domain user must:

• Have access to the private key of the computer certificate.
• Be enabled to "Log on as a service" through the Local Security Policy tool.

Configure permissions for the service account

1. On the computer that hosts BlackBerry Connect, run the Local Security Policy administrative tool.
2. In the left pane, expand Local Policies.
3. Click User Rights Assignment.
4. Add the BlackBerry Connect service account to the Log on as a service policy.

Global catalog for Connect and Presence

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory Domain Services (AD DS) forest. Global catalogs are typically used in a single AD DS forest that has more than one domain. A global catalog provides a way for products and services to access data that is available in other domains in the same forest. For more information about global catalogs, visit the Technet Library to see What Is the Global Catalog?.

You can configure the Connect service to use the global catalog so that the Connect service can find users who exist in other domains within your AD DS forest. This enables the BlackBerry Connect app to search for people in those other domains and start conversations with them, or add them to the contact list.

You can also configure the Presence service to use the global catalog so that the Presence service can subscribe to receive presence information for Lync users who exist in other domains within your AD DS forest. This is helpful when users of a Presence client, such as BlackBerry Work, email others who reside in other domains in your AD DS forest.

In addition to configuring the Connect and Presence services to use the global catalog, you must replicate some additional Microsoft Lync Server or Skype for Business attributes to the global catalog. You must perform this setup only once, whether the global catalog is used for one or both services. Some environments might require some Active Directory attributes to be correctly replicated to the global catalog in the other domains. For more information about enabling replication of user attributes to the global catalog server, visit support.blackberry.com/community to read article 46152.


Enable the Connect service to use a global catalog

The instructions in this topic use the environment example.com to configure the Connect service to use a global catalog.

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in the <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect folder.

2. In the <appSettings> section of the file, locate the following values:

• <add key="AD_USERS_SOURCE" value="" />
• <add key="AD_USERS_SOURCE_DOMAIN" value="" />

3. Update the values as required for your environment. For example, to configure the Connect service to access Active Directory domains outside of the local domain that the BEMS is located in, complete the following steps:
a) Between the double quotation marks of the value attribute of the AD_USERS_SOURCE key, enter GC.
b) Between the double quotation marks of the value attribute of the AD_USERS_SOURCE_DOMAIN key, enter DC=EXAMPLE,DC=COM or the fully qualified domain name EXAMPLE.COM. Make sure that you use the distinguished name of the domain. For more information, see Appendix A: Understanding the BEMS-Connect configuration file.

The following example shows the GoodConnectServer.exe.config file configured to access a global catalog:

  ...
  <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
  <add key="AD_USERS_SOURCE" value="GC" />
  <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Connect resides; -->
  <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />
  ...

4. In Windows Services, restart the Good Technology Connect service.

Revert the Connect service settings to use the local Active Directory

If you configured the Connect service to use a global catalog, you can modify the GoodConnectServer.exe.config file to have the Connect service use the local Active Directory domain that the BEMS is located in. In the following example, the Connect service was configured to use the global catalog in the example.com environment.

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in the <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect folder.

2. In the <appSettings> section of the file, locate the following values:

• <add key="AD_USERS_SOURCE" value="GC" />
• <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />

3. Remove the specified values from between the double quotation marks. The following example shows the GoodConnectServer.exe.config file configured to use the local Active Directory domain where the BEMS is located:

  ...
  <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
  <add key="AD_USERS_SOURCE" value="" />
  <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Connect resides; -->
  <add key="AD_USERS_SOURCE_DOMAIN" value="" />
  ...

4. In Windows Services, restart the Good Technology Connect service.

Enable the Presence service to use a global catalog

The instructions in this topic use the environment example.com to configure the Presence service to use a global catalog.

1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the file is located in the <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence folder.

2. In the <appSettings> section of the file, locate the following values:

• <add key="AD_USERS_SOURCE" value="" />
• <add key="AD_USERS_SOURCE_DOMAIN" value="" />

3. Update the values as required for your environment. For example, if your environment (example.com) requires access to a global catalog, complete the following steps:
a) Between the double quotation marks of the value attribute of the AD_USERS_SOURCE key, enter GC.
b) Between the double quotation marks of the value attribute of the AD_USERS_SOURCE_DOMAIN key, enter the distinguished domain name, DC=EXAMPLE,DC=COM, or the fully qualified domain name, EXAMPLE.COM. Make sure that you use the distinguished name of the domain. For more information, see Appendix A: Understanding the BEMS-Connect configuration file.

The following example shows the LyncPresenceProviderService.exe.config file configured to access a global catalog:

  ...
  <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
  <add key="AD_USERS_SOURCE" value="GC" />
  <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Presence resides; -->
  <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />
  ...

4. In Windows Services, restart the Good Technology Presence service.

Revert the Presence service settings to use the local Active Directory

If you configured the Presence service to use a global catalog, you can modify the LyncPresenceProviderService.exe.config file to have the Presence service use the local Active Directory domain that the BEMS is located in. In the following example, the Presence service was configured to use the global catalog in the example.com environment.

1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the file is located in the <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence folder.

2. In the <appSettings> section of the file, locate the following values:

• <add key="AD_USERS_SOURCE" value="GC" />
• <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />

3. Remove the specified values from between the double quotation marks. The following example shows the LyncPresenceProviderService.exe.config file configured to use the local Active Directory domain where the BEMS is located:

  ...
  <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
  <add key="AD_USERS_SOURCE" value="" />
  <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Presence resides; -->
  <add key="AD_USERS_SOURCE_DOMAIN" value="" />
  ...

4. In Windows Services, restart the Good Technology Presence service.
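The four global catalog procedures above, and the BASE_URL change in Enable SSL communications, all edit one <appSettings> key in a BEMS service .exe.config. The following added PowerShell example, which is not part of the BlackBerry guide, does that edit with a timestamped backup and refuses to touch a key that does not already exist, so a typo cannot silently add an unknown setting. The installation paths follow the guide's defaults, the Good Presence folder name with a space, the service display names and the example.com forest are assumptions.

```powershell
# Added example, not the guide's own code. Assumptions: default install paths, run
# elevated, each file is a well-formed <configuration><appSettings> XML document.
function Set-AppSettingValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    if (-not (Test-Path -Path $Path)) { throw "Config file not found: $Path" }

    # Back up before every change; the guide requires a backup before enabling SSL.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup

    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "Key '$Key' is not present in $Path; refusing to add an unknown key" }

    $old = $node.value
    $node.value = $Value
    $xml.Save($Path)
    Write-Host "$Key`: '$old' -> '$Value' (backup: $backup)"
}

# Assumption: default install locations from the guide.
$connectCfg  = 'C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config'
$presenceCfg = 'C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence\LyncPresenceProviderService.exe.config'

# Enable SSL communications, step 1: move the Connect listener from http://*:8080/ to
# https://*:8082/ (the port must match the netsh http add sslcert binding).
Set-AppSettingValue -Path $connectCfg -Key 'BASE_URL' -Value 'https://*:8082/'

# Enable Connect and Presence to use the global catalog of the example.com forest.
Set-AppSettingValue -Path $connectCfg  -Key 'AD_USERS_SOURCE'        -Value 'GC'
Set-AppSettingValue -Path $connectCfg  -Key 'AD_USERS_SOURCE_DOMAIN' -Value 'DC=EXAMPLE,DC=COM'
Set-AppSettingValue -Path $presenceCfg -Key 'AD_USERS_SOURCE'        -Value 'GC'
Set-AppSettingValue -Path $presenceCfg -Key 'AD_USERS_SOURCE_DOMAIN' -Value 'DC=EXAMPLE,DC=COM'

# Reverting to the local domain is the same call with empty values, for example:
# Set-AppSettingValue -Path $connectCfg -Key 'AD_USERS_SOURCE' -Value ''
# Set-AppSettingValue -Path $connectCfg -Key 'AD_USERS_SOURCE_DOMAIN' -Value ''

# Both services read their .exe.config only at start-up (assumption: display names as in the guide).
Restart-Service -DisplayName 'Good Technology Connect'
Restart-Service -DisplayName 'Good Technology Presence'
```

Saving through the XML parser keeps the comments in the file, so the "valid values" hints next to each key survive the edit; if a restart fails after the change, the .bak file written next to the config is the rollback.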

Enable Microsoft Lync Server or Skype for Business related attributes in the global catalog

Complete this task on the domain controller in your environment.

1. Open the Run command.
2. Type schmmgmt.msc. Press Enter.
3. In the left navigator window, click Active Directory Schema.
4. In the middle window, double-click Attributes.
5. Double-click Mail.
6. Select the Replicate this attribute to the Global Catalog checkbox. Click OK.
7. Repeat steps 5 and 6 for the following attributes:

• msRTCSIP-PrimaryUserAddress
• msRTCSIP-UserEnabled
• msRTCSIP-DeploymentLocator
• telephoneNumber
• displayName
• title
• mobile
• givenName
• sn
• sAMAccountName
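The schema procedure above, as an added PowerShell example that is not part of the BlackBerry guide: the "Replicate this attribute to the Global Catalog" checkbox sets isMemberOfPartialAttributeSet on the attributeSchema object, so the same check (and, with -Fix, the same change) can be made with the ActiveDirectory module. It reports which of the listed attributes are not yet in the partial attribute set and, optionally, enables them on the schema master. Assumptions: the ActiveDirectory module is installed, the caller is a Schema Admin, and the Lync or Skype for Business schema extensions (the msRTCSIP-* attributes) are present.

```powershell
# Added example, not the guide's own code. Read-only unless -Fix is given.
param([switch]$Fix)
Import-Module ActiveDirectory

# The attributes the guide lists for the Connect and Presence global catalog lookups.
$required = @(
    'mail', 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled', 'msRTCSIP-DeploymentLocator',
    'telephoneNumber', 'displayName', 'title', 'mobile', 'givenName', 'sn', 'sAMAccountName'
)

# Schema changes must be made on the schema master.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$missing = @()
foreach ($attr in $required) {
    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
    if (-not $obj) {
        Write-Warning "$attr is not in the schema (Lync/Skype for Business schema extensions missing?)"
        continue
    }
    $inGC = [bool]$obj.isMemberOfPartialAttributeSet
    Write-Host ('{0,-30} replicated to GC: {1}' -f $attr, $inGC)
    if (-not $inGC) { $missing += $obj }
}

if (-not $missing) {
    Write-Host 'All listed attributes are already in the partial attribute set.'
} elseif ($Fix) {
    foreach ($obj in $missing) {
        # Equivalent of ticking "Replicate this attribute to the Global Catalog" in schmmgmt.msc.
        Set-ADObject -Server $schemaMaster -Identity $obj -Replace @{ isMemberOfPartialAttributeSet = $true }
        Write-Host "Enabled GC replication for $($obj.lDAPDisplayName)"
    }
    # Ask the schema master to reload its schema cache so the change takes effect before the next refresh.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
} else {
    Write-Warning "$($missing.Count) attribute(s) are not in the GC; re-run with -Fix as a Schema Admin to enable them."
}
```

Run it without -Fix first from any domain-joined host to see the current state; adding an attribute to the partial attribute set is a forest-wide schema change, so make it once, as the guide says, and let replication carry it to the other domains before testing cross-domain lookups.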

Troubleshooting BlackBerry Connect issues

The BEMS-Connect service logs information in different log files and saves them to different folder locations, depending on the installation configuration of the BEMS-Connect service. These log files are required when troubleshooting Connect issues. The log files contain critical information for the instant messaging server that is used in your environment (for example, Microsoft Lync Server, Cisco Unified Communications Manager, Skype for Business Online, and Skype for Business using non-trusted application mode or trusted application mode).


Finding log files

By default, a server log file is created for each BEMS server and is stored daily on the computer that hosts BEMS.

BEMS-Core log files are named gems_<server_name>_<date_time_stamp>.log. By default, the BEMS log files are stored daily in C:\BlackBerry\bemslogs.

Note: The timestamp for each file is reset daily at 0:00 (midnight). It is also reset each time that the BEMS-Connect service is restarted and when a maximum file size is reached.

The following table summarizes the log files that are generated by the BEMS-Connect service.

Log file: Connect_<server_name>_<date_time_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs BlackBerry Connect app connection data.
• In Microsoft Lync Server or Skype for Business on-premises using trusted application mode environments, this log also logs all of the service log data, including communications with the instant messaging platform.
• The log file is reset when it reaches a maximum of 20 MB and a new log file is started. The log files are automatically deleted after three days.
• The BEMS-Connect service log4net.config file controls the information that is logged in the log file. For more information, visit http://support.blackberry.com/community to read article 41080.

Log file: Connect-LongTerm_<server_name>_<date_time_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs similar information to the Connect_<server_name>_<date_time_stamp>.log file (above) over a longer duration, but with less detail. For example, this log file logs only some INFO level logging and all ERROR and WARN level logging. It doesn't log DEBUG level logging. By default, the Connect_<server_name>_<date_time_stamp>.log file logs additional INFO logging and DEBUG log lines.
• The log file is reset when it reaches a maximum size of 20 MB and a new log file is started. The log files are automatically deleted after 20 days.

Log file: Connect_MSMData_<date_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs BEMS-Connect app MSM-specific data that is used by the Good Mobile Service Manager.
• This log file isn't reset after a maximum size or deleted after a specified number of days.
• This log file is not required for troubleshooting BEMS-Connect issues.

Log file: gems_<server_name>_<date_time_stamp>.log
Default log file location: C:\BlackBerry\bemslogs
Description:
• This log file logs BEMS-Connect interaction information with the Skype for Business on-premises using non-trusted application mode, Skype for Business Online, or Cisco Unified Communications Manager that is configured in your environment.
• This log file is reset when it reaches a maximum size of 100 MB.
• The log file is automatically purged after 10 days.

Failed to start BlackBerry Connect server

Possible cause: If the Application log displays Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known, then the hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server.
Possible solution: Correct the OCS_SERVER value in the configuration file.

Possible cause: If the Application log displays Failed to start BlackBerryConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any address and port supplied, then the port number specified for UCMA_APPLICATION_PORT in the configuration file is either blocked by a firewall or used by another application.
Possible solution: Unblock the port if it is a firewall issue, or choose another port number.

Possible cause: If the Application log displays Failed to start BlackBerryConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found, then the certificate's subjectName doesn't contain the local host's FQDN, or the private key for the certificate isn't enabled for the user that runs the BEMS software.
Possible solution: Enable private key access on this certificate for the user that runs the BEMS services.


Error message: The process was terminated due to an unhandled exception. Microsoft.Rtc.Internal.Sip.TLSException

Possible cause

The SSL certificate was not created with the correct cryptographic service provider and key spec. The KeySpec property sets or retrieves the type of key generated. Valid values are determined by the cryptographic service provider in use, typically Microsoft RSA.

Possible solution

Verify that the Provider, ProviderType, and KeySpec values are the same as in the example below; otherwise the CA must reissue a new SSL certificate with the appropriate provider and key spec values.

1. On the computer that hosts BEMS, open Windows PowerShell and type the following command: certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt
2. In a text editor, open the ssl.txt file. By default, the ssl.txt file is located in <drive>:\temp.
3. Search for CERT_KEY_PROV_INFO_PROP_ID.
4. The SSL certificate information should return the following information:

  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
    Flags = 20
    KeySpec = 1 -- AT_KEYEXCHANGE

The values are hexadecimal: ProviderType c is 12 (PROV_RSA_SCHANNEL), Flags 20 is CRYPT_MACHINE_KEYSET (a machine key rather than a user key), and KeySpec 1 is AT_KEYEXCHANGE, the Exchange key type selected in Create a CSR request.
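The certutil check above, and the private key access requirement in Configuring Windows services, as one added PowerShell example that is not part of the BlackBerry guide. It reads the same CSP information (provider name, provider type, key spec, machine key flag) from the certificate's key container, confirms the host FQDN is in the subject or the subject alternative name (the OCSCertificateNotFoundException condition), and checks that the service account holds a Read ACE on the CAPI key file under MachineKeys. The FQDN and service account are assumptions; the key-file location applies to legacy CAPI machine keys, which is what the CSR procedure creates.

```powershell
# Added example, not the guide's own code. Assumptions: Windows PowerShell 5.1, the
# certificate is in Cert:\LocalMachine\My, the key is a legacy CAPI key, and the
# $Fqdn / $ServiceAccount values match your environment.
param(
    [string]$Fqdn           = 'bemshost.example.com',   # assumption: Connect host FQDN
    [string]$ServiceAccount = 'EXAMPLE\svc-bems'         # assumption: Connect service account
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }

# For CAPI keys .PrivateKey is an RSACryptoServiceProvider; for CNG keys it is $null or throws.
$rsa = try { $cert.PrivateKey } catch { $null }
if (-not $rsa) { throw 'Private key is a CNG key; the Connect service needs a legacy CAPI key (Microsoft RSA SChannel)' }
$info = $rsa.CspKeyContainerInfo

$problems = @()
# certutil equivalents: Provider, ProviderType = c (12), Flags = 20 (machine key), KeySpec = 1 (AT_KEYEXCHANGE)
if ($info.ProviderName -ne 'Microsoft RSA SChannel Cryptographic Provider') { $problems += "Provider is '$($info.ProviderName)'" }
if ($info.ProviderType -ne 12) { $problems += "ProviderType is $($info.ProviderType), expected 12 (PROV_RSA_SCHANNEL)" }
if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) { $problems += "KeySpec is $($info.KeyNumber), expected Exchange (AT_KEYEXCHANGE)" }
if (-not $info.MachineKeyStore) { $problems += 'Key is a user key, not a machine key' }

# The subject or SAN must carry the host FQDN, otherwise Connect reports OCSCertificateNotFoundException.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$escaped = [regex]::Escape($Fqdn)
if ($cert.Subject -notmatch $escaped -and $san -notmatch $escaped) { $problems += "Neither Subject nor SAN contains $Fqdn" }

# CAPI machine keys are files under MachineKeys; the service account needs Read on that file.
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
$acl = Get-Acl -Path $keyFile
$readAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $readAce) { $problems += "$ServiceAccount has no direct Read ACE on $keyFile" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Certificate $($cert.Thumbprint): provider, key spec, subject and private-key ACL are correct"
}
```

The ACL check looks for a direct entry for the account; if the service account gets access through a group, adjust the IdentityReference comparison. A provider or key-spec mismatch cannot be repaired in place: as the guide says, the certificate must be reissued from a CSR made with the Microsoft RSA SChannel provider and an Exchange key.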

Configuring the BlackBerry Presence service

When you configure the BlackBerry Presence service to support BlackBerry Work, you perform one of the following sets of actions.

• If your environment includes a Microsoft Lync Server or Skype for Business:

• Configure BlackBerry Presence in the BEMS Dashboard.
• Manually configure the Presence service for multiple application endpoints.
• Optionally, configure BlackBerry UEM for Presence.
• Optionally, enable the Presence service to use a global catalog.
• Optionally, configure BlackBerry UEM for high availability.
• Optionally, configure BlackBerry UEM for disaster recovery.

• If your environment includes a Cisco Unified Communications Manager (Cisco Jabber):

• Configure BlackBerry Presence in the BEMS Dashboard.
• Configure Jabber for the Presence service.
• Configure BlackBerry UEM for Presence.
• Optionally, configure BlackBerry UEM for high availability.
• Optionally, configure BlackBerry UEM for disaster recovery.

Configuring the BlackBerry Presence service in the BEMS Dashboard

The BlackBerry Presence service API allows BlackBerry Work and other third-party BlackBerry Dynamics applications to access users' presence statuses or availability.

When you configure the BlackBerry Presence service, you complete the following actions:

• If not completed, configure BlackBerry Dynamics
• If your environment uses a Microsoft Lync Server or Skype for Business, log in with the service account credentials
• Optionally, configure the BlackBerry Presence service settings
• Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, and Skype for Business for the BlackBerry Presence service
• Configure Jabber for the BlackBerry Presence service

Logging in to the Presence service

The BlackBerry Presence service components are unavailable until you provide the correct service accountcredentials for BEMS. BEMS uses this information to securely connect to Microsoft Services like MicrosoftActive Directory, Microsoft Lync Server, Microsoft Exchange Server, Skype for Business server, and MicrosoftSQL Server. The service account must have RTCUniversalReadOnlyAdmins rights. If an account has not yet beencreated, contact your Windows domain administrator to request an account.

Note: The service account credentials are not stored after the current browser session ends and must be enteredeach time you access the Presence service. Stop the Good Technology Presence service before you configure theservice account for BEMS.

Configure the BlackBerry Presence service settings

You can specify the settings for the BlackBerry Presence service or keep the default settings.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If your environment uses a Microsoft Lync Server or Skype for Business, click Service Account and type the login credentials for the Good Technology Presence service account.
3. Click Settings.
4. Optionally, in the Subscription Expiration Time field, type an expiration time in seconds. The Subscription Expiration Time is the interval at which BlackBerry Work contacts the Presence service for user presence status updates. By default, this is 180 seconds. If you experience issues with the Presence status not displaying, increase the subscription expiration time (for example, to 1000 seconds). Increasing the expiration time allows the subscriptions to remain active for a longer time.
5. Optionally, select the Enable domain whitelisting checkbox. For more information, see Allow Presence subscriptions to users in specified domains.
a) In the Domains whitelist dialog box, click the icon.
b) In the Domains whitelist text box, type the email domains for which you want to allow presence subscriptions. When adding multiple domains, separate them using one or more of the following:

• Comma, followed by a space
• Semicolon, followed by a space
• Space
• New line

For example, example.com, example1.com, and so forth.
c) Click the icon.
6. Click Test.
7. Click Save.


Allow Presence subscriptions to users in specified domains

Your organization can use whitelisting to control which users in internal and federated Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, Skype for Business Online, or Cisco Unified Communications Manager environments can be subscribed to. By allowing only specific domains to be subscribed to, you can improve the performance of the Presence service and exclude domains that are not part of the internal or federated domains. You can also limit presence subscriptions to specific internal and federated domains. By default, the whitelisting feature is disabled and all internal and external domain subscriptions are attempted. When this feature is configured, you can manage the allowed list from any BEMS server that hosts the Presence service.

When your organization enables whitelisting, contacts in an email domain that is not listed are restricted and no presence subscriptions are attempted to that domain. Consider the following scenarios when you enable domain whitelisting:

• If you enable domain whitelisting but do not specify one or more email domains, all email domains are restricted from requesting Presence subscriptions.

• If you enable domain whitelisting and specify one or more email domains, only contacts in the specified email domains are included in the subscription request to the instant messaging server. If a contact is not a user in the whitelisted email domains, the user's presence is not displayed.

• If you do not enable domain whitelisting, then contacts in any email domain are included in the subscription request to the instant messaging server.

Remove a domain and restrict users from requesting subscription requests

You can remove domains and restrict users of that domain from requesting subscription requests.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If necessary, click Service Account and type the login credentials for the BEMS service account.
3. Click Settings.
4. In the Domains whitelist dialog box, click the X beside the domain you want to remove from the list.
5. Click Save.

Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Skype for Business Online for the Presence service

Before you begin:

• If your environment uses Skype for Business on-premises using non-trusted application mode or Skype for Business Online, the Good Technology Presence service is not used.

• If your environment uses multiple Skype for Business on-premises servers using trusted application mode or non-trusted application mode, have the Skype for Business servers load balanced with a load balancer. For more information about load balancing requirements, visit https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/load-balancing.

• If you configure your environment to use Skype for Business Online, have the following information. If you configured the Connect service, reuse the tenant name, app ID and app key. For instructions, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
• Tenant name
• Service app ID and app key
• BlackBerry Work app ID


1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.

2. If necessary, click Service Account and type the login credentials for the BEMS service account.

3. Click Lync 2010, Lync 2013, or Skype for Business. The system queries the instant messaging server to verify that the appropriate BEMS instant messaging server topology is added. This can take a few moments to complete.

4. Complete one of the following tasks, depending on the instant messaging server in your environment:

Microsoft Lync Server 2010 or Microsoft Lync Server 2013
  a. In the Application ID drop-down list, select <appid_connect.mycompany.com>. If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.
  b. In the Application Endpoint drop-down list, select the corresponding application endpoint.

Skype for Business Online
  a. Select the Skype for Business Online checkbox.
  b. In the Tenant name/ID field, enter the name of your Skype for Business Online tenant. If you need to connect to more than one tenant, enter common.
  c. In the BlackBerry BEMS Connect/Presence Service App ID field, enter the BlackBerry Presence service app ID. For instructions on obtaining the app ID, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
  d. In the BlackBerry BEMS Connect/Presence Service App Key field, enter the BlackBerry Presence service app key.
  e. In the BlackBerry Presence Client App ID field, enter the BlackBerry Work app ID. For instructions, see Obtain an Azure app ID for BlackBerry Work.

Skype for Business on-premises using trusted application mode
  Note: In this configuration, the Presence service is trusted by Skype for Business and can impersonate a user. End user authentication is not required on the device to view presence status. Because the service can impersonate users, treat the BEMS host and its service account as a privileged asset.
  a. Select the Skype for Business On-Premises checkbox.
  b. Select Trusted Application Mode.
  c. Beside the Application ID drop-down list, click Browse. This step can take up to a minute to complete.
  d. In the Application ID drop-down list, select the app ID. For example, <appid_connect.mycompany.com>. If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.

Skype for Business on-premises using non-trusted application mode
  Note: In this configuration, the Presence service is not trusted by Skype for Business and cannot impersonate a user. End user authentication on the device is required.
  a. Select the Skype for Business On-Premises checkbox.
  b. Select Non-trusted Application Mode.
  c. Complete one or both of the following actions:
    • Select the Auto discover servers checkbox to have BEMS discover the Skype for Business servers in the environment.
    • Enter the default Skype for Business on-premises FQDN or the complete URL of the Skype for Business server for BEMS to use if autodiscovery is not enabled or fails. For example, http(s)://<BEMS-FQDN>/Autodiscover/AutodiscoverService.svc/root/oauth/user.

5. Click Test to verify that the Azure information is valid.

6. Complete one of the following actions to log in to a user account:

  • If you configured the environment to use Skype for Business on-premises:
    a. Enter a user email address and password.
    b. Click Test.

  • If you configured the environment to use Skype for Business Online:
    a. Click Test.
    b. Sign in to a user account.

7. Click Save.

8. Complete one of the following actions:

  • If you configured the Presence service for Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business on-premises using trusted application mode, start the Good Technology Presence service. Make sure that you save the configuration in the Dashboard before starting the service.

  • If you configured the Presence service for Skype for Business Online or Skype for Business on-premises using non-trusted application mode only, you do not need to start the Good Technology Presence service. Skype for Business Online and Skype for Business on-premises using non-trusted application mode do not require the Presence service to view users' presence status. If you try to start the service, the following error message is displayed: Windows could not start the Good Technology Presence service on Local Computer. Error 5: Access denied.

  • If you configured the Presence service for Skype for Business Online or Skype for Business on-premises using non-trusted application mode only, restart the Good Technology Common Services so that the BEMS cache uses memory instead of Redis.

Obtain an Azure app ID for BlackBerry Work

If you are configuring Office 365 settings in the app configuration for BlackBerry Work, you may need to obtain and copy the Azure app ID for BlackBerry Work.

1. Log on to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app. This is the name that users will see.
6. Select a supported account type.
7. In the Redirect URI drop-down list, select Public client (mobile & desktop) and enter com.blackberry.work://connect/o365/redirect
8. Click Register.
9. In the Manage section, click API permissions.
10. Click Add a permission.
11. In the Select an API section, click the Microsoft APIs tab.
12. Complete one or more of the following tasks, depending on your environment. Delegated permissions act on behalf of the signed-in user; grant only the sets that match the services you actually use.

If your environment is configured to use Microsoft Office 365
  a. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
  b. In delegated permissions, select the following permissions:
    • Sign in and read user profile (User > User.Read)
    • Send mail as a user (Mail > Mail.Send)
  c. Click one of the following:
    • If Microsoft Graph already existed in the API permissions, click Update permissions.
    • If you needed to add Microsoft Graph, click Create.
  d. Click Add permissions.

If your environment is configured to use Microsoft Exchange Online for email
  a. Click Exchange.
  b. In delegated permissions, select Access mailboxes as the signed-in user via Exchange Web Services (EWS > EWS.AccessAsUser.All).
  c. Click Add permissions.

If your environment is configured for Microsoft Exchange Online and uses Skype for Business Online for meetings
  a. Click Exchange.
  b. Click Delegated permissions, click expand all, and make sure that all options are selected.
  c. Click Add permissions.
  d. Click Skype for Business.
  e. Click Delegated permissions, click expand all, and make sure that all options are selected.
  f. Click Add permissions.

If your environment is configured to use Microsoft SharePoint Online or Azure-IP to enable modern authentication for the BlackBerry Work client
  a. Click the APIs my organization uses tab.
  b. Search for and click the BEMS app that you created in Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service. For example, AzureAppIDforBEMS.
  c. Click Delegated permissions, click expand all, and make sure that all options are selected.
  d. Click Add permissions.

13. Click Grant Permissions to apply the permissions for the app. The settings are not applied to the app until you have granted the updated permissions.
14. Click Yes.
15. Allow BlackBerry Work to use the implicit grant to request the token directly from the authorization endpoint:
  a. In the Manage section, click Authentication.
  b. Under Implicit grant, select the ID tokens checkbox.
  c. For Default client type, select Yes. This treats the registration as a public client, which is appropriate for a mobile app that cannot protect a client secret.
  d. Click Save.
16. Click Yes. You can now copy the Application ID for the app that you created: in the Manage section, click Overview. The ID is located under the name of the app, in the Application (client) ID field.

Configure Jabber for the Presence service

Complete this task only if you have a Cisco Unified CM IM and Presence server in your environment.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If necessary, click Service Account and type the login credentials for the BEMS service account.
3. Click Jabber.
4. In the Cisco Unified Communications Manager User Data Service (UDS) FQDN field, enter the FQDN of the Cisco Unified Communications Manager server that the Jabber Presence Provider (JPP) needs to access to query the contact cards.
5. In the Cisco Unified Communications Manager User Data Service (UDS) port field, enter the Cisco Unified Communications Manager server port number that JPP uses with the ciscoUDSServer to query the contact cards. For example, 8443.
6. In the Presence SIP domain field, enter the domain that the Cisco Unified CM IM and Presence server is located in.
7. In the Cisco Unified Communications Manager Server User field, enter the Cisco Unified Communications Manager end user. This is the user you created in Create a Dummy User. If you install multiple BEMS instances, you must use the same user account for each instance.
8. In the REST-based Client Configuration Web Service Endpoint field, enter the web address of the computer hosting the REST-based Client Configuration Web Service. This must be the Cisco IM and Presence server that the dummy user is assigned to. For example, https://<Cisco IM and Presence FQDN>:8443/EPASSoap/service.
9. In the REST-based Presence Web Service Endpoint field, enter the web address of the computer hosting the REST-based Presence Web Service. This must be the Cisco IM and Presence server that the dummy user is assigned to. For example, https://<Cisco IM and Presence FQDN>:8083/presence-service.
10. In the Application Username field, enter the username of the application user. If you install multiple BEMS instances, you must use a different username for each instance.
11. In the Application Password field, enter the password of the application user.
12. In the BEMS Presence Keystore File Location field, enter the location of the Java keystore file into which you imported the Cisco certificates when you completed the task Import non-public certificates to BEMS. For example, %JAVA_HOME%\lib\security\cacerts.
13. Click Test to verify that the fields are completed. The test does not verify that the information in the fields is accurate.
14. Click Save.

Manually configure the Presence service for multiple application endpoints
You can manually configure multiple application endpoints for BlackBerry Presence to distribute Presence subscriptions between multiple endpoints on a single BEMS instance. Cisco Jabber and Skype for Business Online do not support multiple application endpoints.

Before you begin: You must have Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business set up in your environment.

1. On the computer that hosts BEMS, navigate to the LyncPresenceProviderService.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence.

2. In a text editor, open LyncPresenceProviderService.exe.config and record the values of the following properties:

  • UCMA_APPLICATION_NAME
  • LYNC_TRUSTED_APPLICATION_POOL
  • UCMA_ENDPOINT_SIP

3. Determine a naming convention for the additional Trusted Application Endpoints (virtual SIP addresses). By default, the format of the existing SIP address is sip:presence_<BEMSFQDN>@<SIPDomain>. For example, you might name the additional endpoints sip:presence2_<BEMSFQDN>@<SIPDomain>, sip:presence3_<BEMSFQDN>@<SIPDomain>, and so on.

4. Create the additional Trusted Application Endpoints in the Microsoft Lync Server or Skype for Business topology using the information from steps 2 and 3. For instructions on creating additional Trusted Application Endpoints, see Prepare additional computers hosting BEMS.

5. In a text editor, open LyncPresenceProviderService.exe.config.

6. Locate the <ucmaEndpointSips> section. Add the new application endpoints that you published in step 4. For example:

   <ucmaEndpointSips>
     <collection>
       <add item="sip:presence_<BEMSFQDN>@<SIPDomain>" />
       <add item="sip:presence2_<BEMSFQDN>@<SIPDomain>" />
       <add item="sip:presence3_<BEMSFQDN>@<SIPDomain>" />
     </collection>
   </ucmaEndpointSips>

7. Specify the maximum number of contact subscriptions that each application endpoint can manage. By default, MAX_SUBSCRIPTIONS_PER_ENDPOINT is 1000. You can specify a value between 1 and 5000. For example, to allow each application endpoint to manage 2000 contact subscriptions, locate the MAX_SUBSCRIPTIONS_PER_ENDPOINT key and change the value:

   <add key="MAX_SUBSCRIPTIONS_PER_ENDPOINT" value="2000" />

Note: MAX_SUBSCRIPTIONS_PER_ENDPOINT does not load balance subscriptions across all endpoints. Endpoints are filled in order: the first endpoint receives the first 2000 subscriptions, the next endpoint receives the next 2000, and so on. Size the number of endpoints so that the endpoint count multiplied by MAX_SUBSCRIPTIONS_PER_ENDPOINT exceeds the number of contact subscriptions you expect.

8. Save the file.
9. Restart the Good Technology Presence service from the Windows Service Manager.
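The following Python script is an added example, not BlackBerry tooling or text from this guide. It applies the procedure above to a constructed fragment of LyncPresenceProviderService.exe.config: it derives endpoint SIP addresses from the default naming pattern (the presence2_, presence3_ suffixes are an assumed convention, the page leaves the choice to you), adds any endpoints that are not yet listed under <ucmaEndpointSips>, enforces the 1 to 5000 range for MAX_SUBSCRIPTIONS_PER_ENDPOINT, and models the fill-in-order allocation the note describes so you can check capacity before restarting the service. The hostnames and the existing key values in the sample are constructed.

```python
"""Added example (not BlackBerry's code): prepare the multiple-endpoint edits for
LyncPresenceProviderService.exe.config and check subscription capacity."""
import xml.etree.ElementTree as ET

# Constructed sample of the parts of LyncPresenceProviderService.exe.config the
# procedure touches. A real file carries many more keys; names here are invented.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="UCMA_APPLICATION_NAME" value="appid_connect.mycompany.com" />
    <add key="LYNC_TRUSTED_APPLICATION_POOL" value="bemspool.mycompany.com" />
    <add key="UCMA_ENDPOINT_SIP" value="sip:presence_bems01.mycompany.com@mycompany.com" />
    <add key="MAX_SUBSCRIPTIONS_PER_ENDPOINT" value="1000" />
  </appSettings>
  <ucmaEndpointSips>
    <collection>
      <add item="sip:presence_bems01.mycompany.com@mycompany.com" />
    </collection>
  </ucmaEndpointSips>
</configuration>
"""


def endpoint_names(bems_fqdn, sip_domain, count):
    """Assumed naming convention: the first endpoint keeps the default
    presence_<FQDN> name; additional ones are presence2_, presence3_, ...
    Every name returned must also exist as a Trusted Application Endpoint
    in the Lync / Skype for Business topology (step 4 of the procedure)."""
    names = ["sip:presence_%s@%s" % (bems_fqdn, sip_domain)]
    for i in range(2, count + 1):
        names.append("sip:presence%d_%s@%s" % (i, bems_fqdn, sip_domain))
    return names


def set_app_setting(root, key, value):
    """Update an <add key=.../> under <appSettings>, creating it if absent."""
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == key:
            add.set("value", str(value))
            return
    ET.SubElement(root.find("appSettings"), "add", key=key, value=str(value))


def configure_endpoints(config_xml, endpoints, max_subscriptions):
    """Return the edited config text with the endpoints listed and the
    per-endpoint limit set. Existing entries are kept, duplicates skipped."""
    if not 1 <= max_subscriptions <= 5000:
        raise ValueError("MAX_SUBSCRIPTIONS_PER_ENDPOINT must be between 1 and 5000")
    root = ET.fromstring(config_xml)
    coll = root.find("./ucmaEndpointSips/collection")
    present = {a.get("item") for a in coll.iterfind("add")}
    for ep in endpoints:
        if ep not in present:
            ET.SubElement(coll, "add", item=ep)
            present.add(ep)
    set_app_setting(root, "MAX_SUBSCRIPTIONS_PER_ENDPOINT", max_subscriptions)
    return ET.tostring(root, encoding="unicode")


def configured_endpoints(config_xml):
    """List the endpoints currently declared under <ucmaEndpointSips>."""
    root = ET.fromstring(config_xml)
    return [a.get("item") for a in root.iterfind("./ucmaEndpointSips/collection/add")]


def subscriptions_per_endpoint(total, endpoints, max_per_endpoint):
    """Model the allocation the page's note describes: endpoints are filled in
    order rather than balanced, so endpoint 1 takes max_per_endpoint
    subscriptions before endpoint 2 receives any. Raises when the configured
    endpoints cannot absorb the expected total."""
    capacity = max_per_endpoint * len(endpoints)
    if total > capacity:
        raise ValueError("%d subscriptions exceed capacity %d; add endpoints" % (total, capacity))
    load, remaining = {}, total
    for ep in endpoints:
        load[ep] = min(remaining, max_per_endpoint)
        remaining -= load[ep]
    return load


if __name__ == "__main__":
    eps = endpoint_names("bems01.mycompany.com", "mycompany.com", 3)
    print(configure_endpoints(SAMPLE_CONFIG, eps, 2000))
    print(subscriptions_per_endpoint(4500, eps, 2000))
```

The script does not touch the service itself; copy the printed XML over the relevant sections, save, and restart the Good Technology Presence service as step 9 describes. The same set_app_setting helper applies to any other key in the same file.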

Configuring BlackBerry UEM for BlackBerry Presence
BlackBerry Presence is one of three services, along with BlackBerry FollowMe and BlackBerry Directory Lookup, that are enabled through BlackBerry UEM using the Good Enterprise Services entitlement app. You add BEMS as the application server to the Good Enterprise Services entitlement once to enable all three services.

If you completed Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes when you configured BlackBerry Push Notifications, no additional configuration is required.

Configuring the Presence service for high availability
The BlackBerry Presence service supports high availability through additional BEMS servers running the Presence service.

When you configure Presence for high availability, you perform the following actions:

1. Configure each new Presence instance to use the same BlackBerry Proxy server.
2. Add the new computer hosting the Presence service instance to BlackBerry UEM.
3. Configure each new Presence instance in BlackBerry UEM for the Good Enterprise Services (com.good.gdservice-entitlement.enterprise) app.

For example, your environment has the following Microsoft Lync Server or Skype for Business front-end pools:

• Pool1 is for general use
• Pool2 is for high availability use

If you create a Trusted Application Pool for Pool1, it is recommended that you create an additional Trusted Application Pool for the high availability instances. The additional Trusted Application Pool is created in your front-end high availability pool.

Configuring the Presence service for disaster recovery
Disaster recovery for BlackBerry Presence is based on an active/warm standby clustering model.

Before you add a Presence instance for disaster recovery, complete the following actions:

1. Evaluate your Microsoft Lync Server or Skype for Business disaster recovery strategy. If you have separate Front End pools for disaster recovery, it is recommended that you create a separate Trusted Application Pool for your disaster recovery BlackBerry Presence instances. This separate Trusted Application Pool should be associated with the disaster recovery Front End pool. Associate all disaster recovery Presence instances with this Trusted Application Pool. If you do not have separate Front End pools for disaster recovery, a single Trusted Application Pool is fine, but you must make sure that your Lync disaster recovery strategy properly preserves the Trusted Application Pool in the event of a failover.

Note: Presence and Connect can use the same Trusted Application Pool for disaster recovery.

2. Ensure that the appropriate network ports are open to allow the Presence servers in your disaster recovery site to communicate with the database, the Microsoft Lync Server or Skype for Business Server, the Microsoft Lync Server or Skype for Business database, and the BlackBerry Proxy servers in your disaster recovery and primary sites.

Add a new Presence service instance for disaster recovery

Complete this task only if you installed the Presence service on a separate computer.

Allow your disaster recovery BlackBerry Presence instance server host and port in BlackBerry UEM. Make sure to specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services.

After you finish: After the disaster recovery Presence instance is installed and configured, stop the Good Technology Presence service. This places the disaster recovery Presence instance in warm standby.

Failover in disaster recovery

1. Stop the Good Technology Presence service on all your primary Presence instances.
2. Start the Good Technology Presence service on your disaster recovery Presence instance.

Using friendly names for certificates in Presence
Note: Friendly names for certificates apply only to environments that use Microsoft Lync Server or Skype for Business on-premises in trusted application mode.

The friendly name of a certificate is helpful when multiple certificates with a similar subject exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified.

You can restrict the certificates used for BlackBerry Presence to a friendly name by completing the following actions:

1. If you do not have one, create and enroll a certificate.
2. Change the certificate friendly name and description.
3. Set the new certificate friendly name string value in the BEMS Lync Presence Provider (LPP) service configuration file (LyncPresenceProviderService.exe.config).

If you do not already have a certificate, you can create and verify a BEMS SSL certificate for Lync. For more information, see Create and add the BEMS SSL certificate for Microsoft Lync Server 2010, Microsoft Lync Server 2013, and Skype for Business.

Change the certificate friendly name description

1. Open the Microsoft Management Console (MMC).
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins column, click Certificates > Add.
5. Select Computer account. Click Next.
6. Select Local Computer. Click Finish.
7. Click OK.
8. Click Certificates (Local Computer) > Personal > Certificates.
9. Double-click the certificate you want to change.
10. Click the Details tab.
11. In the Show drop-down list, click <All>.
12. Click Edit Properties.
13. In the Friendly name field, type a friendly name.
14. In the Description field, type a description.
15. Click Apply.
16. Click OK. Click OK again.

After you finish: Specify the certificate's friendly name in the configuration file for the Presence service.

Add the certificate friendly name to the Presence server configuration file

Before you begin: Specify the certificate friendly name.

1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence.
2. At the end of the file, type <add key="RESTRICT_CERT_BY_FRIENDLY_NAME" value="<cert_friendly_name>"/>. The cert_friendly_name value is case sensitive and must match the friendly name you set exactly; a mismatch leaves the service unable to select the certificate.
3. Save your changes.
4. Start the Good Technology Presence service.

Troubleshooting BlackBerry Presence issues
BEMS-Presence writes information to log files in the bemslogs folder. These log files are required when troubleshooting Presence issues. If your environment is configured for Microsoft Lync Server or Skype for Business on-premises in trusted application mode, additional log text files, LPP-log.txt, are created.

Finding log files

By default, a server log file is created for each BEMS server and is stored daily on the computer that hosts BEMS.

BEMS-Core names the log files gems_<server_name_time stamp>.log.

By default, the BEMS log files are stored daily in C:\BlackBerry\bemslogs.

Note: The timestamp is reset daily at 0:00. It is also reset each time that the Presence service is restarted and when the file reaches its maximum size of 100 MB.

A new log file is not generated when the Presence service is restarted. When the log file reaches 10 MB, a new log is created. When 20 log files exist, the oldest log files are automatically deleted.

When using BEMS-Presence for Microsoft Lync Server or Skype for Business on-premises in trusted application mode, the Presence service also writes Lync Presence Provider log files named LPP-log.txt. By default, these log files are stored in C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence\Logs\.

Configuring the BlackBerry Docs service
You use the BEMS dashboard to configure and maintain document and file repositories (for example, file shares, Microsoft SharePoint, Box, and CMIS-supported content management systems) and user access policies for mobile app users of the service.

When you configure the BlackBerry Docs service, you configure the following components:

1. Web Proxy
2. Database
3. Repositories
4. Storages
5. Settings
6. Audit

Configure a web proxy server for the Docs service
If you use a web proxy to connect your enterprise servers to the Internet for Microsoft SharePoint, Microsoft SharePoint Online, and Microsoft Office Web Apps (OWAS), you must enable Use Web Proxy and configure the proxy's address, port, and authentication type for the Docs service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Web Proxy.
3. Select Use Web Proxy.
4. In the Proxy Address field, type the FQDN of the web proxy server.
5. In the Proxy port field, type the port number of the proxy server.
6. In the Proxy Server Authentication Type drop-down list, click an authentication type. If you select Basic or NTLM authentication, enter the required login credentials.
7. Click Test to verify the connection to the proxy server.
8. Click Save.

Configure the database for the BlackBerry Docs service
When configuring the Microsoft SQL Server database for BEMS-Docs, you can use either Windows authentication or SQL Server authentication to grant BEMS access to the database. After restarting the Good Technology Common Services, perform the following steps for the authentication type you choose.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Database.
3. Enter the Microsoft SQL Server name and the database name.
4. In the Authentication Type drop-down list, select one of the following options:
  • If you select Windows Authentication, the credentials of the Windows service account configured for BEMS are used.
  • If you select SQL Server Login, enter the Microsoft SQL Server username and password.
5. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.
6. Click Test to verify the connection with the Microsoft SQL Server database.
7. Click Save.
8. Restart the Good Technology Common Services service.

Repositories
The Docs service gives your end users access to stored enterprise data from their mobile devices. A Docs repository (also called a "share") lives on an enterprise server and contains files shared by authorized users.

Before you configure your repositories, configure the Docs security settings, and then configure BlackBerry UEM to entitle your users so that they can access from their devices the repositories you add and define. For more information about setting up and maintaining your enterprise shares in BEMS and the associated user access, see Managing Repositories.

Storage services
The Docs service supports a number of storage services, including File Share, Microsoft SharePoint, Box, and CMIS-based providers.

The Docs service supports adding or deleting access to storage providers and their repositories from BEMS. By default, BEMS allows corporate box.com cloud storage users to view Box repositories using BlackBerry Work Docs. If you delete the predefined Box storage, the hidden authentication parameters are also removed. For more information about determining whether you are using a non-default Box storage and how to re-add the default Box storage, visit support.blackberry.com/community to read article 48469.

Note: Only Microsoft Active Directory users are supported for CMIS. That is, the content management system must be connected to Microsoft Active Directory for user authentication for Docs to support it.

Authentication providers
The following table lists the available authentication providers and the storage provider that each can be used for. For instructions on adding storage services, see Add a CMIS storage service and Enable modern authentication for Microsoft SharePoint Online.

Authentication provider                        Storage provider
Windows - Explicit Credentials                 File Share, SharePoint
Windows - Kerberos Constrained Delegation      File Share, SharePoint
OAuth2                                         Box
Explicit Credentials                           Workspaces
Modern                                         SharePoint Online

Configure the Docs security settings
Docs security settings control the acceptable Microsoft SharePoint Online domains, the URL of the approved Microsoft Office Web Apps server (OWAS), the LDAP domains to use, whether to use Kerberos constrained delegation for user authentication, and Azure-IP authentication. Delegation allows a service to impersonate a user account to access resources throughout the network. Constrained delegation limits this trust to a select group of services explicitly specified by a domain administrator, so a compromised BEMS host cannot be used to impersonate users against arbitrary services.

Before you begin: Verify that one or more of the following are configured in your environment:

• Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring Kerberos constrained delegation for the Docs service.

• Resource-based Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring resource based Kerberos constrained delegation for the Docs service.

• If your environment is configured to use Azure-IP, have the following information. For instructions, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
  • Azure Tenant Name
  • BEMS Service Azure Application ID
  • BEMS Service Azure Application Key

• Optionally, you can configure BEMS to allow users to authenticate to Microsoft SharePoint Online with an email address that is different from the email address that was used to install and activate BlackBerry Work. For instructions, see Enable the use of an alternate email address to authenticate to BEMS-Docs.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. Select the Enable Kerberos Constrained Delegation checkbox to allow Docs to use Kerberos constrained delegation.
4. Enter each of the Microsoft SharePoint Online domains you plan to make available, separated by commas. For more information, see Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business.
5. Enter the URL of your approved Office Web Apps server.
6. Enter your Microsoft Active Directory user domains (separated by commas), then enter the corresponding LDAP Port. LDAP (Lightweight Directory Access Protocol) is used to look up users and their membership in user groups.
7. Select the Use SSL for LDAP checkbox to secure communication with your Microsoft Active Directory servers. Without it, directory lookups are sent unencrypted.
8. Add the Workspaces Public Key. Adding the public key allows BEMS and the BlackBerry Workspaces server to communicate with each other. For more information about locating the public key, contact BlackBerry Technical Support Services.
9. Select the Enable Azure Information Protection checkbox to allow Docs to authenticate to Azure-IP. Complete the Azure registration fields so that Docs can decrypt protected documents and confirm the rights a given user has on a document.
10. Click Save.
11. Restart the Good Technology Common Services for the changes to take effect.

Enable the use of an alternate email address to authenticate to BEMS-Docs

You can configure BEMS to allow users to authenticate to Microsoft SharePoint Online with an email address that is different from the email address that was used to install and activate BlackBerry Work. Complete this task only if your environment is configured to use one of the following:

• Windows authentication: you can configure BEMS to use the UserPrincipalName (UPN), the email address, or any other Active Directory attribute to authenticate to Microsoft SharePoint Online. By default, the UserPrincipalName attribute is used.

• Modern authentication: you can configure BEMS to skip validating the email address when users authenticate to Microsoft SharePoint Online, or when the environment uses Azure-IP.

1. Sign in to the computer that is running the BEMS-Docs service.
2. In a browser, open the Apache Karaf Web Console Configuration web site. Type https://localhost:8443/system/console/configMgr and log in as an administrator with the appropriate Microsoft Active Directory credentials.
3. On the menu, click Main > Gogo.
4. In the command field, type one of the following commands:

Authenticate to Microsoft SharePoint Online using the mail attribute
  Command: docs:config SAMLUsernameAttribute mail
  Allows users to use their email address to authenticate to Microsoft SharePoint Online instead of their userPrincipalName. To use the users' UPN again, type docs:config SAMLUsernameAttribute UserPrincipalName

Disable user validation when authenticating to Microsoft SharePoint Online configured for modern authentication, or to Azure-IP
  Command: docs:config adal.uservalidation.skip 1
  Disables validation of the user's email address. This removes the check that the account that signed in to Azure AD matches the account that activated BlackBerry Work, so enable it only where the alternate-address requirement makes it necessary.

5. Close the browser.

Configure your Audit properties
The Audit settings enable or disable the Docs service audit logs. When you enable audit logs, actions are logged to the database (for example, user downloads, deletions, browsing history, and files created).

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Audit.
3. On the Audit Settings tab, select the Enable Audit Logs checkbox.
4. In the Audit Operations section, select the audit operations you want logged.
5. Click Save. It can take up to two minutes for the changes to take effect.
6. Optionally, on the Audit Purge tab, in the Purge audit logs from the database before field, select a purge-before date. Click Purge to remove audit records logged to the database earlier than the selected date. Purged records cannot be recovered, so export any records you may need for an investigation before purging.

After you finish:

• Configure BlackBerry UEM to entitle your users, using user groups, to use the Docs service. After user entitlement, see Managing Repositories to set up your file shares, SharePoint sites, and Box storage.

• View the Docs service audit report

View the Docs service audit report

These steps require that you have Microsoft SQL Server and permissions to access it, and that Microsoft SQL Server Reporting Services is available. For more information, see your SQL Server documentation or contact your SQL Server administrator.

1. With SQL Server administrator permissions, in a browser, open Microsoft SQL Server Reporting Services. By default, the web address is http://<SQL Server hostname>/reports
2. Start the Report Builder.
3. Create a new report.
4. Create a data source connection. Specify the following fields:
  • Name: enter a descriptive name for the report (for example, docs_audit_report_date)
  • Select connection type: select Microsoft SQL Server.
  • Connection string: if required, enter a string that points to the Docs database that contains the FSBAudit table.
5. Design the query. Specify the following settings:
  • Database view column: under Tables, select FSBAudit and AuditActionType.
  • Select fields section: create a relationship between the two tables. Click ActionName > AutoDetect.
  • Arrange fields screen: arrange the fields to group the data and values the way you want them displayed. For example, to create a report based on the username:
    • Available fields column: select ActionPath.
    • Row groups column: select Username to display the user who completed the action.
    • Values column: specify the values to display in the table (for example, action time, action type, and action path).
      • ActionTime: when the action occurred.
      • ActionType: the action (for example, accessing or downloading a file).
      • ActionPath: the path of the file on which the action was completed.
6. Save the settings and run the report. The report is saved to Microsoft SQL Server Reporting Services.
7. Double-click the report that you want to view.

Add an app server hosting the BlackBerry Docs app to a BlackBerry Dynamics connectivity profile

If you have a BlackBerry Docs app that is served from an app server or web server, you can specify the name of that server and the priority of the BlackBerry Proxy clusters used for communication with it.

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click + to create a new connectivity profile or click the BlackBerry Dynamics connectivity profile that you want to add an app server to.
4. If necessary, click the edit icon.
5. Under App servers, click Add.
6. Select the Feature - Docs Service Entitlement app that you want to add an app server for.
7. Click Save.
8. In the table for the app, click +.
9. In the Server field, specify the FQDN of the BEMS server.
10. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the server. By default, the port is 8443.
11. In the Priority drop-down list, specify the priority of this or these servers as primary.
12. In the Primary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster (primary cluster 1) that you want to set as the primary cluster.
13. In the Secondary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
14. Click Save.

Configuring BlackBerry UEM for the BlackBerry Docs service

For users to access, synchronize, and share documents natively using their enterprise file server, SharePoint, Box, and content management systems supporting CMIS, without the need for VPN software, firewall reconfiguration, or duplicate data stores, app entitlements must be assigned to the organization before the users can use the BlackBerry Docs app. For more information about managing BlackBerry Work, see the BlackBerry Work, BlackBerry Notes, and BlackBerry Tasks Administration content.

Configuring Docs for Rights Management Services

Active Directory Rights Management Services (AD RMS) and Azure-IP RMS from Microsoft allow documents to be protected against access by unauthorized people by storing permissions to the documents in the document file itself. Access restrictions can be enforced wherever the document resides or is copied or forwarded to. For documents to be protected with AD RMS or Azure-IP RMS, the app that the document is associated with must be RMS aware. For more information about AD RMS and Azure-IP RMS, visit Comparing Azure Information Protection and AD RMS.

Note: For this release, BEMS doesn't support both the AD RMS and Azure-IP RMS in the same environment. 

Support for RMS protected documents is provided through two methods: 

• In Docs and BlackBerry Work, support for RMS protected documents is provided through the Microsoft Office Web Apps server with viewing and editing enabled through the BlackBerry Access browser. Note that while BlackBerry Access browser is a BlackBerry Dynamics app with all the secure features it provides, it has only partial support for RMS features.

• In BlackBerry Work, support for RMS protected documents is provided directly in BlackBerry Work and through BlackBerry Work.

The following table compares the features of RMS protected documents in BlackBerry Work and through BlackBerry Access. These features require a client that is RMS aware.

Features

RMS protected documents directly in BlackBerry Work:

• View protected documents directly in BlackBerry Work. This feature requires BEMS 2.10 or later.
• Protect unprotected documents in BlackBerry Work. This feature requires BEMS 2.12 or later.
• Change permissions for documents in BlackBerry Work. This feature requires BEMS 2.12 or later.
• Upload a new file and save it as protected. This feature requires BEMS 2.12 or later and BlackBerry Work app 2.18 or later.

RMS protected documents through BlackBerry Access:

• View and edit protected documents in Docs and BlackBerry Work through the BlackBerry Access browser.

Security

• Users can save what is on screen as a web clip and this screenshot file can be shared with other BlackBerry Dynamics apps. Mitigation is to disable web clips in the BlackBerry Access policy.
• Share the Microsoft Office Web Apps URL that is used to render the document viewing or editing with other BlackBerry Dynamics apps. The URL expires in thirty minutes but during this time, other BlackBerry Dynamics apps might be able to access it without any authentication. For example, if it is shared with BlackBerry Work, the URL can be emailed to others. If it is shared with a BlackBerry Dynamics app that allows printing, then the page that is rendered might be printed. Mitigation would be to enable user agent in the BlackBerry Access policy and then use it to create filtering rules in the Microsoft Office Web Apps server so that only BlackBerry Access is able to access the URL. The Microsoft IIS URL Rewrite extension can be used to create the rules.
• Users can save what is on screen as a web clip and this screenshot file can be shared with other BlackBerry Dynamics apps. Mitigation is to disable web clips in BlackBerry Access policy.
• When editing a document, by default, copy and paste of content would be possible by default policies only within the BlackBerry Dynamics secure container environment. Ensure that the protection provided is adequate given these limitations and satisfies your RMS protection requirements before enabling this support.

Rights Management Services restrictions

The following Rights Management Services (RMS) restrictions are respected by the Docs service:

• View right is required to view documents.
• Edit right is required to edit documents.
• Print or Export rights are required to convert documents to PDF.
• If a user is the owner of a document and the "Grant owner full control" right is set, then viewing, editing, and converting to PDF is allowed.
• If the current date is beyond the content expiry date, then no access to the document is allowed except when the user is owner and the "Grant owner full control" right is set.
• Revocation of rights is respected.
• Use licenses are acquired on every use of the document.
• Both template-based and custom protection on documents are honored.
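The restrictions above compose into a single access decision, and the order in which they are checked matters (revocation and expiry come before the per-operation rights, and owner full control overrides both expiry and the per-operation rights). The following is an added example, not BEMS or Microsoft RMS code: it models a protected document, acquires a fresh use license on every use so that revocation is honoured, and evaluates the rules from the list. The right names, the document and license model, and the sample users are constructed for illustration.

```python
"""Access decision for an RMS-protected document, modelled on the Rights
Management Services restrictions the Docs service respects.

Added example, not BEMS or Microsoft RMS code: the document model, the per-use
license, the right-name constants and the sample users are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Right names as the guide refers to them (constructed string constants).
VIEW, EDIT, PRINT, EXPORT = "View", "Edit", "Print", "Export"
OWNER_FULL_CONTROL = "Grant owner full control"

# Right(s) each Docs operation needs. Converting to PDF needs Print OR Export,
# so that operation lists two acceptable alternatives.
REQUIRED_RIGHTS: Dict[str, Tuple[FrozenSet[str], ...]] = {
    "view": (frozenset({VIEW}),),
    "edit": (frozenset({EDIT}),),
    "convert_to_pdf": (frozenset({PRINT}), frozenset({EXPORT})),
}


@dataclass
class ProtectedDocument:
    """Constructed model of the protection that RMS stores in the file itself."""
    owner: str
    rights: Dict[str, FrozenSet[str]]        # user -> rights granted to that user
    expires: Optional[datetime] = None       # content expiry date; None = never
    revoked_users: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class UseLicense:
    """What a single use license tells the client about one user's access."""
    user: str
    rights: FrozenSet[str]
    is_owner: bool
    expires: Optional[datetime]


def acquire_use_license(doc: ProtectedDocument, user: str) -> Optional[UseLicense]:
    """Acquire a fresh use license for this use of the document.

    A license is acquired on every use, which is what makes revocation take
    effect: a revoked user gets no license rather than a cached, stale one."""
    if user in doc.revoked_users:
        return None
    return UseLicense(user=user, rights=doc.rights.get(user, frozenset()),
                      is_owner=(user == doc.owner), expires=doc.expires)


def decide(lic: Optional[UseLicense], operation: str, now: datetime) -> bool:
    """Apply the restrictions in order: revocation, expiry, owner full control,
    then the right(s) the requested operation needs."""
    if lic is None:                                   # rights were revoked
        return False
    if operation not in REQUIRED_RIGHTS:
        raise ValueError(f"unknown operation: {operation}")
    owner_override = lic.is_owner and OWNER_FULL_CONTROL in lic.rights
    if lic.expires is not None and now > lic.expires:
        return owner_override                         # expired: owner with full control only
    if owner_override:
        return True                                   # view, edit and convert all allowed
    return any(needed <= lic.rights for needed in REQUIRED_RIGHTS[operation])


def attempt(doc: ProtectedDocument, user: str, operation: str,
            now: Optional[datetime] = None) -> bool:
    """One use of the document: acquire a license, then decide."""
    now = now or datetime.now(timezone.utc)
    return decide(acquire_use_license(doc, user), operation, now)


# Constructed sample: alice owns the file; dave's rights have been revoked.
SAMPLE_DOC = ProtectedDocument(
    owner="alice",
    rights={
        "alice": frozenset({VIEW, EDIT, OWNER_FULL_CONTROL}),
        "bob": frozenset({VIEW}),
        "carol": frozenset({VIEW, EDIT, EXPORT}),
        "dave": frozenset({VIEW, EDIT, PRINT}),
    },
    expires=datetime(2020, 1, 1, tzinfo=timezone.utc),
    revoked_users=frozenset({"dave"}),
)
BEFORE_EXPIRY = datetime(2019, 10, 28, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for op in REQUIRED_RIGHTS:
            print(f"{user:6} {op:15} before expiry: {attempt(SAMPLE_DOC, user, op, BEFORE_EXPIRY)!s:5} "
                  f"after expiry: {attempt(SAMPLE_DOC, user, op, AFTER_EXPIRY)}")
```

Running the block prints the decision matrix for the four sample users: bob can only view, carol can convert to PDF because Export is one of the two accepted rights, dave is denied everything because no license is issued to a revoked user, and after the expiry date only alice retains access, through owner full control.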


Docs deployment for Active Directory Rights Management Services support

1. On the computer that hosts BEMS, install the Rights Management Services Client 2.1. To download the client, visit www.microsoft.com/downloads and search for ID=38396.
2. If using self-signed certificates in AD RMS server, add the SSL certificate for https://<AD RMS server URL> to the trusted CA list.
3. In Internet Explorer, add https://<AD RMS server URL> to the Local Intranet site list.
4. Install the Docs service with BEMS common services service running as a domain user.
5. If a super users group is not already configured in AD RMS server, configure one. Then add the BEMS process user (BEMS common services service user) to this AD RMS super users group.
6. On the AD RMS server, find the file %systemdrive%\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx and add Read and Read & Execute permissions for the following:

   • the "AD RMS Service Group". Note: The AD RMS Service Group is a local group and not a domain group.
   • the computer account for each of the BEMS servers.
   • the BEMS common services service user.

Steps to deploy Azure IP Rights Management Services support for the Docs service

When you configure Azure IP RMS support for the Docs service, you complete the following steps:

Step 1: On the computer that hosts BEMS, install the Rights Management Services Client 2.1. To download the client, visit www.microsoft.com/downloads and search for ID=38396.

Step 2: Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.

Step 3: If necessary, migrate any labels that you need in the environment.

Note: BEMS-Docs service only supports migrated unified labels. For instructions to migrate labels, visit https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels.

Step 4: Convert protection templates to labels. For more information about converting templates to labels, visit https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-templates and read "To convert templates to labels".

Step 5: Configure the Docs security settings.

Configuring the Docs instance for high availability

When you configure Docs for high availability, you perform the following actions:

1. Configure each new Docs instance to use the existing database.
2. Configure each new Docs instance to point to the same BlackBerry Proxy server.
3. Add the computer that hosts the Docs service to the entitlement.

Configuring the Docs service for disaster recovery

Disaster Recovery for Docs is based on an active/warm standby clustering model.

Before you add a Docs instance for disaster recovery, you complete the following actions:

1. Evaluate the disaster recovery strategy for your network resources such as File Share, Microsoft SharePoint, Microsoft Office Web Apps (OWAS), and so forth, then make sure your network resources are accessible from your disaster recovery site in the event a disaster recovery situation arises.
2. Configure database replication for the Docs database from your primary site to your disaster recovery site. SQL log shipping is recommended. Consult your database administrator for assistance.
3. Ensure that the appropriate network ports are open to allow Docs servers in your disaster recovery site to communicate with the database, network resources, and Good Proxy servers in your disaster recovery and primary sites.

Add a new Docs instance for disaster recovery

1. Configure your disaster recovery Docs instance to use the Docs database in your primary site.
2. Allow the disaster recovery server that hosts the BlackBerry Docs instance in BlackBerry UEM. Make sure your disaster recovery Docs instance uses the primary BlackBerry Proxy server in the cluster.
3. Configure your disaster recovery Docs instance in BlackBerry UEM for the BlackBerry Work App. Make sure the Priority is set to Secondary or Tertiary.
4. Add the server, or servers if the Docs service is installed on a separate computer, to the entitlement. Make sure to specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services.

After you finish: After the disaster recovery Docs instance is installed and configured, stop the Good Technology Common Services. This places the disaster recovery Docs instance in warm standby.

Allow the disaster recovery server that hosts the BlackBerry Docs instance in BlackBerry UEM

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click + to create a new connectivity profile or click the Default connectivity profile to edit it.
4. In the Additional servers section, click +.
5. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
6. In the Port field, specify the port for the BlackBerry Enterprise Mobility Server. By default, the port number is 8443.
7. In the Primary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the primary cluster. Make sure you set the priority of the server to be secondary.
8. Click Save.
9. In the App servers section, click Add.
10. Search for and select BlackBerry Work.
11. Click Save.
12. In the table for the app, click +.
13. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
14. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
15. In the Priority drop-down list, specify the priority of the BlackBerry Proxy cluster that must be used to reach the domain. Select Secondary or Tertiary. Make sure you select the BlackBerry Proxy cluster of the new cluster.
16. Click Save.

Failover in disaster recovery

1. Stop the BlackBerry Common Services on all your primary Docs instances.
2. Fail over your Docs database on your database server (for example, make the Docs database in your disaster recovery site active).
3. Fail over your database FQDN DNS to your disaster recovery database server.

   If you were not able to fail over the database DNS, then you must log in to the BEMS Dashboard and update the Docs database information to point to your disaster recovery database server. Restart the BlackBerry Common Services for the new database settings to take effect.

4. Start the Good Technology Common Services on your disaster recovery Docs instance.
5. If you also failed over your BlackBerry Proxy servers in this process, you must update the BlackBerry Proxy information in the BEMS Dashboard for the Docs service.

Managing Repositories

BEMS has the following repository storage providers:

File Share: A secure directory on an enterprise file server containing shared files and sub-directories which can be remotely accessed.

SharePoint and SharePoint Online: A secure web server containing shared files which are accessed via the Internet. If your environment is configured for Microsoft OneDrive for Business, the SharePoint Online storage repository is used.

Box: A secure cloud storage account furnished by box.com containing shared files which can be accessed via the Internet.

CMIS-based: Content Management Interoperability Services (CMIS) is an open standard that allows different content management systems to inter-operate over the Internet.

A repository is further categorized in the Docs service by who added and defined it.

Admin-defined: Storage provider sites added and maintained by BEMS administrators to which individual users and user groups are granted access.

User-defined: Sites added by individual end users from their mobile devices to which you, as the BEMS administrator, may rescind and reinstate mobile-based access in accordance with your enterprise IT acceptable-use policies.


Configuring repositories

The Repository configuration page has the following three tabs that you can configure:

Admin defined: Allows you to create and manage repositories, add and remove users and user groups, and assign users and user groups file access and use permissions.

User defined: Allows you to add and remove users and user groups, enable and disable the ability of users and user groups to create user-defined repositories, and grant and rescind permissions to perform a range of file-related actions on their user-defined repositories.

Users: Allows you to search for a user in a Microsoft Active Directory domain to view the repositories permitted by path or override, and who defined the share (for example, administrator or user).

Admin-defined shares 

Shares are document repositories for a particular storage provider. You can further organize your administrator-defined shares into lists. A named (defined) share, however, can only belong to one list. This is enforced to help you avoid unwanted or unintended duplication.

When you define repositories and lists, you perform the following actions:

Step 1: Define a repository.

Step 2: Define a repository list.

Step 3: Define user and user group access permissions.

Granting User Access Permissions

Access permissions are defined for a single repository or inherited from an existing list of repositories. Permissions can be selectively granted to existing Microsoft Active Directory domain users and user groups. At least one user or user group must be added to the repository definition to configure access permissions.

The following table lists the access permissions and the default setting that are available.

Permission: Permissions Attributes (Default setting)

List (Browse): View and browse repository content (for example, subfolders and files) in a displayed list, and sort lists by Name, Date, Size, or Kind (Enabled)

Delete Files: Remove files from the repository (Enabled)

Read (Download): Download repository files to the user's device and open them to read (Enabled)

Write (Upload): Upload files (new/modified) from user's device to the repository for storage (Enabled)

Cache (Offline Files): Temporarily store a cache of repository files on the device for offline access (Enabled)

Open In: Open a file in a format-compatible app on the device (Enabled)

Create Folder: Add new folders to the repository (Enabled)

Copy/Paste: Copy repository file content and paste it into a different file or app (Enabled)

Check In/Check Out: When a file is checked out, the user can edit, close, reopen, and work with the file offline. Other users cannot change the file or see changes until it is checked back in (Enabled, SharePoint only)

Generate Shared Link: Users can generate a link to a file and folder and send the link to recipients. The Generate Shared Link requires an updated BlackBerry Work app. (Enabled, Box only)

Change access permissions

1. On the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click a repository or list.
5. Under Access Permissions, beside the user or user group, select or clear the permission checkbox that you want to change.
6. Click the remove icon beside a user or user group that you want to remove.
7. Click Save.

Define a repository

Microsoft Active Directory users and groups must be added to a repository definition or a list definition before access permissions can be configured. Users and groups added automatically receive the default access permissions.

Before you begin: For users to access their Microsoft SharePoint repositories on their devices, make sure that they have the "Read" permission level and the "Browse Directories" permission assigned.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click New Repository.
5. In the Display Name field, type the name of the repository that will be displayed to users granted mobile access to the repository. The repository name must be unique and can contain spaces. The following special characters cannot be used due to third-party limitations:

   • Microsoft SharePoint 2010, 2013, and 2016: ~ " # % & * : < > ? / \ { | }
   • File Share: \ / : * ? " < > |
   • Box: \ / |

6. In the Storage drop-down list, select a storage provider. If you select SharePoint or SharePoint Online, and the share is running SharePoint 2013 or later, select the Add sites followed by users on this site check box to make this feature available to users of this share. This setting only applies for personal (my) SharePoint or OneDrive for Business sites.

   If your environment is configured for Microsoft OneDrive for Business, select the SharePoint Online storage provider.

7. In the Path field, specify the path to the share. Complete one of the following tasks based on the storage type that you selected in step 6.

   Storage type: Box
   Enter a fully qualified URL with or without Microsoft Active Directory attributes.

   Storage type: File Share
   The Path can include Microsoft Active Directory attributes. For example, \\fileshare1\<SAMAccountName> or <homeDirectory>.

   Storage type: SharePoint or SharePoint Online (if your storage provider is Microsoft OneDrive for Business, complete this task)
   Enter a fully qualified URL with or without Microsoft Active Directory attributes.

   To add "my" or personal SharePoint sites, specify the URL for the "my" site. For example:

   • If your environment uses SharePoint and SharePoint Online, https://<Microsoft SharePoint server>/my.
   • If your environment uses Microsoft OneDrive for Business, https://<your O365 domain>-my.sharepoint.com/personal/admin_<domain>_onmicrosoft_com/_layouts/15/onedrive.aspx

   If the personal site includes usernames or other Microsoft Active Directory attributes, enter the path including these attributes. For example, https://<Microsoft SharePoint server>/my/<SAMAccountName>.

   Optionally, to automatically add followed sites, complete the following steps:

   a. Add a repository for the "my" or personal SharePoint site.
   b. Select the Add sites followed by users on this site for the repository.
   c. On the User-defined tab, enable a user-defined repository permission. Make sure that you select the Enable 'User Defined Shares' and Automatically add sites followed by users check boxes. For instructions, see Enable user-defined repository permissions.

   Storage type: CMIS-based
   For storage providers using CMIS support that you have added to BEMS, both AtomPub and Web Services web addresses are supported. A repository ID may be optionally specified and a path inside the repository may also be optionally specified.

   If no repository ID is specified, then all repositories that a user has access to are listed to the user. If no path is specified, then the listing starts at the repository root.

   Following is the format of the paths for BEMS Docs repositories for accessing CMIS repositories:

   • <ATOM-PUB-URL>?RepositoryId=<REPOSITORY-ID>&RelativePath=<REPOSITORY-PATH>
   • <WEB-SERVICES-URL>?RepositoryId=<REPOSITORY-ID>&RelativePath=<REPOSITORY-PATH>&BindingType=WebService
   • Where ATOM-PUB-URL and WEB-SERVICES-URL are specific to the CMIS vendor. Contact your CMIS vendor for more information.
   • Where REPOSITORY-ID is the CMIS repository ID (optional).
   • Where REPOSITORY-PATH is the path inside the CMIS repository (optional).

8. Optionally, in the List drop-down list, select an existing list that you want this repository to belong to. If no list is defined, you can create one later or leave this field blank. If a List is selected, select the Enable inheriting of access control of repository list checkbox to apply the Access Permissions of the List to the repository. If the check box is not selected, you must define specific access permissions for this share (repository).
9. Select Manage access through WatchDox if you have a BlackBerry Workspaces server in your environment, have configured the Unified Content Connector, and you want to manage access permissions from the BlackBerry Workspaces server. For more information about the Unified Content Connector, contact BlackBerry Technical Support Services.
10. In the Access permissions section, click Add Users/Groups.
11. In the Search In field, enter a new domain or keep the default domain.
12. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
13. In the search results, select one or more entries.
14. Optionally, select the Use Different Credentials and enter a username and password to configure a different username and password for accessing this repository by these users.
15. Click Add.
16. Click Save.
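Two inputs of this procedure are easy to get wrong: the display name in step 5, whose disallowed characters differ per storage provider, and the CMIS path in step 7, which carries optional RepositoryId and RelativePath parameters and a BindingType switch that changes what the Docs service lists. The Python below is an added example, not BEMS code, that validates both and reports what a given CMIS path will show. The function names, the provider labels, the treatment of SharePoint Online as SharePoint and the sample inputs are constructed assumptions, and the query parameter names are assumed to be case-sensitive exactly as the guide spells them.

```python
"""Validation helpers for the Define a repository inputs.

Added example, not BEMS code.  Function names, provider labels and sample
inputs are constructed; the CMIS parameter names follow the guide and are
assumed to be case-sensitive (RepositoryId, RelativePath, BindingType)."""
from typing import Any, Dict, List, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Step 5: characters the guide says a display name cannot contain, per provider.
DISALLOWED_NAME_CHARS: Dict[str, Set[str]] = {
    "SharePoint": set('~"#%&*:<>?/\\{|}'),         # SharePoint 2010, 2013 and 2016
    "SharePoint Online": set('~"#%&*:<>?/\\{|}'),  # assumed to share SharePoint's set
    "File Share": set('\\/:*?"<>|'),
    "Box": set('\\/|'),
}


def invalid_name_chars(name: str, storage: str) -> Set[str]:
    """Return the characters of `name` that `storage` rejects (empty set = ok).
    Providers the guide gives no restriction for (e.g. CMIS-based) reject nothing."""
    if not name.strip():
        raise ValueError("display name must not be empty")
    return set(name) & DISALLOWED_NAME_CHARS.get(storage, set())


def parse_cmis_path(path: str) -> Dict[str, Any]:
    """Step 7, CMIS-based: split a path into the vendor URL and the Docs parameters
    and state what the Docs service will show for it."""
    parts = urlsplit(path)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("CMIS path must be an absolute http(s) URL")
    query = parse_qs(parts.query, keep_blank_values=True)

    def single(key: str) -> Optional[str]:
        values = query.pop(key, [])
        if len(values) > 1:
            raise ValueError(f"{key} given more than once")
        return values[0] if values and values[0] else None

    repository_id = single("RepositoryId")
    relative_path = single("RelativePath")
    binding = single("BindingType")
    if binding not in (None, "WebService"):
        raise ValueError("BindingType, when present, must be WebService")
    return {
        "base_url": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "vendor_params": query,            # anything else belongs to the vendor URL
        "repository_id": repository_id,
        "relative_path": relative_path,
        "binding": "WebService" if binding else "AtomPub",
        # No RepositoryId: every repository the user can access is listed.
        "lists_all_repositories": repository_id is None,
        # No RelativePath: the listing starts at the repository root.
        "starts_at_root": relative_path is None,
    }


def build_cmis_path(base_url: str, repository_id: Optional[str] = None,
                    relative_path: Optional[str] = None,
                    web_services: bool = False) -> str:
    """Produce one of the two documented formats (vendor URL without its own query)."""
    params = []
    if repository_id:
        params.append(("RepositoryId", repository_id))
    if relative_path:
        params.append(("RelativePath", relative_path))
    if web_services:
        params.append(("BindingType", "WebService"))
    return base_url + ("?" + urlencode(params) if params else "")


def validate_repository(name: str, storage: str, path: str) -> List[str]:
    """Collect the problems an administrator would hit saving this definition."""
    problems = []
    bad = invalid_name_chars(name, storage)
    if bad:
        problems.append(f"display name contains characters {storage} rejects: "
                        + " ".join(sorted(bad)))
    if storage == "CMIS-based":
        try:
            parse_cmis_path(path)
        except ValueError as exc:
            problems.append(f"CMIS path: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample definitions.
    print(validate_repository("Q1: finance?", "File Share", r"\\fileshare1\finance"))
    print(validate_repository("Contracts", "CMIS-based",
                              "https://cmis.example.test/atom?RepositoryId=repo1"))
    print(parse_cmis_path("https://cmis.example.test/ws?BindingType=WebService"))
```

parse_cmis_path keeps any query parameters it does not recognise under vendor_params rather than rejecting them, because the guide says the AtomPub and Web Services URLs are vendor-specific; build_cmis_path is the inverse for vendor URLs that carry no query of their own.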

Edit a repository

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click a repository you want to edit.
5. Make the required changes.
6. Click Save.


Define a repository list

Use Lists to assign users to multiple repositories and to organize your repositories by common characteristics. This allows you to batch-configure user access permissions. Included repositories can inherit the configured user access permissions of the list or maintain permissions independent of the list.

Microsoft Active Directory users and groups must be added to a repository definition or a list definition before access permissions can be configured. Users and groups added automatically receive the default access permissions.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin Defined tab.
4. Click New List.
5. In the Display Name, enter the name that will be displayed to authorized users on their mobile devices.
6. In the Select Repositories to include field, select the defined repositories to include.
7. Select Manage access through WatchDox if you have a BlackBerry Workspaces server in your environment, have configured the Unified Content Connector, and want to manage access permissions from the BlackBerry Workspaces server. For more information about the Unified Content Connector, contact BlackBerry Technical Support Services.
8. Click Save.

After you finish:

If you don't use a BlackBerry Workspaces server in your environment, complete the following tasks:

1. Add new users and groups to the list definition.
2. Grant user access permissions.

Add users and user groups to repositories and list definitions

You must add Microsoft Active Directory users and groups to a repository definition or a list definition before you can configure access permissions. Users and groups that are added automatically receive the default access permissions.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. On the Repositories Configuration page, click the Admin defined tab.
4. Click a repository or list.
5. Under Access permissions, click Add users/groups.
6. In the Search In field, enter a new domain or keep the default domain.
7. Select Users or Groups.
8. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
9. In the search results, select one or more entries.
10. Optionally, select the Use Different Credentials checkbox and enter a username and password to configure a different username and password for accessing this repository by these users.
11. Click Add.
12. Click Save.

After you finish: Grant user and user groups access permissions.


Allow user-defined repositories

You can allow users to define their own "named" data sources on admin-defined repositories for which they have already been granted permission.

When you allow users to define their own repositories, you perform the following actions:

1. Enable user-defined repository permissions
2. Change user access permissions

Enable user-defined repository permissions

Before you begin: For users to access their Microsoft SharePoint repositories on their devices, make sure that they have the "Read" permission level and the "Browse Directories" permission assigned.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the User defined tab.
4. Select the Enable 'User Defined Shares' checkbox to allow your mobile users to define their own data sources.
5. Optionally, select the Automatically add sites followed by users checkbox for authorized Microsoft SharePoint repositories with the required MySite plugin enabled. To automatically add followed sites, complete the following steps:

   a. On the Admin-defined tab, add a repository for the "my" or personal SharePoint site. For instructions, see Define a repository.
   b. Select the Add sites followed by users on this site for the repository.
   c. On the User-defined tab, make sure that you select the Enable user-defined shares and Automatically add sites followed by users check boxes.

6. In the Storage section, select one or more storage services. If you do not select at least one storage option, the user-defined option is disabled.
7. In the Access Permissions section, click Add users/groups.
8. In the Search In field, enter a new domain or keep the default domain.
9. Select Users or Groups.
10. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
11. In the search results, select one or more entries.
12. Optionally, select the Use Different Credentials and enter a username and password to configure a different username and password for accessing this repository by these users.
13. Click Add. The users and groups added automatically receive the default access permissions.
14. Click Save.

Access permissions 

Permissions can be selectively granted to existing Microsoft Exchange ActiveSync domain users and user groups. The most restrictive permissions (admin-defined or user-defined) are applied.

The following table lists the permissions that are provided by default when you add users and groups to the User-defined repositories.

Permission: Permissions Attributes (Default setting)

List (Browse): View and browse repository content (for example, subfolders and files) in a displayed list, and sort lists by Name, Date, Size, or Kind (Enabled)

Delete Files: Remove files from the repository (Enabled)

Read (Download): Download repository files to the user's device and open them to read (Enabled)

Write (Upload): Upload files (new/modified) from user's device to the repository for storage (Enabled)

Cache (Offline Files): Temporarily store a cache of repository files on the device for offline access (Enabled)

Open In: Open a file in a format-compatible app on the device (Enabled)

Create Folder: Add new folders to the repository (Enabled)

Copy/Paste: Copy repository file content and paste it into a different file or app (Enabled)

Check In/Check Out: When a file is checked out, the user can edit, close, reopen, and work with the file offline. Other users cannot change the file or see changes until it is checked back in (Enabled, SharePoint only)

Add New Repositories: Permits new repositories to be added from the user's mobile device (Disabled)

Generate Shared Link: Users can generate a link to a file and folder and send the link to recipients. The Generate Shared Link requires an updated BlackBerry Work app. (Enabled, Box only)
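Because the most restrictive of the admin-defined and user-defined grants is applied, and two permissions only exist for one provider, a user's effective rights are not obvious from either table on its own. The Python below is an added example, not BEMS code, that computes them from the two default sets in this guide and lists what a user is denied, which is the view an access review needs. The override dictionaries, the storage labels, the treatment of SharePoint Online as SharePoint, the rule that a permission absent from every applicable definition is denied, and the sample users are constructed assumptions.

```python
"""Effective Docs permissions when admin-defined and user-defined grants overlap.

Added example, not BEMS code.  The two default sets are taken from the tables in
this guide; the override dictionaries, the storage labels, the assumption that
SharePoint Online counts as SharePoint, and the sample users are constructed."""
from typing import Dict, List, Mapping, Optional, Set

# Admin-defined repository defaults: every permission in that table is Enabled.
ADMIN_DEFAULTS: Dict[str, bool] = {
    "List (Browse)": True, "Delete Files": True, "Read (Download)": True,
    "Write (Upload)": True, "Cache (Offline Files)": True, "Open In": True,
    "Create Folder": True, "Copy/Paste": True, "Check In/Check Out": True,
    "Generate Shared Link": True,
}
# The user-defined table adds one permission, Disabled by default.
USER_DEFAULTS: Dict[str, bool] = {**ADMIN_DEFAULTS, "Add New Repositories": False}

# Permissions the tables mark as provider-specific.
PROVIDER_ONLY: Dict[str, Set[str]] = {
    "Check In/Check Out": {"SharePoint", "SharePoint Online"},   # "SharePoint only"
    "Generate Shared Link": {"Box"},                              # "Box only"
}


def apply_overrides(defaults: Mapping[str, bool],
                    overrides: Mapping[str, bool]) -> Dict[str, bool]:
    """Defaults plus the checkboxes an administrator changed; unknown names are
    rejected so a typo cannot silently grant nothing (or everything)."""
    unknown = set(overrides) - set(defaults)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    return {**defaults, **overrides}


def effective_permissions(admin_overrides: Optional[Mapping[str, bool]],
                          user_overrides: Optional[Mapping[str, bool]],
                          storage: str) -> Dict[str, bool]:
    """Combine the definitions that apply to a user for one repository.

    None means that kind of definition does not exist for the user.  A permission
    is enabled only if every definition that carries it enables it (the most
    restrictive wins) and the storage provider supports it."""
    sides = []
    if admin_overrides is not None:
        sides.append(apply_overrides(ADMIN_DEFAULTS, admin_overrides))
    if user_overrides is not None:
        sides.append(apply_overrides(USER_DEFAULTS, user_overrides))
    if not sides:
        raise ValueError("at least one repository definition must apply")
    effective = {}
    for perm in USER_DEFAULTS:                      # superset of the admin table
        votes = [side[perm] for side in sides if perm in side]
        allowed = bool(votes) and all(votes)        # absent everywhere -> denied
        if perm in PROVIDER_ONLY and storage not in PROVIDER_ONLY[perm]:
            allowed = False
        effective[perm] = allowed
    return effective


def denied(effective: Mapping[str, bool]) -> List[str]:
    """Names of the permissions a user does not have, for an access review."""
    return sorted(p for p, ok in effective.items() if not ok)


if __name__ == "__main__":
    # Constructed sample: the admin cleared Delete Files on the share, the user's
    # own definition cleared Copy/Paste, and the share is a Box account.
    eff = effective_permissions({"Delete Files": False}, {"Copy/Paste": False}, "Box")
    for perm, ok in eff.items():
        print(f"{perm:22} {'Enabled' if ok else 'Disabled'}")
    print("denied:", denied(eff))
```

In the sample run, Delete Files and Copy/Paste are denied because one side cleared each of them, Check In/Check Out is denied because the share is not SharePoint, and Add New Repositories stays at its user-defined default of Disabled.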

Change user access permissions

1. On the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the User defined tab.
4. Under Access Permissions, beside the user or user group, select or clear the permission checkbox that you want to change.
5. Click the remove icon beside a user or user group that you want to remove.
6. Click Save.


View user repository rights

In some scenarios, you may need to search for a particular user to review which repositories are configured for their access, as well as the specific permissions granted. For example, when a user is one member of a Microsoft Active Directory group configured for repositories and is not listed individually in your admin-defined or user-defined repository configurations and you want to consider making specific changes to the user's access permissions.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Users tab.
4. In the Search Users field, begin typing the user's Microsoft Active Directory account name. If you don't see the user you want, extend or narrow the search string or click Switch Domains to search a different Microsoft Active Directory domain.
5. Click the user name. The Defined by column specifies if the repository is admin-defined or user-defined.
6. Click the name of the repository or on the row to view the user's access permissions. To modify the access permissions, see Change user access permissions.
7. Optionally, in the Override Path for this user field, enter an override path.

Enable users to access Box repository using a custom Box email address 

On the Home screen of the computer hosting BEMS, complete one of the following actions: 

Attributes: The Box email address matches one of the following Microsoft Active Directory attributes:
• mail
• userPrincipalName
• proxyAddresses
• targetAddress

Task: No action is required.

Attributes: The Box email address matches a Microsoft Active Directory attribute other than the attributes listed above.

Task: Set the config value LDAPUserCheckAttribute to specify the Microsoft Active Directory attribute that contains the custom Box email address.
a. On the computer hosting BEMS, open a command prompt and navigate to the client.bat file. By default, the file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\bin.
b. Type client.bat -u domain name\username. Press Enter.
   • Where domain name is the name of the domain BEMS is located in.
   • Where username is the name of an administrator account on BEMS.
c. Type the password for the BEMS user account. Press Enter.
d. Set the LDAPUserCheckAttribute. Type docs:config Config-Name Config-Value.
   • Where Config-Name is LDAPUserCheckAttribute.
   • Where Config-Value is the name of the Microsoft Active Directory attribute you want to add. For example, BoxLogin.
e. Optionally, confirm the Config-Value is set. Type docs:config Config-Name.

Attributes: The Box email address does not match any Microsoft Active Directory attribute.

Task: Complete one of the following tasks:
• Add an attribute to contain the Box email address and use the previous configuration. See the instructions above.
• Enable the EnablePersonalBoxAccess config value to allow users to use personal Box email addresses without adding an attribute.

  Warning: If you use this method to allow users to use custom Box email addresses to access Box, users can copy documents from your organization's network to their private Box accounts.

  a. On the computer hosting BEMS, open a command prompt and navigate to the client.bat file. By default, the file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\bin.
  b. Type client.bat -u domain name\username. Press Enter.
  c. Type the password for the BEMS administrator account. Press Enter.
  d. Set EnablePersonalBoxAccess to 1 to enable the attribute. Type docs:config EnablePersonalBoxAccess 1.
  e. Optionally, confirm EnablePersonalBoxAccess is enabled. Type docs:config EnablePersonalBoxAccess.
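To decide which of the three cases above applies to a given user, the following added PowerShell example (not from the BlackBerry guide) compares the user's Box email address against the default attributes BEMS checks and against an optional custom attribute you are considering for LDAPUserCheckAttribute. It assumes the RSAT Active Directory module is installed; the user name, attribute name and Box address in the usage line are constructed.

```powershell
# Added example (not from the BlackBerry guide). Assumes the RSAT ActiveDirectory module
# (Add-WindowsFeature RSAT-AD-PowerShell). Names used in the usage line are constructed.
Import-Module ActiveDirectory

function Get-BoxAddressMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $BoxEmail,
        # Optional custom attribute you are considering for LDAPUserCheckAttribute (for example, BoxLogin)
        [string] $CustomAttribute
    )

    # Attributes BEMS checks by default (first case in the table above)
    $defaultAttributes = @('mail', 'userPrincipalName', 'proxyAddresses', 'targetAddress')
    $properties = @($defaultAttributes)
    if ($CustomAttribute) { $properties += $CustomAttribute }

    $user = Get-ADUser -Identity $SamAccountName -Properties $properties

    # Collect every attribute whose value (or one of its values) equals the Box address
    $found = @()
    foreach ($attr in $properties) {
        foreach ($value in @($user.$attr)) {
            if ([string]::IsNullOrEmpty($value)) { continue }
            # proxyAddresses / targetAddress values carry an "smtp:" or "SMTP:" prefix; -replace is case-insensitive
            $address = $value -replace '^smtp:', ''
            if ($address -ieq $BoxEmail -and $found -notcontains $attr) { $found += $attr }
        }
    }

    if ($found | Where-Object { $defaultAttributes -contains $_ }) {
        $action = 'No action is required: the Box email address is in a default attribute.'
    } elseif ($found.Count -gt 0) {
        $action = "Set LDAPUserCheckAttribute to '$($found[0])' (docs:config LDAPUserCheckAttribute $($found[0]))."
    } else {
        $action = 'No attribute matches. Populate an attribute with the Box address (then set LDAPUserCheckAttribute) rather than enabling EnablePersonalBoxAccess.'
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        BoxEmail          = $BoxEmail
        MatchingAttribute = ($found -join ', ')
        RecommendedAction = $action
    }
}

# Usage (constructed values): which case applies to jdoe, whose Box login is jdoe@box.example.com?
Get-BoxAddressMatch -SamAccountName 'jdoe' -BoxEmail 'jdoe@box.example.com' -CustomAttribute 'BoxLogin' | Format-List
```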

Using the Docs Self-Service web console

Similar to the method for adding user-defined repositories on and from the device (see "Add a new data source" in the respective BlackBerry Work User Guide for iOS or Android), authorized users can access the Docs Self-Service web console from a browser on their office workstation or laptop to add user-defined File Share, Box, and SharePoint repositories. The self-service console is included in your BEMS installation and automatically configured with the Docs service in the BEMS Dashboard.

The web address to access the Docs Self-Service web console can be one of the following web addresses. Contact your BEMS or BlackBerry Work administrator for the specific web address in your environment.

• If you configured single sign-on, navigate to https://<bems_fqdn>:<port>/docsconsole-sso
• If you require a username and password, navigate to https://<bems_fqdn>:<port>/docsconsole

Add a repository using the Docs Self-Service web console

Before you begin: You must be authorized to access the Docs Self-Service web console. For instructions on authorizing access to the Docs Self-Service web console, see Allow user-defined repositories. Users must have the Add New Repositories permission to add a repository from the browser.

1. On your computer, open a browser and navigate to the Docs Self-Service console at one of the following web addresses:
   • If your environment is configured for single sign-on, go to https://<bems_fqdn>:<port>/docsconsole-sso (for example, https://bemsserver.example.com:8443/docsconsole-sso). If you are authorized, you are automatically logged in using your Microsoft Active Directory credentials.
   • If your environment is configured to require a username and password, go to https://<bems_fqdn>:<port>/docsconsole (for example, https://bemsserver.example.com:8443/docsconsole). You must enter your Microsoft Active Directory credentials.
2. Click Add Repository to define a new data source.
3. In the Display Name field, type a display name. This name is displayed in repository lists in the console and on your device.
4. In the Storage Type field, select a storage type (for example, File Share, SharePoint, or Box).
5. In the Path field, enter the path.
6. Click Save.

To remove a repository, click the delete icon beside it.

Add a CMIS storage service

BEMS is installed with support for a number of storage service providers: File Share, SharePoint, and Box. You can also add storage services that use the Content Management Interoperability Services (CMIS) protocol, an open standard that allows different content management systems to interoperate over the Internet.

If your environment is configured for a specific version of the SMB or CIFS protocol to access a File Share, make sure that BEMS is installed on a compatible Windows operating system. Refer to your Microsoft documentation for more information on compatibility.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Storages. A list of storage providers is displayed.
3. Click New Storage.
4. In the Storage name field, type a name for the storage.
5. In the Storage provider drop-down list, select a storage provider.
6. In the Authentication Provider drop-down list, select an authentication provider. For information about authentication providers and the storage provider that each can be used for, see Authentication providers.
7. To make the storage available on user devices, select the Enable Storage checkbox.

Note: It may take up to an hour or a restart of the apps for storage changes to take effect on user devices. It may take up to five minutes for the changes to take effect on the server. Enabling and disabling storage providers on this page affects what storage resources are visible at any given time for users, but has no such impact on the server. If this option is not selected, users can't access the file share and receive the following error message on the device: Data sources could not be retrieved. Unable to connect to the server.

After you finish: Add repositories in the storage provider. For instructions, see Managing Repositories.

Enable modern authentication for Microsoft SharePoint Online

You can also enable modern authentication for Microsoft SharePoint Online when you have Microsoft SharePoint configured in your environment.

Before you begin: If you enable modern authentication, configure the Azure registration in the Docs > Settings screen. For more information, see Configure the Docs security settings.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Storages.
3. Click the storage name SharePoint Online.
4. If this is a new installation, the following settings are selected by default:
   • Authentication Provider drop-down list: Modern. For information about authentication providers and the storage provider that each can be used for, see Authentication providers.
   • Use Azure registration from Settings check box is selected. SharePoint uses the Azure registration settings that are specified in the Docs > Settings screen. For more information, see Configure the Docs security settings.
5. If you upgraded from BEMS 2.10 or earlier and modern authentication was configured, no additional actions are required. Optionally, select the Use Azure registration from Settings check box for SharePoint to use the Azure registration settings that are specified in the Docs > Settings screen. For more information, see Configure the Docs security settings.
6. To make the storage available on user devices, select the Enable Storage checkbox.

Note: It may take up to an hour or a restart of the apps for storage changes to take effect on users' devices. It may take up to five minutes for the changes to take effect on the server. Enabling and disabling storage providers on this page affects what storage resources are visible at any given time for users, but it has no such impact on the server. If this option is not selected, users can't access the file share and receive the following error message on the device: Data sources could not be retrieved. Unable to connect to the server.

After you finish: Add repositories in the storage you added. For instructions, see Managing Repositories.

Windows Folder Redirection (Native)

This feature gives administrators the ability to redirect the path of a folder to a new location, which can be on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.

Folder Redirection is located under Windows Settings in the console tree when you edit a domain-based Group Policy using the Group Policy Management Console (GPMC). The path is <Group Policy Object Name>\User Configuration\Policies\Windows Settings\Folder Redirection.

Offline File technology (turned on by default) gives users access to the folder even when they are not connected to the network, and is especially useful on laptops and mobile devices. Offline folders do not, however, work out of the box with Samba network drives. See Offline Folders (Native) for details. Otherwise, Windows Folder Redirection can be enabled for any of the predefined folders in the Group Policy Management Editor.

In Windows Server 2008, a total of 13 different folders can be redirected:

• AppData (Roaming)
• Desktop
• Start Menu
• Documents
• Pictures
• Music
• Favorites
• Contacts
• Downloads
• Links
• Saved Games
• Searches
• Videos

As an administrator, you must create the root folder for the destination location. This folder can be created on a local or remote machine (NAS).

Note: All members of the group who have Windows Folder Redirection enabled must have full access to the root folder.

Enable folder redirection and configure access

When you enable folder redirection, the user's folder has exclusive user permissions. Other users cannot see the files. The user can update, add new, and delete files. When the user connects to the corporate network, the files are automatically synchronized with the redirected location.

If modifications are made to the file in both locations at the same time, an alert is issued, and the user is responsible for resolving the conflict (for example, keep the source, keep the destination, or keep both files).

If a user uploads a file through a mobile app directly to the share, the file is visible on the local computer in the Documents folder. Moreover, when the Docs service is configured with "User Private Shares" pointing to the redirected root folder (for example, C:\RedirectShare\), users can automatically use their own folders inside the mobile app from the "Home Directory" on their phone or tablet.

Note: For users with their home folder defined in Microsoft Active Directory, Folder Redirection works when the redirection path is the same as the user's home folder in Microsoft Active Directory.

1. Create a root folder (for example, RedirectShare) for the redirect destination.
2. In the Group Policy Management Editor, select a specific folder (for example, Documents) and add one or more rules to determine which users and user groups can redirect the selected folder to the root folder.
3. Set an environment variable %USERNAME% to the path [Root]\<username>\Documents\.

Local Folder Synchronization – Offline Folders (Native)

Users who work remotely on content creation and save files locally for offline access can now access these files on the go from their mobile devices without having to open their local machine. The Docs service provides authorized users access to their Home Directory hosted on network-attached storage (NAS) shares and exposed through Microsoft Active Directory. This synchronization feature, syncing folders on the user's remote laptop or desktop with their home directory, is only available on local machines running Microsoft Windows.

When you select a network file or folder to make it available offline, Windows automatically creates a copy of that file or folder on your computer. Thereafter, any time you reconnect to the network folder, Windows synchronizes these files with those in the network folder. You can also synchronize them manually any time you want. As pointed out above, this feature does not work out of the box with a Samba network drive, and workarounds are not currently supported by Microsoft. Otherwise, the feature can be enabled from Windows Explorer and used for any shared folder as pictured.

Now that the shared folder is available offline, it can be used offline. Users can even make a shortcut to the shared folder on their desktop for convenience. When working offline and changes are made to offline files in a network folder, Windows automatically synchronizes the changes the next time you connect to that network folder. You can also manually synchronize changes by clicking the Sync Center tool.

Additionally, there are more advanced synchronization scheduling controls available in the Windows Sync Center.

If the user is working offline while someone else changes a file in a shared network folder, Windows synchronizes those changes with the offline file on the local computer the next time it connects to that network folder. If a synchronization conflict occurs (for example, changes were made to both the network and offline versions of the file between syncs), Windows prompts the user to confirm which change takes precedence.

Files that were cached automatically are removed on a least-recently-used basis once the maximum cache size is reached. Files cached manually are never removed from the local cache. When the total cache size limit is reached and all files that were cached automatically have already been removed, files cannot be made available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet.

The default size limit for the Offline Files cache is 25 percent of the total disk space of the drive where the cache is located. The cache size can be configured through Group Policy by setting the limit on disk space used by Offline Files (go to Computer Configuration > Policies > Administrative Templates > Network > Offline Files) on each client separately.

Synchronization takes place a few minutes after the user logs in and connects to or opens a shared network folder containing offline files, and is schedule- or event-based. However, this must still be enabled manually by each user. Even so, through the Group Policy editor, the domain administrator can set various synchronization triggers, for example On Logon, On Logoff, and Sync Interval.

These settings are available in User Configuration\Administrative Templates\Network\Offline Files and in Computer Configuration\Administrative Templates\Network\Offline Files in the Group Policy Object Editor snap-in. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Folder Redirection and Offline Folders provide the following advantages compared to a proprietary laptop/desktop agent furnished by Good:

• IT does not have to manage and deploy another desktop agent
• Microsoft Folder Redirection is integrated with GPO and manages conflicts
• Existing compliance tools and processes govern the data

Once the files are synchronized to the "Home Directory," IT administrators can make use of the Docs service feature in which Microsoft Active Directory attributes can be specified in the path to expose the user's "Home Directory" to the BlackBerry Work app running on provisioned mobile devices. It is also important to remember that for users who have their home folder defined in Microsoft Active Directory, Folder Redirection works when the folder redirection path is the same as the user's home folder in Microsoft Active Directory.

Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business

Microsoft SharePoint Online locations can be added as repositories in the Docs service just like an on-premises Microsoft SharePoint site to support both admin-defined and user-defined data sources. This is also true for Microsoft OneDrive for Business.

Microsoft SharePoint Online provides the following ways for users to authenticate and perform SharePoint operations:

• Using on-premises Microsoft Active Directory
   • DirSync with Password Hash: Users and their passwords on Microsoft Active Directory are synchronized with Microsoft Office 365. Users are presented with a login page where they can enter their credentials to access Microsoft SharePoint Online.
   • Active Directory Federation Service (ADFS): ADFS serves as a Secure Token Service. Behind the scenes (in the background), users are redirected to ADFS for authentication and are issued security tokens that are then used by Microsoft SharePoint Online to sign in. Microsoft SharePoint Online users do not need to enter credentials when accessing from the corporate network, which typically enables single sign-on scenarios.
• Using modern authentication
   • Enable modern authentication in the BEMS Dashboard.

These authentication mechanisms are supported by the Docs service and all preparations take place on the server side exclusively. No device changes are required to use the on-premises Active Directory. The following prerequisites are required for users to authenticate to Microsoft SharePoint Online:

• For users to authenticate to Microsoft SharePoint Online using Microsoft Active Directory, Microsoft SharePoint Online is deployed in your environment based on DirSync with Password Hash or ADFS authentication mechanisms.
• For users to authenticate to Microsoft SharePoint Online using modern authentication, Microsoft SharePoint Online is deployed in your environment and enabled for modern authentication in the BEMS Dashboard.

Configure Microsoft SharePoint Online and Microsoft OneDrive for Business

For instructions on enabling modern authentication for Microsoft SharePoint Online, see Enable modern authentication for Microsoft SharePoint Online.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the SharePoint Online section, in the SharePoint Online Domain field, type the FQDN for your primary Microsoft SharePoint Online domain. Then, separated by a comma, type your FQDN for Microsoft OneDrive for Business. For example, goodshare.sharepoint.com,goodshare-my.sharepoint.com.
4. Click Save.
5. Restart Good Technology Common Services.
6. Click Repositories.
7. Click New Repository.
8. In the Display Name field, type a name for the repository.
9. In the Storage Type drop-down list, click SharePoint.
10. In the Path field, type the path for your primary Microsoft SharePoint Online site from step 2.
11. Click Save.
12. Optionally, click New Repository for Microsoft OneDrive for Business and repeat steps 8 to 11 using the path for Microsoft OneDrive for Business. You can use the username wildcard in the web address. For example, https://goodshare-my.sharepoint.com/personal/<username>_goodshare_us.
    You can look up the path web address by logging in to the Microsoft SharePoint Online website and clicking the Microsoft OneDrive option. Copy the web address into the Path field.
13. Click Save. Both repositories are listed in the repository list.

Microsoft SharePoint Online authentication setup

The following instructions do not apply when you configure Microsoft SharePoint Online using modern authentication. For Kerberos constrained delegation (KCD), which allows for single sign-on, credential-less access to network resources from devices, only Active Directory Federation Service (ADFS) authentication to Microsoft SharePoint Online is supported.

Note: Configure delegation using the BEMS service account (for example, BEMSAdmin). When adding Kerberos delegation constraints for Docs service users, add the ADFS server HTTP service. Do not add Microsoft SharePoint Online servers for delegation here.

For non-KCD configurations, where users enter their credentials on the device, both DirSync with Password Hash and ADFS authentication mechanisms to Microsoft SharePoint Online are supported. No extra authentication-related steps are required to use this configuration.

ADFS version and location

ADFS 2.0 is recommended. You can install ADFS on either Microsoft Windows 2008 R2 or Microsoft Windows 2012. The ADFS server is automatically identified by the Docs service based on the Microsoft SharePoint Online location and does not need to be specified.

ADFS HTTPS certificate

If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the computer hosting BEMS.

To add the certificate, navigate to the Microsoft IIS Manager on the computer hosting ADFS, then go to Server Certificates and export the certificate to a file. On the computer hosting BEMS, import this certificate into the trusted CA list.

Once you deploy Microsoft SharePoint Online, you're ready to configure the Docs service for your Microsoft SharePoint Online users.

Troubleshooting Microsoft SharePoint Issues

BlackBerry Work Docs fails to find a Microsoft SharePoint view by name

Possible cause

Maximum HTTP URL length is set too short.

Possible solution

Increase the maxUrlLength setting.

1. In Microsoft IIS, under site or server, open Configuration Editor.
2. In the drop-down at the top, expand system.web and select httpRuntime.
3. Change the maxUrlLength property to 2048. By default, the maxUrlLength is 260 characters.

Configuring Microsoft Office Web Apps server for Docs service support

Microsoft Office Web Apps (OWAS) is an Office server product from Microsoft that delivers browser-based versions of Microsoft Word, Microsoft PowerPoint, Microsoft Excel, and Microsoft OneNote. A single Microsoft Office Web Apps server farm can support Docs service users who access Office files through Microsoft SharePoint and File Shares. The new stand-alone deployment model means that you can manage updates to your Microsoft Office Web Apps server farm independently of other Office Server products that are deployed in your organization.

Supported file types

Docs support for Microsoft Office Web Apps (OWAS) gives your users the ability to view and edit Office documents and convert them to PDF format in BlackBerry Work and other BlackBerry Dynamics-powered apps that use the Docs service. This is all done within the secure BlackBerry Dynamics container. The BlackBerry Work Docs component is used to browse and select the files. BlackBerry Access is used to view and edit the documents.

The following table lists the supported file types for Microsoft Word.

File format | View | Edit

Open XML (.docx) | √ | iPad only

Binary (.doc) | √ | —

Macro (.docm) | √ | Macros don't work

Templates (.dotm, .dotx) | √ | —

Other file formats (.dot, .mht, .mhtml, .htm, .html, .odt, .rtf, .txt, .xml, .wps, .wpd) | — | —

The following table lists the supported file types for Microsoft Excel.

File format | View | Edit

Open XML (.xlsx) | √ | √

Binary (.xlsb) | √ | √

Binary (.xls) | — | —

Macro (.xlsm) | | However, you are prompted to create a copy of the file that has the macros removed when you save the changes that you have made

Other file formats (.xltx, .xltm, .xlam, .xlm, .xla, .xlt, .xml, .xll, .xlw, .ods, .prn, .txt, .csv, .mdb, .mde, .accdb, .accde, .dbc, .igy, .dqy, .rqy, .oqy, .cub, .uxdc, .dbf, .slk, .dif, .xlk, .bak, .xlb) | — | —

The following table lists the supported file types for Microsoft PowerPoint.

File format | View | Edit

Open XML (.pptx, .ppsx) | √ | iPad only

Binary (.ppt, .pps) | | PowerPoint Online or PowerPoint Web App converts the .ppt or .pps file to a .pptx or .ppsx file to allow you to edit the file, but you must save the file as a .pptx or .ppsx file to save your changes.

Macro (.pptm, .potm, .ppam, .potx, .ppsm) | √ | —

Other file formats (.pot, .htm, .html, .mht, .mhtml, .txt, .rtf, .wpd, .wps, .ppa, .odp, .thmx) | — | —

The following table lists the supported file types for PDF and OpenDocument.

File format | View | Edit

PDF (.pdf) | √ | —

OpenDocument Text (.odt) | √ | —

OpenDocument Spreadsheet (.ods) | √ | √

OpenDocument Presentation (.odp) | √ | √

For more information on the file types supported with Microsoft Office Web Apps, visit support.microsoft.com and read article 2028380.

Supported files and storage types

Documents in a supported file format can reside on any of the following storage types:

• File Shares
• Microsoft SharePoint 2007, Microsoft SharePoint 2010, Microsoft SharePoint 2013, and Microsoft SharePoint 2016
• Microsoft SharePoint Online

Supported devices

• iOS devices
   • iPad: view and edit
   • iPhone: view only
• Android devices
   • Phones: view only
   • Tablets: view only

Configure the Docs service for Microsoft Office Web Apps access

Before you begin:

• A Microsoft Office Web Apps server is installed and configured in your environment.
• Add a registry key to enable strong cryptography on the Office Online Server. If this key is not added to the registry, users can't view or edit Microsoft Office Web Apps files in BlackBerry Access and the Office Online Server log files log the error message Could not create SSL/TLS secure channel. For instructions, see the Known issues section of the BEMS Release Notes content.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. Under Office Web App Server, in the Office Web App Server URL field, type the web address of the Microsoft Office Web Apps server.
4. Click Save.
5. On the Office Web App Server, in the Windows folder, copy the Microsoft.CobaltCore.dll file. By default, the file is located in <drive>:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.CobaltCore\.
6. On the BEMS server, browse to the lib folder at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\lib and paste the file into it.
7. Restart the Good Technology Common Services.
8. On BEMS, export the SSL certificate to a file.
   a) In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
   b) Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.
9. On the Office Web App Server, add the SSL certificate to the Trusted Root CA of the computer account.
   a) Open the Microsoft Management Console.
   b) Click File > Add/Remove Snap-in.
   c) In the Available snap-ins column, click Certificates > Add.
   d) Select Computer account. Click Next.
   e) Select Local Computer. Click Finish.
   f) Click OK.
   g) In the Microsoft Management Console, expand Certificates (Local Computer).
   h) Right-click Trusted Root Certificate Authorities. Select All Tasks.
   i) Click Import.
   j) In the Certificate Import Wizard, click Next.
   k) Browse to the SSL certificate file you exported in step 8.
10. Obtain the Microsoft Office Web Apps server SSL certificate.
11. Add the Microsoft Office Web Apps server SSL certificate to BEMS. For instructions, see Importing CA Certificates for BEMS.
12. Repeat steps 8 to 11 for each BEMS server in your environment.
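The certificate imports in step 9 above and in the ADFS HTTPS certificate section can also be done from PowerShell. The following added example (not from the BlackBerry guide) imports an exported .cer file into the Trusted Root store of the computer account only after confirming that its thumbprint matches the certificate the named server actually presents over TLS, so a stale or swapped file is never trusted. It assumes the Windows PKI module (Import-Certificate) is available; the host name and the 8443 port in the usage line are constructed.

```powershell
# Added example (not from the BlackBerry guide). Assumes Windows PowerShell with the PKI module
# (Import-Certificate). Host name and port in the usage line are constructed.

function Get-LiveCertificate {
    # Fetch the certificate a server presents on a TLS port without trusting it (the callback accepts any chain)
    param([Parameter(Mandatory)] [string] $HostName, [Parameter(Mandatory)] [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Import-VerifiedRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertificateFile,   # for example, the exported BemsCert.cer
        [Parameter(Mandatory)] [string] $HostName,          # server the file is supposed to belong to
        [int] $Port = 443
    )
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateFile)
    $liveCert = Get-LiveCertificate -HostName $HostName -Port $Port

    # Refuse to trust a file whose thumbprint differs from what the server actually serves
    if ($fileCert.Thumbprint -ne $liveCert.Thumbprint) {
        throw "Thumbprint mismatch: file $($fileCert.Thumbprint), live $($liveCert.Thumbprint). Not importing."
    }
    if ($fileCert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($fileCert.NotAfter). Renew it instead of trusting it."
    }

    # Idempotent: skip if the same certificate is already in the computer's Trusted Root store
    $existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint }
    if ($existing) {
        Write-Output "Already trusted: $($fileCert.Subject) ($($fileCert.Thumbprint))"
        return $existing
    }
    # Same result as steps 9a to 9k in the MMC (Certificates (Local Computer) > Trusted Root Certification Authorities > Import)
    Import-Certificate -FilePath $CertificateFile -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage on the Office Web Apps server (constructed names): check BemsCert.cer against the BEMS Dashboard port before trusting it
Import-VerifiedRootCertificate -CertificateFile "$env:USERPROFILE\Downloads\BemsCert.cer" -HostName 'bemsserver.example.com' -Port 8443
```

For the ADFS case, run the same function on the BEMS host with the exported ADFS certificate file and the ADFS server's name and HTTPS port.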


Configuring resource based Kerberos constrained delegation for the Docs service

You can configure the Docs service to use resource based Kerberos constrained delegation (KCD) to access resources, such as Microsoft SharePoint servers and File Share servers, and remove the requirement for users to provide their network credentials to access resources within the domain, and between domains and forests. When you configure resource based KCD for your Docs service, the resource authorizes the service accounts that can delegate against the resource. If you need to enable KCD in your environment, it is recommended that you enable resource based KCD if your environment meets the minimum requirements. This is also recommended in environments that do not use multiple domains or forests. If your environment does not meet the requirements for resource based KCD, you can configure Kerberos constrained delegation (KCD).

Configuring the Docs service with resource based KCD allows users to access resources in the same domain or between domains and forests.

When you configure resource based Kerberos constrained delegation, you perform the following actions:

1. Configure resource based Kerberos constrained delegation
2. Optionally, verify the delegation is configured correctly
3. Turn on resource based Kerberos constrained delegation

Configure resource based Kerberos constrained delegation

You can configure the Docs service with resource based Kerberos constrained delegation (KCD) to allow users to access resources in the same domain and between domains and forests.

Before you begin:

• All BEMS instances in your environment are hosted on a computer that is running Windows 2012 or later.
• Each domain in your environment has one or more Domain Controllers on a computer that is running Windows 2012 or later.
• The BEMS service account is a member of the local Administrators group and has the Act as part of the Operating System privilege.
• If you are configuring resource based KCD for Microsoft SharePoint, make sure that the Microsoft SharePoint server uses Integrated Windows Authentication – Negotiate (Kerberos) for the authentication provider.
• You identified the file share servers and Microsoft SharePoint servers that the Docs service requires access to.

1. On the Domain Controller or another computer in your environment, open Windows PowerShell (run as administrator) and set up delegation.
   a) Import the ServerManager module. Type Import-Module ServerManager. Press Enter.
   b) Install the Microsoft Active Directory module for Windows PowerShell and the Microsoft Active Directory Services. Type Add-WindowsFeature RSAT-AD-PowerShell. Press Enter.
   c) Import the Microsoft Active Directory module. Type import-module activedirectory. Press Enter.
2. Find the application pool identity for the Microsoft SharePoint servers in your environment. The application pool identity is located in the Microsoft Internet Information Services (IIS) Manager, on the Application Pools screen.
3. If the Microsoft SharePoint web application is running on a non-default port (the default ports are 80 and 443) or is not running under the network service, create SPNs. Complete one or more of the following tasks:

Note: If you have multiple Microsoft SharePoint web applications, you must create an SPN for each web application that is available in the scenarios below.

 | Configuring BEMS services | 99

Task Steps

Create SPNs for a Microsoft SharePoint web application running on a non-default port and as a specific user

a. Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

• Where <Sharepoint server name> is the name of the computer hosting the Microsoft SharePoint web application.

• Where <Sharepoint app port> is the port number of the Microsoft SharePoint web application server.

• Where <Sharepoint domain> is the domain where the Microsoft SharePoint web application server is located. For example, www.example.com.

• Where <Sharepoint app user> is the user or service account that is listed in the Identity column in step 2. If the service is set to run as a user, the Identity column displays <web application server name>/<username>. If the service is set to run as a network service, the Identity column displays Network Service.

b. Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

• Where <Sharepoint server FQDN> is the FQDN of the computer hosting the Microsoft SharePoint web application server.

Create SPNs for a Microsoft SharePoint web application running on a default port (80 or 443) and as a specific user

a. Type setspn -S HTTP/<Sharepoint server name> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

b. Type setspn -S HTTP/<Sharepoint server FQDN> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

Create SPNs for a Microsoft SharePoint web application running on a non-default port and under a network service

a. Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.

b. Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.

4. Add the delegation to each file share server in your environment.

Task Steps

Add the delegation for one computer hosting BEMS.

a. Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER-NAME>. Press Enter.

b. Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.

Add the delegation for multiple computers hosting BEMS.

a. Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER1-NAME>. Press Enter.

b. Type $gems2 = Get-ADComputer -Identity <GEMS-SERVER2-NAME>. Press Enter.

For each additional BEMS, increment the $gems# by one.

c. Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1,$gems2. Press Enter.

For each additional BEMS, add a comma and $gems#, incrementing the # by one.

5. If you configure the delegation for file share servers in a DFS configuration, add delegations to the name server and the file server. For domain based DFS, this requires adding delegations for all of the Domain Controllers in the domain. Type Set-ADComputer <DC-SERVER-NAME> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter. Where <DC-SERVER-NAME> is the name of the computer hosting the domain controller.

6. Add delegation to the Microsoft SharePoint servers in your environment. Complete one of the following actions:

• If the application pool identity for the Microsoft SharePoint application is NetworkService, type Set-ADComputer <Sharepoint server name> -PrincipalsAllowedToDelegateToAccount $gems1.

• If the application pool identity for the Microsoft SharePoint application is a specific domain user, type Set-ADUser <Sharepoint app user> -PrincipalsAllowedToDelegateToAccount $gems1.

Where <Sharepoint app user> is the user name that is listed in the Identity column in step 2. As in step 4, list all $gems# variables separated by commas when you have multiple computers hosting BEMS.

7. Press Enter.

Verify the delegation is configured correctly

You can verify that the delegation property was set correctly.

1. On the Domain Controller or another computer in your environment, open Windows PowerShell (run as administrator).

2. Complete one of the following actions to verify the delegation:

• If the delegation was set on the server name, type Get-ADComputer <server_name> -Properties PrincipalsAllowedToDelegateToAccount.

• If the delegation was set on the username, type Get-ADUser <user_name> -Properties PrincipalsAllowedToDelegateToAccount.
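The delegation set in steps 4 to 6 and the verification described in this section can be checked together in one pass. The following PowerShell script is an added example and is not part of the BlackBerry guide; the BEMS host, file server, and SharePoint identity names in it are constructed placeholders, and it assumes the Active Directory module installed in step 1.

```powershell
# Added example, not from the BlackBerry guide: audit the resource based KCD
# settings that steps 4 to 6 create. For every resource (file server, DFS name
# server or domain controller, SharePoint host or app pool user) it lists which
# principals may delegate to it, flags BEMS hosts that are still missing, and
# flags any principal that is not a BEMS host. Requires the ActiveDirectory
# module (installed in step 1 with Add-WindowsFeature RSAT-AD-PowerShell).
Import-Module ActiveDirectory

# Constructed placeholders: replace with your own BEMS hosts and resources.
$ExpectedBemsHosts    = @('BEMS01', 'BEMS02')
$FileServers          = @('FILESRV01', 'DC01')   # DC01 only for domain based DFS (step 5)
$SharePointIdentities = @('SP01', 'svc_spapp')   # computer name (NetworkService) or app pool user

function Get-AllowedDelegatingPrincipals {
    # Returns the sAMAccountNames of the principals allowed to delegate to the
    # given resource. The resource may be a computer object or a user object
    # (step 6 sets the property on whichever holds the app pool identity).
    param([Parameter(Mandatory)][string]$Identity)

    $resource = Get-ADComputer -Filter "Name -eq '$Identity'" `
        -Properties PrincipalsAllowedToDelegateToAccount
    if (-not $resource) {
        $resource = Get-ADUser -Filter "SamAccountName -eq '$Identity'" `
            -Properties PrincipalsAllowedToDelegateToAccount
    }
    if (-not $resource) {
        throw "No computer or user named '$Identity' was found in Active Directory"
    }

    # The property stores distinguished names; resolve each to its account name.
    foreach ($dn in @($resource.PrincipalsAllowedToDelegateToAccount)) {
        (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
    }
}

function Test-RbcdConfiguration {
    param(
        [Parameter(Mandatory)][string[]]$Resources,
        [Parameter(Mandatory)][string[]]$ExpectedHosts
    )
    # Computer accounts are stored as NAME$ in sAMAccountName.
    $expected = @($ExpectedHosts | ForEach-Object { $_ + '$' })

    foreach ($resource in $Resources) {
        $allowed    = @(Get-AllowedDelegatingPrincipals -Identity $resource)
        $missing    = @($expected | Where-Object { $_ -notin $allowed })
        $unexpected = @($allowed  | Where-Object { $_ -notin $expected })
        [pscustomobject]@{
            Resource   = $resource
            Allowed    = $allowed -join ', '
            # BEMS hosts listed here cannot yet access the resource on a user's behalf.
            Missing    = $missing -join ', '
            # Anything listed here should be reviewed and, if not needed, cleared
            # with Set-ADComputer/Set-ADUser -PrincipalsAllowedToDelegateToAccount $null.
            Unexpected = $unexpected -join ', '
        }
    }
}

Test-RbcdConfiguration -Resources ($FileServers + $SharePointIdentities) `
    -ExpectedHosts $ExpectedBemsHosts | Format-Table -AutoSize
```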

Turn on resource based Kerberos constrained delegation

When you configure resource based Kerberos constrained delegation (KCD) for the Docs service, consider the following:

• Only Windows authentication in Microsoft SharePoint is supported. Forms-based and claims-based authentication are not supported.

• IP addresses are not allowed in the Microsoft SharePoint URLs and File Share paths that you configure in BEMS.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the Kerberos Constrained Delegation section, select the Enable Kerberos Constrained Delegation checkbox.
4. Restart the Good Technology Common Services.
5. On the computer hosting the BEMS-Docs service, grant the Act as part of the operating system privilege to the BEMS server account (for example, GoodAdmin).
a) Run the Local Security Policy administrative tool.
b) In the left pane, expand Local Policies.
c) Click User Rights Assignment.
d) Configure the service account for the Act as part of the operating system permission.
6. Click OK.

Remove resource based Kerberos constrained delegation

1. Open Windows PowerShell (run as administrator).
2. Complete one of the following tasks:

• To remove the delegation from a server, type Set-ADComputer <server_name> -PrincipalsAllowedToDelegateToAccount $null.

If you have multiple file share or Microsoft SharePoint servers in your environment, complete this step for each server.

• To remove the delegation from a user, type Set-ADUser <user_name> -PrincipalsAllowedToDelegateToAccount $null.

If you use different usernames for the Microsoft SharePoint and file share servers, complete this step for each username.

3. Press Enter.

Configuring Kerberos constrained delegation for Docs

Configuring the Docs service to use Kerberos constrained delegation (KCD) for accessing resources such as Microsoft SharePoint and File Shares removes the requirement for end-users to provide their network credentials to access network resources using the Docs service.

Before configuring the Docs service to use KCD, it is important to understand that configuring KCD for the Docs service is independent of configuring BlackBerry Dynamics KCD. This means, for example, that if your mobile app (for example, BlackBerry Work) requires use of the Docs service exclusively, you only need to configure KCD for the Docs service.

For example, the following diagram charts a sample KCD call flow for BlackBerry Work.

All KCD transactions are between the Docs service account and the key distribution center (KDC) and respective resources. No KCD information is cached on the mobile app. The Docs service uses Microsoft's Service for User (S4U) specifications for KCD. For more information on S4U, visit the MSDN Library to see: https://msdn.microsoft.com/en-us/library/cc246071.aspx.

Configuring Kerberos constrained delegation for the Docs service

When you configure Kerberos constrained delegation (KCD) for Docs, you perform the following actions:

1. Find the SharePoint application pool identity and port.
2. Create any required Service Principal Names (SPNs).
3. Add Kerberos constrained delegation for Microsoft SharePoint servers.
4. Add Kerberos constrained delegation for file shares.
5. Turn on Kerberos constrained delegation.

If you want to configure KCD for File Share repositories only, you can skip the Microsoft SharePoint configuration guidance that follows and proceed directly to Add Kerberos constrained delegation for file shares.

Find the SharePoint application pool identity and port

Before you begin: Make sure that you create a list of web applications that are going to be shared through the Docs service.

1. Open Windows Internet Information Services (IIS) Manager. Make sure that you record any additional port numbers that are assigned if a web application was extended to create alternate access mappings.

2. Find the Application Pool identity in the Application Pools list view or in SharePoint Central Administration > Security > Configure service accounts. In most instances, for Kerberos constrained delegation (KCD) to work properly, the application pool identity user must be the same for all application pools whose applications will be accessed by the Docs service. This means you cannot have different application pools running under different users.

3. In SharePoint Central Administration, on the Web Applications tab, find the port for each of the web applications listed. Look in the Alternate Access Mappings view as necessary.

4. In SharePoint Central Administration, open Application Management, choose the web application and click Authentication Providers in the ribbon bar. Make sure that the authentication type for each web application is set to Windows and that Negotiate (Kerberos) is enabled under IIS Authentication Settings. In certain scenarios, switching to Negotiate (Kerberos) might require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For more information, visit the MSDN Library to see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.

Create Service Principal Names

Create a Service Principal Name (SPN) for each web application that needs to be shared as follows:

setspn -S HTTP/SPHOST:PORT <domain>\AppPoolUser
setspn -S HTTP/SPHOST.FQDN:PORT <domain>\AppPoolUser
setspn -S HTTP/SPHOST <domain>\AppPoolUser
setspn -S HTTP/SPHOST.FQDN <domain>\AppPoolUser

If the port is a default port, such as 80 or 443, omit the commands above that include the port.

Note: Some of the lines only require a host name while others require a fully qualified host name. If the application pool identity is for a built-in user such as Network Service, then specify the host name as shown below instead of <domain>\AppPoolUser.

setspn -S HTTP/SPHOST:PORT <domain>\SPHOST
setspn -S HTTP/SPHOST.FQDN:PORT <domain>\SPHOST
setspn -S HTTP/SPHOST <domain>\SPHOST
setspn -S HTTP/SPHOST.FQDN <domain>\SPHOST

Note: If you use SSL, the SPN must refer to HTTP instead of HTTPS.
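The following PowerShell script is an added example, not code from the BlackBerry guide: it builds the setspn -S commands above for a list of web applications, applying the default-port, Network Service, and HTTP-only rules from this section (the same SPN forms that step 3 of the resource based KCD procedure uses). The domain, host names, and application pool identities in it are constructed placeholders.

```powershell
# Added example, not from the BlackBerry guide: generate the setspn -S commands
# for a list of SharePoint web applications, applying the rules of this section:
# the service class is always HTTP (also for SSL sites), port-qualified SPNs are
# needed only for non-default ports (80 and 443), and an application pool running
# as Network Service registers the SPNs on the host computer (<domain>\SPHOST)
# rather than on a user account. setspn -S itself refuses to add an SPN that is
# already registered elsewhere in the forest, so duplicates are not created.
function Get-SharePointSpns {
    param(
        [Parameter(Mandatory)][string]$HostName,         # short name, e.g. SPHOST
        [Parameter(Mandatory)][string]$Fqdn,             # e.g. sphost.example.com
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$AppPoolIdentity   # value of the IIS Identity column
    )
    # Built-in Network Service: the SPN goes on the SharePoint computer account.
    $account = if ($AppPoolIdentity -match '^(NT AUTHORITY\\)?Network ?Service$') {
        "$Domain\$HostName"
    } else {
        "$Domain\$AppPoolIdentity"
    }

    # Host name and FQDN forms are always required.
    $spns = @("HTTP/$HostName", "HTTP/$Fqdn")
    # Port-qualified forms only for non-default ports (braces keep ':' out of the variable name).
    if ($Port -notin @(80, 443)) {
        $spns += @("HTTP/${HostName}:$Port", "HTTP/${Fqdn}:$Port")
    }
    foreach ($spn in $spns) {
        [pscustomobject]@{ Spn = $spn; Account = $account }
    }
}

function Invoke-SharePointSpnRegistration {
    # Prints the commands by default; registers the SPNs only with -Execute
    # (run as a domain administrator in that case).
    param([Parameter(Mandatory)][hashtable[]]$WebApps, [switch]$Execute)
    foreach ($app in $WebApps) {
        foreach ($entry in Get-SharePointSpns @app) {
            Write-Output "setspn -S $($entry.Spn) $($entry.Account)"
            if ($Execute) { & setspn -S $entry.Spn $entry.Account }
        }
    }
}

# Constructed sample inventory (replace with the list recorded from IIS / Central Administration).
$webApps = @(
    @{ HostName = 'sp01'; Fqdn = 'sp01.example.com'; Port = 80;   Domain = 'EXAMPLE'; AppPoolIdentity = 'svc_spapp' },
    @{ HostName = 'sp02'; Fqdn = 'sp02.example.com'; Port = 8080; Domain = 'EXAMPLE'; AppPoolIdentity = 'NetworkService' }
)
Invoke-SharePointSpnRegistration -WebApps $webApps
```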

Add Kerberos constrained delegation in Microsoft Active Directory for Microsoft SharePoint

Note: There is a limit of 1300 services that can be delegated to one account.

If you want to configure Kerberos constrained delegation (KCD) for File Share repositories only, do not complete this task.

1. Open Microsoft Active Directory Users and Computers.
2. In your domain, click Users.
3. Right-click the BEMS service account. For example, BEMSAdmin. Click Properties.
4. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:

• Trust this user for delegation to specified services only
• Use any authentication protocol

5. Click Add.
6. Click Users or Computers.
7. In the Enter the object names to select field, type one of the following:

• If the SharePoint web application is running under a domain user account, type the SharePoint Application Pool identity username.

• If the SharePoint web application is running under the Network Service account, type the Microsoft SharePoint server name.

8. Click OK.
9. In the Add Services dialog box, select the HTTP service that corresponds to the SharePoint web applications running under the account specified in step 7.
10. Click OK.
11. Repeat steps 4 to 9 for each application pool identity user and each Web Application identified.

Add Kerberos constrained delegation for file shares

The main difference between sharing files in File Share repositories, compared to sharing apps (for example, Microsoft SharePoint), is that here the delegation is to the computer hosting the BEMS instance account and not to the Docs service process user, BEMSAdmin.

1. Open Microsoft Active Directory Users and Computers.
2. In your domain, click Computers.
3. Right-click the BEMS computer entry. Click Properties.
4. Click the Delegation tab.
5. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:

• Trust this user for delegation to specified services only
• Use any authentication protocol

6. Click Add, select Users or Computers, type in the name of the server whose file share needs access and click OK.

7. In the list of services, click cifs. Click OK.
8. Repeat steps 3 to 6 for each server that has file shares needing access.
9. Restart the BEMS server. Since Kerberos tokens are cached, restarting the BEMS server is the only way to make sure all delegation changes are received on the machines.

Turn on Kerberos constrained delegation

When you configure Kerberos constrained delegation (KCD) for the Docs service, consider the following:

• Only Windows authentication in Microsoft SharePoint is supported. Forms-based and claims-based authentication are not supported.

• IP addresses are not allowed in the Microsoft SharePoint URLs and File Share paths that you configure in BEMS.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the Kerberos Constrained Delegation section, select the Enable Kerberos Constrained Delegation checkbox.
4. Restart the Good Technology Common Services.
5. On the computer hosting the BEMS-Docs service, grant the Act as part of the operating system privilege to the BEMS server account (for example, GoodAdmin).
a) Run the Local Security Policy administrative tool.
b) In the left pane, expand Local Policies.
c) Click User Rights Assignment.
d) Configure the service account for the Act as part of the operating system permission.

6. Click OK.

Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service

When your environment is configured for Skype for Business Online, Microsoft SharePoint Online, Microsoft OneDrive for Business, or Microsoft Azure-IP you must register the BEMS component services in Azure. You can register one or more of the services in Azure. In this task, the Connect, Presence, and Docs services and Microsoft Azure-IP are registered in Azure.

If you configure the Connect service, you can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:

• Users in a Skype for Business on-premises environment that have mailboxes on an on-premises Microsoft Exchange Server

• Users in a Skype for Business Online environment that have mailboxes on an on-premises Microsoft Exchange Server

• Users in a Skype for Business Online environment that have mailboxes on Microsoft Office 365

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Before you begin: To grant permissions, you must use an account with tenant administrator permissions.

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app. For example, AzureAppIDforBEMS.
6. Select a supported account type.
7. In the Redirect URI drop-down list, select Web and enter https://localhost:8443.
8. Click Register.
9. Record the Application (client) ID. This is used as the following in the BEMS dashboard:

• BlackBerry BEMS Connect/Presence Service App ID value in the BEMS dashboard for the BlackBerry Connect service
• BlackBerry BEMS Connect/Presence Service App ID value for the Presence service
• BEMS Service Azure Application ID value for the Docs > Settings service

10. In the Manage section, click API permissions.
11. Click Add a permission.
12. In the Select an API section, click APIs my organization uses.
13. If your environment is configured for Azure-IP, search for and click Microsoft Information Protection Sync Service. Set the following permission:

• In delegated permissions, select the Read all unified policies a user has access to checkbox (UnifiedPolicy > UnifiedPolicy.User.Read).

14. Click Add permissions.
15. Click Add a permission.
16. Complete one or more of the following tasks:

Service Permissions

If you configure BEMS-Connect to use Skype for Business Online

a. Click the Microsoft APIs tab.
b. Click Skype for Business.
c. Set the following permissions:

• In application permissions, select all of the permissions.
1. Click Application permissions.
2. Click expand all. Make sure that all options are selected.

• In delegated permissions, select all of the permissions.
1. Click Delegated permissions.
2. Click expand all. Make sure that all options are selected.

d. Click Add permissions.
e. If you enable saving the conversation history, complete the following steps:
1. On the API permissions page, click Add a permission.
2. In the Select an API section, click the Microsoft APIs tab.
3. Click Exchange.
4. In delegated permissions, select the Access mailboxes as the signed-in user via Exchange Web Services checkbox (EWS > EWS.AccessAsUser.All).
5. Click Add permissions.

If you configure BEMS-Presence to use Skype for Business Online

a. Search for and click Skype for Business.
b. Set the following permissions:

• In application permissions, select all of the permissions.
1. Click Application permissions.
2. Click expand all. Make sure that all options are selected.

• In delegated permissions, select all of the permissions.
1. Click Delegated permissions.
2. Click expand all. Make sure that all options are selected.

c. Click Add permissions.

If you configure BEMS-Docs to use Microsoft SharePoint Online or Microsoft OneDrive for Business

a. Click SharePoint.
b. Set the following permissions:

• In application permissions, clear all of the permissions.
1. Click Application permissions.
2. Click expand all. Make sure that all options are cleared.

• In delegated permissions, select the Read and write items and lists in all site collections checkbox (AllSite > AllSites.Manage).

c. Click Add permissions.

If you use Microsoft Azure-IP

a. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
b. Set the following permissions:

• In application permissions, select the Read directory data checkbox (Directory > Directory.Read.All).

• In delegated permissions, select the Read directory data checkbox (Directory > Directory.Read.All).

c. Click Update permissions.

17. Click Grant admin consent. Click Yes.

Important: This step requires tenant administrator privileges.

18. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
a) In the Manage section, click Authentication.
b) Under the Implicit grant section, select the ID Tokens checkbox.
c) In the Default client type, select No.
d) Click Save.

19. Define the scope and trust for this API. In the Manage section, click Expose an API. Complete the following tasks.

Task Steps

Add a scope
The scope restricts access to data and functionality protected by the API.

a. Click Add a scope.
b. Click Save and continue.
c. Complete the following fields and settings:

• Scope name: Provide a unique name for the scope.
• Who can consent: Click Admins and users.
• Admin consent display name: Enter a descriptive name.
• Admin consent description: Enter a description for the scope.
• State: Click Enabled. By default, the state is enabled.

d. Click Add Scope.

Add a client application
Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.

a. Click Add a client application.
b. In the Client ID field, enter the client ID that you recorded in step 9 above.
c. Select the Authorized scopes checkbox to specify the token type that is returned by the service.
d. Click Add application.

20. In the Manage section, click Certificates & secrets and add a client secret. Complete the following steps:
a) Click New client secret.
b) In the Description field, enter a key description up to a maximum of 16 characters including spaces.
c) Set an expiration date (for example, In 1 year, In 2 years, Never expires).
d) Click Add.
e) Copy the key Value.

Important: The Value is available only when you create it. You cannot access it after you leave the page. This is used as the BlackBerry BEMS Connect/Presence Service App Key value in the BEMS-Connect and BEMS-Presence services and BEMS Service Application Key in the BEMS-Docs service in the BEMS Dashboard.

Updating the Connect and Presence services using Lync Director

The Lync Director role provides functionality for users accessing the Microsoft Lync Server, internally and externally. For more information about the Lync Director, visit the Technet Wiki and see Lync Director.

To support this capability, the Microsoft Lync Server is deployed as one or more pools, based on Standard Edition or Enterprise Edition Microsoft Lync Server. Users can be homed on only a single pool. Clients can be configured to find their Lync pool automatically. However, the DNS records that support this functionality can point to only a single pool. In a multi-pool environment, this "primary" pool will have to redirect users to their correct home pool. This is an overhead on the primary pool. The Lync Director is used to offload this redirection functionality. The Director does not home any users itself but instead redirects the user to their correct pool home. The requirement for the Lync Director is therefore for multi-pool environments with high user numbers.

Once the user has been redirected to their correct pool, the Lync Director plays no further role in communications between the client and the pool server.

Specify the Connect and Presence services to use a Lync Director

1. On the BEMS host, stop the BlackBerry Connect service and the BlackBerry Presence service.
2. Complete the following actions:

Task Steps

Update the BlackBerry Connect configuration file

a. On the BEMS host, navigate to the GoodConnectServer.exe.config file. By default, the GoodConnectServer.exe.config file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect.

b. In a text editor, open the GoodConnectServer.exe.config file.

Update the BlackBerry Presence configuration file

a. On the BEMS host, navigate to the LyncPresenceProviderService.exe.config file. By default, the LyncPresenceProviderService.exe.config file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence.

b. In a text editor, open the LyncPresenceProviderService.exe.config file.

3. Locate the LYNC_SERVER key and update the value with the FQDN of the Director pool that you want to use.
4. On the BEMS host, start the Good Technology Connect service and Good Technology Presence service.

Configuring BlackBerry Dynamics Launcher

The BlackBerry Dynamics Launcher is a UI component that is accessed in BlackBerry Dynamics apps (for example, BlackBerry Work) with the BlackBerry Dynamics Launcher button. The BlackBerry Dynamics Launcher is a library module with numerous functions, currently comprising the following. The BlackBerry Dynamics Launcher creates a placeholder location for app settings.

• The user's name, photo, presence, and status
• A list of BlackBerry Dynamics-powered apps and modules installed on the device
• Quick create options to easily compose an email, create a note, schedule a calendar event, or add a contact, regardless of which app is currently open

To provide this rich user experience, the BlackBerry Dynamics Launcher library requires BEMS server-side services to:

• Synchronize policy-based sections (modules) between applications. For example, when Docs is enabled in BlackBerry Work, the Docs icon is enabled in the BlackBerry Dynamics Launcher, even when it is opened outside of BlackBerry Work in apps like BlackBerry Access or BlackBerry Connect.

• Fetch company directory information about the user to display the correct name and picture.
• Fetch presence information for the user and display the appropriate status (available, busy, away, do not disturb) and the user's presence message.

The required server-side services for the BlackBerry Dynamics Launcher are the following:

• Presence (service id = com.good.gdservice.enterprise.presence)
• BlackBerry Directory Lookup (service id = com.good.gdservice.enterprise.directory)
• BlackBerry Follow-Me Store (service id = com.good.gdservice.enterprise.followme)

The client entitlement app to use these services is Good Enterprise Services (AppID = com.good.gdserviceentitlement.enterprise).

BlackBerry Dynamics clients, like the BlackBerry Work app, check the server list for available BEMS instances hosting these services. This means the list must be populated with at least one computer that hosts BEMS to enable Good Enterprise Services. In addition, the Good Enterprise Services entitlement app must be added to at least one App Group in BlackBerry UEM like "All users".

Configuring Good Enterprise Services in BlackBerry UEM

When you configure Good Enterprise Services in BlackBerry UEM, you perform the following actions:

1. Verify the Good Enterprise Services app is available in BlackBerry UEM.
2. Add BEMS to the Good Enterprise Services entitlement app.
3. Add the Good Enterprise Services entitlement app to users. You can use one or more of the following options. For instructions, see the BlackBerry UEM Administration content.

• Apply the app directly by completing one of the following tasks:
  • Assign the entitlement app to a user group
  • Assign the entitlement app to a user account

• Assign the entitlement app to an app group. Then complete one of the following tasks:
  • Assign the app group to a user group
  • Assign the app group to a user account

Verify that Good Enterprise Services are available in BlackBerry UEM

1. Log in to the BlackBerry UEM console.
2. On the menu bar, click Apps.
3. Search for Good Enterprise Services.

Add the BEMS instance to the Good Enterprise Services and BlackBerry Work entitlement app

You must add the BEMS instance to the Good Enterprise Services entitlement app to allow users to use the services. You must also add the BEMS instance to allow users to receive email notifications. If the BEMS instance is not added to the BlackBerry Work entitlement app, users receive email messages, but do not receive the notifications when the email messages are received. For more information about configuring your environment to support BlackBerry Dynamics apps, making the apps available to users, and configuring the app settings, see the BlackBerry Work, Tasks, and Notes administration content.

1. On the menu bar, click Policies and Profiles.
2. Click Networks and connections > BlackBerry Dynamics connectivity.
3. Click   to create a new connectivity profile or click the Default connectivity profile to edit it.
4. In the Additional servers section, click  .
5. Complete one of the following tasks:

Task Steps

Route all traffic
Select the Route all traffic checkbox to specify whether all BlackBerry Dynamics app data is routed through the BlackBerry Proxy. For more information about the BlackBerry Dynamics connectivity profile settings, see the Managing BlackBerry Dynamics apps content.

Add the BEMS instance to the Additional servers

a. In the Additional servers section, click  .

b. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.

c. In the Port field, specify the port for the BlackBerry Enterprise Mobility Server. By default, the port number is 8443.

d. In the Primary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the primary cluster.

e. If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.

6. Click Save.
7. Add the BEMS instance to the Good Enterprise Services entitlement app.
a) In the App servers section, click  .
b) Click Add.
c) Search for and select Good Enterprise Services.
d) Click Save.
e) In the App servers for Good Enterprise Services, click  .
f) In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
g) In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
h) In the Priority drop-down list, select the priority of the BlackBerry Proxy cluster that must be used to reach the domain.
i) If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
j) Click Save.
8. Add the BEMS instance to the BlackBerry Work entitlement app.
a) In the App servers section, click  .
b) Click Add.
c) Search for and select BlackBerry Work.
d) Click Save.
e) In the App servers for BlackBerry Work, click  .
f) In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
g) In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
h) In the Priority drop-down list, select the priority of the BlackBerry Proxy cluster that must be used to reach the domain.
i) If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
j) Click Save.

9. To save the updates to the existing profile, click Save.
10. To save the settings and add the new profile, click Add.

Setting a customized icon for the BlackBerry Dynamics LauncherYou can specify a default customized icon for the BlackBerry Dynamics Launcher on users' devices. When youspecify a customized icon, the icon replaces the BlackBerry Dynamics icon for all users managed by the BEMSinstance.

When you specify a customized icon, make sure that the file meets the following requirements:

• Less than 500kb.• Named using the following format: <file name>_<device_type>_<resolution>.png. For example, Icon_iOS_2x.png.

Where resolution is the supported resolution for the device. For example:

• Android devices: dpi, mdpi, hdpi, and xdpi• iOS devices: 1x, 2x, 3x, and so on

• Saved as a .png format

Specify a customized icon for the BlackBerry Dynamics Launcher

BEMS allows you to specify a custom icon for users in your environment. When you add custom icons, BEMS verifies the validity of the uploaded images. For more information about customized icon requirements, see Setting a customized icon for the BlackBerry Dynamics Launcher.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry System Settings, click Launcher Branding.
2. Select the Show customized icon in launcher checkbox.
3. Click the Device drop-down list, and select the device for which you want to specify the launcher icon. By default, Android is selected.
4. Under Icon, click Choose File.
5. Navigate to the icon file location. Click the file and then click Open.
6. Click Save.
7. Repeat steps 4 to 6 for each customized Android icon file resolution.
8. Complete steps 3 to 7 for customized iOS device icon files.

Remove a customized icon for the BlackBerry Dynamics Launcher

Before you begin: You can choose to remove a customized icon you specified for the BlackBerry Dynamics Launcher. If you remove all of the customized icon files, the default Launcher icon is used on the client devices for the Launcher app.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry System Settings, click Launcher Branding.
2. Click Delete beside the icon you want to remove.
3. Click Save.


Monitoring

You can monitor the status of BEMS and users using the following monitoring tools:

• BEMS Lookout tool
• Java Management Extensions (JMX)-compliant monitoring tools

Monitoring the status of BEMS and users using the BEMS Lookout tool

You can use the BEMS Lookout tool to view the status of the BEMS node and scan the logs for information including the following:

• The state of devices and users
• Notification success and failure
• The notifications received by a user during a specified time range

You can also use monitoring probes to report on the health metrics for the Push Notifications service, for example, the number of successful and failed push notifications. You can run the Lookout tool on log files you saved locally in a folder or on a shared drive. The analysis tool is included in your BEMS 2.4 or later installation package and supports analyzing logs from BEMS 2.1.5 or later.

Install the BEMS Lookout tool

Before you begin: Install Python 2.7 on the computer that you use to analyse the BEMS logs. You can download it from www.python.org/downloads/windows/. Make sure that you download and install version 2.7.15 or later, but earlier than version 3.x.x.

1. Update the PATH system variable.
   a) On the computer that you use to run the Lookout tool, right-click Computer or This PC. Click Properties.
   b) Click Advanced system settings.
   c) Click the Advanced tab.
   d) Click Environment Variables.
   e) In the System variables list, click Path. Click Edit.
   f) In the Variable value field, add ;C:\Python27;C:\Python27\Scripts.
   g) Click OK. Click OK again.
2. Optionally, enable BEMS monitoring tools.
   a) On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
   b) Scroll to and click com.good.gcs.monitor.MonitorComponent.name.
   c) In the default realm field, type gems-ad.
   d) In the default role field, type admin.
   e) Click Save.
   f) Verify that the monitoring probes are successfully enabled. In a browser, navigate to https://<BEMS FQDN>:8443/monitor. Review the monitor content. If you are prompted to download the monitor.json file, download it to review the content. To view the data provided by each monitoring probe, see Monitoring probes.
3. On the computer that hosts BEMS, navigate to the BEMS Lookout tool. By default, the BEMS Lookout tool is located in the BEMS installation folder at <drive>:\GoodEnterpriseMobilityServer<version>\GoodEnterpriseMobilityServer\bems-lookout.
4. Extract the bems-lookout<version>tools.zip file.
5. Double-click setup.bat to install the Python libraries on the computer.
6. In a text editor, open Config.cfg and set the following properties:
   • ServerBaseUrls: Optionally, specify the BEMS https web addresses you want to connect to and include in your analysis. If you want to run the Lookout tool on multiple BEMS instances, separate the instances using a comma, no space.
   • MonitorCredentials: If you configured ServerBaseUrls, you must include the user credentials specified during BEMS monitoring setup. For example, gemsadmin:<password>.
   • ServerLogDirectories: Specify the location of the logs for each computer that hosts a BEMS instance in the BEMS cluster. You must include the BEMS instance name and the location of the log files. For example, if the log files for BEMS1 are available on a network share, the log files for BEMS2 are located in C:\blackberry, and you analyze the logs on BEMS2, you specify <bemshost1>:\\<bemshost1>\<bemslogs share>,<bemshost2>:C:\blackberry\bemslogs.
     Note: You can list the BEMS log locations in any order.
   • DataDir: Create a folder where the processed data is saved. For example, create a folder called 'bems-lookout-data'. Update the DataDir property to DataDir=C:\blackberry\bems-lookout-data.
   • LogSyncIntervalSec: Optionally, specify the interval, in seconds, at which the analysis tool scans the log directory for new logs. By default, LogSyncIntervalSec is set to onetime. If logs are not available, you can set LogSyncIntervalSec=none to only view the user state.
   • MaxLogScanAgeDays: Optionally, specify the oldest date from which you want to synchronize the logs. By default, MaxLogScanAgeDays is 14 days.
7. Save the Config.cfg file.

After you finish:

• Optionally, enable monitoring probes to view additional information about the health of your BEMS server and users.
• Run the BEMS Lookout tool to analyze the BEMS logs.

Monitoring probes

The following table describes the monitoring probes you can use to view additional information about the health of your BEMS server and users. You can use monitoring probes to view information for a BEMS instance locally or from a remote computer.

Note: To use monitoring probes in your environment, you must enable them. For instructions, see Install the BEMS Lookout tool.

Probe name: PushNotificationCounter
cURL command:
  curl -k -i -X GET \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
    'https://<BEMS instance name>:8443/monitor/push.notifications'
Output: SuccessfulPushes
Description: This probe specifies the number of push notifications, per push notification type (for example, APNS, GNP, and GCM), that the instance has sent for users supported by this instance. You want to see the number increase over short intervals of time. If it stops rising, then BEMS is not sending any push notifications.

Probe name: Total user count
cURL command:
  curl -k -i -X GET \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
    'https://<BEMS instance name>:8443/monitor/mail.users/UsersCount'
Output: UsersCount
Description: This probe specifies the total number of users across the BEMS cluster which successfully registered a device and are successfully auto discovered by BEMS. The UsersCount does not reflect the number of devices receiving push notifications.

Probe name: Stale user count
cURL command:
  curl -k -i -X GET \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
    'https://<BEMS instance name>:8443/monitor/mail.users/StaleUsersCount'
Output: StaleUsersCount
Description: This probe specifies the total number of users across the BEMS cluster which successfully registered a device, but for which BEMS is no longer sending push notifications because the device hasn't registered in the past 72 hours.

Probe name: EWS user count
cURL command:
  curl -k -i -X GET \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
    'https://<BEMS instance name>:8443/monitor/mail.ewslistener/EWSUserStats'
Output: EWSConnectedUserCount
Description: This probe specifies the number of users on the Microsoft Exchange Web Services instance for which BEMS connects to the Microsoft Exchange Server and is attempting to monitor the users' mailboxes. EWSConnectedUserCount reflects the number of users most likely to be receiving push notifications, unless BEMS is experiencing errors with its Microsoft Exchange Web Services connections to the Microsoft Exchange Server. The EWSConnectedUserCount should be equal across all Microsoft Exchange Web Services instances in a cluster. If this count drops to 0, then the Microsoft Exchange Web Services instance is not servicing any user mailboxes.
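Polling these probes from a script lets you apply the table's health rules automatically instead of reading monitor.json by eye. The following is an added example, not BlackBerry's Lookout tool: it queries the four probes with the same Basic-auth headers as the curl commands above and compares two snapshots. The JSON layout (each probe's Output key at the top level, SuccessfulPushes as a per-type mapping) and the sample snapshots are assumptions constructed for the example.

```python
import base64
import json
import urllib.request

# Probe paths from the table, mapped to the key named in the Output column.
PROBES = {
    "push.notifications": "SuccessfulPushes",
    "mail.users/UsersCount": "UsersCount",
    "mail.users/StaleUsersCount": "StaleUsersCount",
    "mail.ewslistener/EWSUserStats": "EWSConnectedUserCount",
}


def fetch_probe(base_url, path, username, password, timeout=10):
    """GET https://<BEMS instance name>:8443/monitor/<path> with the headers the
    table's curl command sends. The guide's curl uses -k; this keeps certificate
    validation on, so the BEMS certificate (or its CA) must be trusted by Python."""
    url = f"{base_url.rstrip('/')}/monitor/{path}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def snapshot(base_url, username, password):
    """One instance's snapshot: {Output key: value} for all four probes (network call).
    Assumption: each probe's JSON carries its Output key at the top level."""
    return {key: fetch_probe(base_url, path, username, password)[key]
            for path, key in PROBES.items()}


def evaluate(previous, current):
    """Apply the table's health rules to two snapshots taken some minutes apart.

    previous / current: {instance name: snapshot}. SuccessfulPushes is assumed to be
    a {push type: count} mapping. Returns a sorted list of findings; [] means healthy.
    """
    findings = []
    for inst, now in current.items():
        before = previous.get(inst, {})
        # SuccessfulPushes must keep rising; a flat counter means BEMS sends no pushes.
        for ptype, count in now.get("SuccessfulPushes", {}).items():
            old = before.get("SuccessfulPushes", {}).get(ptype)
            if old is not None and count <= old:
                findings.append(f"{inst}: SuccessfulPushes[{ptype}] did not increase ({old} -> {count})")
        # EWSConnectedUserCount of 0 means that EWS instance services no mailboxes.
        if now.get("EWSConnectedUserCount", 0) == 0:
            findings.append(f"{inst}: EWSConnectedUserCount is 0, no mailboxes are being monitored")
    # EWSConnectedUserCount should be equal across all EWS instances in the cluster.
    ews = {inst: v.get("EWSConnectedUserCount") for inst, v in current.items()}
    if len(set(ews.values())) > 1:
        findings.append("EWSConnectedUserCount differs across the cluster: " + json.dumps(ews, sort_keys=True))
    return sorted(findings)


# Constructed sample snapshots (not captured from a real BEMS), a few minutes apart.
SNAPSHOT_T0 = {
    "bems1": {"SuccessfulPushes": {"APNS": 1200, "GNP": 800, "GCM": 300},
              "UsersCount": 500, "StaleUsersCount": 20, "EWSConnectedUserCount": 480},
    "bems2": {"SuccessfulPushes": {"APNS": 1100, "GNP": 790, "GCM": 310},
              "UsersCount": 500, "StaleUsersCount": 20, "EWSConnectedUserCount": 480},
}
SNAPSHOT_T1 = {
    "bems1": {"SuccessfulPushes": {"APNS": 1260, "GNP": 840, "GCM": 300},
              "UsersCount": 502, "StaleUsersCount": 21, "EWSConnectedUserCount": 481},
    "bems2": {"SuccessfulPushes": {"APNS": 1150, "GNP": 830, "GCM": 330},
              "UsersCount": 502, "StaleUsersCount": 21, "EWSConnectedUserCount": 0},
}

if __name__ == "__main__":
    for line in evaluate(SNAPSHOT_T0, SNAPSHOT_T1) or ["healthy"]:
        print(line)
```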

Run the BEMS Lookout tool

Before you begin:

• Install Python 2.7 on the computer that you use to analyse the BEMS logs. You can download it from Python 2.7 at www.python.org/downloads.
• Install the BEMS Lookout tool.

1. On the computer on which you installed the BEMS Lookout tool, navigate to the bems-lookout-<version>.tools folder. By default, the folder is located at: <drive>:\Downloads\GoodEnterpriseMobilityServer.<version>\GoodEnterpriseMobilityServer\bems-lookout\bems-lookout-<version>.tools-all\bems-lookout-<version>.tools
2. To start the log analysis, double-click start.bat. The BEMS Lookout tool writes the log files it generates to the DataDir location that you specified when you installed the BEMS Lookout tool.

After you finish: The BEMS Lookout tool log analysis results are saved to a database in the DataDir folder. To view the analysis results, open a browser and go to http://localhost:5000.

Java Management Extensions (JMX)-compliant monitoring tools

You can now use Java Management Extensions (JMX)-compliant monitoring tools to monitor the Mail (Push Notifications) and BEMS-Docs services. JMX is a Java standard which is compatible with many tool suites, including JConsole, which is distributed with every JDK installation.

Monitoring the status of Push Notifications using JMX-compliant monitoring tools

You can view the status of the BEMS node on Push Notifications statistics, including the following:

• The state of devices and users
• Notification success and failure
• The time of the last notification received
• The state of the BEMS infrastructure, such as processing time and response to database requests

Monitoring the status of the BEMS-Docs service using JMX-compliant monitoring tools

You can view the status of the BEMS node on BEMS-Docs statistics, including the following:

• The average completion time of upload and download requests
• The average completion time of requests
• The number of requests sent to supported storage providers (for example, CMIS and Microsoft SharePoint on-premises and Microsoft SharePoint Online)
• Request, upload, and download success and failure

Monitoring attributes

The following table describes the statistics that you can use to monitor the health of the BEMS server, users, and BEMS-Docs using the monitoring tool. Each entry lists the statistic (the MBean group and its attribute) and a description.

Push Notifications

Statistic: RelayStats, attribute <notification type>RelayStats
Description: This attribute specifies the number of push notifications for each push notification type (for example, APNS, GNP, and FCM). If this number stops rising, then BEMS is not sending any push notifications. The numbers should increase over short intervals.

Statistic: EWSStats, attribute EWSConnectedUserCount
Description: This attribute specifies the number of users on the Microsoft Exchange Web Services instance that BEMS uses to connect to the Microsoft Exchange Server so that it can monitor the users' mailboxes. This attribute reflects the number of users most likely to be receiving push notifications, unless BEMS is experiencing errors with its Microsoft Exchange Web Services connections to the Microsoft Exchange Server. The EWSConnectedUserCount should be equal across all Microsoft Exchange Web Services instances in a cluster. If this count drops to 0, then the Microsoft Exchange Web Services instance is not servicing any user mailboxes.

Statistic: UserStats, attribute UsersCount
Description: This attribute specifies the total number of users across the BEMS cluster which successfully registered a device and are successfully autodiscovered by BEMS. The UsersCount does not reflect the number of devices receiving push notifications.

Statistic: UserStats, attribute StaleUsersCount
Description: This attribute specifies the total number of users across the BEMS cluster that BEMS is no longer sending push notifications to because the devices that were registered previously haven't registered in the past 72 hours.

Statistic: HealthStats, attribute HealthStats
Description: This attribute specifies the overall health of the BEMS status, including the health of consumer threads, producer threads, ActiveMQ, and access to the database.

Statistic: ClientAPIStats, attribute ClientAPIStats
Description: This attribute identifies generic problems with the BEMS service by monitoring the average and maximum processing time of requests to the BEMS database. This statistic is for the last minute only. For example, if LookupUser is {Min:10, Max:90000, Average:50000, Count:26}, it means that BEMS received 26 LookupUser requests in the last minute and the average duration is 50,000 milliseconds.

Statistic: DatabaseStats, attribute DatabaseStats
Description: This attribute can identify common failure points for the BEMS infrastructure. It monitors statistics such as the average, maximum, minimum, and number of requests to BEMS. For example, if NumOfRequests is 25, it means BEMS received 25 database requests in the last minute. If the database stops, the processing time displays Infinity.

Statistic: AutodiscoverStats, attribute EAS
Description: This attribute specifies the total number of successful or failed Active Directory requests for EAS client requests.

Statistic: AutodiscoverStats, attribute EWS
Description: This attribute specifies the total number of successful or failed Active Directory requests for all EWS requests and client requests.

Statistic: AutodiscoverStats, attribute Tests
Description: This attribute specifies the total number of successful or failed Active Directory requests for both EWS and EAS tests.

BEMS-Docs

Statistic: DocsConfigInfo
Description: This attribute specifies the overall BEMS-Docs configuration information, including the version of BEMS that is installed, the status of all bundles, and database status.

Statistic: DocsServices
Description: This attribute specifies the overall health of the BEMS-Docs service, including the total number of requests, downloads, and uploads with the average processing time. The success and failure of the statistics are also included.

Statistic: DocsStorageProviders
Description: This attribute specifies the total number of requests and downloads to a specific fileshare (for example, Microsoft SharePoint, Microsoft SharePoint Online, CMIS, and Box).

Enable JMX

You must modify the GoodServerDistribution-wrapper.conf file on the computer that hosts the BEMS instance to allow jconsole to connect to BEMS and view the monitoring attributes. By default, this feature is disabled.

1. In a text editor, open the GoodServerDistribution-wrapper.conf file. By default, this file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc. Make a backup of this file and save it to your desktop.
2. In the # Use the Garbage First (G1) Collector section, uncomment the following properties:
   • wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.port=<port>
   • wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.authenticate=false
   • wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.ssl=false
   • If you want to allow remote access, uncomment wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.local.only=false
   Where <n> must be changed to the next unique, incremental identifier in the GoodServerDistribution-wrapper.conf file. For example, in the following excerpt, you must change the <n> for jmxremote.port to 22.

   # Needed for Certicom Security Provider
   wrapper.java.additional.19=-Dcerticom.keyagreement.ecdh=rawECDH
   # Use the Garbage First (G1) Collector
   wrapper.java.additional.20=-XX:+UseG1GC
   wrapper.java.additional.21=-Djava.security.properties="%KARAF_ETC%/java.security"
   # Uncomment to enable jmx
   #wrapper.java.additional.n=-Dcom.sun.management.jmxremote.port=1616
   #wrapper.java.additional.n=-Dcom.sun.management.jmxremote.authenticate=false

3. Record the port number. This port number is required to log in to jconsole.
4. Save and close the file.
5. Restart the Good Technology Common Services service.
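To check the result of this procedure without counting indexes by hand, here is an added example in Python (not part of BEMS) that parses the wrapper.java.additional.<n> lines, computes the next <n>, applies the uncommenting from step 2, and reports what the active jmxremote properties expose. WRAPPER_CONF is a constructed excerpt mirroring the lines quoted above; the JVM defaults it relies on (authenticate, ssl and local.only all default to true) are the standard com.sun.management.jmxremote defaults.

```python
import re

# Constructed excerpt mirroring the lines quoted in the Enable JMX procedure.
WRAPPER_CONF = """\
# Needed for Certicom Security Provider
wrapper.java.additional.19=-Dcerticom.keyagreement.ecdh=rawECDH
# Use the Garbage First (G1) Collector
wrapper.java.additional.20=-XX:+UseG1GC
wrapper.java.additional.21=-Djava.security.properties="%KARAF_ETC%/java.security"
# Uncomment to enable jmx
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.port=1616
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.authenticate=false
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.ssl=false
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.local.only=false
"""

# An additional-property line: optional leading '#' (commented out), a numeric index
# or the literal placeholder 'n', and the JVM argument after '='.
LINE_RE = re.compile(r"^(?P<off>#?)wrapper\.java\.additional\.(?P<n>\d+|n)=(?P<value>.*)$")
JMX_RE = re.compile(r"^-Dcom\.sun\.management\.jmxremote\.([\w.]+)=(.*)$")


def active_lines(conf):
    """Uncommented, numbered wrapper.java.additional lines as (index, value) pairs."""
    out = []
    for raw in conf.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and not m.group("off") and m.group("n") != "n":
            out.append((int(m.group("n")), m.group("value")))
    return out


def next_index(conf):
    """The next unique, incremental <n>; 22 for the guide's excerpt."""
    indexes = [n for n, _ in active_lines(conf)]
    return max(indexes) + 1 if indexes else 1


def index_problems(conf):
    """Indexes that break the 'unique, incremental' rule for <n>."""
    problems, seen = [], sorted(n for n, _ in active_lines(conf))
    for a, b in zip(seen, seen[1:]):
        if b == a:
            problems.append(f"index {b} is used more than once")
        elif b != a + 1:
            problems.append(f"index jumps from {a} to {b}")
    return problems


def enable_jmx(conf, port, remote=False):
    """Apply step 2: uncomment the jmxremote lines, number them from next_index()
    upward and set the port. local.only=false is uncommented only when remote=True."""
    n = next_index(conf)
    out = []
    for raw in conf.splitlines():
        m = LINE_RE.match(raw.strip())
        if not (m and m.group("off") and JMX_RE.match(m.group("value"))):
            out.append(raw)
            continue
        value = m.group("value")
        if "jmxremote.local.only=" in value and not remote:
            out.append(raw)  # leave remote access disabled
            continue
        if "jmxremote.port=" in value:
            value = f"-Dcom.sun.management.jmxremote.port={port}"
        out.append(f"wrapper.java.additional.{n}={value}")
        n += 1
    return "\n".join(out) + "\n"


def jmx_findings(conf):
    """What the active jmxremote settings expose, given the JVM's defaults."""
    props = {}
    for _, value in active_lines(conf):
        m = JMX_RE.match(value)
        if m:
            props[m.group(1)] = m.group(2).strip().lower()
    if "port" not in props:
        return ["JMX is disabled (no jmxremote.port line is active)"]
    findings = [f"JMX listens on port {props['port']}"]
    if props.get("authenticate", "true") == "false":
        findings.append("no authentication: any client that reaches the port can connect (authenticate=false)")
    if props.get("ssl", "true") == "false":
        findings.append("connections are unencrypted (ssl=false)")
    if props.get("local.only", "true") == "false":
        findings.append("remote access is allowed (local.only=false)")
    else:
        findings.append("reachable from the BEMS host only (local.only defaults to true)")
    return findings


if __name__ == "__main__":
    print("\n".join(jmx_findings(enable_jmx(WRAPPER_CONF, 1616))))
```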

View statistics using the JMX tool

Before you begin:

• Verify that jconsole is available on the computer that hosts the BEMS-Mail (Push Notifications) and BEMS-Docs services. It is distributed with every JDK installation.
• Enable JMX and record the port number.

1. Open the jconsole app on the computer that hosts the service for which you want to view statistics (Push Notifications service or BEMS-Docs service). By default, the app is located in <drive>:\%JAVA_HOME%\bin.
2. In the Remote Process field, enter <hostname>:<port>, where the host name and port are determined as follows:
   • Host name:
     • If you connect locally, enter 127.0.0.1.
     • If you connect remotely, complete the following steps to obtain the host name:
       a. Open a browser window and navigate to the Apache Karaf Web Console at https://<BEMS instance hostname>:8443/system/console/configMgr.
       b. Scroll to and click Apache Karaf JMX Management.
       c. Copy the RMI Registry Host.
   • Port:
     • If you connect locally, use the port number that you recorded from the GoodServerDistribution-wrapper.conf file when you enabled JMX, or the port displayed in Karaf. To obtain the port from Karaf:
       a. Open a browser window and navigate to the Apache Karaf Web Console at https://<BEMS instance hostname>:8443/system/console/configMgr.
       b. Scroll to and click Apache Karaf JMX Management.
       c. Copy the RMI Registry Port.
     • If you connect remotely, use the port number that you recorded from the GoodServerDistribution-wrapper.conf file when you enabled JMX.
3. Click Connect.
4. Click Insecure connection.
5. In the Java Monitoring & Management Console, click the MBeans tab.
6. Do any of the following:

Push Notifications

• To view statistics about the FCM, GCM, and APNS push notifications, click com.good.gcs.notifications > instance > RelayStats > Attributes.
• To view statistics about users on the Microsoft Exchange Web Services instance, click com.good.gcs.pushnotify > instance > EWSStats > Attributes.
• To view statistics about users in the BEMS cluster that have registered a device, click com.good.gcs.pushnotify > instance > UserStats > Attributes.
• To view the overall health of BEMS, click com.good.gcs.core.health > instance > HealthStats > Attributes.
• To view the client API status statistics for the previous minute for requests received by BEMS, click com.good.gcs.clientapi > instance > ClientAPI Status > Attributes.
• To view the average, maximum, minimum, and number of requests to the BEMS database, click com.good.gcs.database > instance > DatabaseStats > Attributes.
• To view statistics for EAS and EWS Autodiscover and administrator functions, click com.good.gcs.pushnotify > instance > AutodiscoverStats.

BEMS-Docs

• To view the overall BEMS-Docs configuration information, click com.good.server.docs.monitoring > instance > DocsConfigInfo.
• To view statistics about success and failure of BEMS-Docs uploads, downloads, requests, and the average process duration, click com.good.server.docs.monitoring > instance > DocsServices.
• To view statistics about the number of requests and downloads by storage providers, click com.good.server.docs.monitoring > instance > DocsStorageProviders.

Appendix A: Understanding the BEMS-Connect configuration file

Configuration settings can be manually updated in the BEMS Connect configuration file (GoodConnectServer.exe.config) located in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect. However, the best practice for updating the file is to use the BEMS admin console.

Note: After updating the configuration parameters, you must restart the BEMS machine for the changes to take effect.

Each entry below lists the parameter name, whether it is required (√), its description, and its default setting.

ACK_TIME_WAIT
  Description: Time (in milliseconds) that the BlackBerry Connect server waits for acknowledgment from the client for a message received before reporting that the message failed to deliver.
  Default setting: 90 000

ACTIVE_DIRECTORY_CACHE_REFRESH_SECS
  Description: The number of seconds the BlackBerry Connect server waits before synchronizing with the Microsoft Active Directory (any value smaller than 7200 is disregarded in favor of 7200 seconds).
  Default setting: 86,400 (24 hours)

ACTIVE_DIRECTORY_SEARCH_RESULT_MAX
  Required: √
  Description: The upper limit on the number of hits from a search of the company directory.
  Default setting: 50

AD_USERS_SOURCE
  Description: Parameter indicates if the Connect service should connect to Microsoft Active Directory Global Catalog servers or use the distinguished name to a local Domain Controller for loading SIP-enabled users. This value can be "GC" or "LDAP". By default, the value is LDAP if the value is empty.

AD_USERS_SOURCE_DOMAIN
  Required: √ (if users source is GC)
  Description: The Active Directory Domain in the Global Catalog to query. This value can be the distinguished name of the domain or the fully qualified domain name; for example, DC=EXAMPLE,DC=COM or EXAMPLE.COM, respectively.

APN_BADGE
  Required: √
  Description: Determines whether or not to use the badge graphic for Apple push notifications.
  Default setting: True

APN_SLEEP_TIME
  Description: The number of milliseconds the BlackBerry Connect server waits in between queued Apple push notifications.
  Default setting: 100

APN_SOUND
  Required: √
  Description: Play a sound when an Apple device receives a push notification.

BASE_URL
  Description: Web address for the Connect service, which takes one of the following values:
    • http://*:8080/
    • https://*:8082/
  Default setting: http://*:8080/

BUILD_VERSION
  Required: √
  Description: The version number of the BlackBerry Connect server build.
  Default setting: Auto-populated

DB_PURGE_HOURS
  Description: Any IMs from invitations are obfuscated. In addition to obfuscation, the integer value representing the maximum age, in hours, of missed messages and invitations before they are automatically deleted (purged) is set with DB_PURGE_HOURS. For example, <add key="DB_PURGE_HOURS" value="72" />. If Connect is started 7/8/2015 @ 12:31pm, then on 7/9/2015 @ 12:31pm a process removes all invitations and all missed messages older than 72 hours. Connect continues to run the process every 24 hours thereafter.
  Default setting: 0

DB_RECONNECT_TRY_NUM
  Required: √
  Description: Number of times the Connect server tries reconnecting to the database after a failure to connect to the database.
  Default setting: 3

DB_RECONNECT_WAITTIME_SEC
  Required: √
  Description: Number of seconds the Connect server waits before trying to reconnect to the database.
  Default setting: 300

DB_SESSION_TIMEOUT_SECS
  Required: √
  Description: Time limit for searching the Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING.
  Default setting: 300

DISABLE_MESSAGEUPDATE
  Required: —
  Description: Disable "message not delivered" errors, which may potentially be due to client and network latencies.
  Default setting: False

DISABLE_SSL_CERT_CHECKING
  Description: Disables certificate validation when the Connect service connects to the Notifications service. For example, <add key="DISABLE_SSL_CERT_CHECKING" value="true" />
  Default setting: False

ENABLE_SOURCE_NETWORK
  Description: Labels address book contacts as "external" if they do not belong to your organization. These are federated contacts. A federated contact is a member of a company whose Microsoft Lync Server or Skype for Business server is federated (connected) with your company's Microsoft Lync Server or Skype for Business server.
  Default setting: False

ENABLE_PERSISTENT_CHAT
  Required: —
  Description: Enables persistent chat features in BEMS, enabling users to create and participate in group discussions. Requires that the feature is enabled in Microsoft Lync Server 2013 or Skype for Business server. For more information about enabling persistent chat, see the BlackBerry Connect Administration content.
  Default setting: False

EWS_HISTORY_INTERVAL_MINUTES
  Description: Defines the interval, in minutes, that the BlackBerry Connect server waits before writing to the conversation history. 0 means that conversation history is written only after the conversation has been terminated.
  Default setting: 5

EWS_HOST
  Description: FQDN of the Microsoft Exchange Server to which the BlackBerry Connect server writes conversation histories.

EWS_VERSION
  Description: EWS_Version parameter number and corresponding Microsoft Exchange Server version:
    • 1 = Microsoft Exchange Server 2010
    • 2 = Microsoft Exchange Server 2010 SP1
    • 3 = Microsoft Exchange Server 2010 SP2
    • 4 = Microsoft Exchange Server 2010 SP3
    • 5 = Microsoft Exchange Server 2013
    • 6 = Microsoft Exchange Server 2016
    • 100 = Microsoft Exchange Online
  Default setting: 2

GD_APN_HTTP_URL
  Required: √
  Description: Web Service web address for BlackBerry Dynamics Apple Push Notifications Service (APNS).

GD_APN_PROXY_AUTH_DOMAIN
  Required: —
  Description: Web Proxy Domain
  Default setting: Deprecated

GD_APN_PROXY_AUTH_PASSWORD
  Required: —
  Description: Web Proxy Password
  Default setting: Deprecated

GD_APN_PROXY_AUTH_USERNAME
  Required: —
  Description: Web Proxy Username
  Default setting: Deprecated

GD_APN_PROXY_HTTP_HOST
  Required: —
  Description: Web Proxy Host

GD_APN_PROXY_HTTP_PORT
  Required: —
  Description: Web Proxy Port

GD_APN_PROXY_TYPE
  Description: Web Proxy Authentication Mechanisms. Acceptable values are: "" (empty string for no proxy), "Basic No Auth", "Basic", "Digest".
  Default setting: ""

GD_APNS_BLACKLIST_RETRY_NO
  Required: √
  Description: Specifies the number of retries after the server receives an APNS response where the token is blacklisted.
  Default setting: 3

GD_URL
  Description: Complete web address of the Good Proxy server, with protocol, fully qualified domain name, and port. For example: https://gp.myCompany.com:17433.

IS_ON_LINE_ENABLED
  Required: —
  Description: This setting specifies that the Connect service is configured to work with Skype for Business Online.
  Default setting: False

IS_ON_PREM_ENABLED
  Description: This setting specifies that the Connect service is configured to work with Skype for Business on-premises.
  Default setting: False

IS_TRUSTED_APP_MODE
  Description: This setting specifies that the Connect service is configured to work with Skype for Business on-premises and uses trusted application mode to obtain user information.
  Default setting: True

LONG_INVITATION_TIME_DELAY
  Description: Time (in milliseconds) that a Connect client waits for a received invitation to confirm or ignore a request to a conversation.
  Default setting: 60 000

LYNC_SERVER
  Required: √
  Description: The FQDN of the Microsoft Lync Front-End server or Front-End server pool.
  Default setting: LYNC FQDN

LYNC_PORT
  Description: The port number of the Microsoft Lync Front-End server or Front-End server pool.
  Default setting: 5061

PCHAT_DEFAULT_CATEGORY_ID
  Description: Specifies the default persistent chat category for users. For more information about enabling persistent chat, see the BlackBerry Connect Administration content.

RESTRICT_CERT_BY_FRIENDLY_NAME
  Required: —
  Description: Allows naming of the certificate so that BlackBerry Connect can load the correct certificate; the certificate friendly name must match the name specified here.

SEND_TIME_WAIT
  Description: Time (in milliseconds) the BlackBerry Connect server waits after sending a message before reporting that the message failed to deliver.
  Default setting: 120 000

SESSION_TIMEOUT_SECS
  Description: The number of seconds a client is allowed to remain idle. Note: The minimum SESSION_TIMEOUT_SECS is 600, even if you put in 60 seconds or 1 second. This was done to mitigate stress-related race conditions.
  Default setting: 86,400 (24 hours)

UCMA_APPLICATION_NAME
  Description: Name of the application as defined through the installation provisioning process.
  Default setting: Generated during application provisioning

UCMA_APPLICATION_PORT
  Required: √
  Description: The fixed port used by the BlackBerry Connect server to receive messages from the enterprise IM server.
  Default setting: 49555

UCMA_GRUU
  Description: GRUU = Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application.
  Default setting: Generated during application provisioning
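An added example (not BlackBerry's tooling) that reads the appSettings of GoodConnectServer.exe.config and reports the effective values of parameters from the table above, including the 600-second and 7200-second floors the table documents. It assumes the file is a standard .NET <configuration><appSettings> document with <add key="..." value="..." /> entries, as the table's own examples show; CONFIG_XML is a constructed excerpt, not a real deployment's file.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a GoodConnectServer.exe.config (not a real deployment's file).
CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="BASE_URL" value="http://*:8080/" />
    <add key="DISABLE_SSL_CERT_CHECKING" value="true" />
    <add key="DB_PURGE_HOURS" value="72" />
    <add key="SESSION_TIMEOUT_SECS" value="60" />
    <add key="ACTIVE_DIRECTORY_CACHE_REFRESH_SECS" value="3600" />
    <add key="LYNC_SERVER" value="lync-fe.example.com" />
  </appSettings>
</configuration>
"""

# Defaults from the Appendix A table for the parameters this audit reads.
DEFAULTS = {
    "BASE_URL": "http://*:8080/",
    "DISABLE_SSL_CERT_CHECKING": "False",
    "DB_PURGE_HOURS": "0",
    "SESSION_TIMEOUT_SECS": "86400",
    "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS": "86400",
    "LYNC_PORT": "5061",
}
# Floors the table documents: smaller values are disregarded in favour of these.
MINIMUMS = {"SESSION_TIMEOUT_SECS": 600, "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS": 7200}


def load_app_settings(xml_text):
    """{key: value} from <appSettings><add key=.. value=../>; entries without a key are skipped."""
    app = ET.fromstring(xml_text).find("appSettings")
    if app is None:
        return {}
    return {a.get("key"): a.get("value", "") for a in app.findall("add") if a.get("key")}


def effective_value(settings, key):
    """The value the Connect server applies: the file's value, else the table default,
    with the documented minimum enforced for the two clamped parameters."""
    raw = settings.get(key, DEFAULTS.get(key))
    if key in MINIMUMS and raw is not None:
        return str(max(int(raw), MINIMUMS[key]))
    return raw


def audit(settings):
    """Findings a reviewer of the file would want to see, based only on the table's rules."""
    findings = []
    if settings.get("DISABLE_SSL_CERT_CHECKING", "false").strip().lower() == "true":
        findings.append("DISABLE_SSL_CERT_CHECKING=true: certificate validation toward the "
                        "Notifications service is off")
    base = effective_value(settings, "BASE_URL")
    if base.lower().startswith("http://"):
        findings.append(f"BASE_URL={base}: the Connect service listens without TLS "
                        "(the table's alternative is https://*:8082/)")
    for key, floor in MINIMUMS.items():
        if key in settings and int(settings[key]) < floor:
            findings.append(f"{key}={settings[key]} is below the minimum of {floor}; "
                            f"the server applies {effective_value(settings, key)}")
    return findings


if __name__ == "__main__":
    for line in audit(load_app_settings(CONFIG_XML)) or ["no findings"]:
        print(line)
```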

Appendix B: Understanding the Skype for Business Online Common Settings configuration file

Skype for Business Online Common Settings configuration settings can be manually updated in the BEMS Skype for Business Online Common Settings configuration file (com.good.gcs.common.ucwa.config.impl.UcwaCommonSettingsImpl.cfg) located in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc. However, the best practice for updating the file is to use the BEMS admin console.

Note: After you update the configuration parameters, you must restart the computer that hosts BEMS for the changes to take effect.

sfb.isonprem: This setting indicates that the environment is configured for Skype for Business on-premises. By default, this setting is false.

sfb.defaultserverlocation: This setting specifies the FQDN of the Skype for Business server.

sfb.online.bemsappid: This setting specifies the Connect Service App ID that was created for the Connect Service. For more information, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.

sfb.online.tenantname: This is the Skype for Business Online tenant name.

sfb.isonline: This setting indicates that the environment is configured for Skype for Business Online. By default, this setting is false.

sfb.autodiscovery: This setting indicates that the environment is configured for Skype for Business on-premises and uses autodiscovery to locate the BEMS servers hosting the Connect service. By default, this setting is false.

sfb.online.bemsappkey: This setting specifies the Connect Service App Key that was created. For more information, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.

sfb.online.clientappid: This setting specifies the Connect Client App ID that was created. For more information, see Obtain an Azure app ID for the Connect client.

sfb.istrustedappmode: This setting indicates that the environment is configured for Skype for Business on-premises and is configured for trusted application mode. By default, this setting is True.

ucwa.appresource.uservalidation.skip=true: This setting allows the provisioned user email address to be different from the email address used to log in to Skype for Business Online.

Appendix C: Java Memory Settings

The Java settings for BEMS are located in the GoodServerDistribution-wrapper.conf file. By default, this file is located in the following location:

• In a new BEMS installation: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\GoodServerDistribution-wrapper.conf
• In an environment upgraded from GEMS to BEMS: C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\GoodServerDistribution-wrapper.conf

You can review or modify the default Java settings used by BEMS. However, in general, you won't need to make changes to the following initial memory allocation settings:

  # Initial Java Heap Size (in MB)
  wrapper.java.initmemory=2048
  # Maximum Java Heap Size (in MB)
  wrapper.java.maxmemory=4096

Appendix D: Setting up IIS on the BEMS

SSL offloading takes all the processing of SSL encryption and decryption off the main Web server and moves it to the computer that hosts BEMS.

1. Download and install the IIS Application Request Routing extension.
2. When installation completes, click Start > IIS Manager.
3. Under Connections, select Server > Server Certificates, then double-click Import to import a trusted third-party certificate (the .PFX file received from your CA).
4. After the certificate is added, click Server under Connections, double-click Application Request Routing, and click Server Proxy Settings under Actions.
5. Check Enable proxy, then click Apply.
6. Next, click Server under Connections, double-click URL Rewrite, then click Add Rule(s) under Actions.
7. Select Blank Rule and click OK.
8. On the Edit Inbound Rule screen, in the Name field, type a name for the rule.
9. In the Match URL section, in the Requested URL drop-down list, select Matches the Pattern.
10. In the Using drop-down list, select Regular Expressions.
11. In the Patterns drop-down list, select pushnotify/pushchannels.
12. Under Conditions, click Add.
13. In the Add Condition dialog box, complete the following actions:
   • In the Condition input field, type {REQUEST_METHOD}.
   • In the Check if input strings drop-down list, select Matches the Pattern.
   • In the Patterns field, type POST.
14. Click OK.
15. Under Action, in the Action type drop-down list, click Rewrite.
16. In the Rewrite URL field, type http://localhost:8181/{R:0}.
17. Click Apply.
18. Verify that you can access BEMS under its secure HTTPS port. In a browser, type https://localhost:8443/dashboard.
19. After the certificate is added, under Connections, click Server.
20. Double-click Application Request Routing.
21. Under Actions, click Server Proxy Settings.
22. Select the Enable proxy checkbox.
23. Click Apply.
24. Under Connections, click Server.
25. Double-click URL Rewrite.
26. Under Actions, click Add Rule(s).
27. Click Blank Rule. Click OK.
28. On the Edit Inbound Rule screen, enter a Name for the rule. For example, "bems".
29. In the Match URL section, in the Requested URL drop-down list, select Matches the Pattern.
30. In the Using drop-down list, select Regular Expressions.
31. In the Patterns drop-down list, select pushnotify/pushchannels.
32. Expand Conditions. Click Add.
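As an added example that is not part of this guide, the following PowerShell performs steps 4 to 18 above with the WebAdministration module that ships with IIS, so the offloading rule can be applied and audited from a script rather than clicked through. It assumes the ARR and URL Rewrite extensions are already installed (step 1), uses "bems" as the rule name from step 28, and targets the server-level configuration, which is where rules created on the Server node in IIS Manager are stored.

```powershell
# Added example (not from the BlackBerry guide): scripted equivalent of steps 4-18 of Appendix D.
# Assumes ARR and URL Rewrite are installed; 'bems' is the rule name chosen in step 28.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'            # server-level config (applicationHost.config)
$ruleName = 'bems'
$rules    = 'system.webServer/rewrite/globalRules' # server-level inbound rules
$rule     = "$rules/rule[@name='$ruleName']"

# Steps 4-5: enable the ARR reverse proxy on the server.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true

# Steps 6-8: create a blank inbound rule. A stale copy is removed first so the script is re-runnable.
if (Get-WebConfiguration -PSPath $appHost -Filter $rule) {
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' -AtElement @{ name = $ruleName }
}
Add-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' -Value @{
    name = $ruleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'   # ECMAScript = Regular Expressions
}

# Steps 9-11: match the request path against the regular expression from the guide.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match" -Name 'url' -Value 'pushnotify/pushchannels'

# Steps 12-14: only POST requests to that path are proxied; everything else stays with IIS's normal handling.
Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' -Value @{
    input = '{REQUEST_METHOD}'; pattern = 'POST'
}

# Steps 15-17: rewrite to the plain-HTTP BEMS listener on this host; {R:0} is the whole matched path.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'url'  -Value 'http://localhost:8181/{R:0}'

# Step 18: confirm the HTTPS endpoint answers. This host must trust the certificate imported in step 3.
(Invoke-WebRequest -Uri 'https://localhost:8443/dashboard' -UseBasicParsing).StatusCode

# Audit: print the resulting rule so the pattern, condition and target can be reviewed.
Get-WebConfiguration -PSPath $appHost -Filter $rule | Format-List name, patternSyntax, stopProcessing
```

Run the script in an elevated PowerShell session on the BEMS host; the same filters can be used afterwards to verify that no broader rule or unconditioned proxy setting has been added.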


Appendix E: BEMS Windows Event Log Messages

To view the BEMS Windows Event Log messages, open the Windows Event Viewer on the computer that hosts the BEMS instance. Expand the Windows Logs and click Application. Search for Event ID 4096.

| Message | Component | Level | Context |
|---|---|---|---|
| Node exceeded capacity(100%). <number of users including users over exceeded capacity>/<number of users for maximum capacity> | autodiscover/ewslistener | Error | This error occurs when the BEMS instance reaches maximum user capacity. BEMS features might not work as expected for any new users added to the BEMS instance. For example, notifications. |
| Node close to exceed capacity (80%). <number of users>/<number of users for maximum capacity> | autodiscover/ewslistener | Warn | This warning occurs when the BEMS instance reaches 80% of user capacity or if one BEMS instance is working at overcapacity and one BEMS instance is working under capacity. BEMS automatically reassigns users between the two BEMS instances. |
| Error communicating with BlackBerry Proxy Server - HTTP code {}, Message {} | server-core/gd-core | Error | Could not connect to BlackBerry Proxy server while verifying authorization token (during Push Registration from G3 Mail context). |
| Failed to retrieve the list of BlackBerry Proxy servers - code {} - Reason {} | server-core/gd-core | Error | Used for high availability and load balancing of requests to BlackBerry Proxy server. The list of known BlackBerry Proxy servers is maintained in memory and requests are load-balanced through this list. |
| Failed to retrieve the list of BlackBerry Proxy servers | server-core/gd-core | Error | Used for high availability and load balancing of requests to BlackBerry Proxy server. The list of known BlackBerry Proxy servers is maintained in memory and requests are load-balanced through this list. |
| Incorrect BlackBerry Proxy Server configuration | server-core/gd-spring | Error | Communicates with BlackBerry Proxy server to verify the Authorization token using HTTP(S). If the URL is syntactically wrong or there is a configuration error, the error is logged in the event log. |
| Autodiscover failed for {} users with exception {} | server-notifications/autodiscover | Warn | Failed to retrieve the user's settings through autodiscover. Needs administrator attention to fix the issue. The user will not receive notifications until the issue is resolved. This is a batch request and the log only prints the number of users that failed autodiscover. |
| Invalid syntax for property {}, must be a valid URL | server-notifications/autodiscover | Error | Server is configured with an invalid URL used for bypassing the steps to find the autodiscover endpoint. BEMS ignores this URL and follows the regular steps to perform autodiscover. |
| User {} being quarantined after {} attempts to perform autodiscover | server-notifications/autodiscover | Warn | BEMS cannot autodiscover the user's settings for the configured number of attempts. The user mentioned is marked as 'QUARANTINED' and does not receive notifications. The status can be reset through the karaf command (user:reset). |
| No response from server while performing autodiscover for user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned. |
| Autodiscover failed for user {}, error code: {}, Detail: {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned. |
| Failed to retrieve user settings while performing autodiscover for user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned. |
| No valid EWS URL setting configured for the user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned. |
| Error communicating with Database server - {error msg} | server-notifications/autodiscover | Error | BEMS failed to connect to the SQL database. Needs immediate attention. |
| Database Error - {error msg} | server-notifications/autodiscover | Error | BEMS failed to connect to the SQL database. Needs immediate attention. |
| Lost connection with exchange server. Last known error {} | server-notifications/ewslistener | Error | EWSListener: Lost connection with exchange server. This might be due to the Exchange server\Autodiscover service being down. |
| Error subscribing user {} with exchange server {} | server-notifications/ewslistener | Error | Subscribe to the user email address with exchange server to track modifications of the user mailbox. |
| User {} marked for reautodiscover | server-notifications/ewslistener | Info | Does a database call to mark the user for reautodiscovery. This task is done every n interval of time. |
| Error communicating with Database server - {error details} | server-notifications/pushnotifydbmanager | Error | Bootstrap database connection. |
| {} is no longer the master (producer) since database server time {} | server-notifications/pushnotifyha-dbwatcher | Error | High availability System: Check whether the node itself is Producer or not. Prints the error in the event log when the server has lost ownership of the high availability system (not master any more). |
| {} is the master (producer) since database server time {} | server-notifications/pushnotifyha-dbwatcher | Info | High availability System: Check whether the node itself is Producer or not. If it was not master before, the fail-over is happening. |
| Detected Server {} is inactive. Users will be load balanced to other active servers | server-notifications/pushnotifyha-dbwatcher | Error | High availability System: If a server is detected as inactive\heartbeat fails, the users of the bad server are reassigned to other active servers. |
| Error communicating with Database server - {error details} | server-notifications/pushnotifyprefs | Error | Database error due to server down\login error, etc. |
| { Good Dynamic Proxy Server connection error details } | server-console/config | Error | Connect BlackBerry Dynamics Module – Test from dashboard with GP down, connection failure error. |
| Connection to Good Dynamic Proxy Server is successful | server-console/config | Info | Connect BlackBerry Dynamics – Test from dashboard when GP is up and running, successful test. |
| Connection Successful, Server: -{}: Database : {} | server-console/config | Info | Mail – DB – Test database configurations from dashboard. Connection successful. |
| Exception during connection test - {} | server-console/config | Error | Mail – DB – Test database configurations from dashboard. Connection issues due to bad password, user, or host info. |
| Invalid configuration properties- {} | server-console/config | Error | Mail – DB – Test database configurations from dashboard. Validation of database configuration values. |
| { Good Dynamic Proxy Server connection error details } | server-console/config | Error | Presence BlackBerry Dynamics – Test from dashboard with BlackBerry Proxy down, connection failure error. |
| Connection to Good Dynamic Proxy Server is successful | server-console/config | Info | Presence BlackBerry Dynamics – Test from dashboard when BlackBerry Proxy is up and running, successful test. |
| Lync Presence Provider Ping failed with error status {} and reason - {} | server-presence/presencebundle | Error | Connection to Presence server. If a response is received, the reason for failure is logged. |
| Lync Presence Provider Ping failed with exception {}: {} - set status {} | server-presence/presencebundle | Error | Connection to Presence server. Most likely the connection was refused because the server is down. |
| Lync Presence Provider Ping failed, cause unknown | server-presence/presencebundle | Error | Connection to Presence server. |
| Presence Service failed to reset LPP, interrupted with error: {} | server-presence/presencebundle | Error | Reset all contacts' presence status. |
| Presence Service failed to reset LPP, timed out with error: {} | server-presence/presencebundle | Error | Reset all contacts' presence status. Timeout error. |
| Failed to reset LPP, {} with error: {} | server-presence/presencebundle | Error | Reset all contacts' presence status. |
| Presence Service started | server-presence/presencebundle | Info | Presence service started. |
| Presence Service stopped | server-presence/presencebundle | Info | Presence service stopped. |
| Bad Lync Presence Provider Subscription URI: {} | server-presence/presencebundle | Error | Presence service provider subscription URI. |
| Bad Lync Presence Provider Ping URI: {} | server-presence/presencebundle | Error | Presence service provider subscription URI. |
| Redis Cache & Queue services are not available at the moment. | server-presence/presencebundle | Error | When the cache provider is set to Redis and the Redis service is unavailable. |
| GNP Relay Service not available | server-presence/presencebundle | Warn | The GNP service which sends GNP notifications is not available or down. |
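As an added example that is not part of this guide, the following PowerShell reads Event ID 4096 entries from the Application log, as the appendix describes, and flags the messages from the table that indicate capacity, quarantine, high-availability or connectivity problems. The category names, the time window and the constructed sample messages are mine; the match strings are taken from the Message column with the `{}` placeholders treated as wildcards.

```powershell
# Added example (not from the BlackBerry guide): triage BEMS Windows Event Log entries (Event ID 4096)
# against the user-impacting messages listed in Appendix E. Categories and samples are constructed.

$BemsPatterns = @(
    @{ Category = 'Capacity exceeded';          Regex = 'Node exceeded capacity';                        Level = 'Error' },
    @{ Category = 'Capacity warning';           Regex = 'Node close to exceed capacity';                 Level = 'Warn'  },
    @{ Category = 'User quarantined';           Regex = 'being quarantined after .* attempts';           Level = 'Warn'  },
    @{ Category = 'Exchange connection lost';   Regex = 'Lost connection with exchange server';          Level = 'Error' },
    @{ Category = 'Database unreachable';       Regex = '^(Error communicating with Database server|Database Error)'; Level = 'Error' },
    @{ Category = 'BlackBerry Proxy unreachable'; Regex = 'Error communicating with BlackBerry Proxy Server'; Level = 'Error' },
    @{ Category = 'HA ownership lost';          Regex = 'is no longer the master \(producer\)';          Level = 'Error' },
    @{ Category = 'HA node inactive';           Regex = 'Detected Server .* is inactive';                Level = 'Error' }
)

function Get-BemsMessageCategory {
    # Returns the first matching Appendix E category for one event message, or $null if it is
    # informational / not in the watch list (e.g. "Presence Service started").
    param([Parameter(Mandatory)][string]$Message)
    foreach ($p in $BemsPatterns) {
        if ($Message -match $p.Regex) {
            return [pscustomobject]@{ Category = $p.Category; Level = $p.Level; Message = $Message }
        }
    }
    return $null
}

function Get-BemsAlert {
    # Reads BEMS events from the Application log (Event ID 4096) for the last $Hours hours
    # and returns only the entries that match a watched category.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; Id = 4096; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $hit = Get-BemsMessageCategory -Message $_.Message
        if ($hit) { $hit | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru }
    }
}

# Constructed sample messages shaped like the Appendix E entries, so the classifier can be
# exercised on a workstation without a BEMS event log.
$SampleMessages = @(
    'Node exceeded capacity(100%). 2150/2000',
    'User jdoe@example.com being quarantined after 5 attempts to perform autodiscover',
    'Detected Server bems02.example.com is inactive. Users will be load balanced to other active servers',
    'Presence Service started'
)
$SampleMessages | ForEach-Object { Get-BemsMessageCategory -Message $_ } | Format-Table Category, Level, Message -AutoSize
```

On the BEMS host, `Get-BemsAlert -Hours 1 | Sort-Object TimeCreated` gives the live view; a quarantine hit is the cue to run the user:reset karaf command the table mentions after the autodiscover cause has been fixed.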


Appendix F: File types supported by the BlackBerry Docs service

The following file types and extensions are currently supported by the BlackBerry Docs service and as mail attachments:

• .goodsharefile
• .doc, Docx
• wordprocessingml.document
• powerpoint.ppt, PPTx
• excel.xls, XLSX
• spreadsheetml.sheet
• adobe.pdf
• apple.rtfd
• apple.webarchive
• .image
• .jpeg
• .tiff
• .apple.pict
• .compuserve.gif
• .png
• .quicktime-image
• .bmp
• .camera-raw-image
• .svg-image
• .text
• .plain-text
• .utf8-plain-text
• .utf16-plain-text
• .rtf
• .html
• .xml
• .xhtml
• .htm
• .data
• .content
• .zip

The following media file types are supported on iOS devices only:

• .3gp
• .mp3
• .mp4
• .m4a
• .m4v
• .wav
• .caf
• .aac
• .adts
• .aif
• .aiff
• .aifc
• .au
• .snd
• .sd2
• .mov


Glossary

BEMS BlackBerry Enterprise Mobility Server

CAS Client Access Server

CSR certificate signing request

DFS distributed file system

FCM Firebase Cloud Messaging

FQDN fully qualified domain name

GCM Google Cloud Messaging

GPO Group Policy Object

IIS Internet Information Services

MTLS Mutual Transport Layer Security

NTLM NT LAN Manager

SPN Service Principal Name

SSL Secure Sockets Layer


Legal notice

©2019 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design, ATHOC, CYLANCE and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
Ground Floor, The Pearce Building, West Street,
Maidenhead, Berkshire SL6 1RL
United Kingdom

Published in Canada
