environment bems in a blackberry uem · 2020. 8. 14. · configuring https for bems to blackberry...

BEMS in a BlackBerry UEM environment Configuration Guide 3.1


Post on 05-Sep-2020


2020-12-08Z


Contents

About this guide
Steps to configure BEMS
Configuring BEMS-Core
    Importing CA Certificates for BEMS
        Configuring HTTPS for BEMS to BlackBerry Proxy
        Download certificates from the Cisco Unified Communications Manager and Cisco IM and Presence servers into the BEMS Java keystore
        Create a trusted connection with Microsoft Exchange and other servers that BEMS must communicate with
        Import the CA certificate into the Java certificate store
        Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore
        Keystore commands
    Replacing the autogenerated SSL certificate
        Steps to replace the autogenerated SSL certificate with a SAN or wildcard certificate for use by all nodes in a cluster
        Steps to replace the autogenerated SSL certificate with a self-signed certificate for one BEMS node
        Assign the BEMS SSL certificate to users
        Jetty.xml file reference
    Add dashboard administrators
        Replace or delete the user credential certificates for certificate-based authentication
    Configure the BlackBerry Dynamics server in BEMS
    Configure a web proxy server
    Enable log file compression
    Uploading BEMS log and statistical information
        Specify log upload credentials
        Upload log files
        Enable BEMS to upload BEMS statistics
    Firebase Push Notifications
    Enabling FIPS Mode in BEMS
        Enable FIPS-compliance mode
        Verify that FIPS-compliance is enabled
Configuring BEMS services
    Changing users' SMTP addresses
    Configuring the Push Notifications service
        Configuring Push Notifications
        Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes
        Set the detailed Notifications Cutoff Time
        Configuring the Push Notifications service for high availability
        Configuring the Push Notifications service for disaster recovery


        Push Notifications service logging and diagnostics
    Configuring the Connect service
        Configuring the Connect service in the BEMS dashboard
        Configuring BlackBerry UEM for BlackBerry Connect
        Enabling persistent chat
        Configuring the Connect service for high availability
        Configuring the Connect service for disaster recovery
        Specify the BlackBerry Proxy the BlackBerry Connect service contacts in a cluster
        Using friendly names for certificates in BlackBerry Connect
        Configure the Connect service to receive SSL communications for a new installation
        Configuring Windows Services
        Global catalog for Connect and Presence
        Troubleshooting BlackBerry Connect Issues
    Configuring the BlackBerry Presence service
        Configuring the BlackBerry Presence service in the BEMS Dashboard
        Manually configure the Presence service for multiple application endpoints
        Configuring BlackBerry UEM for BlackBerry Presence
        Configuring the Presence service for high availability
        Configuring Presence service for disaster recovery
        Using friendly names for certificates in Presence
        Troubleshooting BlackBerry Presence Issues
    Configuring the BlackBerry Docs service
        Configure a web proxy server for the Docs service
        Configure the database for the BlackBerry Docs service
        Repositories
        Storage services
        Authentication providers
        Configure the Docs security settings
        Configure your Audit properties
        Add an app server hosting the BlackBerry Docs app to a BlackBerry Dynamics connectivity profile
        Configuring BlackBerry UEM for the BlackBerry Docs service
        Configuring Docs for Rights Management Services
        Configuring the Docs instance for high availability
        Configuring the Docs service for disaster recovery
        Managing Repositories
        Enable modern authentication for Microsoft SharePoint Online
        Windows Folder Redirection (Native)
        Local Folder Synchronization – Offline Folders (Native)
        Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business
        Microsoft SharePoint Online authentication setup
        Configuring Microsoft Office Web Apps server for Docs service support
        Configuring resource based Kerberos constrained delegation for the Docs service
        Configuring Kerberos constrained delegation for Docs
Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service
Updating the Connect and Presence services using Lync Director
    Specify the Connect and Presence services to use a Lync Director


Configuring BlackBerry Dynamics Launcher
    Configuring Good Enterprise Services in BlackBerry UEM
        Verify that Good Enterprise Services are available in BlackBerry UEM
        Add the BEMS instance to the Good Enterprise Services and BlackBerry Work entitlement app
    Setting a customized icon for the BlackBerry Dynamics Launcher
        Specify a customized icon for the BlackBerry Dynamics Launcher
        Remove a customized icon for the BlackBerry Dynamics Launcher
Monitoring
    Monitoring probes
    Monitoring the status of BEMS and users using the BEMS Lookout tool
        Install the BEMS Lookout tool
        Run the BEMS Lookout tool
    Java Management Extensions (JMX)-compliant monitoring tools
        Monitoring the status of Push Notifications using JMX-compliant monitoring tools
        Monitoring the status of the BEMS-Docs service using JMX-compliant monitoring tools
        Monitoring attributes
        Enable JMX
        View statistics using the JMX tool
    Monitoring the health status of a node
        Configure the node for BEMS to authenticate with the authentication source
        Enable the health service servlet
        Run the health checks on a node
Additional information
Appendix A: Understanding the BEMS-Connect configuration file
Appendix B: Understanding the Skype for Business Online Common Settings configuration file
Appendix C: Java Memory Settings
Appendix D: BEMS Windows Event Log Messages
Appendix E: File types supported by the BlackBerry Docs service
Appendix F: Server-side services
Legal notice


About this guide

This guide describes how to configure and administer BEMS in your BlackBerry UEM environment.

This guide is intended for senior and junior IT professionals who are responsible for configuring and administering BEMS.

Note: For ease of following the instructions in this guide, the content refers to the suggested database names that are used in the installation guide.

After you complete the tasks in this guide, see the following content to install and configure BlackBerry Dynamics apps:

• BlackBerry Work, Notes and Tasks administration content
• BlackBerry Connect administration content
• BlackBerry Access administration content


Steps to configure BEMS

When you configure BEMS, you perform the following actions:

Step Action

Configure the BEMS-Core settings.

Configure one or more of the BEMS Services.

• Push Notifications (Mail)
• Connect
• Presence
• Docs

Optional, enable the Connect service and the Presence service to use a global catalog. 

Optional, set a customized icon for the BlackBerry Dynamics Launcher.

Optional, configure the BEMS Lookout tool to monitor the status of BEMS and users.


Configuring BEMS-Core

When you configure BEMS-Core, you perform the following actions. If you installed the BEMS services on multiple computers, you must complete these tasks on each computer.

1. Install CA certificates
2. Install the BEMS SSL certificate
3. Add dashboard administrators
4. Configure the BlackBerry Proxy server in BEMS
5. Configure Web Proxy
6. Optionally, enable log file compression
7. Configure Firebase Push Notifications
8. Optionally, enable FIPS Mode.

Importing CA Certificates for BEMS

By default, BEMS is only aware of public CA certificates. If BEMS must communicate with a server that does not have a certificate issued by a public Certificate Authority (CA), then you must import the non-public CA root certificate from the server's certificate chain into the BEMS host Java keystore or BEMS database using the Dashboard. In this section, "non-public CA certificate" refers to a certificate that is not trusted by BEMS. BEMS may connect to the following servers in your environment:

• Microsoft Exchange Server
• Active Directory Federation Service (ADFS)
• BlackBerry Proxy
• Microsoft SharePoint
• Microsoft Office Web Apps
• Microsoft SQL Server
• Microsoft Active Directory using LDAP/LDAPS

You can import the server’s SSL certificates (or the root or intermediate certificate chain) to BEMS using the following methods:

• The BEMS Dashboard
• The Java keytool

Configuring HTTPS for BEMS to BlackBerry Proxy

By default, the CA root certificate of the BlackBerry Proxy server is not located in the Java keystore on the computer that hosts BEMS or in the BEMS database. The BlackBerry Proxy server uses a certificate that is signed by BlackBerry UEM. This means that BEMS cannot verify the BlackBerry Proxy server’s SSL certificate and, therefore, any HTTPS connection made from BEMS to the BlackBerry Proxy server fails.

Export the BlackBerry Proxy CA certificate chain to your desktop

If your environment enforces the use of SSL certificate validation when BEMS communicates with BlackBerry Dynamics, you must export the root and intermediate BlackBerry UEM certificate chains used by the BlackBerry Proxy and import them into the BEMS Java keystore or upload them into the BEMS database using the BEMS Dashboard.


Note: The following task is not browser-specific. For specific instructions, see the documentation for the browser that you are using (Mozilla Firefox, Windows Internet Explorer, Microsoft Edge, or Google Chrome). If you encounter issues when exporting the certificate, visit support.blackberry.com/community to read article 64803.

1. In a browser, enter the FQDN of the BlackBerry Proxy server and port 17433 (for example, https://<BlackBerry_Proxy_server_FQDN>:17433). You may see a certificate error message because the certificate might be signed by the BlackBerry UEM or Control CA or another internal CA, but the browser does not recognize it as a well-known CA.
2. To open the Certificate dialog, click the certificate icon in the URL field.
3. Click Certificate (Invalid).
4. Click Certification Path.
5. Click the root certificate. The root certificate is the first item in the Certificate hierarchy.
6. Click View Certificate.
7. Click the Details tab.
8. Click Copy to File.
9. Click Next.
10. Select Base-64 encoded X.509 (.CER).
11. Click Next.
12. Enter a name for the certificate and export it to your desktop.
13. Click Save.
14. Click Finish.
15. Click OK.

After you finish: Create a trusted connection with Microsoft Exchange and other servers that BEMS must communicate with

Download certificates from the Cisco Unified Communications Manager and Cisco IM and Presence servers into the BEMS Java keystore

You must import the following certificates from the Cisco Unified Communications Manager (CUCM) and Cisco IM and Presence (CIMP) servers. For multi-server certificates, only one certificate per cluster must be imported. If the certificate is not a multi-server certificate, a copy must be downloaded from each CUCM and CIMP server in a cluster and imported separately.

• Tomcat.der
    • If your environment uses a multi-server certificate, a single copy of the certificate downloaded from the CUCM Publisher and CIMP Publisher servers is required.
    • If your environment does not use a multi-server certificate, a copy of the certificate downloaded from each CUCM and CIMP node is required.
• Cup.der
    • A copy of the certificate downloaded from each CIMP node is required.
• Cup-xmpp.pem and Cup-xmpp-ECDSA.pem (in a Cisco 11.x or later environment)
    • If using a multi-server certificate, a single copy of the certificate downloaded from the CIMP Publisher is required.
    • If not using a multi-server certificate, a copy of the certificate downloaded from each CIMP node is required.

1. Log on to the appropriate CUCM server.
2. In the top-right Navigation drop-down list, click Cisco Unified OS Administration.
3. Click Security > Certificate Management.
4. Download the certificate named tomcat as a .der file.
5. Log on to the appropriate CIMP server.
6. In the top-right Navigation drop-down list, click Cisco Unified IM and Presence OS Administration.
7. Click Security > Certificate Management.
8. Download the cup-xmpp certificate and cup-xmpp-ECDSA certificate as a .pem file.
9. Download the cup certificate as a .der file.

After you finish: Import these certificates into the BEMS Java keystore. For instructions, see Import the CA certificate into the Java certificate store.

Create a trusted connection with Microsoft Exchange and other servers that BEMS must communicate with

By default, BEMS is only aware of public CA certificates. If you enable email notifications for BlackBerry Work and your organization’s Microsoft Exchange Server doesn’t use an SSL certificate issued by a trusted CA, the connection between your BEMS instance and Microsoft Exchange Server isn’t trusted. To create a trusted connection to the Microsoft Exchange Server, upload the server’s SSL certificates (or the root or intermediate certificate chain) to the BEMS database. You can upload a base64-encoded or binary-encoded file that includes one or more SSL certificates. When you upload a single file that includes multiple SSL certificates, the certificates are displayed in the dashboard and can be deleted and replaced individually as required. BEMS supports the following file extensions: .der, .cer, .pem, and .crt. For information about creating a .pem file that includes multiple certificates, visit http://support.blackberry.com/community to read article 57259. You import the certificates using one of the following methods:

• Upload the SSL certificate from Microsoft Exchange to the BEMS Dashboard
• Import the CA certificates into the Java certificate store

Upload the Microsoft Exchange Server SSL certificate to the BEMS database

Before you begin:

• Make sure that the BEMS-Mail (Push Notifications) service is installed and configured in your environment.
• Export the SSL certificate from the Microsoft Exchange Server in a base64-encoded or binary-encoded format and store it in a network location that you can access from the management console. For more information about digital certificates and encryption in Microsoft Exchange Server, visit https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificates?view=exchserver-2016

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click Upload Trust Certificate.
3. Click Choose File and navigate to the location of the certificate file that you want to upload.
4. Click Add.
5. If you upload individual SSL certificates, repeat steps 3 and 4 for each additional file.

Replace or delete the trusted connection SSL certificates

When you replace the SSL certificate (for example, when the certificate expires), you replace the existing SSL certificates in the BEMS database. You can choose to upload individual SSL certificates or include multiple SSL certificates in a single file. If you uploaded a single file that includes multiple SSL certificates, the certificates are listed in the management console and can be removed individually. The following file types are supported: .der, .cer, .pem, and .crt.

Before you begin: Export the new SSL certificates from the Microsoft Exchange Server in a base64-encoded or binary-encoded format and store them in a network location that you can access from the management console. For more information about digital certificates and encryption in Microsoft Exchange Server, visit https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificates?view=exchserver-2016

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click Upload Trust Certificate.
3. In the Certificate Information section, select the Delete checkbox beside each certificate that you want to delete. Click Delete.
4. Add the new certificate files as required. For instructions, see Create a trusted connection with Microsoft Exchange and other servers that BEMS must communicate with.

Import the CA certificate into the Java certificate store

You can use the following steps to import certificate authority certificates into the Java cacerts keystore as an alternative to uploading certificate authority certificates into the BEMS database using the Dashboard. Some BEMS features may not support verifying certificate trusts using certificates stored in the database (for example, the Presence service for on-premises Skype for Business using non-trusted application mode).

Before you begin: Save a copy of the exported certificate to a convenient location on the computer that hosts BEMS (for example, C:\bemscert). For instructions, see Export the BlackBerry Proxy CA certificate chain to your desktop.

1. If necessary, verify that the Java bin directory is correctly specified in your environment PATH.
    a) In a command prompt, type set | findstr "JAVA_HOME".
    b) Press Enter.
    c) In the command prompt, type set | findstr "Path".
    d) Press Enter.
    Verify that the JAVA_HOME System variable is set to the correct Java directory and that the PATH System variable includes the path to the same Java directory. For instructions about setting the JAVA_HOME and PATH system variables, see Configure the Java Runtime Environment.
2. Obtain a copy of the non-public CA certificate and any necessary intermediate certificates from the server that BEMS must communicate with. For more information, contact the administrator of the servers that BEMS needs to have trusted SSL connections to.
3. On the BEMS host, make a backup of the Java keystore file. The Java keystore file is located at %JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is confirmed in Step 1.
4. Copy the non-public CA certificate to a convenient location on the computer that hosts BEMS (for example, C:\bemscert).
5. Open a command prompt and change directory to the JAVA_HOME folder (for example, type cd %JAVA_HOME%).
6. Import the root certificate. Consider the following guidelines:
    • The -alias value must be unique in the destination keystore. If it is duplicated, you might experience import errors. You can output the cacerts keystore to a text file to manually confirm the existing certificates using a text editor. Type:
      keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt
    • The -file value is the path and the file name of the non-public certificate. If this is the path to the file, add quotation marks (" ") around the full path, filename, and extension.
    • The following is an example of importing the certificate using keystore commands:
      keytool.exe -importcert -trustcacerts -file "c:\bemscert\cacert1.cer" -keystore lib\security\cacerts -alias myalias1 -storepass changeit
    • There are no spaces between the dash (-) and the parameter name.
    • You must specify the -keystore parameter correctly. If it is incorrect or it is omitted, the keytool creates a new keystore. BEMS services do not use the new keystore.
    For more information about keystore commands, see Keystore commands.
7. Repeat step 6 for any additional certificates that you want to import into the Java keystore.
8. If you have Connect installed and configured, and did not import the BlackBerry Proxy root certificate into the Windows keystore, import it now. For instructions, see Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore.
9. In the Windows Service Manager, restart the Good Technology Common Services service.

After you finish: Configure the Core BEMS service for communicating to BlackBerry Dynamics. For instructions, see Configure the BlackBerry Dynamics server in BEMS.
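
The import procedure above as one script, added here as an example and not taken from the BlackBerry guide. Because the export step accepts a browser certificate error, the script first compares the exported file's SHA-256 fingerprint with a value obtained out of band, then performs the backup, alias check, import and verification. The parameter names and the fingerprint placeholder are assumptions; the file path, alias and store password are the guide's example values.

```powershell
# Added example, not part of the BlackBerry guide. Parameter names and the
# fingerprint placeholder are assumptions; run from an elevated prompt.
param(
    [string]$CertFile       = 'C:\bemscert\cacert1.cer',
    [string]$Alias          = 'myalias1',
    # SHA-256 fingerprint of the CA certificate, obtained from the CA owner
    # through a channel other than the HTTPS session used for the export.
    [string]$ExpectedSha256 = '<expected SHA-256 fingerprint>',
    [string]$StorePass      = 'changeit'
)

if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set (step 1).' }
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'lib\security\cacerts'

# keytool creates a new, unused keystore when -keystore points at a file that
# does not exist, so stop before any keytool call if a path is wrong.
foreach ($p in $keytool, $keystore, $CertFile) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Not found: $p" }
}

# Load the certificate (DER or Base-64 .cer) and compute its SHA-256 fingerprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sha  = [System.Security.Cryptography.SHA256]::Create()
$fp   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''

# Refuse to trust a certificate whose fingerprint was not confirmed out of band.
$want = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
if ($want -notmatch '^[0-9A-F]{64}$') { throw 'Pass -ExpectedSha256 as 64 hex digits.' }
if ($fp -ne $want) { throw "Fingerprint mismatch: the file has $fp" }

# Sanity checks on what is about to become a trust anchor.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($bc -and -not $bc.CertificateAuthority) {
    Write-Warning "Basic constraints mark '$($cert.Subject)' as an end-entity certificate, not a CA."
}

# Step 6 guideline: the alias must be unique in the destination keystore.
& $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $keystore." }

# Step 3: back up the keystore before changing it.
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $keystore -Destination $backup -ErrorAction Stop

# Step 6: import with the keystore path given explicitly.
& $keytool -importcert -trustcacerts -noprompt -file $CertFile `
    -keystore $keystore -alias $Alias -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed. Keystore backup: $backup" }

# Confirm that the stored entry carries the fingerprint that was checked above.
$listing = (& $keytool -list -v -keystore $keystore -alias $Alias -storepass $StorePass |
    Out-String) -replace ':', ''
if ($listing -notmatch $fp) { throw "Alias '$Alias' does not show fingerprint $fp after import." }

Write-Output "Imported '$($cert.Subject)' as '$Alias'. Backup: $backup"
# Step 9 still applies: restart the Good Technology Common Services service.
```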

Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore

For the Connect service to trust the BlackBerry Proxy server’s certificate, you must import the BlackBerry Proxy root CA certificate to the Connect service Windows keystore.

1. Open the Microsoft Management Console.
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. Click Certificates.
5. Select Computer Account > Local computer > OK.
6. Expand Certificates (Local Computer) > Trusted Root Certification Authorities.
7. Right-click Certificates, and click All Tasks > Import.
8. Click Next.
9. Browse to where you saved the BlackBerry Proxy CA certificate that you exported (for example <drive>:\bemscert\bproot.cer). Click Open.
10. Click Next.
11. Click Finish. Click OK.

After you finish: Configure the Core BEMS service for communicating to BlackBerry Dynamics. For instructions, see Configure the BlackBerry Dynamics server in BEMS.

Keystore commands

The following table lists the keystore commands that are available at the command line. For more information about using the Java keytool, visit docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html.

| Action | Command |
|---|---|
| Check which certificates are currently in the keystore | keytool -list -v -keystore lib\security\cacerts |
| Export a list of the certificates that are currently in the keystore | keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt |
| Export a certificate from the keystore | keytool -exportcert -alias <alias_name> -file <file_name>.crt -keystore lib\security\cacerts |
| Check a standalone certificate | keytool -printcert -v -file <filename>.crt |
| Delete a certificate from the keystore | keytool -delete -alias <alias_name> -keystore lib\security\cacerts |
| Import a signed primary certificate to an existing BEMS Java keystore | keytool -importcert -trustcacerts -alias <alias_name> -file <file_name>.crt -keystore lib\security\cacerts |

Replacing the autogenerated SSL certificate

By default, BEMS is remotely accessible using HTTPS only. During installation, a BEMS Java keystore called bems.pfx is created and located in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores\. If you previously created a self-signed certificate, then your existing certificate and certificate password are retained. You can replace the previously self-signed certificate using a SAN certificate or a Wildcard server certificate and assign the certificate to be used by all nodes in a cluster. When you replace the previously self-signed certificate with a SAN or Wildcard server certificate, make sure that the certificate is trusted by all BlackBerry Dynamics apps that communicate with BEMS on port 8443. For instructions, see Assign the BEMS SSL certificate to users.

When you replace the auto-generated SSL certificate, you perform one of the following actions:

• Upload and replace the auto-generated SSL certificate with a self-signed certificate for a single node.
• Upload and replace the auto-generated SSL certificate with a SAN or Wildcard certificate and assign the certificate for use by all nodes in the cluster.

Steps to replace the autogenerated SSL certificate with a SAN or wildcard certificate for use by all nodes in a cluster

When you replace the autogenerated SSL certificate and assign the same certificate to all BEMS nodes in a cluster, you perform the following actions:

• Create a SAN certificate or wildcard certificate and save it to your desktop.
  Note: If you create a SAN certificate, it must include all of the BEMS nodes' FQDNs in the Subject Alternative Names property.
• Upload and replace the self-signed BEMS SSL certificate with a SAN or wildcard certificate for use by all nodes in a cluster.

Upload and replace the self-signed BEMS SSL certificate with a SAN or wildcard certificate for use by all nodes in a cluster

You can replace all of the self-signed SSL certificates with a SAN certificate or wildcard certificate using the BEMS dashboard (for example, when the certificates expire). The BEMS Dashboard can upload the SSL certificate to each BEMS node and enable the certificate to be used by all nodes in the cluster. The certificate file type must have a .pfx or .p12 extension. If you imported the certificate manually prior to upgrading BEMS, BEMS continues to use the previous certificate.

Before you begin: Verify that you obtained a SAN or wildcard certificate. Make sure that you know the password for the certificate file.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
2. In the Upload SSL Certificate section, click Choose File.
3. Navigate to the certificate file that you want to upload. Click Open.
4. In the Password field, enter the password for the certificate.
5. Optionally, select the Use the uploaded Server SSL Certificate for all nodes in the cluster check box. The BEMS Dashboard logs you out and all of the nodes in the cluster use the same certificate.

Note: If this is the first time that you upload a certificate, this check box displays after the password is entered.

Steps to replace the autogenerated SSL certificate with a self-signed certificate for one BEMS node

When you replace the autogenerated SSL certificate with a self-signed certificate for one BEMS node, you perform the following actions.

Note: The browser will report that your SSL certificate is untrusted because it is a self-signed certificate.

• If you need to obtain a signed certificate for BEMS, Create a new keystore, generate a CSR request, and obtain a signed certificate from a CA.
• If you have an existing certificate (.pfx), Import a previously issued certificate using a .pfx file.
• Move the certificate into the BEMS keystore.
• Update the certificate passwords in BEMS.

Create a new keystore, generate a CSR request, and obtain a signed certificate from a CA

1. If necessary, verify that the PATH system variable includes the path to the Java bin directory.
   a) In a command prompt, type set | findstr "Path".
   b) Press Enter.
   For instructions to set the Path system variable, see Configure the Java Runtime Environment.
2. On the computer that hosts BEMS, create a temporary folder (for example, C:\bemscert).
3. Create a new Java keystore and key pair.
   a) Open a command prompt.
   b) Navigate to the folder that you created in step 1.
   c) Type keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=<FQDN of BEMS host>, OU=<BEMS name>, O=<domain>, L=<location>, S=<state or province>, C=<country>" -validity <number of days before the certificate expires> -storepass <mystorepassword>.
      For example, keytool -genkeypair -alias serverkey -keyalg RSA -keystore bemsnew.pfx -storetype PKCS12 -keysize 2048 -dname "CN=BEMShost.example.net, OU=BEMShost, O=example, L=Waterloo, S=Ontario, C=CA" -validity 730 -storepass mystorepassword
      For more information about keystore commands, see Keystore commands.
   d) Press Enter.
   e) Type a password for the serverkey certificate's private key. To set the serverkey password to be the same as the keystore password, press Enter.
   f) Optionally, to view the contents of the certificate before you submit it to a CA, type keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>

4. Generate a CSR for the BEMS Java keystore. In the command prompt, type keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mykeypassword>

If the serverkey password and the keystore password are the same, type keytool -certreq -alias serverkey -file bemsnewcert.csr -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -keypass <mystorepassword>

5. Submit the CSR to a CA.
6. Receive the CA-signed certificate from the CA and save it to the folder that you created in step 1.
7. Import the CA-signed certificate to the request. In the command prompt, type keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword> -file <"certificate filename received in step 5"> -alias serverkey

For example, keytool -importcert -keystore bemsnew.pfx -storetype PKCS12 -storepass mystorepassword -file "bemsnew certnew.cer" -alias serverkey

8. To view the new contents of the keystore, type keytool -list -v -keystore bemsnew.pfx -storetype PKCS12 -storepass <mystorepassword>

After you finish: Move the certificate into the BEMS keystore

Import a previously issued certificate using a .pfx file

Before you begin:

• Verify that you have the .pfx file for a previously issued certificate. Make sure that you know the password for the .pfx file.
• If necessary, make sure that you know the password for the private key of the certificate within the .pfx file.
• Make sure that the certificate entry in the source .pfx file has the alias of "serverkey".

1. If necessary, verify that the PATH system variable includes the path to the Java bin directory.
   a) In a command prompt, type set | findstr "Path".
   b) Press Enter.
   For instructions to set the Path system variable, see Configure the Java Runtime Environment.
2. On the computer that hosts BEMS, create a temporary folder (for example, C:\bemscert).
3. Copy the .pfx certificate into the temporary folder.
4. Open a command prompt and navigate to the temporary folder that you created in step 2.
5. Confirm the information of the existing certificate in the bems.pfx keystore. Type keytool -list -keystore bems.pfx -storetype PKCS12 -storepass <password of the .pfx file>.
   The BEMS Dashboard keystore only supports one certificate in the bems.pfx keystore file. For more information about keystore commands, see Keystore commands. The following is a sample output:

   Keystore type: PKCS12
   Keystore provider: SunJSSE

   Your keystore contains 1 entry

   serverkey, <month> <day>, <year>, PrivateKeyEntry,
   Certificate fingerprint (SHA1): EA:A2:57:AB:30:09:DC:2A:F5:0A:EA:D9:D0:7A:3D:EB:95:A2:4C:7D

6. If the certificate alias isn't "serverkey", change the alias. Type the following command and press Enter: keytool -changealias -alias <alias from previous output> -destalias "serverkey" -keystore "C:\bemscert\bemsnew.pfx" -storetype PKCS12 -storepass <password of the .pfx file>.

After you finish: Move the certificate into the BEMS keystore.

Move the certificate into the BEMS keystore

1. Copy the keystore file to the BEMS keystore. The keystore filename is bems.pfx or a non bems.pfx filename (for example, bemsnew.pfx).
2. Stop the Good Technology Common Services service from the Windows Service Manager.
3. Navigate to <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores.
4. In the keystores folder, rename the bems.pfx file to bems_bak.pfx.
5. Copy the bems.pfx file or the new keystore file (for example, bemsnew.pfx) from C:\bemscert to <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores.

6. Rename the file to bems.pfx.

After you finish: Update the certificate passwords in BEMS

Update the certificate passwords in BEMS

For BEMS to access your certificate private key, you must include the challenge password in the jetty.xml file. The password must be obfuscated. This can be done with the BEMS SSL Tech Tool. For instructions, visit support.blackberry.com/community to read article 41823.

Before you begin: On the computer that hosts BEMS, download the BEMS Tech Tools and extract the sslcert folder. You can download the BEMS Tech Tools here.

1. Generate the obfuscated challenge password for your serverkey certificate private key and keystore password.

Note: When you run the BEMS SSL Tech Tool to obfuscate the password, the BEMS SSL Tech Tool generates a new gems.jks file. You can then delete the gems.jks file that the tool generates. The BEMS SSL Tech Tool also generates a log file, SelfSignCertificate.log.0, for review. This file contains the same information as the screen outputs.

   a) In a command prompt, navigate to the extracted sslcert utility folder.
   b) Type sslcert.bat <mykeypassword> <mystorepassword> <fqdn of BEMS host>
      For example: sslcert.bat mykeypassword mystorepassword bemshost.example.com
   c) Copy the screen outputs to a text file for later reference.

2. Back up the jetty.xml file. By default the jetty.xml file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc.

3. Update the keyStorePassword, trustStorePassword, and keyManagerPassword in the jetty.xml file with the obfuscated password. For examples, see Jetty.xml file reference.
   a) In a text editor, open the jetty.xml file.
   b) Locate the <New class="org.eclipse.jetty.util.ssl.SslContextFactory" id="sslContextFactory"> section.
   c) Locate the <Set name="KeyStorePassword"> and <Set name="TrustStorePassword"> elements and update them with the obfuscated passwords from the sslcert text outputs, Key Store Password and Trust Store Password, respectively. The text outputs are the obfuscated values of the keystore password, referenced as <mystorepassword> in step 1b.
   d) Locate the <Set name="KeyManagerPassword"> element and update it with the new obfuscated password from the sslcert text output, Key Manager Password. The text output is the obfuscated value of the keypass password, referenced as <mykeypassword> in step 1b.
4. Start the Good Technology Common Services service from the Windows Service Manager.
5. Test the new certificate by accessing the BEMS Dashboard in a browser. Its certificate information now reflects the newly imported certificate.

Assign the BEMS SSL certificate to users

By default, BEMS uses a self-signed certificate that is generated by the BEMS installer. If the BEMS SSL certificate is CA signed, export the CA root and intermediates as described in Replacing the autogenerated SSL certificate.

1. If the BEMS SSL certificate has not been replaced, export the SSL certificate to a file.
   a) In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
   b) Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.
2. In BlackBerry UEM, create a CA certificate profile for the BEMS Self-Signed certificate, or create individual CA certificate profiles for the CA Root certificate and any CA Intermediate certificates. Assign the profiles to users or user groups. For instructions on creating a CA certificate profile and assigning it to users or user groups, see the BlackBerry UEM administration content.

Note: In the Certificate file field, browse to the BemsCert.cer file you exported in step 1 or the root and intermediate certificates of the replacement BEMS certificate.

Jetty.xml file reference

The keystore file is referenced in jetty.xml. The default location of the jetty.xml file is on the computer hosting BEMS at <BEMS Machine Path>\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\. You can access this folder using the service account you used to install the BEMS software or the local system account.

The relevant snippet from jetty.xml referencing the location of the keystore file and its associated password would look like the following. If you import the certificate for one node, the CertAlias displays "serverkey". If you update the certificate and select the "Use the uploaded Server SSL Certificate for all nodes in a cluster" in the BEMS Dashboard, the CertAlias displays "server_cert".

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="KeyStorePath"><SystemProperty name="jetty.home" default="."/>/etc/keystores/bems.pfx</Set>
  <Set name="TrustStorePath"><SystemProperty name="jetty.home" default="."/>/etc/keystores/bems.pfx</Set>
  <Set name="KeyStorePassword">OBF:1mik1w8d1ugi1x841....1x8q1uh81w9d1mma</Set>
  <Set name="KeyManagerPassword">OBF:1mik1w8d1ugi1x841....1x8q1uh81w9d1mma</Set>
  <Set name="TrustStorePassword">OBF:1mik1w8d1ugi1x841....1x8q1uh81w9d1mma</Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <Set name="TrustStoreType">PKCS12</Set>
  <Set name="wantClientAuth">true</Set>
  <Set name="CertAlias">server_cert</Set>

The passwords are obfuscated. The KeyStorePassword and the TrustStorePassword are typically identical and represent the keystore password. The KeyManagerPassword is the challenge password for the certificate.
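The settings described in this reference can be checked after jetty.xml has been edited by hand. The following Python check is an added example, not part of the BlackBerry guide or of BEMS; the function names, the enclosing Configure element and the OBF: placeholder strings in the constructed fragment are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the guide's jetty.xml snippet. The enclosing
# Configure element and the OBF: strings are placeholders for this example.
SAMPLE_JETTY = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><SystemProperty name="jetty.home" default="."/>/etc/keystores/bems.pfx</Set>
    <Set name="TrustStorePath"><SystemProperty name="jetty.home" default="."/>/etc/keystores/bems.pfx</Set>
    <Set name="KeyStorePassword">OBF:constructed-store-placeholder</Set>
    <Set name="KeyManagerPassword">OBF:constructed-key-placeholder</Set>
    <Set name="TrustStorePassword">OBF:constructed-store-placeholder</Set>
    <Set name="KeyStoreType">PKCS12</Set>
    <Set name="TrustStoreType">PKCS12</Set>
    <Set name="wantClientAuth">true</Set>
    <Set name="CertAlias">server_cert</Set>
  </New>
</Configure>
"""

PASSWORD_KEYS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")


def read_ssl_settings(xml_text):
    """Return the <Set> values of the sslContextFactory element as a dict."""
    root = ET.fromstring(xml_text)
    factory = next((n for n in root.iter("New")
                    if n.get("id") == "sslContextFactory"), None)
    if factory is None:
        raise ValueError("no sslContextFactory element found")
    # itertext() also collects the path text that follows <SystemProperty/>.
    return {s.get("name"): "".join(s.itertext()).strip()
            for s in factory.findall("Set")}


def audit_jetty(xml_text, cluster_wide):
    """Return findings; password values are never echoed into the findings."""
    s = read_ssl_settings(xml_text)
    findings = []
    for key in PASSWORD_KEYS:
        value = s.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif not value.startswith("OBF:"):
            findings.append(f"{key} is not an OBF: value (stored in clear text)")
    for key in ("KeyStoreType", "TrustStoreType"):
        if s.get(key) != "PKCS12":
            findings.append(f"{key} is {s.get(key)!r}; the BEMS keystore is PKCS12")
    # Both paths normally point at bems.pfx, so the store passwords must agree.
    if (s.get("KeyStorePath") == s.get("TrustStorePath")
            and s.get("KeyStorePassword") != s.get("TrustStorePassword")):
        findings.append("key store and trust store share a file but not a password")
    # "serverkey" for a single-node import, "server_cert" for a cluster upload.
    expected = "server_cert" if cluster_wide else "serverkey"
    if s.get("CertAlias") != expected:
        findings.append(f"CertAlias is {s.get('CertAlias')!r}; expected {expected!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_jetty(SAMPLE_JETTY, cluster_wide=True):
        print("FINDING:", finding)
```

OBF: values are reversible obfuscation rather than encryption, so read access to jetty.xml and the keystores folder should stay limited to the BEMS service account and administrators.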


Certificate format

Any certificate used should include the following:

• Be PKCS #12
• The private key must contain a challenge password
• Has the appropriate key chain (for example, the root and intermediate certificate)
• The Subject or Subject Alternative Names properties include the FQDN of the BEMS node. This is required for BEMS to be trusted by web browsers and BlackBerry Dynamics apps.
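The requirements above, together with the single-entry and "serverkey" alias rules from Import a previously issued certificate using a .pfx file, can be checked before the keystore is copied into place. The following Python check is an added example, not part of the BlackBerry guide or of BEMS; it parses keytool -list -v output (the embedded listing is constructed), and the function names, the min_chain threshold and the SAN-first name matching are assumptions of the example.

```python
import re

# Constructed sample of `keytool -list -v -keystore bemsnew.pfx -storetype PKCS12`
# output. Host names, CA names and dates are invented for this example.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: serverkey
Creation date: Jan 1, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=bems1.example.net, OU=BEMShost, O=example, L=Waterloo, ST=Ontario, C=CA
Issuer: CN=Example Issuing CA, O=example, C=CA
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: bems1.example.net
  DNSName: *.mobility.example.net
]

Certificate[2]:
Owner: CN=Example Issuing CA, O=example, C=CA
Issuer: CN=Example Root CA, O=example, C=CA
Certificate[3]:
Owner: CN=Example Root CA, O=example, C=CA
Issuer: CN=Example Root CA, O=example, C=CA
"""


def parse_listing(text):
    """Split `keytool -list -v` output into one dict per keystore entry."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        # Only the leaf certificate (Certificate[1]) is matched against host names.
        leaf = re.split(r"(?m)^Certificate\[2\]:", block)[0]
        etype = re.search(r"(?m)^Entry type: (\S+)", block)
        chain = re.search(r"(?m)^Certificate chain length: (\d+)", block)
        cn = re.search(r"(?m)^Owner: .*?CN=([^,\n]+)", leaf)
        entries.append({
            "alias": block.split("\n", 1)[0].strip(),
            "type": etype.group(1) if etype else None,
            "chain_len": int(chain.group(1)) if chain else 0,
            "cn": cn.group(1).strip() if cn else None,
            "san": re.findall(r"(?m)^[ \t]*DNSName: (\S+)", leaf),
        })
    return entries


def name_matches(pattern, host):
    """Exact match, or a wildcard that replaces the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_keystore(listing, node_fqdns, alias="serverkey", min_chain=2):
    """Return findings; an empty list means the keystore fits the guide's rules.

    Assumptions of this example: min_chain=2 expects a CA-signed certificate
    (pass 1 for a self-signed one), and when a SAN extension exists only its
    DNS names are used, which is how current browsers match host names.
    """
    findings = []
    entries = parse_listing(listing)
    if len(entries) != 1:
        findings.append(f"{len(entries)} entries found; the BEMS keystore supports one")
    for e in entries:
        if e["type"] != "PrivateKeyEntry":
            findings.append(f"entry {e['alias']!r} is {e['type']}, not a PrivateKeyEntry")
            continue
        if e["alias"] != alias:
            findings.append(f"alias is {e['alias']!r}; expected {alias!r} (keytool -changealias)")
        if e["chain_len"] < min_chain:
            findings.append(f"chain length {e['chain_len']} is below {min_chain}; CA certificates missing")
        names = e["san"] or ([e["cn"]] if e["cn"] else [])
        for fqdn in node_fqdns:
            if not any(name_matches(n, fqdn) for n in names):
                findings.append(f"no Subject/SAN name covers BEMS node {fqdn}")
    return findings


if __name__ == "__main__":
    for finding in check_keystore(SAMPLE_LISTING, ["bems1.example.net", "bems2.example.net"]):
        print("FINDING:", finding)
```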

Add dashboard administrators

You add groups using Microsoft Active Directory groups to the Dashboard Administrators setting and give members of the group dashboard login and configuration permissions. You can add one or more groups, but the group must be a part of the security groups. Users who are members of the Local Administrators group can also log in to BEMS.

You can also configure BEMS to require users to log in to the BEMS Dashboard using certificate-based authentication. When you enable certificate-based authentication, BEMS contacts the LDAP server and verifies the following information for the BEMS administrator:

• The user account is enabled.
• The user belongs to a security group that can log in to the BEMS Dashboard.

Before you begin: If you choose to enable certificate-based authentication, verify the following:

• You have access to the root and intermediate certificates from the certificate authority (CA). You can upload a base64-encoded or binary-encoded format certificate file that includes one or more trusted certificates to the BEMS Dashboard. When you upload one or more certificate files, the certificates are displayed in the dashboard. BEMS supports the following file extensions: .cer, .der, .pem, and .crt. For information about creating a .pem file that includes multiple certificates, visit http://support.blackberry.com/community to read article 57259.
• Do not save the certificate file with a .pfx extension. PFX file extensions are not supported.
• Have BEMS administrators import the user credential certificates in the Personal Windows certificate store on the computer that is used to login to the BEMS Dashboard.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click Dashboard Administrators.
3. Click Add Group.
4. In the Active Directory Security Group field, type the name of the Microsoft Active Directory security group.
5. Click Save.
6. Repeat steps 3 to 5 to add additional security groups.
7. Optionally, complete the following steps to require users to use certificate based authentication to login to the BEMS Dashboard.
   a) Select the Enable Client Certificate Authentication checkbox.
   b) Click Choose File. Navigate to and select the client certificate file.
   c) Click Open.
   d) Enter the LDAP server information details.
      • In the LDAP Server Name field, type the name of the LDAP server. For example, ldap.<DNS_domain_name>.
      • In the LDAP Server port field, type the port number of the LDAP server. By default, the port number is 389.
      • Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636.
      • Enter the LDAP username and password. In a Microsoft Active Directory environment, enter the username in the format domain\username.
   e) Click Save.
   f) Restart each instance of BEMS.

After you finish: If you configured your environment for BEMS administrators to use certificate based authentication, verify that users are prompted to select a certificate when they log in to the BEMS Dashboard. If BEMS Administrators experience an issue logging in to the dashboard using certificate authentication, they can log in with their user credentials.

Replace or delete the user credential certificates for certificate-based authentication

When you replace the user credential certificates (for example, when the certificate expires) that BEMS administrators use to authenticate to the Dashboard, you replace the existing certificates (root or intermediate certificate chain) in the BEMS database. You can upload a base64-encoded or binary-encoded file that includes one or more certificates. When you upload a single file that includes multiple certificates, the certificates are listed in the management console and can be deleted and replaced individually as required.

Before you begin: You have access to updated root and intermediate certificates from the certificate authority (CA) in a base64-encoded or binary-encoded format and they are stored in a network location that you can access from the management console.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click Dashboard Administrators.
3. In the Certificate Information section, select the Delete checkbox beside each certificate that you want to delete. Click Delete.
4. Add the new certificate files as required. For instructions, see Add dashboard administrators.

Configure the BlackBerry Dynamics server in BEMS

Your BEMS environment must be configured to trust the Root CA for the BlackBerry Proxy HTTPS configuration or implement the Karaf workaround. For instructions, see Importing CA Certificates for BEMS.

The BlackBerry Dynamics server information in the following instructions refers to the FQDN of the server that hosts the BlackBerry Proxy service. The BlackBerry Proxy service is installed on on-premises BlackBerry UEM servers that have the BlackBerry Connectivity Node. The BlackBerry Connectivity Node is required for some BlackBerry UEM Cloud deployments when they link a company directory to the BlackBerry UEM Cloud tenant, and to offer on-premises connectivity to BlackBerry Dynamics users activated using the BlackBerry UEM Cloud. For more information about the BlackBerry Connectivity Node, see the BlackBerry UEM Planning content.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click BlackBerry Dynamics.
3. Complete one of the following actions:
   • If a BlackBerry Proxy server is not defined:
     a. Click Add BlackBerry Proxy.
     b. In the Host Name field, type the FQDN of the server that hosts the BlackBerry Proxy service.
     c. In the Protocol drop-down list, select the protocol used to communicate with the BlackBerry Proxy server.
        • If you select HTTPS, the Port field prepopulates to 17433.
        • If you select HTTP, the Port field prepopulates to 17080.
     d. Click Test to test the connection.
     e. Repeat steps 1 to 4 to add additional BlackBerry Proxy servers for redundancy continuity.
   • If one or more BlackBerry Proxy servers are defined: No action is required. Previously defined BlackBerry Proxy servers are listed.
4. Select the Apply to other nodes in the BEMS cluster check box to communicate the BlackBerry Proxy server information to all of the BEMS nodes in the cluster.
5. Optionally, select the Enforce the SSL Certificate validation when communicating with BlackBerry Dynamics check box when you use the https protocol to communicate with the BlackBerry Proxy server.

6. Click Save.

Configure a web proxy server

Apple Push notifications for iOS devices are sent by the BlackBerry Dynamics NOC to the Apple Push Notification Service (APNs). Push notifications for Android devices are sent directly to Firebase Cloud Messaging (FCM). Because the APNS and FCM reside outside of your enterprise network, a proxy server might be required.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings click BEMS Configuration.
2. Click Web Proxy.
3. Select the Use Web Proxy checkbox.
4. In the Proxy Address field, enter the FQDN of the web proxy server.
5. In the Proxy Port field, type the port number.
6. Optionally, depending on your environment configuration you can specify URLs or domains that you want to pass through the web proxy server or bypass the web proxy server. If you enter multiple URLs or domains, separate them with a comma (,). You can use wildcards (*) when listing the URLs or domains. The URLs or domains that you list are not case-sensitive.
7. In the Proxy Server Authentication Type drop-down list, select an authentication type. By default, the authentication is set to None. If you choose Basic or NTLM authentication, enter the credentials and, optionally, the Domain.
8. Select the Use the same web proxy settings to connect to an externally hosted Exchange checkbox, if you want to use the web proxy to communicate with a hosted Microsoft Exchange Server (cloud deployed).
9. Select the Apply to other nodes in the BEMS cluster check box to communicate the BlackBerry Proxy server information to all of the BEMS nodes in the cluster.
10. Click Test to verify the connection to the proxy server.
11. Click Save.

Enable log file compression

You can compress the log files that are generated and saved in the default log folder or folder you specified during the installation of BEMS. Currently, log files are generated and rotated when they reach 100 MB in size, once a day at midnight, or when the server is restarted. When you enable log compression, log files can be larger than 100 MB. When a log file exceeds 100 MB, it is compressed and saved to the appropriate log file folder. By default, log file compression is disabled. If you installed the BEMS services on multiple computers, you must complete this task on one BEMS instance in the same database.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings click BEMS Configuration.
2. Click Log Settings.
3. Select Enable Log Compression.
4. Click Save.

Uploading BEMS log and statistical information

The BEMS Dashboard provides several aids for collecting troubleshooting data.

| Troubleshooting aid | Description |
|---|---|
| Log Upload Credentials | Enter your username and password that you use to log on to the BlackBerry Online Portal. Note: These credentials are not stored, and are only used to ensure that this BEMS is authorized for log uploads. |
| Upload Logs | Use this tool to send logs directly to BlackBerry Support. Mail and Docs services logs are supported. Note: When you specify the date range, the time zone displayed is that of the BEMS server and the dates selected are used in reference to that time zone. |
| Upload BEMS statistics | Use this tool to send BEMS statistics to the BlackBerry Infrastructure and BlackBerry Dynamics NOC periodically. By default, uploading diagnostic information is enabled. |

Specify log upload credentials

Before you begin: Make sure you have the login credentials you use to access the BlackBerry Online Portal. These credentials are not stored; they are used to verify that the BEMS server is authorized for log uploads to BlackBerry technical support for review. If you configured the Upload Credentials screen during the software installation or upgrade, the BlackBerry Online Portal Username field is prepopulated with the username that you provided. If you didn't provide the credentials during the software installation or upgrade, but the Allow this BEMS server to send diagnostic information to BlackBerry Support check box was selected, BEMS automatically configures the Upload BEMS statistics information.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.
2. Click Log Upload Credentials.
3. If necessary, in the BlackBerry Online Portal Username field, type the username that you use to access the Online Portal.
4. In the BlackBerry Online Portal Password field, type the password that you use to access the BlackBerry Online Portal.
5. Click Test.
6. Click Save.

Upload log files

You can upload log files for the Mail service and Docs service. Complete this task on each computer that hosts the Mail service and Docs service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.
2. Click Upload Logs.
3. Specify a date range for the logs to include.
   The time zone displayed is that of the BEMS server and the date range you specify is in reference to that time zone.
4. Click Upload Logs.

Enable BEMS to upload BEMS statistics

Periodically, BEMS sends diagnostic information to BlackBerry technical support. The statistical information might include the following information:

• Name of the cluster
• Version of BEMS
• JVM Version
• Last restart time
• System bugs
• Operating system
• Schema version
• System health

The following information might be sent if the Mail service is installed:

• Number of users assigned to the instance
• Name of instance
• List of instances
• Feature set for instance
• Feature set for cluster
• Services installed, status of the instance

If you provided the upload credentials during the software installation or upgrade, this page is prepopulated with a default upload interval of 30 minutes. If you didn't provide the upload credentials information and didn't clear the Allow this BEMS server to send diagnostic information to BlackBerry Support check box, BEMS generates a random cluster name and configures these settings when you specify the Log Upload Credentials.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click Troubleshooting.
2. Click Upload BEMS statistics.
3. Select the Allow this BEMS server to send diagnostic information to BlackBerry Support check box. If you clear this check box, you disable this feature and are prompted to complete the Upload Credentials when you upgrade BEMS instance.
4. Type a cluster name and domain name.
5. If necessary, in the Upload interval field, specify an Upload interval. You can specify an upload interval between 0 and 65355 minutes. By default, the upload interval is 30 minutes.
6. Click Save.

Firebase Push Notifications

Configure FCM to send notifications to Android devices when the BlackBerry Work 2.13 or later app and BlackBerry Connect 2.7 or later app are in the background. If you configured your environment for Google Cloud Messaging, no additional configuration is required after you upgrade. The BEMS Dashboard automatically associates the GCM configuration with the FCM configuration.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings click BEMS Configuration.
2. Click Firebase Push Notification.
3. In the FCM Sender ID field, type the Sender ID value of the project you created in Firebase. For more information about creating the Firebase Cloud Messaging API Keys, visit support.blackberry.com/community to read article 44617.
4. In the FCM API key field, enter the Server key value of the project you created in Firebase.
5. Click Save.

Enabling FIPS Mode in BEMS

BEMS-Core, BEMS-Mail, BEMS-Docs, BEMS-Connect, and BEMS-Presence services can be configured to use FIPS 140-2 (U.S. Federal Information Processing Standards) compliant algorithms for cryptographic operations. When FIPS-compliance mode is enabled on one BEMS instance in a cluster, all instances in the cluster are enabled. To enable this feature in the cluster, all BEMS nodes must be running the same version of BEMS (for example, BEMS 2.12 or later). By default, FIPS 140-2 compliant mode is disabled. BEMS doesn't verify if the OS that hosts the BEMS-Docs service is running in FIPS 140-2 compliant mode.

Enable FIPS-compliance mode

Before you begin: Confirm that all BEMS nodes in the cluster are running the same version of BEMS. When you enable FIPS 140-2 compliance mode on one node in the cluster, all the nodes in the cluster are enabled.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click BEMS Configuration.
2. Click FIPS Mode.
3. Select the Enable FIPS Mode for Cluster check box.
4. Click Save.
5. To enable FIPS-compliance mode for BEMS-Connect, complete the following steps on each computer that hosts an instance of the BEMS-Connect service:
   a) In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.
   b) In the <appSettings> section, add the following key and value to the file: type <add key="MESSAGE_ENCODING_TYPE" value="NON-SHIFT" />.
   c) Save the file.
   d) In the Windows Manager, restart the Good Technology Connect service.

Verify that FIPS-compliance is enabled

When FIPS-compliance mode is enabled, the BEMS log file logs the action. The log files also log when an administrator accesses the FIPS mode configuration screen and saves the settings without making a change and when the feature is disabled. The following log lines are logged:

Logging                       Description
Changed FIPS mode to true     FIPS-compliance mode is enabled.
Changed FIPS mode to false    FIPS-compliance mode is disabled.
No change for FIPS mode       FIPS-compliance mode settings were saved without changes.
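The three log messages listed for FIPS-compliance mode can be audited with a short PowerShell script that reports every FIPS-related event and the last recorded state. This is an added example, not part of the BlackBerry guide; only the three message texts come from the guide, while the timestamp and level prefix of the sample lines and the function names are assumptions made for the example.

```powershell
# Constructed sample input. Only the three message texts are taken from the
# guide; the timestamp/level prefix is an assumed layout for illustration.
$sampleLog = @'
2020-12-01 09:14:02 INFO  Changed FIPS mode to true
2020-12-03 16:40:11 INFO  No change for FIPS mode
2020-12-04 08:01:30 INFO  Some unrelated log entry
2020-12-07 22:05:47 INFO  Changed FIPS mode to false
'@ -split "`r?`n"

# Map each documented message to the event it represents.
$FipsMessages = [ordered]@{
    'Changed FIPS mode to true'  = 'Enabled'
    'Changed FIPS mode to false' = 'Disabled'
    'No change for FIPS mode'    = 'SavedWithoutChange'
}

function Get-BemsFipsEvent {
    # Returns one object per log line that contains a documented FIPS message.
    param([Parameter(Mandatory)][string[]]$Line)
    $lineNumber = 0
    foreach ($entry in $Line) {
        $lineNumber++
        foreach ($message in $FipsMessages.Keys) {
            if ($entry.Contains($message)) {
                [pscustomobject]@{
                    LineNumber = $lineNumber
                    Event      = $FipsMessages[$message]
                    Text       = $entry.Trim()
                }
                break
            }
        }
    }
}

function Get-BemsFipsState {
    # The effective state is the last Enabled/Disabled change; a save without
    # changes does not alter it. 'Unknown' means no change was ever logged.
    param([object[]]$FipsEvent)
    $last = $FipsEvent |
        Where-Object { $_.Event -in 'Enabled', 'Disabled' } |
        Select-Object -Last 1
    if ($last) { $last.Event } else { 'Unknown' }
}

# For a real check, replace $sampleLog with: Get-Content '<path to BEMS log file>'
$events = @(Get-BemsFipsEvent -Line $sampleLog)
$events | Format-Table -AutoSize
$state = Get-BemsFipsState -FipsEvent $events
"Last recorded FIPS state: $state"

# A 'Disabled' event on a cluster that is required to run in FIPS mode is the
# line worth alerting on.
$events | Where-Object { $_.Event -eq 'Disabled' } |
    ForEach-Object { Write-Warning "FIPS mode was disabled (log line $($_.LineNumber))" }
```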

Configuring BEMS services

You can configure one or more services and in any order based on your organization's requirements. When you configure the BEMS services, you configure one or more of the following services. If you installed the services on multiple computers, configure the service on one BEMS instance for each cluster.

• BlackBerry Push Notifications
• BlackBerry Connect
• BlackBerry Presence
• BlackBerry Docs
• BlackBerry Dynamics Launcher
• BlackBerry Certificate Lookup

Changing users' SMTP addresses

BEMS supports changing users’ SMTP addresses without requiring the user to provision their BlackBerry Work app and BlackBerry Connect app. Previously, if a user changed their primary email address:

• The user needed to reprovision their BlackBerry Work app if they missed email notifications and notifications for email marked as VIP, were unable to access repositories using BlackBerry Work Docs, or could not change other settings on their device.
• The user needed to reprovision their BlackBerry Connect app if they were unable to log in to the BlackBerry Connect app, if they missed message notifications, and the presence status didn’t update for other users.

BEMS now detects the primary SMTP address change and updates the BEMS database with the new SMTP address without the user having to reprovision.

Configuring the Push Notifications service

When you configure BEMS for Push Notifications support of the BlackBerry Work app, which includes mail, contacts, and calendar, you perform the following:

• Configure the Mail service in the BEMS dashboard
• Configure BlackBerry UEM for BlackBerry Work
• Optionally, configure the Push Notifications service for high availability

Configuring Push Notifications

When you configure the Mail service, you perform the following actions:

Important: Complete the configuration in the following order to avoid connectivity issues.

1. Database
2. Microsoft Exchange Server
3. Stop Notifications
4. User Directory Lookup
5. Certificate Directory Lookup

Configure the Microsoft SQL Server database for Push Notifications service

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Database.
3. In the Server field, verify the Microsoft SQL Server host name and instance. This field is prepopulated with the information you provided during the BEMS installation. The Microsoft SQL Server must be in the following format: <SQLServer_hostname>\<instance_name>. If you configured the database for an AlwaysOn Availability Group, set the server to the AlwaysOn Listener FQDN. Do not use the cluster name or host name of the server in the cluster.
4. In the Database field, verify the database name. For example, BEMS-Core. If you configured the database for an AlwaysOn Availability Group, set the database to the name of the database added to the AlwaysOn Availability Group.
5. In the Authentication Type drop-down list, complete one of the following tasks:
   • If you select Windows Authentication, the Push Notifications service uses the Windows credentials to access the Microsoft SQL Server database.
   • If you select SQL Server Login, type the username and password used to access the Microsoft SQL Server database.
6. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.
7. Click Test.
8. Click Save.
9. Restart the Good Technology Common Services in the Windows Services Manager.

Best practice: Enabling autodiscovery

When you enable autodiscovery to automatically discover the Microsoft Exchange ActiveSync server in your environment, consider the following guidelines:

• Make sure that Microsoft Exchange Autodiscover is set up correctly. For more information, see the Microsoft documentation for Microsoft Exchange.
• In a Microsoft Exchange environment: Make sure that the autodiscover URL routes to one of the Exchange client access server (CAS) servers. If your environment uses a load balancer, make sure that the Auto Discover URL routes to the load balancer and then route it to your group of CAS servers.
• In a mixed Microsoft Exchange environment (for example, Microsoft Exchange Server 2013 and 2016): Make sure that the autodiscover URL routes to the latest version of the CAS servers (for example, the Microsoft Exchange Server 2016).
• In a cloud-based Microsoft Exchange environment: the autodiscover URLs are typically managed by Microsoft, however if your environment migrated your domain to a cloud-based Microsoft Exchange, make sure that the domain autodiscover URL routes to Microsoft's autodiscover URL (for example, https://autodiscover.outlook.com). In the DNS admin portal, make sure a CNAME record is created and that it redirects https://autodiscover.<domain>/autodiscover/autodiscover.svc to https://autodiscover.outlook.com.
• In a cloud-based Microsoft Exchange environment: the autodiscover URLs are typically managed by Microsoft, however if your environment migrated your domain to a cloud-based Microsoft Exchange, make sure that the domain autodiscover URL routes to Microsoft's autodiscover URL (for example, https://autodiscover.outlook.com). On the DNS admin portal, make sure a CNAME record is created and that it redirects https://autodiscover.<mydomain>/autodiscover/autodiscover.xml to https://autodiscover.outlook.com.
• In a cloud-based Microsoft Exchange hybrid environment: mailboxes can exist in both on-premises Microsoft Exchange and cloud-based Microsoft Exchange. Make sure that the autodiscover URL routes to the on-premises Microsoft Exchange Server.

Note: All autodiscover URLs must be whitelisted on BlackBerry UEM. For more information on how to use third-party tools to test autodiscover, visit support.blackberry.com/community to read article 40351.

Configure BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365

You must allow BEMS to authenticate to Microsoft Exchange Server or Microsoft Office 365 to access users’ mailboxes and send notifications to users’ devices when new email is received on the device.

Before you begin: Verify that you have the following information and completed the appropriate tasks.

• Verify that the service account has impersonation rights on the Microsoft Exchange Server. For instructions, see Grant application impersonation permission to the BEMS service account.
• In a Microsoft Office 365 environment, if you plan to enable Modern Authentication, verify that you completed the following:
  • If you enable Modern Authentication using Credential, obtain the Client Application ID.
  • If you enable Modern Authentication using a Client Certificate:
    • Obtain the Client Application ID with certificate based authentication
    • Request and associate the .pfx certificate with the Azure app ID for BEMS
  • In environments where the metadata endpoint is protected by mutual TLS authentication, make sure that you imported the mutual TLS certificate in to the BEMS keystore. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore. This feature requires that you enable modern authentication using Credential or Client Certificate.
• In a Microsoft Office 365 environment, if you use Passive Authentication, verify that you have the App ID for BEMS using credential authentication.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Microsoft Exchange.
3. In the Select Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365:

Authentication type: Integrated
Environment: Microsoft Exchange Server on-premises
Description: This option uses Windows authentication credentials to authenticate to the Microsoft Exchange Server.
Task: No additional actions are required.

Authentication type: Credential
Environment:
• Microsoft Exchange Server on-premises
• Microsoft Office 365
Description: This option uses the BEMS username and password to authenticate to the Microsoft Exchange Server or Microsoft Office 365.
Task:
a. In the Username field, enter the username of the BEMS service account.
   • For Microsoft Office 365, enter the service account's User Principal Name (UPN).
   • For on-premises Microsoft Exchange Server, use the format <domain>\<username>.
b. In the Password field, enter the password for the service account.

Authentication type: Client Certificate
Environment:
• Microsoft Exchange Server on-premises
• Microsoft Office 365
Description: This option uses a client certificate to allow the BEMS service account to authenticate to the Microsoft Exchange Server or Microsoft Office 365.
Task:
a. For the Upload PFX file, click Choose File and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Azure app ID for BEMS.
b. In the Enter PFX file Password field, enter the password for the client certificate.

Authentication type: Passive Authentication
Environment: Microsoft Office 365
Description: This option uses an identity provider (IDP) to authenticate the user and provide BEMS with OAuth tokens to authenticate to Microsoft Office 365.
Task:
a. In the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Office 365 (for example, https://login.microsoftonline.com/<tenantname>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
b. In the Client Application ID field, enter the Azure app ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.
c. In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the field is prepopulated with https://outlook.office365.com.
d. In the Redirect URI field, enter the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. If you remotely log in to the computer that hosts the BEMS and perform the configuration from the computer's browser, enter https://localhost:8443/dashboard/views/dashboard.jsp, otherwise enter https://<FQDN of the computer that hosts the BEMS instance>/views/dashboard.jsp.
   Note: The URI must be the same URI as the BEMS URI and whitelisted in the Azure portal for the application ID.
e. Click Login.
f. Enter the credentials for the service account.
g. Click OK to acknowledge that the authentication tokens were obtained.
h. Important: BEMS doesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The token expiration time depends on your tenant policy. When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you log in to the IDP.

4. In a Microsoft Office 365 environment that uses Credential or Client certificate authentication, enable Modern Authentication and use mutual TLS authentication.
   a) Select the Enable Modern Authentication checkbox.
   b) If your environment uses Client certificate authentication, in the Authentication Authority field, enter the Authentication Server URL that BEMS accesses to retrieve the OAuth token for authentication with Microsoft Office 365 (for example, https://login.microsoftonline.com/<tenantname> or https://login.microsoftonline.com/<tenantid>). By default, the field is prepopulated with https://login.microsoftonline.com/common.
   c) In the Client Application ID field, enter one of the following Azure app IDs depending on the authentication type you selected:
      • Obtain an Azure app ID for BEMS with credential or passive authentication
      • Obtain an Azure app ID for BEMS with certificate-based authentication
   d) In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the field is prepopulated with https://outlook.office365.com.
   e) Optionally, select the Use Credentials if Modern Authentication fails check box to allow BEMS to communicate with Microsoft Office 365 in the event that BEMS can't access the modern authentication source. When you select this check box, you must provide the BEMS service account credentials.
   f) Optionally, select the Use Mutual TLS Authentication check box to allow BEMS to respond to mutual TLS authentication requests. This step requires that the mutual TLS certificate is imported into BEMS. For instructions, see Import the trusted mutual TLS certificates into the BEMS keystore.
   Note: When you configure Modern Authentication, all nodes use the specified configuration.
5. Under the Autodiscover and Exchange Options section, complete one of the following actions:

Task: Override Autodiscover URL
Steps: If you select to override the autodiscover process, BEMS uses the override URL to obtain user information from the Microsoft Exchange Server or Microsoft Office 365. For more information about best practices when enabling autodiscover, see Best practice: Enabling autodiscovery.
a. Select the Override Autodiscover URL checkbox.
b. In the Autodiscover URL Override Autodiscover field, type the autodiscover endpoint (for example, https://autodiscover<domain>.com/autodiscover/autodiscover.svc).

Task: Autodiscover and Microsoft Exchange Server options
Steps:
a. Select the Swap ordering of <domain.com>/autodiscover and autodiscover.<domain.com>/autodiscover check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures.
b. Optionally, modify the TCP Connect timeout for Autodiscover url (milliseconds) field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds).
c. By default, the Enable SCP record lookup checkbox is selected. If you clear the checkbox, BEMS does not perform a Microsoft Active Directory lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected.
d. Optionally, select the Use SSL connection when doing SCP lookup check box to allow BEMS to communicate with the Microsoft Active Directory using SSL. If you enable this feature, you must import the Microsoft Active Directory certificate to each computer that hosts an instance of BEMS. This option is not available when Override Autodiscover URL is selected.
e. By default the Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server check box is selected. If you clear this setting and use an un-trusted certificate, then the connection to the on-premises Microsoft Exchange Server fails.
f. By default, the Allow HTTP redirection and DNS SRV record check box is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Work Push Notifications.
g. Optionally, select the Force re-autodiscover of user on all Microsoft Exchange errors checkbox to force BEMS to perform the autodiscover again for the user when the Microsoft Exchange Server or Microsoft Office 365 returns an error message.

6. In the End User Email Address field, type an email address to test connectivity to the Microsoft Exchange Server or Microsoft Office 365 using the service account. Click Test. You can delete the email address after you complete the test.
   If the service account is correctly configured and the test fails, BEMS is attempting to communicate with a Microsoft Exchange Server that is not using a trusted SSL Certificate. If your Microsoft Exchange Server is not set up to use a trusted SSL certificate, see Importing CA Certificates for BEMS.

7. Click Save.

After you finish:

If you selected Client Certificate authentication, you can view the certificate information. Click Mail. The following certificate information is displayed:

• Subject
• Issuer
• Validation period
• Serial number

Obtain an Azure app ID for BEMS with credential or passive authentication

If you need to obtain multiple Azure app IDs (for example, Docs, BlackBerry Work, and BlackBerry Connect), it is recommended that you create a separate app ID for each app.

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app.
6. Select a supported account type.
7. In the Redirect URI section, in the drop-down list, complete one of the following tasks. The Redirect URI is the URL that the user is redirected to after they successfully authenticate to the identity provider (IDP). Important: Make sure that the Redirect URL matches the URL to the dashboard or authentication might not work as expected.
   • For credential authentication, select Web and enter https://localhost:8443.
   • For passive authentication, select Public client/native (mobile & desktop) and enter the URL that you use to access the BEMS Dashboard.
     • If you access the BEMS Dashboard from the computer that hosts the BEMS instance, enter https://localhost:8443.
     • If you access the BEMS Dashboard remotely, enter https://<FQDN of the computer that hosts the BEMS instance>:8443.
8. Click Register. The new registered app appears.
9. In the Manage section, click API permissions.
10. Click Add a permission.
11. In the Select an API section, click Microsoft APIs tab.
12. Click Exchange.
13. Set the following permissions for Microsoft Exchange Web Services:
    • Delegated permissions: Access mailboxes as the signed-in user via Exchange Web Services (EWS > EWS.AccessAsUser.All)
14. Select the Add permissions.
15. Click Add a permission.
16. Click Microsoft Graph. If the Microsoft Graph API permission is not listed, add Microsoft Graph.
17. Set the following permissions for Microsoft Graph.
    • Delegated permissions: Sign in and read user profile (User > User.Read).
18. Click one of the following:
    • If the Microsoft Graph API permission existed in the API permissions list, click Update permissions.
    • If you needed to add the Microsoft Graph API permission, click Create.
19. Click Add a permissions.
20. Click Grant admin consent. Click Yes.
    Important: This step requires tenant administrator privileges.
21. To allow autodiscovery to function as expected, set the authentication permissions.
    a) In the Manage section, click Authentication.
    b) Under the Implicit grant section, select the ID Tokens checkbox.
    c) In the Default client type, select Yes.
    d) Click Save.
22. Click Overview. Copy the Application (client) ID. The Application (client) ID is displayed in the main Overview page for the specified app. This is used as the Client application ID when you enable modern authentication and configure BEMS to communicate with Microsoft Office 365.

Obtain an Azure app ID for BEMS with certificate-based authentication

If you need to obtain multiple Azure app IDs (for example, Docs, BlackBerry Work, and BlackBerry Connect), it is recommended that you create a separate app ID for each app.

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app.
6. Select a supported account type.
7. Optionally, in the Redirect URI section, in the drop-down list, select Public/client (mobile & desktop) and enter http://<name of the app given in step 5>.
   This app is a daemon, not a web app, and does not have a sign-on URL.
8. Click Register. The new registered app appears.
9. In the Manage section, click API permissions.
10. Click Add a permission.
11. In the Select an API section, click Microsoft APIs tab.
12. Click Exchange.
13. Set the following permissions for Microsoft Exchange Web Services:
    • Application permissions: Use Exchange Web Service with full access to all mailboxes (full_access_as_app)
14. Click Add permissions.
15. Click Microsoft Graph. If the Microsoft Graph API permission is not listed, add it.
16. Set the following permission for Microsoft Graph.
    • Delegated permissions: Sign in and read user profile (User > User.Read)
17. Click Add permissions.
18. Click Grant admin consent.
19. Click Yes.
20. Click Overview to view the app that you created in step 5. Copy the Application (client) ID. The Application (client) ID is displayed in the main Overview page for the specified app. This is used as the Client application ID in the BEMS dashboard when you enable modern authentication and configure BEMS to communicate with Microsoft Office 365.

After you finish: Associate a certificate with the Azure app ID for BEMS

Associate a certificate with the Azure app ID for BEMS

You can request and export a new client certificate from your CA server or use a self-signed certificate. The private key must be in .pfx format to upload to the BEMS dashboard. For more information, see Enable modern authentication for the Mail service in BEMS. The public key can be exported as a .cer or .pem file to upload to Microsoft Azure.

1. Complete one of the following tasks:

Certificate: If you are using an existing CA server
Task:
a. Request the certificate. The certificate that you request must include the app name in the subject of the certificate. Where <app name> is the name you assigned the app in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication.
b. Export the public key of the certificate as a .cer or .pem file. The public key is used for the Azure app ID that is created.
c. Export the private key of the certificate as a .pfx file. The private key is imported to the BEMS dashboard.

Certificate: If you are using a self-signed certificate
Task:
a. Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit docs.microsoft.com and read New-SelfSignedCertificate.
   1. On the computer running Microsoft Windows, open the Windows PowerShell.
   2. Enter the following command:
      $cert=New-SelfSignedCertificate -Subject "CN=<app name>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
      Where <app name> is the name you assigned the app in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication. The certificate that you request must include the Azure app name in the subject field.
   3. Press Enter.
b. Export the public key from the Microsoft Management Console (MMC). Make sure to save the public certificate as a .cer or .pem file. The public key is used for the Azure app ID that is created.
   1. On the computer running Windows, open the Certificate Manager for the logged in user.
   2. Expand Personal.
   3. Click Certificates.
   4. Right-click the <user>@<domain> and click All Tasks > Export.
   5. In the Certificate Export Wizard, click No, do not export private key.
   6. Click Next.
   7. Select Base-64 encoded X.509 (.cer). Click Next.
   8. Provide a name for the certificate and save it to your desktop.
   9. Click Next.
   10. Click Finish.
   11. Click OK.
c. Export the private key from the Microsoft Management Console (MMC). Make sure to include the private key and save it as a .pfx file. For instructions, visit docs.microsoft.com and read Export a Certificate with the Private Key. The private key is imported to the BEMS dashboard.
   1. On the computer running Windows, open the Certificate Manager for the logged in user.
   2. Expand Personal.
   3. Click Certificates.
   4. Right-click the <user>@<domain> and click All Tasks > Export.
   5. In the Certificate Export Wizard, click Yes, export private key.
   6. Click Next.
   7. Select Personal Information Exchange – PKCS #12 (.pfx). Click Next.
   8. Select the security method.
   9. Provide a name for the certificate and save it to your desktop.
   10. Click Next.
   11. Click Finish.
   12. Click OK.

2. Upload the public certificate (.pem or .cer file) that you exported in step 1 to associate the certificate credentials with the Azure app ID for BEMS.
   a) In portal.azure.com, open the <app name> you assigned the app in step 5 of Obtain an Azure app ID for BEMS with certificate-based authentication.
   b) Click Certificates & secrets.
   c) In the Certificates section, click Upload certificate.
   d) In the Select a file search field, navigate to the location where you exported the certificate in step 2.
   e) Click Add.
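The self-signed certificate path in step 1 can be scripted end to end in PowerShell instead of using the MMC export wizard, with checks that the file destined for Azure carries no private key. This is an added example, not part of the BlackBerry guide; the output folder and file names are assumptions, and <app name> remains the placeholder used in the guide.

```powershell
# Assumptions for this example: output folder and file names.
$AppName = '<app name>'   # name assigned to the app registration in Azure
$OutDir  = Join-Path $env:USERPROFILE 'Desktop'
$CerPath = Join-Path $OutDir 'bems-azure-app.cer'
$PfxPath = Join-Path $OutDir 'bems-azure-app.pfx'

# Prompt for the .pfx password so it is not stored in the script or in
# shell history. The same password is later typed into the BEMS dashboard.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx file'

# Step 1a: create the certificate with the command given in the guide.
$cert = New-SelfSignedCertificate -Subject "CN=$AppName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec Signature

# Step 1b: write the public certificate only, as Base-64 encoded X.509 (.cer).
$b64 = [Convert]::ToBase64String(
    $cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($CerPath, $pem, [System.Text.Encoding]::ASCII)

# Step 1c: export certificate and private key as PKCS #12 (.pfx).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword |
    Out-Null

# Checks before anything is uploaded: the .cer must be the same certificate
# and must not contain the private key.
$public = New-Object `
    System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $CerPath
if ($public.HasPrivateKey) {
    throw "$CerPath contains a private key; do not upload it to Azure."
}
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw 'The exported .cer does not match the generated certificate.'
}

# Summary: the thumbprint can be compared with the one Azure lists for the
# uploaded certificate, and NotAfter shows when the certificate must be renewed.
[pscustomobject]@{
    Subject    = $public.Subject
    Thumbprint = $public.Thumbprint
    NotAfter   = $public.NotAfter
    PublicFile = $CerPath   # upload to Azure (step 2)
    PfxFile    = $PfxPath   # upload to the BEMS dashboard; holds the private key
} | Format-List
```

The .pfx file is the only copy of the private key outside the certificate store, so keep it off shared locations and delete it once it has been uploaded to the BEMS dashboard.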

Import the trusted mutual TLS certificates into the BEMS keystore

In environments where the metadata endpoint is protected by mutual TLS authentication, you must import the mutual TLS certificate into the BEMS keystore. Adding this certificate allows BEMS to respond to mutual TLS verification requests as required. Use DBManager to import the certificates. By default, DBManager is located in the installation folder at <drive>:\GoodEnterpriseMobilityServer\GoodEnterpriseMobilityServer\DBManager.

Before you begin: Save a copy of the .pfx certificate that you exported from the Certificate Authority to a convenient location on the computer that hosts BEMS.

1. On the computer that hosts the on-premises BEMS, verify that the PATH System variable includes the path to the JAVA directory.
   a) In a command prompt, type set | findstr "Path".
   b) Press Enter.
2. Make a backup of the Java keystore file. The Java keystore file is located at %JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is confirmed in Step 1.
3. Import the mutual TLS certificate.
   a) On the computer that hosts BEMS, in a command prompt run as administrator, navigate to DBManager.
   b) Type,
      tools\dbmanager\target>java -classpath "*" com.good.tools.db.client.Client -dbHost "localhost" -dbName "BEMS_DB_name" -dbType sqlserver -action addprivatekey -keyPassword "password" -p12File "<certificate_file-path>/<filename>.pfx" -alias "mutualTLS" -tenantId "default" -integratedAuth true
4. In the Windows Service Manager, restart the Good Technology Common Services service.

Troubleshooting the Push Notifications database

BEMS cannot connect to the Push Notifications database

Possible cause

The Microsoft Exchange configuration information was applied before the Database information.

Possible solution

1. Restart the Good Technology Common Services.
2. Verify the Database information. For instructions, see Configure the Microsoft SQL Server database for Push Notifications service
3. Repopulate the Microsoft Exchange Server information. For instructions, see Configure BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365

Configure Stop Notifications

By default, notifications are sent to a user's device and are regulated by timers. The Stop Notifications feature allows you to immediately stop notification for all devices associated with a particular user. A user can resubscribe to notifications, but only if the user is entitled to an app that can subscribe to notification services.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Stop Notifications.
3. In the User Email Address field, type the email address of the user you want to stop notifications for.
4. Click Save.

Configure User Directory Lookup 

The User Directory Lookup service allows client apps to look up first name, last name, and the associated photo or avatar from your company directory. A User ID Property Name determines whether query results from various sources, such as Microsoft Exchange Web Services (EWS) and LDAP, correspond to the same user and may therefore be consolidated into a single result.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click User Directory Lookup.
3. In the User ID Property Name field, type the name of the property that identifies the user. By default, this is "Alias".
4. Select the Enable GAL Lookup checkbox, the Enable LDAP Lookup checkbox, or both.
5. If you enable LDAP lookup, you can use it to validate digital certificate connections to the LDAP server.
   a) In the LDAP Server Name field, type the name of the LDAP Server. For example, ldap.<DNS_domain_name>.
   b) In the LDAP Server port field, type the port number of the LDAP Server. By default, the port number is 389.
   c) Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636.
   d) Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces the "{key}" with the user name when performing the query. By default, the template is

      (&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

   e) Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is not completed, BEMS tries to find the base DN in the namingContexts attribute.
   f) In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.
      • If you select Basic, enter the LDAP Logon User name and password. In a Microsoft Active Directory environment, enter the username in the format domain\username.
      • If you selected the Enable SSL LDAP checkbox, and select Certificate authentication, enter the keystore password and add the certificate file.
   g) In the User search key field, type a username or email address to search for.
   h) Click Test.
6. Click Save.


Configure the Certificate Directory Lookup

The Certificate Directory Lookup service retrieves S/MIME digital certificates from the user's Microsoft Active Directory. These certificates enable email encryption and signature functionality in BlackBerry Work apps. For more information about configuring and using S/MIME on devices, see the BlackBerry Work, Tasks, and Notes Administration Guide.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
2. Click Certificate Directory Lookup.
3. Optionally, select the Include expired certificates in results checkbox.
4. By default, the Enable Contact Lookup checkbox and Enable GAL Lookup checkbox are selected. If you clear the Enable GAL Lookup checkbox, users can't send encrypted email messages to public distribution lists and private or personal distribution lists (for example, distribution lists in the user’s contact folder).
5. Select the Enable LDAP Lookup checkbox.
6. If you select LDAP lookup, you can use it to validate digital certificate connections to the LDAP server.
   a) In the LDAP Server Name field, type the name of the LDAP Server. For example, ldap.<DNS_domain_name>.
   b) In the LDAP Server port field, type the port number of the LDAP Server. By default, the port number is 389.
   c) Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636.
   d) Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces the "{key}" with the user name when performing the query. The default template is

      (&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

   e) Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is not completed, BEMS tries to find the base DN in the namingContexts attribute.
   f) In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.
      • If you select Basic, enter the LDAP Logon User name and password. In a Microsoft Active Directory environment, enter the username in the format domain\username.
      • If you selected the Enable SSL LDAP checkbox and select Client Certificate authentication, enter the keystore password and certificate file.
   g) In the End User Email Address field, type an end-user email address to search for.
   h) Click Test.
7. Click Save.

After you finish: If you selected Certificate authentication, you can view the certificate information. Click Certificate Directory Lookup. The following certificate information is displayed:

• Subject
• Issuer
• Validation period
• Serial number
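Both lookup services above use the same LDAP User Name Query Template. The following Python is an added example, not BEMS code: it checks an edited template for the safeguards that the default template carries and previews the filter produced for a search key. The function names are hypothetical, and escaping the key per RFC 4515 is an assumption, because this guide does not say how BEMS treats special characters in the key.

```python
import re
from typing import List

# Default template as printed in this guide.
DEFAULT_TEMPLATE = (
    "(&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)"
    "(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule and
# bit 2 of userAccountControl is ACCOUNTDISABLE, so this clause drops disabled accounts.
DISABLED_EXCLUSION = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def escape_value(key: str) -> str:
    """Escape filter metacharacters in a search key (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in key)


def expand(template: str, key: str) -> str:
    """Preview the filter for one search key (escaping is an assumption, see lead-in)."""
    return template.replace("{key}", escape_value(key))


def balanced(filter_text: str) -> bool:
    """True when every '(' has a matching ')', skipping escaped characters."""
    depth, i = 0, 0
    while i < len(filter_text):
        c = filter_text[i]
        if c == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def searched_attributes(template: str) -> List[str]:
    """Attributes that the search key is matched against."""
    return re.findall(r"\((\w+)=\*?\{key\}", template)


def check_template(template: str) -> List[str]:
    """Return warnings for an edited template; an empty list means none."""
    compact = re.sub(r"\s+", "", template)
    warnings = []
    if "{key}" not in compact:
        warnings.append("no {key} placeholder, so the search key is ignored")
    if not balanced(compact):
        warnings.append("unbalanced parentheses")
    if DISABLED_EXCLUSION not in compact:
        warnings.append("disabled accounts are no longer excluded")
    if "(objectClass=user)" not in compact or "(objectCategory=person)" not in compact:
        warnings.append("results are no longer limited to user/person objects")
    return warnings


if __name__ == "__main__":
    print(check_template(DEFAULT_TEMPLATE))
    print(expand(DEFAULT_TEMPLATE, "jsmith"))
```

Run check_template on a template before pasting it into the LDAP User Name Query Template field, then confirm the result with the Test button in the dashboard.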

Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes

When you use BEMS in a BlackBerry UEM environment, you must prepare the BlackBerry UEM by completing the following tasks:

• If required, synchronize your existing Good Control server information, such as policies and profiles, to BlackBerry UEM.
• Manage BlackBerry Dynamics apps, such as BlackBerry Work, by adding them to BlackBerry UEM.
• Manage users and groups.
• Activate devices.

For more information about configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes, see the BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes Administration content.

Set the detailed Notifications Cutoff Time

If BlackBerry Work has not been unlocked and actively used on a device after a specified time, the BEMS Push Notifications service removes details about individual email messages from Notifications that are displayed on the device. Message details in Notifications sent by the BEMS Push Notifications service resume the next time BlackBerry Work is unlocked and used on the device.

1. Open a browser and go to the Apache Karaf Web Console Configuration web site located at http://<fqdn_of_the_bems_host>:8443/system/console/configMgr and log in as administrator with the appropriate Microsoft Active Directory credentials.
2. On the menu, click OSGi > Configuration.
3. Click Good Technology Email Push Coalescing.
4. In the pushDowngradeCutoffSec field, increase or decrease the value, in seconds, as required. The default value is 43200 seconds or 12 hours. The maximum value is 259200 seconds, or 3 days.
5. Click Save.

Configuring the Push Notifications service for high availability

High availability for the Push Notifications service is based on clustering. The Push Notifications service supports high availability by adding additional servers running Push Notifications. The BEMS instances that host the Push Notifications services that you designate to participate in high availability must share the same database. If a BEMS instance is unavailable, other instances in the high availability environment perform a check approximately every minute to verify whether all of the instances are available. If a BEMS instance is offline, users are distributed among the available instances. Consider the following scenario:

Your BEMS environment is configured for high availability and includes four BEMS instances which support 10000 users. BEMS_name1 is taken offline for maintenance. The other BEMS instances routinely perform a search of available BEMS.

• If the BEMS instance is available, the log files display the instance with a state of GOOD:

<YYYY-MM-DD>T14:16:59.385-0500 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.13.21 | INFO | unknown | 5 | ID=297 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name1 is in state GOOD with 1/10000 users (0.01% capacity). Last status was updated at "<YYYY-MM-DD> T19:16:59.359 UTC". FeatureSet:AgingStaleUser, RichPush, VIPNotification, apnsPayload2k, badgeCount, subFolderNotification, pushSettings, smimeCertificateLookup, soundSettings, badgeCount2, autodiscover, notificationsSettings, localizedPush, delayWriteSyncState, RightToDisconnect, FCMRelayService updated at "1532523850857"

• If the BEMS instance is unavailable, the log files display the instance with a state of BAD and users are distributed as required. In the following log example, two BEMS instances, BEMS_name1 and BEMS_name2, are checked and the BEMS_name1 instance that is unavailable is flagged as BAD.

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-comm | pushnotify-ha-comm | 0.15.3 | INFO | unknown | 5 | ID=309 THR=DbWatcher-0 CAT=HaProducerImpl MSG=BAD!! Last known status of HaWorker "BEMS_name1" is "<YYYY-MM-DD>T10:45:47.831 UTC". It is before cut-off time "<YYYY-MM-DD> T13:37:33.860 UTC"

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Got status of 2 workers

<YYYY-MM-DD>T14:42:33.874+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name2 is in state GOOD with 359/10000 users (3.59% capacity). Last status was updated at "<YYYY-MM-DD> T13:42:33.693 UTC". FeatureSet:AgingStaleUser, RichPush, VIPNotification, apnsPayload2k, badgeCount, subFolderNotification, pushSettings, smimeCertificateLookup, soundSettings, badgeCount2, autodiscover, notificationsSettings, localizedPush, delayWriteSyncState, RightToDisconnect, FCMRelayService, Delegate updated at "1545046557729"

<YYYY-MM-DD>T14:42:33.875+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name2 is idle 359/10000 (3.59% capacity)

<YYYY-MM-DD>T14:42:33.875+0100 CEF:1 | pushnotify-ha-dbwatcher | pushnotify-ha-dbwatcher | 0.15.3 | INFO | unknown | 5 | ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG=Worker BEMS_name1 is in state BAD with 0 users. Last status was updated at "<YYYY-MM-DD> T10:45:47.831 UTC"
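The GOOD and BAD records above can be checked automatically. The following Python is an added example, not part of BEMS or of this guide: it parses records in the layout shown in the excerpts and reports BAD workers and, going slightly beyond the excerpts, workers at or above a load threshold. The sample lines are constructed, and the function names and the 80% default threshold are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the excerpts above: a made-up date replaces
# the <YYYY-MM-DD> placeholder and the FeatureSet list is shortened.
_HDR = "2020-01-15T14:42:33.874+0100 CEF:1 | {c} | {c} | 0.15.3 | INFO | unknown | 5 | "
_TASKS = _HDR.format(c="pushnotify-ha-dbwatcher") + "ID=310 THR=DbWatcher-0 CAT=ProducerTasksRunner MSG="
SAMPLE_LOG = "\n".join([
    _HDR.format(c="pushnotify-ha-comm")
    + 'ID=309 THR=DbWatcher-0 CAT=HaProducerImpl MSG=BAD!! Last known status of HaWorker '
      '"BEMS_name1" is "2020-01-15T10:45:47.831 UTC". It is before cut-off time '
      '"2020-01-15 T13:37:33.860 UTC"',
    _TASKS + "Got status of 2 workers",
    _TASKS + 'Worker BEMS_name2 is in state GOOD with 359/10000 users (3.59% capacity). Last status '
             'was updated at "2020-01-15 T13:42:33.693 UTC". FeatureSet:AgingStaleUser, RichPush '
             'updated at "1545046557729"',
    _TASKS + "Worker BEMS_name2 is idle 359/10000 (3.59% capacity)",
    _TASKS + 'Worker BEMS_name1 is in state BAD with 0 users. Last status was updated at '
             '"2020-01-15 T10:45:47.831 UTC"',
])

TAIL = re.compile(r"ID=(?P<id>\d+) THR=(?P<thr>\S+) CAT=(?P<cat>\S+) MSG=(?P<msg>.*)")
STATE = re.compile(r"Worker (?P<name>\S+) is in state (?P<state>GOOD|BAD) "
                   r"with (?P<users>\d+)(?:/(?P<cap>\d+))? users")
STALE = re.compile(r'BAD!! Last known status of HaWorker "(?P<name>[^"]+)" is '
                   r'"(?P<last>[^"]+)"\. It is before cut-off time "(?P<cutoff>[^"]+)"')
UTC_TS = re.compile(r"(\d{4}-\d{2}-\d{2})\s?T(\d{2}:\d{2}:\d{2}\.\d+) UTC")


@dataclass
class Worker:
    name: str
    state: str = "UNKNOWN"
    users: int = 0
    capacity: Optional[int] = None
    stale_seconds: Optional[float] = None  # how far the last status lags the cut-off


def parse_record(line: str) -> Optional[dict]:
    """Split one pipe-delimited record into header fields and MSG text."""
    parts = line.strip().split(" | ", 7)
    if len(parts) != 8 or not parts[0].endswith(" CEF:1"):
        return None
    tail = TAIL.match(parts[7])
    if tail is None:
        return None
    return {"time": parts[0].rsplit(" ", 1)[0], "component": parts[1],
            "level": parts[4], "cat": tail["cat"], "msg": tail["msg"]}


def parse_utc(text: str) -> datetime:
    """Parse the quoted UTC timestamps, with or without a space before the 'T'."""
    m = UTC_TS.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S.%f")


def worker_status(log_text: str) -> Dict[str, Worker]:
    """Return the latest known state of every worker named in the log."""
    workers: Dict[str, Worker] = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # not a record in the expected layout
        stale = STALE.search(rec["msg"])
        state = STATE.search(rec["msg"])
        if stale:
            w = workers.setdefault(stale["name"], Worker(stale["name"]))
            w.state = "BAD"
            w.stale_seconds = (parse_utc(stale["cutoff"]) - parse_utc(stale["last"])).total_seconds()
        elif state:
            w = workers.setdefault(state["name"], Worker(state["name"]))
            w.state, w.users = state["state"], int(state["users"])
            w.capacity = int(state["cap"]) if state["cap"] else None
            if w.state == "GOOD":
                w.stale_seconds = None  # worker has reported again
    return workers


def alerts(workers: Dict[str, Worker], max_load: float = 0.8) -> List[str]:
    """Flag workers that are BAD or at or above max_load of their capacity."""
    out = []
    for name in sorted(workers):
        w = workers[name]
        if w.state == "BAD":
            age = "unknown" if w.stale_seconds is None else f"{w.stale_seconds:.0f}s"
            out.append(f"{name}: BAD, last status {age} older than cut-off")
        elif w.capacity and w.users / w.capacity >= max_load:
            out.append(f"{name}: {w.users}/{w.capacity} users ({w.users / w.capacity:.1%} of capacity)")
    return out


if __name__ == "__main__":
    for alert in alerts(worker_status(SAMPLE_LOG)):
        print(alert)
```

After a worker goes BAD its users move to the remaining instances, so the load check on the surviving workers is the second thing to watch.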

When you configure the Push Notifications service for high availability, you complete the following actions:

1. During the installation of additional Push Notifications service instances, on the Database Information screen you specify the same database for each instance. For example, BEMS-Core.

2. Configure the BlackBerry Work connection settings. For instructions, see "Configure BlackBerry Work connection settings" in the BlackBerry Work, Notes, and Tasks Administration content. If you have the Mail service installed on multiple computers, repeat this step for each computer that hosts the service.

Configuring the Push Notifications service for disaster recovery

Recommended disaster recovery measures for Push Notifications service are based on an active/warm standby clustering model. For more information on configuring your environment for disaster recovery, see the BlackBerry UEM Disaster Recovery content.

Before adding a Push Notifications service instance for disaster recovery, you complete the following actions:

1. Install the Push Notifications service in the disaster recovery site.
2. Configure database replication for the Push Notifications service database (BEMS-Core) from your primary site to your disaster recovery site. SQL log shipping is recommended. Consult your database administrator for assistance.
3. Make sure that the appropriate network ports are open to allow the Push Notifications service servers within your disaster recovery site to communicate with the database, Microsoft Exchange Server, and BlackBerry Proxy servers in your disaster recovery and primary site.

When you configure a disaster recovery Push Notifications service instance, you complete the following actions:

1. Configure the disaster recovery Push Notifications service instance to use the primary database (for example, DBPrimaryCluster) in the cluster. For instructions, see Configure the Microsoft SQL Server database for Push Notifications service.
2. Add the server, or servers if the Mail service is installed on a separate computer, to the entitlement. Make sure to specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services. For instructions, see "Configure BlackBerry Work connection settings" in the BlackBerry Work administration content.

Note: After the disaster recovery Push Notifications service instance is installed and configured, stop the Good Technology Common Services to place the Push Notifications service instance in warm standby.

In a disaster recovery situation in which you want to failover, you complete the following actions:

1. Stop the BlackBerry Common service on all your primary Push Notifications service instances. For example, DBPrimaryCluster.
2. Failover your Push Notifications service database (BEMS-Core) on your database server. For example, make the Push Notifications service database active.
3. Failover your database FQDN DNS to your disaster recovery database server.
4. If you cannot failover your database FQDN DNS, log in to the BEMS Dashboard and update the Push Notifications service database information to point to your disaster recovery database server.
5. Start the Good Technology Common Services on your disaster recovery Push Notifications service instance.

Push Notifications service logging and diagnostics

Performance logs and diagnostic information for BEMS and the BlackBerry Push Notifications service are located in the BEMS Karaf Console. To give login and configuration permissions to members of the administration group, see Add dashboard administrators.

The log files are stored in the BEMSLogs directory. By default, the log files are located in: C:\blackberry\bemslogs.

View relevant logs in the BEMS Web Console

The BEMS Web Console provides advanced configuration and tuning options for BEMS. It should be used with care as it offers advanced maintenance capabilities intended for expert users of the system.

1. Open a browser and go to the Apache Karaf Web Console Configuration web site located at http://<fqdn_of_the_bems_host>:8443/system/console/configMgr and log in as administrator with the appropriate Microsoft Active Directory credentials.
2. On the menu, click OSGi > Log Service.
3. Scroll through the log activity. It's listed in chronological order.

After you finish: You can view the logs from the BEMS installation directory.

Configuring the Connect service

The Connect service governs instant messaging and presence capabilities of the BlackBerry Connect app.

When you configure the Connect service, you perform the following actions. If you installed the Connect service on multiple computers, complete this task on each computer that hosts the Connect service.

1. Configure the Connect service in the BEMS Dashboard.
2. Configure BlackBerry UEM for BlackBerry Connect.
3. Configure the Connect service for SSL communications using BlackBerry Proxy.
4. Optionally, enable the Connect service to use a global catalog.
5. Add the computer, or computers if the Connect service is installed on multiple computers, to the entitlement. For instructions, see "Configure BlackBerry Connect connection settings in BlackBerry UEM" in the BlackBerry Connect admin content.


Configuring the Connect service in the BEMS dashboard

The Connect service components are not accessible until you enter the service account credentials for BEMS. BEMS uses this information to securely connect to Microsoft Services like Microsoft Active Directory, Microsoft Lync Server, Microsoft Exchange Server, Skype for Business server, and Microsoft SQL Server. The service account credentials are not stored after the browser session ends and must be entered each time you access the Connect service. The service account must have RTCUniversalReadOnlyAdmins rights. If an account has not yet been created, contact your Windows domain administrator to request an account.

Before you configure the BlackBerry Connect service, if you have an on-premises Microsoft Lync Server or Skype for Business server make sure you prepare the Microsoft Lync Server or Skype for Business topology for BEMS. For instructions, see Preparing the Microsoft Lync Server and Skype for Business topology for BEMS.

Note: If you make changes to the BEMS dashboard, you must first stop the Good Technology Connect service, make the changes, and then start the Good Technology Connect service for the changes to take effect.

When you configure the Connect service, you configure the following components:

• Database
• BlackBerry Dynamics
• Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Cisco Jabber
• Optionally, Microsoft Exchange Server
• Optionally, Web proxy

Configure the Microsoft SQL Server database for the Connect service

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Database.
4. Enter the Microsoft SQL Server and database name.
5. In the Authentication Type drop-down list, select one of the following options:
   • If you select Windows Authentication, the Connect service uses the Windows credentials to access the Microsoft SQL Server database.
   • If you select SQL Server Login, type the username and password used to access the Microsoft SQL Server database.
6. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.
7. Click Test to verify the connection with the database.
8. Click Save.

Configure BEMS connectivity with BlackBerry Dynamics

The BlackBerry Dynamics server information in the following instructions refers to the FQDN of the server that hosts the BlackBerry Proxy service. The BlackBerry Proxy service is installed on on-premises BlackBerry UEM servers that have BlackBerry Connectivity Node. The BlackBerry Connectivity Node is required for some BlackBerry UEM Cloud deployments when they link a company directory to the BlackBerry UEM Cloud tenant and to offer on-premises connectivity to BlackBerry Dynamics users activated using the BlackBerry UEM Cloud. For more information about the BlackBerry Connectivity Node, see the BlackBerry UEM Planning content.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. Click Service Account.
3. Enter the service account username and password.
4. Click Save.
5. Click BlackBerry Dynamics.
6. In the Hostname field, type the FQDN of the server hosting the BlackBerry Proxy service.
7. In the Port field, the port number is prepopulated based on the communication type that you select.
   • If you select HTTP, the Port field prepopulates to 17080.
   • If you select HTTPS, the Port field prepopulates to 17433.

   Note: If you select HTTPS, you must import the trusted certificate to the Windows keystore. For instructions, see Import the BlackBerry Proxy CA certificate to the BEMS Windows keystore.
8. Click Test to verify the connection to the BlackBerry Proxy server.
9. Click Save.

After you finish: If you selected HTTPS, you must configure the BlackBerry Connect app to use SSL communications. For instructions, see "Configuring BlackBerry Connect app settings" for your environment in the BlackBerry Connect Administration content.

Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Skype for Business Online for the Connect service

You can configure your environment to work with Microsoft Lync Server, Skype for Business and Skype for Business Online.

Before you begin:

• If your environment uses multiple Skype for Business on-premises servers using trusted application mode or non-trusted application mode, have the Skype for Business servers load balanced with a load balance server. For more information about load balancing requirements, visit https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/load-balancing.
• If your environment uses Skype for Business in non-trusted application mode, verify that you completed the prerequisite for the LyncDiscoverInternal DNS record. For more information about preinstallation requirements, see "BlackBerry Connect and BlackBerry Presence" in the BEMS installation content.
• If your environment uses Skype for Business in non-trusted application mode, import the certificate chain trust into the BEMS Java keystore to trust the HTTPS connections to LyncDiscoverInternal.example.com and the Skype Front End pool. For instructions on how to import the certificate chain, see Import the CA certificate into the Java certificate store.
• If you configure your environment to use Skype for Business Online, have the following information:
   • Skype for Business Online tenant name
   • Connect service app ID and app Key
   • BlackBerry Connect app ID

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Lync 2010, Lync 2013, or Skype for Business. The system queries the instant messaging server to verify that the appropriate BEMS instant messaging server topology is added. This can take a few moments.
4. Complete one of the following tasks:


Instant messaging server in environment | Tasks

Microsoft Lync Server 2010 or Microsoft Lync Server 2013

   a. In the Application ID drop-down list, select <appid_connect.mycompany.com>.

      If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.

Skype for Business Online

   a. Select the Skype for Business Online checkbox.
   b. In the Tenant name/ID field, enter the tenant name for your Skype for Business Online. If you need to connect to more than one tenant, enter common.
   c. In the BlackBerry BEMS Connect/Presence Service App ID field, enter the BlackBerry BEMS Connect service App ID. For instructions on obtaining the app ID, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
   d. In the BlackBerry BEMS Connect/Presence Service App Key field, enter the BlackBerry BEMS Connect service app key. For instructions on obtaining the App Key, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
   e. In the BlackBerry Connect Client App ID field, enter the BlackBerry Connect client app ID. For instructions, see Obtain an Azure app ID for the Connect client.

Skype for Business on-premises using trusted application mode

   Note: Using this configuration, the Connect service is trusted by Skype for Business and can impersonate a user. End user authentication is not required on the device to access BlackBerry Connect.

   a. Select the Skype for Business On-Premises check box.
   b. Select Trusted Application Mode.
   c. Beside the Application ID dropdown list, click Browse. This step can take up to a minute to complete.
   d. In the Application ID drop-down list, select the app ID. For example, <appid_connect.mycompany.com>.

      If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.
   e. If you enable persistent chat in your Skype for Business 2015 environment, in the Persistent Chat Default Category field, enter the default category. For more information on enabling persistent chat, see the BlackBerry Connect Administration content.


Skype for Business on-premises using non-trusted application mode

   Note: Using this configuration, the Connect service is not trusted by Skype for Business and cannot impersonate a user. End user authentication on the device is required to access BlackBerry Connect.

   a. Select the Skype for Business On-Premises check box.
   b. Select Non-trusted Application Mode.
   c. Complete one or both of the following actions:
      • Select the Auto discover servers checkbox for BEMS to use the existing DNS records of LyncDiscoverInternal to discover the Skype for Business servers in the environment. For more information about preinstallation requirements, see "BlackBerry Connect and BlackBerry Presence" in the BEMS installation content.
      • Enter the default Skype for Business on-premises FQDN or the complete URL to the Skype for Business server for BEMS to use if autodiscovery is not enabled or fails. For example, http(s)://<FQDN_of_the Skype_front_end_pool>/Autodiscover/AutodiscoverService.svc/root/oauth/user.

      Note: The certificate chain trust must be imported into the BEMS Java keystore to trust the HTTPS connections to LyncDiscoverInternal.example.com and the Skype Front End pool. For instructions on how to import the certificate chain, see Import the CA certificate into the Java certificate store.

Skype for Business and Skype for Business Online

   • Complete the tasks for Skype for Business Online and Skype for Business on-premises using trusted application mode or non-trusted mode.

5. Click Test to verify that the Azure information is accurate.
6. Complete one or both of the following actions to log in to the user account:
   • If you configure the environment to use Skype for Business On-Premises
     a. Click Test.
     b. Enter a user email address and password.
     c. Click Test.
   • If you configure the environment to use Skype for Business Online
     a. Click Test.
     b. Sign in to a user account.
7. Click Save.

After you finish:

Depending on your environment configuration, you can configure BEMS to allow users to provision the BlackBerry Connect app using an email address that is different from the email address used to login to Skype for Business Online. For more information about setting the ucwa.appresource.uservalidation.skip parameter and understanding the settings in the common settings configuration file, see Appendix B: Understanding the Skype for Business Online Common Settings configuration file.

For more information about available settings in the BEMS-Connect configuration files, see Appendix A: Understanding the BEMS-Connect configuration file.


Obtain an Azure app ID for the Connect client

Before you begin: To grant permissions, you must use an account with tenant administrator privileges. If you need to obtain multiple Azure app IDs (for example, BlackBerry Work, BEMS, and Docs), it is recommended that you create a separate app ID for each app.

1. Log on to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the application.
6. Select a supported account type.
7. In the Redirect URI drop-down list, select Public client (mobile & desktop) and enter urn:ietf:wg:oauth:2.0:oob
8. Click Register.
9. Add an additional Redirect URI.
   a. In the App that you registered, on the Overview page, click the link for the URI beside Redirect URIs.
   b. In the Mobile and desktop applications section, click Add URI.
   c. In the blank field, enter com.blackberry.connect://ADAL/
   d. In the Advanced Settings section, set the Treat application as a public client to Yes.
   e. Click Save.
10. Click API permissions.
11. Click Add a permission.
12. In the Select an API section, click APIs my organization uses.
13. Search for and select the application name that you created for Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs service.
14. Click Add permissions.
15. Complete only one of the following tasks:

    Important: These tasks require tenant administrator privileges.

    • In the API permissions screen, click Grant admin consent for <organizational directory name>. Click Yes.
    • Click Azure Active Directory > Users > User settings. Click Manage how end users launch and view their applications. Set the Users can consent to apps accessing company data on their behalf to No. Click Save.

      Complete this option to present each BlackBerry Connect user with a prompt to approve that their user account is used to access the Connect service when they log in.
16. Copy the Application (client) ID. The Application (client) ID is displayed in the main Overview. This is used for the following:
    • Client ID in the Azure portal, Expose an API > Add a client application screen
    • BlackBerry Connect Client App ID in the BEMS dashboard for BlackBerry Connect
    • BlackBerry Presence Client App ID in the BEMS dashboard for BlackBerry Presence

Allow users to use the UPN to authenticate to Skype for Business Online

You can configure BEMS to allow users to authenticate to Skype for Business Online using their UPN address when it is different from the email address that was used to install and activate the BlackBerry Connect app.

Complete this task only if your environment uses modern authentication. You can configure BEMS to disable validating the email address when users authenticate to Skype for Business Online or the environment uses Azure-IP.

1. If your users are configured with UPNs that are different from their email address, enable the "Use explicit UPN" property to allow BlackBerry Connect to authenticate to Microsoft Office 365. For more information, see the BlackBerry UEM on-premises configuration content.
   a) In BlackBerry UEM, on the menu bar, click Settings > BlackBerry Dynamics > Global Properties.
   b) Under the Kerberos Constrained Delegation heading, select the Use explicit UPN checkbox.
   c) Click Save.
2. Sign in to the computer that is running the BEMS-Connect service.
3. In a browser, open the Apache Karaf Web Console Configuration web site. Type https://localhost:8443/system/console/configMgr and log in as administrator with the appropriate Microsoft Active Directory credentials.
4. On the menu, click OSGi > Configuration.
5. Click Blackberry Connect UCWA common settings.
6. In the ucwa.appresource.uservalidation.skip field, type true.
7. Click Save.
8. Close the browser.

Configuring the BEMS-Presence and BEMS-Connect services in a multi-cluster Cisco Unified Communications Manager for IM and Presence environment

You can configure the BEMS-Presence and BEMS-Connect services for users that are located in multi-cluster Cisco Unified Communications Manager for IM and Presence deployments to locate and communicate with each other.

Configuring your Cisco Unified Communications Manager for IM and Presence multi-cluster environment with the BEMS Presence and Connect service allows users to connect and communicate with users in the same Presence domain and located in separate clusters.

Steps to configure a multicluster Cisco Unified Communications Manager IM and Presence environment for BlackBerry Connect and BlackBerry Presence services

When you configure a multicluster Cisco Unified Communications Manager IM and Presence environment for BlackBerry Connect and BlackBerry Presence services, you perform the following actions:

Step Action

1. Make sure your multi-cluster environment has the following configured:
   • DNS SRV records for Cisco Jabber Service Discovery. For instructions, see "Service Discovery" in the Cisco Jabber Planning Guide for your version of Cisco Jabber.
   • Cisco Intercluster Lookup Service (ILS) between the CUCM clusters in your environment. For instructions, see "Intercluster Lookup Service" in the Cisco Unified Communications Manager Features and Services Guide for your version of Cisco Unified Communications Manager.
   • Intercluster Peering between the CIMP clusters in your environment. For instructions, see "Intercluster Peer Configuration" in the Cisco Unified Communications Manager Configuration and Administration Guide for your version of the Cisco Unified Communications Manager.
2. Create the following users and passwords on each CUCM Publisher in each CUCM cluster in a multi-cluster environment. These must be the same, including case sensitivity, on each server. BEMS uses these users and passwords to authenticate to the CUCM server for user Presence information.
   For BlackBerry Connect
   • AXL application user username and password. The AXL application user must be a user that is in a group that is assigned the Standard AXL API Access role. For more information, see your Cisco documentation.
   For BlackBerry Presence
   • Application user and password. For instructions, see Create an Application User.
   • UDS Username (Dummy user). For instructions, see Create a Dummy User.
3. Download the required certificates from each cluster.
   • Tomcat.der
   • Cup.der
   • Cup-xmpp.pem and Cup-xmpp-ECDSA.pem (in a Cisco 11.x or later environment)
   • CUCM SSL certificate. Visit the Cisco Devnet to see Download the Cisco Unified CM SSL Certificate
4. Import the certificates into the Java keystore. For instructions, see Import the CA certificate into the Java certificate store.
5. Configure the BlackBerry Connect service.
6. Configure the BlackBerry Presence service.

Configure the BEMS-Connect service for Cisco Unified Communications Manager IM and Presence

With BEMS installed, the initial configuration dashboard URL used will not match the self-signed certificate that was created. You can replace localhost with the FQDN that you specified during the installation, and bookmark this for future use.

Before you begin: Stop the Good Technology Connect service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Jabber.
4. In the IM and Presence SIP domain field, enter the SIP domain.
5. If your environment consists of multiple IM and Presence service clusters, select the Enable Service Discovery checkbox and enter the following information:
   • Enter the AXL Application user username and AXL Application password. The AXL Application user must be in a group that is assigned the Standard AXL API Access role. For more information, see your Cisco documentation.

   • If the voice service and XMPP service domains are not the same in your environment, in the Service Domain field, enter the domain where the SRV records are located.
6. In the Cisco Unified Communications Manager User Data Service (UDS) FQDN field, enter the FQDN of the Cisco Unified Communications Manager server that Jabber Presence Provider (JPP) needs to access and query the contact cards.
7. In the Cisco Unified Communications Manager User Data Service (UDS) port field, enter the Cisco Unified Communications Manager server port number that JPP uses with the ciscoUDSServer to query the contact cards. For example, 8443.
8. In the Cisco Unified Communications Manager IM and Presence XMPP client service FQDN field, enter the FQDN of the Cisco Unified Communications Manager IM and Presence server. Cisco Jabber uses CUCM LDAP only. It does not use directory lookup.
9. In the Cisco Unified Communications Manager IM and Presence XMPP client service port field, enter the outbound port that points to the Cisco Jabber XMPP Service. By default, this is 5222.
10. Start the Good Technology Connect service.

Configure BEMS to access on-premises Microsoft Exchange Server conversation histories

Note: Complete this task only if your environment includes an on-premises Microsoft Exchange Server. If your environment uses Microsoft Exchange Online, complete the instructions in Configure BEMS to access Microsoft Exchange Online conversation histories.

You can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:

• Users in an on-premises Skype for Business environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on Microsoft Office 365.

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Before you begin:

• Enable Autodiscovery on the Microsoft Exchange Server. For instructions, see your Microsoft Exchange Server documentation.
• Integrate the Microsoft Lync Server or Skype for Business with the Microsoft Exchange Server. For instructions, see your Microsoft Exchange Server and Microsoft Lync Server or Skype for Business documentation.
• Install the Microsoft Exchange Server SSL certificates on the computer that hosts the Connect service. If the SSL certificate is not installed correctly on the computer that hosts the Connect service, history logging to the Microsoft Exchange Server fails. For instructions, see your Microsoft Exchange Server documentation.
• The conversation history is enabled on the enterprise Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business for which you configure BlackBerry Connect.
• You prepared the Microsoft Lync Server or Skype for Business topology for BEMS. For instructions, see Preparing the Microsoft Lync Server and Skype for Business topology for BEMS.
• Grant application impersonation permission to the BEMS service account on the Microsoft Exchange Server.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.
2. If necessary, click Service Account and enter the BEMS service account credentials.

3. Click Microsoft Exchange.
4. Select the Enable Conversation History checkbox. Complete the following actions:
   • In the Please enter the Microsoft Exchange Server information field, type the web address of your Microsoft Exchange Server.
   • In the Exchange Server Type drop-down list, select the Microsoft Exchange Server version that is in your environment.
   • In the Server Write Interval field, type the frequency, in minutes, that each unique conversation is sent to the Microsoft Exchange Server.
   • If required, select the Requires Credential checkbox. Type the user name and password used to access the Microsoft Exchange Server.
5. Click Test.
6. Click Save.

Grant application impersonation permissions to the BEMS service account

Complete this task only if your environment has an on-premises Microsoft Exchange Server. For the Connect service to save instant messaging chats to the Microsoft Exchange Server Conversation History, the Connect service account must have impersonation permissions. Complete this task if you use a different service account for Connect.

Execute the following Microsoft Exchange Management Shell command to apply Application Impersonation permissions to the Connect service account. This task enables application impersonation for all users to the Connect service account.

1. On the Microsoft Exchange Server, open the Microsoft Exchange Management Shell.
2. Type New-ManagementRoleAssignment -Name:<ImpersonationAssignmentName> -Role:ApplicationImpersonation -User:<ConnectServiceAccount> (for example, New-ManagementRoleAssignment -Name:BlackBerryAppImpersonation -Role:ApplicationImpersonation -User ConnectAdmin).
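The assignment from this task, followed by a review of every account that holds ApplicationImpersonation, as an added example that is not part of the BlackBerry guide. ConnectAdmin and BlackBerryAppImpersonation are the guide's sample values; the review step is an addition and assumes the Exchange Management Shell.

```powershell
# Added example, not from the BEMS guide. Run in the Exchange Management Shell
# on the on-premises Microsoft Exchange Server.
$ConnectAccount = 'ConnectAdmin'                 # sample account name used in the guide
$AssignmentName = 'BlackBerryAppImpersonation'   # sample assignment name used in the guide

# Create the assignment only if the account does not already hold the role
# directly, so that re-running the script does not fail on a duplicate name.
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $ConnectAccount -ErrorAction SilentlyContinue
if (-not $existing) {
    $newAssignment = @{
        Name = $AssignmentName
        Role = 'ApplicationImpersonation'
        User = $ConnectAccount
    }
    New-ManagementRoleAssignment @newAssignment | Out-Null
}

# List every principal that can impersonate mailboxes, including accounts that
# receive the role through a role group.
$holders = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope

$holders | Sort-Object EffectiveUserName | Format-Table -AutoSize

# An assignment without a custom recipient scope applies to all users, which is
# what the command in this task creates. Any holder other than the Connect
# service account in this list should be explained or removed.
$unscoped = @($holders | Where-Object { -not $_.CustomRecipientWriteScope })
$unexpected = @($unscoped | Where-Object { $_.EffectiveUserName -ne $ConnectAccount })

"{0} unscoped ApplicationImpersonation holder(s); {1} other than {2}." -f $unscoped.Count, $unexpected.Count, $ConnectAccount
$unexpected | Format-Table Name, RoleAssigneeName, EffectiveUserName -AutoSize
```

Because the role lets the service account act as any mailbox owner, the account's credentials deserve the same protection as an Exchange administrator's.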

Configure BEMS to access Microsoft Exchange Online conversation histories

Note: Complete this task only if your environment includes Microsoft Exchange Online. If your environment uses an on-premises Microsoft Exchange Server, complete the instructions in Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.

If you configure the Connect service, you can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:

• Users in an on-premises Skype for Business environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on an on-premises Microsoft Exchange Server.
• Users in a Skype for Business Online environment who have mailboxes on Microsoft Office 365.

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Configure the web proxy for the Connect service

Complete this task if your organization uses a web proxy server to connect to the Internet. 

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Connect.

2. If necessary, click Service Account and enter the BEMS service account credentials.
3. Click Web Proxy.
4. Select the Use Web Proxy checkbox.
5. Type the proxy web address and port number.
6. In the Proxy Authentication Type drop-down list, select one of the following authentication types:
   • Basic authentication requires a user name and password by the Connect service to authenticate a request.
   • Digest authentication is more secure because it applies a hash function to the password before sending it over the network.
   • None, if no authentication is required.

   Note: If you specify an authentication type, the Connect service username and password are automatically populated based on the Windows domain service account you assigned to the Connect service under Configuring Windows Services.
7. Optionally, specify a domain.
8. Optionally, click Test to verify the connection to the web proxy.
9. Click Save.

After you finish: If your environment is configured to use Skype for Business Online, you must make sure that the BEMS web proxy server is configured so that users can log in to Skype for Business Online. For instructions, see Configure a web proxy server.

Configuring BlackBerry UEM for BlackBerry Connect

When you use BEMS in a BlackBerry UEM environment, you must prepare the BlackBerry UEM by completing the following tasks:

• If required, synchronize your existing Good Control server information, such as policies and profiles, to BlackBerry UEM.
• Manage BlackBerry Dynamics apps, such as BlackBerry Connect, by adding them to BlackBerry UEM.
• Manage users and groups.
• Activate devices.

For more information about configuring BlackBerry UEM for BlackBerry Connect, see the BlackBerry Connect Administration content.

Enabling persistent chat

The persistent chat feature allows users to create topic-based discussion rooms and participate in rooms. If you enable persistent chat in Microsoft Lync Server 2013 or Skype for Business 2015, you can enable it in your BEMS environment.

Note: Persistent chat is not supported in a Skype for Business Online and Skype for Business 2019 environment.

For more information about enabling persistent chat for BlackBerry Connect, see the BlackBerry Connect Administration content.

Configuring the Connect service for high availability

Configuring Connect for high availability is not supported for Connect using Cisco Jabber.

When you configure the Connect service for high availability, you perform the following actions:

1. Configure each new Connect instance to use the existing database.
2. In the BEMS Dashboard, configure each new Connect instance to point to the same BlackBerry Proxy server.

3. In the BlackBerry UEM console, add the new computer hosting the Connect service instance to BlackBerry UEM.

4. Add each new computer hosting the Connect instance to the BlackBerry Connect app settings.

Configuring the Connect service for disaster recovery

Disaster Recovery for the BlackBerry Connect service is based on an active/warm standby clustering model. Disaster recovery is not supported for BlackBerry Connect using Cisco Jabber.

Before you add a BlackBerry Connect instance for disaster recovery, you complete the following actions:

1. Evaluate your Microsoft Lync Server or Skype for Business disaster recovery strategy.

   If you have separate Front End pools for disaster recovery, create a separate Trusted Application Pool for your Connect instances. This separate Trusted Application Pool should be associated with the disaster recovery Front End pool. Associate all disaster recovery BlackBerry Connect instances to this Trusted Application Pool. If you don't have separate Front End pools for disaster recovery, then use a single Trusted Application Pool, but make sure your Lync or Skype for Business disaster recovery strategy properly preserves the Trusted Application Pool in the event of a failover.

   Consider the following for Microsoft Lync Server or Skype for Business front-end pool:

   Your environment has the following Microsoft Lync Server or Skype for Business Front-End pools:

   • Pool1 is for general use
   • Pool2 is for high availability use

   You create a Trusted Application Pool for Pool1. It is recommended you create an additional Trusted Application Pool for the high availability instances. The additional Trusted Application Pool is created in your front-end high availability pool.

2. Make sure that the appropriate network ports are open to allow BlackBerry Connect servers in your disaster recovery site to communicate with database, Microsoft Lync Server or Skype for Business Server, Microsoft Lync Server or Skype for Business database, and BlackBerry Proxy servers in your disaster recovery and primary site.

Add a new Connect service instance for disaster recovery

1. Install a new Connect service instance and turn off the service.
2. After the installation, configure Connect to use the database in the disaster recovery site.
3. Add the server, or servers if the Connect service is installed on multiple computers, to the entitlement. Make sure that you specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services. For instructions, see "Configure BlackBerry Connect connection settings in BlackBerry UEM" in the BlackBerry administration content.
4. Configure your disaster recovery Connect instance to use the secondary BlackBerry Proxy server in the cluster.
5. Allow the disaster recovery server hosting the BlackBerry Connect instance in BlackBerry UEM. Make sure you set the priority setting to Secondary or Tertiary.

After you finish: After the disaster recovery Connect instance is installed and configured, stop the Good Technology Connect service. This places the disaster recovery Connect instance in warm standby.

Allow the disaster recovery server hosting the BlackBerry Connect instance in BlackBerry UEM

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click   to create a new connectivity profile or click on the Default connectivity profile to edit it.

4. In the Additional servers section, click  .
5. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
6. In the Port field, specify the port for the BlackBerry Enterprise Mobility Server. By default, the port number is 8080 or 8443.
7. In the Primary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the primary cluster.
8. In the Secondary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
9. Click Save.
10. In the App servers section, click Add.
11. Search for and select BlackBerry Work.
12. Click Save.
13. In the table for the app, click  .
14. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server that is hosting the BlackBerry Connect service.
15. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
16. In the Priority drop-down list, specify the priority of the BlackBerry Proxy cluster that must be used to reach the domain. Select Secondary or Tertiary.
17. Click Save.

Failover in disaster recovery

1. Stop the Good Technology Connect service on all your primary Connect instances.
2. Start the Good Technology Connect service on your disaster recovery Connect instance.

Specify the BlackBerry Proxy the BlackBerry Connect service contacts in a cluster

You can specify the BlackBerry Proxy server that the Connect service contacts first. When you specify the BlackBerry Proxy, it forces BEMS to always communicate with this BlackBerry Proxy server first for any BlackBerry Dynamics messages. The Connect service uses the BlackBerry Proxy server to create a list of BlackBerry Proxy servers to use. If the BlackBerry Proxy server that you specified in the BEMS Dashboard fails, then the Connect service contacts the next primary BlackBerry Proxy server in the list.

By default, this feature is disabled. 

Before you begin:

• More than one BlackBerry Proxy is installed and configured in clusters in your environment.
• BEMS is configured to use a BlackBerry Proxy.

1. On the computer that hosts BEMS, in a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.
2. Add the following key and value to the file: type <add key="ENABLE_CONFIGURED_GP_PIN" value="true" />.
3. Save the file.
4. Restart the Good Technology Connect service.

Using friendly names for certificates in BlackBerry Connect

The friendly name of a certificate can be helpful when multiple certificates with similar subjects exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified. If you installed the Connect service on multiple computers, complete this task on each computer that hosts the service.

You can restrict certificates used for BlackBerry Connect to a Friendly Name by completing the following actions:

1. If you do not have one, create and enroll a certificate.
2. Change the certificate friendly name and description.
3. Set the new certificate friendly name string value in the BlackBerry Connect Server configuration file (GoodConnectServer.exe.config).

If you do not already have a certificate, you can create and verify a BEMS SSL certificate for Lync. For more information, see SSL certificate requirements for Microsoft Lync Server and Skype for Business.

Change the certificate friendly name description

1. Open the Microsoft Management Console (MMC).
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins column, click Certificates > Add.
5. Select Computer account. Click Next.
6. Select Local Computer. Click Finish.
7. Click OK.
8. Click Certificates (Local Computer) > Personal > Certificates.
9. Double-click the certificate you want to change.
10. Click the Details tab.
11. In the Show drop-down list, click <All>.
12. Click Edit Properties.
13. In the Friendly name field, type a friendly name.
14. In the Description field, type a description.
15. Click Apply.
16. Click OK. Click OK again.

After you finish: Specify the certificate's friendly name in the configuration file for the Connect service.

Add the certificate friendly name to the BlackBerry Connect server configuration file

Before you begin: Specify the certificate friendly name. 

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the GoodConnectServer.exe.config file is located in <install path>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.
2. In the <appSettings> section, type <add key="RESTRICT_CERT_BY_FRIENDLY_NAME" value="<cert_friendly_name>" />. The key value is case sensitive.
3. Save your changes.
4. Restart the Good Technology Connect service.
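A scripted form of the procedure above that first checks the friendly name resolves to exactly one usable certificate, as an added example that is not BlackBerry's own tooling. BEMS-Connect-SSL is a hypothetical friendly name, drive C: is assumed for the default folder, and the service is addressed by the display name the guide uses.

```powershell
# Added example, not from the BEMS guide. Run elevated on each computer that
# hosts the Connect service.
$FriendlyName  = 'BEMS-Connect-SSL'   # hypothetical friendly name set in the MMC procedure
$ConfigPath    = 'C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config'  # guide's default folder, drive C: assumed
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU

# The guide states the key value is case sensitive, so match with -ceq.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -ceq $FriendlyName })

# A restriction by friendly name is only meaningful if the name is unique.
if ($candidates.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName' in LocalMachine\My, found $($candidates.Count)."
}

$cert     = $candidates[0]
$now      = Get-Date
$problems = @()

if (-not $cert.HasPrivateKey) {
    $problems += 'no private key on this computer'
}
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
# An empty EKU list means the certificate is not restricted to specific purposes.
$ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
if ($ekus.Count -gt 0 -and $ekus -notcontains $ServerAuthOid) {
    $problems += 'EKU does not include Server Authentication'
}
if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is not usable: $($problems -join '; ')"
}

# Add or update the key in <appSettings>, keeping a backup of the original file.
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$appSettings = $config.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    throw "No <appSettings> section found in $ConfigPath"
}
$node = $appSettings.SelectSingleNode("add[@key='RESTRICT_CERT_BY_FRIENDLY_NAME']")
if (-not $node) {
    $node = $config.CreateElement('add')
    $node.SetAttribute('key', 'RESTRICT_CERT_BY_FRIENDLY_NAME')
    [void]$appSettings.AppendChild($node)
}
$node.SetAttribute('value', $FriendlyName)

Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
$config.Save($ConfigPath)

# The change takes effect after the service restarts.
Restart-Service -DisplayName 'Good Technology Connect'
"Restricted Connect to certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)."
```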

Configure the Connect service to receive SSL communications for a new installation

By default, SSL is enabled when you install the Connect service, and the service runs securely using SSL/TLS (HTTPS) to communicate with the BlackBerry Connect app over port 8082. By default, the BEMS installer generates a secure certificate that is bound to port 8082. Optionally, you can choose to manually create a secure certificate that you must import to BEMS and bind to port 8082 or another available port. If you upgrade from BEMS 2.10 or earlier, see Options to configure the Connect service to receive SSL communications from an upgraded BEMS instance for available options.

If you installed the Connect service on multiple computers, complete this task on each computer that hosts the Connect service.

For SSL support, you perform one of the following actions based on your environment:

• Use the default BEMS-Connect SSL certificate that is generated by the BEMS installer and the default port number. In this scenario, you must Assign the BEMS SSL certificate to users.
• Use the default BEMS-Connect SSL certificate that is generated by the BEMS installer, but your environment requires that you use a different port number. In this scenario, you must complete the following steps:
  1. Unbind the SSL certificate from port 8082.
  2. Bind the SSL certificate to the Connect service SSL port.
  3. Update the port number to enable SSL for BEMS Common and Connect service.
  4. In BlackBerry UEM, assign the BEMS SSL certificate to users.
  5. Configure the BlackBerry Connect app to send requests over SSL.
• Use your own SSL certificate and the default port number. In this scenario you must complete the following steps:
  1. Create a CSR request.
  2. Submit a CSR request to a certificate authority. You must install the certificate on the server that generated the CSR.
  3. Import the signed certificate to the computer that hosts the Connect service.
  4. Import the certificate into the Java keystore.
  5. Bind the SSL certificate to the Connect service SSL port.
  6. Add the certificate friendly name to the BlackBerry Connect server configuration file.
  7. Configure the BlackBerry Connect app to send requests over SSL.
  8. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Options to configure the Connect service to receive SSL communications from an upgraded BEMS instance

If you upgraded from BEMS version 2.10 or earlier, select one of the following scenarios:

• You want to upgrade your BEMS instance, don't have the Connect service configured for secure connections, and don't require secure connections. In this scenario, you are not required to complete any additional upgrade steps.
• You want to upgrade your BEMS instance, are already using secure connections, and want to keep this configuration. In this scenario, you are not required to complete any additional upgrade steps.
• You want to configure a non-secure connection environment to a secure connection environment. In this scenario, you must choose one of the following options:
  • Configure BEMS to use a secure connection using the default installation SSL certificate generated by the BEMS installer
  • Configure BEMS to use a secure connection using your own SSL certificate

Configure BEMS to use a secure connection using the default installation SSL certificate generated by the BEMS installer

1. Bind the SSL certificate to the Connect service SSL port.
2. Enable SSL communications.
3. Configure the BlackBerry Connect app to send requests over SSL.
4. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Configure BEMS to use a secure connection using your own SSL certificate

1. Create a CSR request.
2. Submit a CSR request to a certificate authority. You must install the certificate on the server that generated the CSR.
3. Import the signed certificate to the computer that hosts the Connect service.
4. Import the certificate into the Java keystore.
5. Bind the SSL certificate to the Connect service SSL port.
6. Enable SSL communications.
7. Configure the BlackBerry Connect app to send requests over SSL.
8. In BlackBerry UEM, assign the BEMS SSL certificate to users.

Assign the BEMS-Connect SSL certificate to users in BlackBerry UEM

By default, BEMS-Connect uses a self-signed certificate that is generated by the BEMS installer. 

1. Complete one of the following tasks:

   • If you use the default SSL certificate generated by the BEMS installer,
     a. In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
     b. Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.
   • If you use your own SSL certificate, export the SSL certificate chain from the Microsoft Management Console (MMC). If you don't know which certificate chain to download, in a command prompt type netsh http show sslcert to confirm the certificate hash, then use the MMC to locate the certificate where the certificate thumbprint is the same as the certificate hash.
     a. Open the Microsoft Management Console (MMC).
     b. Click Console Root.
     c. Click File > Add/Remove Snap-in.
     d. In the Available snap-ins column, click Certificates > Add.
     e. In the Certificates snap-in wizard, select Computer account. Click Next.
     f. On the Computer > Select Computer screen, select Local Computer. Click Finish.
     g. Click OK.
     h. In the MMC, expand Certificates (Local Computer) > Personal.
     i. Double-click the SSL certificate.
     j. Click Certification Path.
     k. Click the root certificate. The root certificate is the first item in the Certificate hierarchy.
     l. Click View Certificate.
     m. Click the Details tab.
     n. Click Copy to File.
     o. Click Next.

     p. Enter a name for the certificate and export it to your desktop.
     q. Click Save.
     r. Click Finish.
     s. Click OK.

2. In BlackBerry UEM, create a CA certificate profile for the BEMS Self-Signed certificate, or create individual CA certificate profiles for the CA Root certificate and any CA Intermediate certificates. Assign the profiles to users or user groups. For instructions on creating a CA certificate profile and assigning it to users or user groups, see the BlackBerry UEM administration content.

Create a CSR request

1. Log in to the computer hosting BEMS with the service account.
2. Open the Microsoft Management Console (MMC).
3. Click Console Root.
4. Click File > Add/Remove Snap-in.
5. In the Available snap-ins column, click Certificates > Add.
6. In the Certificates snap-in wizard, select Computer account. Click Next.
7. On the Computer > Select Computer screen, select Local Computer. Click Finish.
8. Click OK.
9. In the Microsoft Management Console, expand Certificates (Local Computer).
10. Right-click Personal and click All Tasks > Advanced Operations > Create Custom Request.
11. In the Certificate Enrollment wizard, click Next.
12. On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy. Click Next.
13. On the Custom request screen, select the following settings:
    • In the Template field, select (No template) Legacy key
    • In the Request format option, select PKCS #10
14. Click Next.
15. On the Certificate Information screen, expand Details for the custom request.
16. Click Properties.
17. Click the Subject tab.
18. On the Subject tab, in the Subject name section, complete the following actions:
    a) In the Type drop-down list, select Common Name.
    b) In the Value field, type the <BEMSFQDN> of the computer that hosts the Connect service (for example, BEMSHost.mycompany.com).
    c) Click Add.
19. In the Alternative name section, add two values by completing the following actions:
    a) In the Type drop-down list, select DNS.
    b) In the Value field, type the <BEMSFQDN> of the computer that hosts the Connect service (for example, BEMSHost.mycompany.com).
    c) Click Add.
20. On the Extensions tab, complete the following actions:
    a) In the Extended Key Usage (application policies) drop-down list, in the Available options column, click Server Authentication.
    b) Click Add.
21. On the Private Key tab, complete the following actions:

 | Configuring BEMS services | 57

Page 58: environment BEMS in a BlackBerry UEM · 2020. 8. 14. · Configuring HTTPS for BEMS to BlackBerry Proxy.....15 Assign the BEMS SSL certificate to users.....16 Download certificates

a) In the Cryptographic Service Provider drop-down list, in the Select cryptographic service provider(CSP)section, clear all the check boxes.

b) Select the Microsoft RSA SChannel Crytographic Provider (Encryption) check box.c) In the Key size field, type 2048.d) In the Key options drop-down list, in the Key type drop-down list, select Exchange.

22.Click Apply.23.Click OK.24.Click Next.25.Enter a name for the certificate request and save it to your desktop.26.In the File format section, select Base 64.27.Click Finish.

After you finish:

1. Submit the certificate request that you created to the certificate authority to obtain a certificate.
2. Import the signed certificate to the computer that hosts the Connect service.
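
The request settings from the steps above can also be written as a certreq.exe policy file, which makes the provider, key spec, and key size reviewable before the key is generated. This is an added example and not part of the BlackBerry guide; the function name, file names, and the use of certreq.exe instead of the MMC wizard are assumptions, and the host name is the guide's example value.

```powershell
# Added example (not BlackBerry's own tooling): build the CSR described in the
# steps above with certreq.exe. Run in an elevated PowerShell session on the
# computer that hosts the Connect service.

function New-BemsConnectCsr {                     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Fqdn,    # for example BEMSHost.mycompany.com
        [string] $OutDir = (Join-Path $env:USERPROFILE 'Desktop')
    )

    # The name is written into the policy file, so accept only DNS characters.
    if ($Fqdn -notmatch '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$') {
        throw "'$Fqdn' is not a fully qualified DNS name."
    }

    # Mapping to the wizard:
    #   RequestType = PKCS10       -> Request format: PKCS #10
    #   MachineKeySet = TRUE       -> Computer account / Local Computer
    #   ProviderName, ProviderType -> Microsoft RSA SChannel provider (type 12, hex c)
    #   KeySpec = 1                -> Key type: Exchange (AT_KEYEXCHANGE)
    #   KeyLength = 2048           -> Key size: 2048
    #   OID 1.3.6.1.5.5.7.3.1      -> Extended Key Usage: Server Authentication
    #   2.5.29.17 / dns=           -> Alternative name of type DNS
    # Single-quoted here-string so that "$Windows NT$" is not expanded.
    $template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
RequestType = PKCS10
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyLength = 2048

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@

    $inf = Join-Path $OutDir 'bems-connect.inf'   # assumed file names
    $req = Join-Path $OutDir 'bems-connect.req'
    if (Test-Path $req) {
        throw "$req already exists; remove it or choose another folder."
    }
    Set-Content -Path $inf -Value $template.Replace('__FQDN__', $Fqdn) -Encoding Ascii

    # certreq creates the key pair on this computer and writes a Base64 PKCS #10 request.
    & certreq.exe -new $inf $req | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "certreq.exe failed with exit code $LASTEXITCODE."
    }
    return $req
}

# Example call with the guide's sample host name:
New-BemsConnectCsr -Fqdn 'BEMSHost.mycompany.com'
```

The private key stays on the computer that ran the command, which is why the signed certificate must be imported on that same server.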

Import the signed certificate to the computer that hosts the Connect service

Make sure that you install the certificate on the server that generated the CSR.

1. If necessary, open the Microsoft Management Console (MMC).
2. Expand Certificates (Local Computer).
3. Right-click Personal and click All Tasks > Import.
4. Click Next.
5. Navigate to the certificate file that you obtained from the certificate authority.
6. Click Next.
7. On the File to Import screen, select the file and click Open.
8. Click Next.
9. In the Certificate Store screen, click Browse and click Trusted Root Certification Authorities.
10. Click Next.
11. Click Finish.

After you finish: Bind the signed certificate to the Connect service SSL port. 

Bind the SSL certificate to the Connect service SSL port

Before you begin:  Import the CA-signed certificate to the computer that hosts the Connect service. 

1. Copy the thumbprint of the imported certificate.

   a. Double-click the imported certificate.
   b. Click the Details tab.
   c. In the Show dropdown list, click Properties Only.
   d. In the Field column, click Thumbprint.
   e. Copy the hexadecimal values into a text editor. Delete the spaces between the hexadecimal values. For example, if you copied 80 82 41 2f..., it becomes 8082412f...
   f. Keep the text editor open.

2. If required, log in to the computer that hosts the Connect service with the service account.


3. Open a command prompt (run as administrator).
4. Check that a certificate is not already bound to port 8082. Type netsh http show sslcert. If you use a new certificate, document the hash information for port 8082. The certificate hash is used in step 4. If a certificate is bound to port 8082 or a port that you want to use, type netstat -abn >netstatoutput.txt to output the list of ports and processes to which they are bound. You must first delete the certificate before binding the new certificate or select a new port to bind the SSL. If you choose to bind the certificate to another port, consider this modification when configuring the Connect service. To delete the existing certificate, type netsh http delete sslcert ipport=0.0.0.0:8082 or the port that you want to bind the certificate to.

   For more information about netsh, visit the Technet Library to see Netsh Commands for Hypertext Transfer Protocol (HTTP).

5. Bind the certificate to the SSL port. In a command prompt (run as administrator), type netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={AD67330E-7F41-4722-83E2-F6DF9687BC71}
   Where <thumbprint> is the thumbprint of the signed certificate that you exported to the text editor. For instructions, see Import the signed certificate to the computer that hosts the Connect service.
6. Press Enter.
7. To verify the certificate binding, type netsh http show sslcert.

After you finish:

1. Enable SSL communications.
2. Configure the BlackBerry Connect to send requests over SSL.
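
The binding steps above, scripted so that the thumbprint is validated and an existing binding is never overwritten silently. This is an added example, not from the BlackBerry guide; the function names are hypothetical, and the netsh commands and appid value are the ones the steps give.

```powershell
# Added example (not from the BlackBerry guide). Run in an elevated
# PowerShell session on the computer that hosts the Connect service.

function ConvertTo-CertHash {                     # hypothetical helper name
    param([Parameter(Mandatory)] [string] $Thumbprint)
    # Remove spaces plus the invisible format/control characters that can be
    # copied from the certificate dialog along with the hex digits.
    $hex = $Thumbprint -replace '[\s\p{Cf}\p{Cc}]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a 40-digit hexadecimal thumbprint after removing spaces: '$hex'"
    }
    return $hex.ToLowerInvariant()
}

function Set-BemsConnectSslBinding {              # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [ValidateRange(1, 65535)] [int] $Port = 8082
    )
    $hash   = ConvertTo-CertHash $Thumbprint
    $ipport = "0.0.0.0:$Port"
    # appid from the guide. Kept in a quoted string because PowerShell would
    # otherwise parse {...} as a script block.
    $appid  = '{AD67330E-7F41-4722-83E2-F6DF9687BC71}'

    # netsh looks the hash up in the local computer MY (Personal) store when
    # certstorename is not given, and the binding needs the private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) {
        Write-Warning "No certificate with a private key and thumbprint $hash was found in Cert:\LocalMachine\My."
    }

    # Step 4: an existing binding shows a 40-digit certificate hash.
    $existing = (& netsh.exe http show sslcert "ipport=$ipport") -join "`n"
    if ($existing -match '\b[0-9A-Fa-f]{40}\b') {
        throw ("A certificate is already bound to $ipport (hash $($Matches[0])). " +
               "Record the hash, then run 'netsh http delete sslcert ipport=$ipport' or choose another port.")
    }

    # Step 5: bind the certificate.
    & netsh.exe http add sslcert "ipport=$ipport" "certhash=$hash" "appid=$appid" | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
    }

    # Step 7: verify that the binding now shows the expected hash.
    $bound = (& netsh.exe http show sslcert "ipport=$ipport") -join "`n"
    if ($bound -notmatch $hash) {
        throw "The binding for $ipport does not show certificate hash $hash."
    }
    return $ipport
}

# Usage (paste the thumbprint exactly as copied from the Details tab):
# Set-BemsConnectSslBinding -Thumbprint '<thumbprint>' -Port 8082
```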

Enable SSL communications

You must enable SSL in two locations: the BlackBerry Connect server configuration file and the BEMS Common to Connect communications.

Before you begin: Back up the BlackBerry Connect server configuration file.

1. Enable SSL communications in the Connect service.
   a) To modify the server configuration to use the correct SSL certificate, navigate to the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\.
   b) In a text editor (run as administrator), edit the GoodConnectServer.exe.config file.
   c) Locate the BASE_URL line (for example, <add key="BASE_URL" value="http://*:8080/"/>).
   d) Change the line to <add key="BASE_URL" value="https://*:8082/"/>. If required, update the port to the port that you are using.
   e) Save your changes.
   f) Restart the Good Technology Connect service.

2. Enable SSL for BEMS Common to Connect communications.
   a) On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<fqdn_of_the_bems_host>:8443/system/console/configMgr.
   b) Scroll to and click Good Technology Core Adapter Service.
   c) In the connect.websocket.uri field, verify that URI is wss://localhost:8082/AdapterNotifyService/Notify/ws. If necessary, change the port to the port you want to use.
   d) Click Save.

After you finish: Configure the BlackBerry Connect to send requests over SSL.


Configure the BlackBerry Connect app to send requests over SSL in BlackBerry UEM

Before you begin: If you configured the BlackBerry Connect app configuration to use the default port of 8080, you can update the app configuration to use the SSL port information.

Complete the instructions in the Configure BlackBerry Connect app settings in the BlackBerry Connect Administration content. For the Connect Server Hosts field, make sure you type the FQDN of the computers that host the BlackBerry Connect server and use the SSL port 8082. For example, if you have multiple servers, separate the names using commas, no spaces. For example, https://domain01.example.com:8082,https://domain02.example.com:8082,https://domain03.example.com:8082.

Configuring Windows Services

The BlackBerry Connect server is now listed in Windows Services. You can view the service status and the service account user you entered for the Connect service.

For Connect to run as another domain user, the alternate domain user must:

• Have access to the private key of the computer certificate.
• Be enabled to “Log on as a service” through the Local Security Policy tool.

Configure permissions for the service account

1. On the computer that hosts BlackBerry Connect, run the Local Security Policy administrative tool.
2. In the left pane, expand Local Policies.
3. Click User Rights Assignment.
4. Configure the BlackBerry Connect service account for the Log on as a service permission.

Global catalog for Connect and Presence

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory Domain Services (AD DS) forest. Global catalogs are typically used in a single AD DS forest that has more than one domain. A global catalog provides a way for products and services to access data that is available in other domains in the same forest. For more information about global catalogs, visit the Technet Library to see What Is the Global Catalog?.

You can configure the Connect service to use the global catalog so that the Connect service can find users who exist in other domains within your AD DS forest. This enables the BlackBerry Connect app to search for people in those other domains and start conversations with them, or add them to the contact list.

You can also configure the Presence service to use the global catalog so that the Presence service can subscribe to receive presence information for Lync users who exist in other domains within your AD DS forest. This is helpful if a Presence client, such as BlackBerry Work, is used by users who email with others who reside in other domains in your AD DS forest.

In addition to configuring the Connect and Presence services to use the global catalog, you must replicate some additional Microsoft Lync Server or Skype for Business attributes to the global catalog. You must perform this setup only once, whether the global catalog is used for one or both services. Some environments might require some Active Directory attributes to be correctly replicated to the global catalog in the other domains. For more information about enabling replication of user attributes to the global catalog server, visit support.blackberry.com/community to read article 46152.


Enable the Connect service to use a global catalog

The instructions in this topic use the environment example.com to configure the Connect service to use a global catalog. If you installed the Connect service on multiple servers, complete this task on each computer that is running the Connect service.

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect folder.

2. In the <appSettings> section of the file, locate the following values:

   • <add key="AD_USERS_SOURCE" value="" />
   • <add key="AD_USERS_SOURCE_DOMAIN" value="" />

3. Update the values as required for your environment. For example, to configure the Connect service to access Active Directory domains outside of the local domain that the BEMS is located in, complete the following steps:
   a) In the value double quotation marks of the <add key="AD_USERS_SOURCE" value="" /> key, enter GC.
   b) In the value double quotation marks of the <add key="AD_USERS_SOURCE_DOMAIN" value="" /> key, enter DC=EXAMPLE,DC=COM or the fully qualified domain name EXAMPLE.COM. Make sure that you use the distinguished name of the domain. For more information, see Appendix A: Understanding the BEMS-Connect configuration file.

   The following example shows the GoodConnectServer.config file configured to access a global catalog:

   .
   .
   <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
   <add key="AD_USERS_SOURCE" value="GC" />
   <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Connect resides; -->
   <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />
   .
   .

4. In the Windows Manager, restart the Good Technology Connect service.
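
A check for the hand-edited GoodConnectServer.exe.config file, covering the BASE_URL change from the SSL steps and the AD_USERS_SOURCE keys from this procedure. This is an added example, not from the BlackBerry guide; the function name and the sample XML are constructed for illustration, and the checks only encode the values that the guide itself lists.

```powershell
# Added example (not from the BlackBerry guide): validate the appSettings
# values discussed above before restarting the Connect service.

function Test-ConnectConfig {                     # hypothetical helper name
    param([Parameter(Mandatory)] [string] $XmlText)

    $findings = @()
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($XmlText) }
    catch {
        # A stray quote or bracket from a manual edit is reported here.
        return [pscustomobject]@{
            Ok       = $false
            Findings = @("Not well-formed XML: $($_.Exception.Message)")
        }
    }

    # Collect every <add key="..." value="..."/> under <appSettings>.
    $settings = @{}
    foreach ($node in $doc.SelectNodes('//appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    # BASE_URL: the guide changes http://*:8080/ to https://*:<port>/.
    $baseUrl = [string]$settings['BASE_URL']
    if ($baseUrl -match '^(?<scheme>https?)://[^/:]+:(?<port>\d+)/$') {
        if ($Matches['scheme'] -ne 'https') {
            $findings += "BASE_URL '$baseUrl' uses http; SSL is not enabled for the Connect service."
        }
    } else {
        $findings += "BASE_URL '$baseUrl' is missing or not in the form scheme://host:port/."
    }

    # AD_USERS_SOURCE: the guide lists GC and LDAP; empty means the local domain.
    $source = [string]$settings['AD_USERS_SOURCE']
    $domain = [string]$settings['AD_USERS_SOURCE_DOMAIN']
    if ($source -cnotin @('', 'GC', 'LDAP')) {
        $findings += "AD_USERS_SOURCE '$source' is not one of the values the guide lists (GC, LDAP, or empty)."
    }

    $isDn   = $domain -match '^DC=[^,=]+(,DC=[^,=]+)+$'
    $isFqdn = $domain -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
    if ($source -ceq 'GC' -and -not $domain) {
        $findings += 'AD_USERS_SOURCE is GC but AD_USERS_SOURCE_DOMAIN is empty; the procedure sets both.'
    } elseif ($domain -and -not ($isDn -or $isFqdn)) {
        $findings += "AD_USERS_SOURCE_DOMAIN '$domain' is neither a distinguished name (DC=EXAMPLE,DC=COM) nor a domain name (EXAMPLE.COM)."
    }

    return [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: SSL not yet enabled and the GC domain left empty.
$sample = @'
<configuration>
  <appSettings>
    <add key="BASE_URL" value="http://*:8080/" />
    <add key="AD_USERS_SOURCE" value="GC" />
    <add key="AD_USERS_SOURCE_DOMAIN" value="" />
  </appSettings>
</configuration>
'@
(Test-ConnectConfig $sample).Findings

# Against the real file (replace <drive> with the installation drive):
# Test-ConnectConfig (Get-Content -Raw '<drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\GoodConnectServer.exe.config')
```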

Revert the Connect service settings to use the local Active Directory

If you configured the Connect service to use a global catalog, you can modify the GoodConnectServer.exe.config file to have the Connect service use the local Active Directory domain that the BEMS is located in. In the following example, the Connect service was configured to use the global catalog in the example.com environment. If you installed the Connect service on multiple servers, complete this task on each computer that is running the Connect service.

1. In a text editor, open the GoodConnectServer.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect folder.

2. In the <appSettings> section of the file, locate the following values:

   • <add key="AD_USERS_SOURCE" value="GC" />
   • <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />

3. Remove the specified values from the double quotation marks. The following example shows the GoodConnectServer.exe.config file configured to use the local Active Directory domain where the BEMS is located:

   .
   .
   <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
   <add key="AD_USERS_SOURCE" value="" />
   <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Connect resides; -->
   <add key="AD_USERS_SOURCE_DOMAIN" value="" />
   .
   .

4. In the Windows Manager, restart the Good Technology Connect service.

Enable the Presence service to use a global catalog with Microsoft Lync Server or Skype for Business

The instructions in this topic use the environment example.com to configure the Presence service to use a global catalog and applies to an environment that is configured for on-premises Microsoft Lync Server 2010 and 2013 or Skype for Business on-premises servers using trusted application mode. If you installed the Connect service on multiple servers, complete this task on each computer that is running the Presence service.

1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\GoodPresence folder.

2. In the <appSettings> section of the file, locate the following values:

   • <add key="AD_USERS_SOURCE" value="" />
   • <add key="AD_USERS_SOURCE_DOMAIN" value="" />

3. Update the values as required for your environment. For example, if your environment (example.com) requires access to a global catalog, complete the following steps:
   a) In the value double quotation marks of the <add key="AD_USERS_SOURCE" value="" /> key, enter GC.
   b) In the value double quotation marks of the <add key="AD_USERS_SOURCE_DOMAIN" value="" /> key, enter the distinguished domain name using DC=EXAMPLE,DC=COM or the fully qualified domain name using EXAMPLE.COM. Make sure that you use the distinguished name of the domain. For more information, see Appendix A: Understanding the BEMS-Connect configuration file.

   The following example shows the LyncPresenceProviderService.exe.config file configured to access a global catalog:

   .
   .
   <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
   <add key="AD_USERS_SOURCE" value="GC" />
   <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Presence resides; -->
   <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />
   .
   .

4. In the Windows Manager, restart the Good Technology Presence service.


Revert the Presence service settings to use the local Active Directory

If you configured the Presence service to use a global catalog, you can modify the LyncPresenceProviderService.exe.config file to have the Presence service use the local Active Directory domain that the BEMS is located in. In the following example, the Presence service was configured to use the global catalog in the example.com environment. If you installed the Connect service on multiple servers, complete this task on each computer that is running the Presence service.

1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\GoodPresence folder.

2. In the <appSettings> section of the file, locate the following values:

   • <add key="AD_USERS_SOURCE" value="GC" />
   • <add key="AD_USERS_SOURCE_DOMAIN" value="DC=EXAMPLE,DC=COM" />

3. Remove the specified values from the double quotation marks. The following example shows the LyncPresenceProviderService.exe.config file configured to use the local Active Directory domain where the BEMS is located:

   .
   .
   <!-- valid values are: GC - Global Catalog; LDAP - Active Directory (default) -->
   <add key="AD_USERS_SOURCE" value="" />
   <!-- valid values are: "DC=GOOD,DC=COM" - GC/AD at good.com (example only, change to your domain); No value attribute (default) - Domain the Good Connect resides; -->
   <add key="AD_USERS_SOURCE_DOMAIN" value="" />
   .
   .

4. In the Windows Manager, restart the Good Technology Presence service.

Enable Microsoft Lync Server or Skype for Business related attributes in the global catalog

Complete this task on the Domain controller in your environment.

1. Open the Run command.
2. Type schmmgmt.msc. Press Enter.
3. In the left navigator window, click Active Directory Schema.
4. In the middle window, double-click Attributes.
5. Double-click Mail.
6. Select the Replicate this attribute to the Global Catalog checkbox. Click OK.
7. Repeat steps 5 and 6 for the following attributes:
   • msRTCSIP-PrimaryUserAddress
   • msRTCSIP-UserEnabled
   • msRTCSIP-DeploymentLocator
   • telephoneNumber
   • displayname
   • title
   • mobile
   • givenName
   • sn
   • sAMAccountName

Troubleshooting BlackBerry Connect Issues

The BEMS-Connect service logs information in different log files and saves them to different folder locations depending on the installation configuration of the BEMS-Connect service. These log files are required when troubleshooting Connect issues. The log files contain critical information for the instant messaging server that is used in your environment (for example, Microsoft Lync Server, Cisco Unified Communications Manager for communications, Skype for Business Online, and Skype for Business using non-trusted application mode or trusted application mode).

Finding log files

By default, a server log file is created for each BEMS server and is stored daily on the computer that hosts BEMS.

BEMS-Core log files are displayed as gems_<server_name_date_time stamp>.log. By default, the BEMS log files are stored daily in C:\BlackBerry\bemslogs.

Note: The timestamp for each file is reset daily at 0:00 (midnight). It is also reset each time that the BEMS-Connect service is restarted and when a maximum file size is reached.

The following table summarizes the log files that are generated by the BEMS-Connect service.

Log file: Connect_<server_name>_<date_time_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs BlackBerry Connect app connections data.
• In Microsoft Lync Server or Skype for Business on-premises using trusted application mode environments, this log also logs all of the service log data including communications with the instant messaging platform.
• The log file is reset when it reaches a maximum of 20 MB and a new log file is started. The log files are automatically deleted after three days.
• The BEMS-Connect service log4net.config file controls the information that is logged in the log file. For more information, visit http://support.blackberry.com/community to read article 41080.

Log file: Connect-LongTerm_<server_name>_<date_time_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs similar information to the Connect_<server_name>_<date_time_stamp>.log file (above) over a longer duration, but with less detail. For example, this log file only logs some INFO level logging, all ERROR and WARN level logging. It doesn't log DEBUG level logging. By default, the Connect_<server_name>_<date_time_stamp>.log log file logs additional INFO logging and DEBUG log lines.
• The log file is reset when it reaches a maximum size of 20 MB and a new log file is started. The log files are automatically deleted after 20 days.

Log file: Connect_MSMData_<date_stamp>.log
Default log file location: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect\Logs
Description:
• This log file logs BEMS-Connect app MSM-specific data that is used by the Good Mobile Service Manager.
• This log file isn't reset after a maximum size or deleted after a specified number of days.
• This log file is not required for troubleshooting BEMS-Connect issues.

Log file: gems_<server_name>_<date_time_stamp>.log
Default log file location: C:\BlackBerry\bemslogs
Description:
• This log file logs BEMS-Connect interaction information with Skype for Business on-premises using non-trusted application mode, Skype for Business Online or Cisco Unified Communications Manager that is configured in your environment.
• This log file is reset when it reaches a maximum size of 100 MB.
• The log file is automatically purged after 10 days.


Failed to start BlackBerry Connect server

Possible cause: If the Application-log displays Failed to start GoodConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Unable to establish a connection. ---> System.Net.Sockets.SocketException: No such host is known, then the hostname value in the configuration file for the key OCS_SERVER does not exist or is not recognized as a valid server.
Possible solution: Correct the OCS_SERVER value in the configuration file.

Possible cause: If the Application-log displays Failed to start BlackBerryConnectServer: Microsoft.Rtc.Signaling.ConnectionFailureException: Failed to listen on any address and port supplied, then the port number specified for UCMA_APPLICATION_PORT in the configuration file is either blocked by a firewall or used by another application.
Possible solution: Unblock the port if it is a firewall issue or choose another port number.

Possible cause: If the Application-log displays Failed to start BlackBerryConnectServer: WCFGaslampServiceLibrary.OCSCertificateNotFoundException: Certificate not found, then the certificate's subjectName doesn't contain the local host's FQDN and the private key for the certificate isn't enabled for the user which executes the BEMS software.
Possible solution: Enable private keys for this certificate for the user running the BEMS machine.

Error message: The process was terminated due to an unhandled exception. Microsoft.Rtc.Internal.Sip.TLSException

Possible cause

The SSL certificate was not created with the correct cryptographic service provider and key spec. The KeySpec property sets or retrieves the type of key generated. Valid values are determined by the cryptographic service provider in use, typically Microsoft RSA.

Possible solution

Verify that the Provider, ProviderType, and KeySpec values are the same as in the example below. If they are not, the CA must reissue a new SSL certificate with the appropriate provider and key spec values.

1. On the computer that hosts BEMS, open the Windows PowerShell and type the following command:
   certutil.exe -v -store "my" "<name of ssl cert>" > c:\temp\ssl.txt
2. In a text editor, open the ssl.txt file. By default, the ssl.txt file is located in <drive>:\temp.
3. Search for CERT_KEY_PROV_INFO_PROP_ID.
4. The SSL certificate information should return the following information:

   CERT_KEY_PROV_INFO_PROP_ID(2):
     Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
     Provider = Microsoft RSA SChannel Cryptographic Provider
     ProviderType = c
     Flags = 20
     KeySpec = 1 -- AT_KEYEXCHANGE
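
The comparison in steps 3 and 4 can be automated by reading the CERT_KEY_PROV_INFO_PROP_ID block from the certutil output. This is an added example, not from the BlackBerry guide; the function names are hypothetical, the first sample reuses the expected output shown above, and the second sample is constructed to show a mismatch.

```powershell
# Added example (not from the BlackBerry guide): compare the key provider
# information in "certutil -v -store my" output with the expected values.

function Get-KeyProvInfo {                        # hypothetical helper name
    param([string[]] $CertutilOutput)
    $info    = [ordered]@{}
    $inBlock = $false
    foreach ($line in $CertutilOutput) {
        if ($line -match '^\s*CERT_KEY_PROV_INFO_PROP_ID') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($line -match '^\s*(Key Container|Provider|ProviderType|Flags|KeySpec)\s*=\s*(.*?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        } elseif ($line -match '^\s*CERT_\w+_PROP_ID') {
            break                                 # the next certificate property starts
        }
    }
    return $info
}

function Test-BemsKeyProvInfo {                   # hypothetical helper name
    param([string[]] $CertutilOutput)
    $info     = Get-KeyProvInfo $CertutilOutput
    $problems = @()
    if ($info.Count -eq 0) {
        $problems += 'No CERT_KEY_PROV_INFO_PROP_ID block was found in the output.'
    } else {
        if ($info['Provider'] -ne 'Microsoft RSA SChannel Cryptographic Provider') {
            $problems += "Provider is '$($info['Provider'])'."
        }
        if ($info['ProviderType'] -ne 'c') {      # certutil prints the type in hex; c is 12
            $problems += "ProviderType is '$($info['ProviderType'])', expected c."
        }
        if ($info['KeySpec'] -notmatch '^1\b') {  # 1 is AT_KEYEXCHANGE
            $problems += "KeySpec is '$($info['KeySpec'])', expected 1 -- AT_KEYEXCHANGE."
        }
    }
    return [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Info = $info }
}

# Sample 1: the expected output shown in the guide.
$expected = @'
CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = 9ad85141c0b791ad17f0687d00358b70_dd7675d5-867d-479c-90b0-cd24435fe903
  Provider = Microsoft RSA SChannel Cryptographic Provider
  ProviderType = c
  Flags = 20
  KeySpec = 1 -- AT_KEYEXCHANGE
'@ -split "`r?`n"

# Sample 2: constructed output for a key created with a different provider
# and a signature key spec.
$mismatch = @'
CERT_KEY_PROV_INFO_PROP_ID(2):
  Key Container = constructed-sample-container
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  ProviderType = 1
  Flags = 20
  KeySpec = 2 -- AT_SIGNATURE
'@ -split "`r?`n"

(Test-BemsKeyProvInfo $expected).Ok          # True
(Test-BemsKeyProvInfo $mismatch).Problems    # three findings

# On the BEMS host:
# Test-BemsKeyProvInfo (certutil.exe -v -store "my" "<name of ssl cert>")
```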


Configuring the BlackBerry Presence service

When you configure the BlackBerry Presence service to support BlackBerry Work, you perform one of the following actions.

• If your environment includes a Microsoft Lync Server or Skype for Business:
   • Configure BlackBerry Presence in the BEMS Dashboard.
   • Manually configure the Presence service for multiple application endpoints.
   • Optionally, configure BlackBerry UEM for Presence.
   • Optionally, enable the Presence service to use a global catalog.
   • Optionally, configure BlackBerry UEM for high availability.
   • Optionally, configure BlackBerry UEM for disaster recovery.

• If your environment includes a Cisco Unified Communications Manager (Cisco Jabber):
   • Configure BlackBerry Presence in the BEMS Dashboard.
   • Configure Jabber for the Presence service.
   • Configure BlackBerry UEM for Presence.
   • Optionally, configure BlackBerry UEM for high availability.
   • Optionally, configure BlackBerry UEM for disaster recovery.
   • Add the computer, or computers if the Presence service is installed on separate computers, to the entitlement. For instructions, see "Configure BlackBerry Work connection settings" in the BlackBerry Work administration content.

Configuring the BlackBerry Presence service in the BEMS Dashboard

The BlackBerry Presence service API allows BlackBerry Work and other third-party BlackBerry Dynamics applications to access users' presence statuses or availability.

When you configure the BlackBerry Presence service, you complete the following actions: 

• If not completed, configure BlackBerry Dynamics
• If your environment uses a Microsoft Lync Server or Skype for Business, log in with the service account credentials
• Optionally, configure the BlackBerry Presence service settings
• Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, and Skype for Business for the BlackBerry Presence service
• Configure Jabber for the BlackBerry Presence service

Logging in to the Presence service

The BlackBerry Presence service components are unavailable until you provide the correct service account credentials for BEMS. BEMS uses this information to securely connect to Microsoft Services like Microsoft Active Directory, Microsoft Lync Server, Microsoft Exchange Server, Skype for Business server, and Microsoft SQL Server. The service account must have RTCUniversalReadOnlyAdmins rights. If an account has not yet been created, contact your Windows domain administrator to request an account.

Note: The service account credentials are not stored after the current browser session ends and must be entered each time you access the Presence service. Stop the Good Technology Presence service before you configure the service account for BEMS.

Configure the BlackBerry Presence service settings

You can specify the settings for the BlackBerry Presence service or keep the default settings. 


1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If your environment uses a Microsoft Lync Server or Skype for Business, click Service Account and type the login credentials for the Good Technology Presence service account.
3. Click Settings.
4. Optionally, in the Subscription Expiration Time field, type an expiration time in seconds. The Subscription Expiration Time is the time interval when BlackBerry Work contacts the Presence service for user presence status updates. By default, this is 180 seconds. If you experience issues with the Presence status not displaying, increase the subscription expiration time (for example, 1000 seconds). Increasing the expiration time allows the subscriptions to remain active for a longer time.
5. Optionally, select the Enable domain whitelisting checkbox. For more information, see Allow Presence subscriptions to users in specified domains.
   a) In the Domains whitelist dialog box, click  .
   b) In the Domains whitelist text box, type the email domains for which you want to allow presence subscriptions. When adding multiple domains, you can add the domains using one or more of the following formats to separate the domains.
      • Comma, followed by a space
      • Semi-colon, followed by a space
      • Space
      • New line
      For example, example.com, example1.com, and so forth.
   c) Click  .
6. Click Test.
7. Click Save.

Allow Presence subscriptions to users in specified domains

Your organization can use whitelisting to control which users in internal and federated Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, Skype for Business Online, or Cisco Unified Communications Manager environments can be subscribed to. By allowing specific domains to be subscribed to, you can improve the performance of the Presence service and exclude domains that are not part of the internal or federated domains. You can also limit presence subscriptions to specific internal and federated domains. By default, the whitelisting feature is disabled and all internal and external domain subscriptions are attempted. When this feature is configured, you can manage the allowed list from all BEMS servers that host the Presence service.

When your organization enables whitelisting, contacts in an email domain that is not listed are restricted and no presence subscriptions are attempted to that domain. Consider the following scenarios when you enable domain whitelisting:

• If you enable domain whitelisting, but do not specify one or more email domains, all email domains are restricted from requesting Presence subscriptions.

• If you enable domain whitelisting and specify one or more email domains, only contacts in the specified email domains are included in the subscription request to the instant messaging server. If a contact is not a user in the whitelisted email domains, the user presence is not displayed.

• If you do not enable domain whitelisting, then contacts in any email domain are included in the subscription request to the instant messaging server.


Remove a domain and restrict users from requesting subscription requests

You can remove domains and restrict users of that domain from requesting subscription requests.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If necessary, click Service Account and type the login credentials for the BEMS service account.
3. Click Settings.
4. In the Domains whitelist dialog box, click the X beside the domain you want to remove from the list.
5. Click Save.

Configure Microsoft Lync Server 2010, Microsoft Lync Server 2013, Skype for Business, or Skype for Business Online for the Presence service

Environments configured to use Microsoft Lync Server 2010 or 2013, or Skype for Business on-premises that are using trusted application mode use the Unified Communications Managed API (UCMA) software for the Presence service to communicate with the instant messaging server. Environments configured to use Skype for Business Online or Skype for Business on-premises that are using non-trusted application mode use Unified Communications Web API (UCWA) software for the Presence service to communicate with the instant messaging server.

Before you begin:

• If your environment uses Skype for Business on-premises using non-trusted application mode, make sure that the Skype for Business on-premises root CA certificate is imported. For instructions, see Import the CA certificate into the Java certificate store.

• If your environment uses Skype for Business on-premises using non-trusted application mode or Skype for Business Online, the Good Technology Presence service is not used.

• If your environment uses multiple Skype for Business on-premises servers using trusted application mode or non-trusted application mode, have the Skype for Business servers load balanced with a load balancer. For more information about load balancing requirements, visit https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/load-balancing.

• If you configure your environment to use Skype for Business Online, have the following information. If you configured the Connect service, reuse the tenant name and app ID and app Key. For instructions, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
  • Tenant name
  • Service app ID and app Key
  • BlackBerry Work app ID

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If necessary, click Service Account and type the login credentials for the BEMS service account.
3. Click Lync 2010, Lync 2013, or Skype for Business. The system queries the instant messaging server to verify that the appropriate BEMS instant messaging server topology is added. This can take a few moments to complete.
4. Complete one of the following tasks:


Instant messaging server in environment: Tasks

Microsoft Lync Server 2010 or Microsoft Lync Server 2013

a. In the Application ID drop-down list, select <appid_connect.mycompany.com>.
   If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.
b. In the Application Endpoint drop-down list, select the corresponding application endpoint.

Skype for Business Online

a. Select the Skype for Business Online checkbox.
b. In the Tenant name/ID field, enter the name of your Skype for Business Online tenant. If you need to connect to more than one tenant, enter common.
c. In the BlackBerry BEMS Connect/Presence Service App ID field, enter the BlackBerry Presence service app ID. For instructions on obtaining the app ID, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
d. In the BlackBerry BEMS Connect/Presence Service App Key field, enter the BlackBerry Presence service app key.
e. In the BlackBerry Presence Client App ID field, enter the BlackBerry Work app ID. For instructions, see Obtain an Azure app ID for BlackBerry Work.

Skype for Business on-premises using trusted application mode

Note: Using this configuration, the Presence service is trusted by Skype for Business and can impersonate a user. End user authentication is not required on the device to view the presence status.

a. Select the Skype for Business On-Premises check box.
b. Select Trusted Application Mode.
c. Beside the Application ID drop-down list, click Browse. This step can take up to a minute to complete.
d. In the Application ID drop-down list, select the app ID. For example, <appid_connect.mycompany.com>.
   If the drop-down list is empty, either the BEMS <instant messaging server type> topology is not set up correctly or the service account does not have permissions to query these settings.


Skype for Business on-premises using non-trusted application mode

Note: Using this configuration, the

• Presence service is not trusted by Skype for Business and cannot impersonate a user. End user authentication on the device is required.

• Presence service passes through the web proxy if it is defined, but doesn't use the bypass list even if the Skype for Business servers are added to the bypass proxy list. In some cases authentication to Skype for Business might fail. For more information on configuring the web proxy, see Configure a web proxy server.

a. Select the Skype for Business On-Premises check box.
b. Select Non-trusted Application Mode.
c. Complete one or both of the following actions:

   • Select the Auto discover servers checkbox to have BEMS discover the Skype for Business servers in the environment.

   • Enter the default Skype for Business on-premises FQDN or the complete URL to the Skype for Business server for BEMS to use if autodiscovery is not enabled or fails. For example, http(s)://<FQDN_of_the Skype_front_end_pool>/Autodiscover/AutodiscoverService.svc/root/oauth/user.

5. Click Test to verify that the Azure information is valid.
6. Complete one or both of the following actions to log in to the user account:

   • If you configure the environment to use Skype for Business on-premises:

     a. Enter a user email address and password.
     b. Click Test.

   • If you configure the environment to use Skype for Business Online:

     a. Click Test.
     b. Sign in to a user account.

7. Click Save.
8. Complete one of the following actions:

   • If you configured the Presence service for Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business on-premises using trusted application mode, start the Good Technology Presence service. Make sure that you save the configuration in the Dashboard prior to starting the service.

   • If you configured the Presence service for Skype for Business Online or Skype for Business on-premises using non-trusted application mode only, you do not need to start the Good Technology Presence service. Skype for Business Online and Skype for Business on-premises using non-trusted application mode don't require the Presence service to view users' presence status. If you try to start the service, the following error message is displayed: Windows could not start the Good Technology Presence service on Local Computer. Error 5: Access denied.

   • If you configured the Presence service for Skype for Business Online or Skype for Business on-premises using non-trusted application mode only, restart the Good Technology Common Services to enable the BEMS cache to use memory instead of Redis.

Obtain an Azure app ID for BlackBerry Work

If you are configuring Office 365 settings in the app configuration for BlackBerry Work, you may need to obtain and copy the Azure app ID for BlackBerry Work. If you need to obtain multiple Azure app IDs (for example, Docs, BEMS, and BlackBerry Connect), it is recommended that you create a separate app ID for each app.


1. Log on to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app. This is the name that users will see.
6. Select a supported account type.
7. In the Redirect URI drop-down list, select Public client (mobile & desktop) and enter com.blackberry.work://connect/o365/redirect
8. Click Register.
9. In the Manage section, click API permissions.
10. Click Add a permission.
11. In the Select an API section, click the Microsoft APIs tab.
12. Complete one or more of the following tasks:

Environment: Permissions

If your environment is configured to use Microsoft Office 365

a. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
b. Set the following permissions:

   • In delegated permissions, select the following permissions:

     • Sign in and read user profile checkbox (User > User.Read)
     • Send mail as a user checkbox (Mail > Mail.Send)

c. Click one of the following:

   • If Microsoft Graph existed in the API permissions, click Update permissions.

   • If you needed to add Microsoft Graph, click Create.

d. Click Add permissions.

If your environment is configured to use Microsoft Exchange Online for email

a. Click Exchange.
b. Set the following permissions:

   • In delegated permissions, select the Access mailboxes as the signed-in user via Exchange Web Services checkbox (EWS > EWS.AccessAsUser.All).

c. Click Add permissions.

If your environment is configured for Microsoft Exchange Online and uses Skype for Business Online for meetings

a. Click Skype for Business.
b. Select all delegated permissions.

   1. Click Delegated permissions.
   2. Click expand all. Make sure that all options are selected.

c. Click Add permissions.


If your environment is configured to use Microsoft SharePoint Online or Azure-IP to enable modern authentication for the BlackBerry Work client

a. Click the APIs my organization uses tab.
b. Search for and click the BEMS app that you created in Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service. For example, AzureAppIDforBEMS.
c. Select all delegated permissions.

   1. Click Delegated permissions.
   2. Click expand all. Make sure that all options are selected.

d. Click Add permissions.

13. Click Grant admin consent for <Organization name> to apply the permissions for the app. These settings will not be applied to the app until you have granted the updated permissions.
14. Click Yes.
15. You can now copy the Application ID for the app that you created. In the Manage section, click Overview. It is located under the name of the app, in the Application (client) ID field.

Configure Jabber for the Presence service

Complete this task only if you have a Cisco CM IM and Presence server in your environment.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Presence.
2. If necessary, click Service Account and type the login credentials for the BEMS service account.
3. Click Jabber.
4. In the Cisco Unified Communications Manager User Data Service (UDS) FQDN field, enter the FQDN of the Cisco Unified Communications Manager server that Jabber Presence Provider (JPP) needs to access and query the contact cards.
5. In the Cisco Unified Communications Manager User Data Service (UDS) port field, enter the Cisco Unified Communications Manager server port number that JPP uses with the ciscoUDSServer to query the contact cards. For example, 8443.
6. In the Presence SIP domain field, enter the domain that the Cisco Unified CM IM and Presence server is located in.
7. In the Cisco Unified Communications Manager Server User field, enter the Cisco Unified Communications Manager enduser. This is the user you created in Create a Dummy User. If you install multiple BEMS instances, you must use the same user account for each instance.
8. In the REST-based Client Configuration Web Service Endpoint field, enter the web address of the computer hosting the REST-based Presence Web Service. This must be the Cisco IM and Presence server that the dummy user is assigned to. For example, https://<Cisco IM and Presence FQDN>:8443/EPASSoap/service.
9. In the REST-based Presence Web Service Endpoint field, enter the web address of the computer hosting the REST-based Presence Web Service. This must be the Cisco IM and Presence server that the dummy user is assigned to. For example, https://<Cisco IM and Presence FQDN>:8083/presence-service.
10. In the Application Username field, enter the username of the application user. If you install multiple BEMS instances, you must use a different username for each instance.
11. In the Application Password field, enter the password of the application user.
12. In the BEMS Presence Keystore File Location field, enter the Java keystore file location that you imported the Cisco certificates into when you completed the task Import the CA certificate into the Java certificate store. For example, %JAVA_HOME%\lib\security\cacerts


13. Click Test to verify the fields are completed. The test does not verify that the information in the fields is accurate.
14. Click Save.

Manually configure the Presence service for multiple application endpoints

You can manually configure multiple application endpoints for BlackBerry Presence to load balance Presence requests between multiple endpoints on a single BEMS instance. Cisco Jabber, Skype for Business Online, and Skype for Business on-premises using non-trusted application mode do not support multiple application endpoints.

If you installed the Presence service on multiple computers, complete this task on each computer that hosts the Presence service.

Before you begin: You must have a Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Skype for Business setup in your environment.

1. On the computer that hosts BEMS, navigate to the LyncPresenceProviderService.exe.config file. By default, the LyncPresenceProviderService.exe.config file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence.
2. In a text editor, open the LyncPresenceProviderService.exe.config and record the values for the following properties:

   • UCMA_APPLICATION_NAME
   • LYNC_TRUSTED_APPLICATION_POOL
   • UCMA_ENDPOINT_SIP

3. Determine a naming convention for the additional Trusted Application Endpoints (virtual SIP addresses). By default, the format for the existing SIP Addresses is sip:presence_<BEMSFQDN>@<SIPDomain>. For example, sip:[email protected], sip:[email protected], and so on.
4. Create the additional Trusted Application Endpoints in the Microsoft Lync Server or Skype for Business topology using the information from steps 2 and 3 above. For instructions on creating additional Trusted Application Endpoints, see Prepare additional computers hosting BEMS.
5. In a text editor, open LyncPresenceProviderService.exe.config.
6. Locate the <ucmaEndpointSips> section. Add the value of the new additional application endpoints that you published in step 4. For example,

   <ucmaEndpointSips>
     <collection>
       <add item="sip:[email protected]" />
       <add item="sip:[email protected]" />
       <add item="sip:[email protected]" />
     </collection>
   </ucmaEndpointSips>

7. Specify the maximum contact subscriptions that each application endpoint can manage. By default, the MAX_SUBSCRIPTIONS_PER_ENDPOINT is 1000. You can specify a subscription value between 1 and 5000. For example, if you specify that each application endpoint can manage 2000 contact subscriptions, you would locate the MAX_SUBSCRIPTIONS_PER_ENDPOINT key and change the value as required.

   <add key="MAX_SUBSCRIPTIONS_PER_ENDPOINT" value="2000" />


Note: Specifying the MAX_SUBSCRIPTIONS_PER_ENDPOINT doesn't load balance the subscriptions across all endpoints. It assigns 2000 subscriptions to the first endpoint before assigning the next 2000 subscriptions to the next endpoint.

8. Save the file.
9. Restart the Good Technology Presence service from the Windows Service Manager.
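The following check is an added example, not part of the BlackBerry guide or the product: it reads the two settings edited in steps 6 and 7, flags malformed or duplicate endpoints and an out-of-range limit, and models the fill-first assignment described in the Note. The SIP addresses, the <configuration> and <appSettings> wrapper elements, and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_LIMIT = 1000             # default stated in step 7
LIMIT_MIN, LIMIT_MAX = 1, 5000   # allowed range stated in step 7

# Constructed sample input. The SIP addresses and the <configuration> and
# <appSettings> wrappers are assumptions, not values taken from the guide.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="MAX_SUBSCRIPTIONS_PER_ENDPOINT" value="2000" />
  </appSettings>
  <ucmaEndpointSips>
    <collection>
      <add item="sip:presence_bems01.example.com@example.com" />
      <add item="sip:presence2_bems01.example.com@example.com" />
      <add item="sip:presence3_bems01.example.com@example.com" />
    </collection>
  </ucmaEndpointSips>
</configuration>"""


def audit_presence_config(xml_text):
    """Return (endpoints, limit, problems) for a config document.

    limit is None when the configured value is not an integer in 1-5000.
    """
    root = ET.fromstring(xml_text)
    problems, endpoints, seen = [], [], set()

    # Step 6: every <add item="..."/> below <ucmaEndpointSips> is an endpoint.
    section = root.find(".//ucmaEndpointSips")
    if section is None:
        problems.append("no <ucmaEndpointSips> section")
    else:
        for node in section.iter("add"):
            sip = (node.get("item") or "").strip()
            if not sip.lower().startswith("sip:") or "@" not in sip:
                problems.append(f"malformed endpoint address: {sip!r}")
            elif sip.lower() in seen:
                problems.append(f"duplicate endpoint: {sip}")
            else:
                seen.add(sip.lower())
                endpoints.append(sip)
        if not endpoints:
            problems.append("no usable endpoints listed")

    # Step 7: the per-endpoint limit; the default applies when the key is absent.
    limit = DEFAULT_LIMIT
    for node in root.iter("add"):
        if node.get("key") == "MAX_SUBSCRIPTIONS_PER_ENDPOINT":
            raw = (node.get("value") or "").strip()
            if raw.isdigit() and LIMIT_MIN <= int(raw) <= LIMIT_MAX:
                limit = int(raw)
            else:
                problems.append(
                    f"MAX_SUBSCRIPTIONS_PER_ENDPOINT={raw!r} is not an "
                    f"integer between {LIMIT_MIN} and {LIMIT_MAX}")
                limit = None
            break
    return endpoints, limit, problems


def fill_first(endpoints, limit, subscriptions):
    """Model the Note: each endpoint is filled to the limit before the next.

    Returns (plan, overflow); overflow > 0 means the listed endpoints cannot
    hold that many contact subscriptions.
    """
    plan, remaining = [], subscriptions
    for sip in endpoints:
        take = min(limit, remaining)
        plan.append((sip, take))
        remaining -= take
    return plan, remaining


if __name__ == "__main__":
    eps, lim, issues = audit_presence_config(SAMPLE_CONFIG)
    for issue in issues:
        print("PROBLEM:", issue)
    if lim is not None:
        plan, overflow = fill_first(eps, lim, 4500)
        for sip, count in plan:
            print(f"{count:5d}  {sip}")
        print("unassigned subscriptions:", overflow)
```

Run it against a copy of the file's contents before restarting the service; with the fill-first behaviour, endpoints late in the list stay idle until the earlier ones reach the limit.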

Configuring BlackBerry UEM for BlackBerry Presence

BlackBerry Presence is one of three services, along with BlackBerry FollowMe and BlackBerry Directory Lookup, enabled through BlackBerry UEM using the Good Enterprise Services entitlement app. You add BEMS as the application server to the Good Enterprise Services entitlement once to enable all three services.

If you completed Configuring BlackBerry UEM for BlackBerry Work, BlackBerry Tasks, and BlackBerry Notes when you configured the BlackBerry Push Notifications, no additional configuration is required.

Configuring the Presence service for high availability

The BlackBerry Presence service supports high availability by adding additional BEMS servers running the Presence service.

When you configure Presence for high availability, you perform the following actions:

1. Configure each new Presence instance to use the same BlackBerry Proxy server.
2. Add the new computer hosting the Presence service instance to BlackBerry UEM.
3. If you installed the Presence service on a separate computer, configure each computer with the Presence service instance for the BlackBerry Presence Service (com.blackberry.gd-service.entitlement.presence) app.

Configuring Presence service for disaster recovery

Disaster recovery for BlackBerry Presence is based on an active/warm standby clustering model.

Before you add a Presence instance for disaster recovery, you complete the following actions. If you installed the Presence service on multiple computers, complete this task on each computer that hosts the service.

1. Evaluate your Microsoft Lync Server or Skype for Business disaster recovery strategy.

   If you have separate Front End pools for disaster recovery, it is recommended that you create a separate Trusted Application Pool for your BlackBerry Connect instances. This separate Trusted Application Pool should be associated with the disaster recovery Front End pool. Associate all disaster recovery BlackBerry Connect instances to this Trusted Application Pool. If you don’t have separate Front End pools for disaster recovery, then using a single Trusted Application Pool is fine, although you must make sure your Lync disaster recovery strategy properly preserves the Trusted Application Pool in event of a failover.

   Note: Presence and Connect can use the same Trusted Application Pool for disaster recovery.

2. Ensure that the appropriate network ports are open to allow Connect servers in your disaster recovery site to communicate with the database, Microsoft Lync Server or Skype for Business Server, Microsoft Lync Server or Skype for Business database, and BlackBerry Proxy servers in your disaster recovery and Primary site.

Add a new Presence service instance for disaster recovery

Complete this task only if you installed the Presence service on a separate computer.

Allow your disaster recovery BlackBerry Presence instance server host and port in BlackBerry UEM. Make sure to specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services.


After you finish: After the disaster recovery Presence instance is installed and configured, stop the Good Technology Presence service. This places the Presence instance for disaster recovery in warm standby.

Failover in disaster recovery

1. Stop the Good Technology Connect service on all your primary Connect instances.
2. Start the Good Technology Connect service on your disaster recovery Connect instance.

Using friendly names for certificates in Presence

Note: Friendly names for certificates only apply to environments that use a Microsoft Lync Server or Skype for Business on-premises using trusted application mode.

The friendly name of a certificate can be helpful when multiple certificates with a similar subject exist in a certificate store. Friendly names are properties in the X.509 certificate store that associate aliases with certificates so they can be easily identified.

You can restrict certificates used for BlackBerry Presence to a friendly name by completing the following actions:

1. If you do not have one, create and enroll a certificate.
2. Change the certificate friendly name description.
3. Set the new certificate friendly name string value in the BEMS Lync Presence Provider (LPP) service configuration file (LyncPresenceProviderService.exe.config).

If you do not already have a certificate, you can create and verify a BEMS SSL certificate for Lync. For more information, see SSL certificate requirements for Microsoft Lync Server and Skype for Business.

Change the certificate friendly name description

1. Open the Microsoft Management Console (MMC).
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins column, click Certificates > Add.
5. Select Computer account. Click Next.
6. Select Local Computer. Click Finish.
7. Click OK.
8. Click Certificates (Local Computer) > Personal > Certificates.
9. Double-click the certificate you want to change.
10. Click the Details tab.
11. In the Show drop-down list, click <All>.
12. Click Edit Properties.
13. In the Friendly name field, type a friendly name.
14. In the Description field, type a description.
15. Click Apply.
16. Click OK. Click OK again.

After you finish: Specify the certificate's friendly name in the configuration file for the Connect service.

Add the certificate friendly name to the Presence server configuration file

Before you begin: Specify the certificate friendly name. 


1. In a text editor, open the LyncPresenceProviderService.exe.config file. By default, the LyncPresenceProviderService.exe.config file is located in <install path>\Technology\BlackBerry Enterprise Mobility Server\BlackBerry Presence\.
2. Locate the existing entry for <add key="RESTRICT_CERT_BY_FRIENDLY_NAME" value=""/> and enter the certificate friendly name in the value property. For example: <add key="RESTRICT_CERT_BY_FRIENDLY_NAME" value="<cert_friendly_name>" />. The key value is case sensitive.
3. Save your changes.
4. Start the Good Technology Presence service.

Troubleshooting BlackBerry Presence Issues

BEMS-Presence logs information in the log files and saves them to the bemslogs folder. These log files are required when troubleshooting Presence issues. If your environment is configured for Microsoft Lync Server or Skype for Business on-premises using trusted application mode, additional log text files, LPP-log.txt, are created.

Finding log files

By default, a server log file is created for each BEMS server and is stored daily on the computer that hosts BEMS.

BEMS-Core names the log files gems_<server_name_time stamp>.log.

By default, the BEMS log files are stored daily in C:\BlackBerry\bemslogs.

Note: The timestamp is reset daily at 0:00. It is also reset each time that the Presence service is restarted and when the file size is a maximum of 100 MB.

A new log file is not generated when the Presence service is restarted. When the log file reaches 10 MB, a new log is created. When 20 log files are created, the older log files are automatically deleted.

When using BEMS-Presence for Microsoft Lync Server or Skype for Business on-premises using trusted application mode, the Presence service also writes Lync Presence Provider log files and names files LPP-log.txt. By default, the BEMS Presence log files are stored in C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence\Logs\

Configuring the BlackBerry Docs service

You use the BEMS dashboard to configure and maintain document/file repositories (for example, file shares, Microsoft SharePoint, Box, and CMIS-supported content management systems) and user access policies for mobile app users of the service.

When you configure the BlackBerry Docs service, you configure the following components:

1. Configure the Web Proxy.
2. Configure the Database.
3. Confirm the Repositories.
4. Configure storages.
5. Configure the Settings.
6. Configure Audit.


Configure a web proxy server for the Docs service

If you use a web proxy to connect your enterprise servers to the Internet for Microsoft SharePoint, Microsoft SharePoint Online, and Microsoft Office Web Apps (OWAS), you must enable Use Web Proxy and configure its address, port, and authentication type for the Docs service.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Web Proxy.
3. Select Use Web Proxy.
4. In the Proxy Address field, type the FQDN of the web proxy server.
5. In the Proxy port field, type the port number of the proxy server.
6. In the Proxy Server Authentication Type drop-down list, click an authentication type. If you select Basic or NTLM authentication, enter the required login credentials.
7. Click Test to verify the connection to the proxy server.
8. Click Save.

Configure the database for the BlackBerry Docs service

In configuring your Microsoft SQL Server database for BEMS-Docs, you have a choice of using either Windows Authentication or SQL Authentication for granting access to the database by BEMS. After restarting the Good Technology Common Services, perform the steps below for either Windows Authentication or SQL Authentication.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Database.
3. Enter the Microsoft SQL Server name and password.
4. In the Authentication Type drop-down list, select one of the following options:

   • If you select Windows Authentication, the credentials for the Windows service account configured for the BlackBerry Connect service are used.

   • If you select SQL Server Login, enter the Microsoft SQL Server username and password.

5. If your organization uses AlwaysOn support for SQL Server, in the Additional Properties field, type MultiSubnetFailover=true.
6. Click Test to verify the connection with the Microsoft SQL Server database.
7. Click Save.
8. Restart the Good Technology Common Services service.

Repositories

The Docs service furnishes your end users with access to stored enterprise data from their mobile devices. A Docs repository (also called a "share") lives on an enterprise server containing files shared by authorized users.

Before you configure your repositories, configure the Docs security settings, and then configure BlackBerry UEM to entitle your users so that they can access the repositories you add and define from their devices. For more information about setting up and maintaining your enterprise shares in BEMS and the associated user access, see Managing Repositories.

Storage services

BEMS is installed with support for several storage service providers, including File Share, Microsoft SharePoint, Microsoft SharePoint Online, and Box.


You can also add a new storage service if you need to use a service that is not displayed, or your environment requires customized storage service settings. The following table lists the available storage providers and when they should be used.

Storage provider: Description

Box: By default, BEMS allows corporate box.com cloud storage users to view the Box repositories using BlackBerry Work Docs. If you delete the predefined Box storage, the hidden authentication parameters are also removed. For more information about determining if you are using a non-default Box storage and how to re-add the default Box storage, visit support.blackberry.com/community to read article 48469.

CMIS: You can add storage services that utilize the Content Management Interoperability Services (CMIS) protocol, an open standard that allows different content management systems to inter-operate over the Internet. Note: Only Microsoft Active Directory users are supported for CMIS. This requires that the content management system is connected to a Microsoft Active Directory for user authentication for Docs to support it.

FileShare: This storage provider allows BEMS to communicate with the FileShare server. If your environment is configured for a specific version of SMB or CIFS protocol to access a File Share, BEMS must be installed on a compatible Windows operating system. Refer to your Microsoft documentation for more information on compatibility.

SharePoint: If your environment uses a supported version of Microsoft SharePoint or Microsoft SharePoint Online, this storage provider allows BEMS to determine the appropriate storage provider to use to communicate with your version of SharePoint.

SharePoint 2010: Use this storage provider for BEMS to communicate with Microsoft SharePoint 2010 using the SOAP protocol.

SharePoint 2013: Use this storage provider for BEMS to communicate with supported versions of Microsoft SharePoint 2013 and later, and Microsoft SharePoint Online using the REST protocol.

For more information about supported versions of Microsoft SharePoint, see the BEMS Compatibility Matrix.

Add a storage service

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.2. Click Storages. A list of storage providers is displayed.3. Click New Storage.4. In the Storage name field, type a name for the storage.5. In the Storage provider drop-down list, select a service provider. For more information about storage services

and when each storage provider should be used, see Storage services.6. In the Authentication Provider drop-down list, select an authentication provider. For information about

authentication providers and the storage provider that each can be used for, see Authentication providers. 7. To make the storage available on user devices, select the select the Enable Storage checkbox.

It may take up to an hour or a restart of the apps for storage changes to take effect on user devices. It maytake up to five minutes for the changes to take effect on the server. Enabling and disabling storage providerson this page affects what storage resources are visible at any given time for users, but has no such impact

 | Configuring BEMS services | 79

Page 80: environment BEMS in a BlackBerry UEM · 2020. 8. 14. · Configuring HTTPS for BEMS to BlackBerry Proxy.....15 Assign the BEMS SSL certificate to users.....16 Download certificates

on the server. If this option is not selected, users can't access the fileshare and receive the following errormessage on the device: Data sources could not be retrieved. Unable to connect to the server.

After you finish: Add repositories in the storage provider. For instructions, see Managing Repositories

Authentication providers

The following table lists the available authentication providers and the storage provider that each can be used for. For instructions on adding storage services, see Add a storage service and Enable modern authentication for Microsoft SharePoint Online.

Authentication Provider | Storage provider
Windows - Explicit Credentials | FileShare, SharePoint
Windows - Kerberos Constrained Delegation | FileShare, SharePoint
OAuth2 | Box
Explicit Credentials | Workspaces
Modern | SharePoint Online

Configure the Docs security settings

Docs security settings control acceptable Microsoft SharePoint Online domains, the URL of the approved Microsoft Office Web Apps (OWAS), the appropriate LDAP domains to use, whether you want to use Kerberos constrained delegation for user authentication, and Azure-IP authentication. Delegation allows a service to impersonate a user account to access resources throughout the network. Constrained delegation limits this trust to a select group of services explicitly specified by a domain administrator.

Before you begin: Verify that one or more of the following are configured in your environment:

• Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring Kerberos constrained delegation for the Docs service.
• Resource-based Kerberos constrained delegation for the BlackBerry Docs service is configured in your environment. For instructions, see Configuring resource based Kerberos constrained delegation for the Docs service.
• If your environment is configured to use Azure-IP, make sure that you have the following information. For instructions, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
  • Azure Tenant Name
  • BEMS Service Azure Application ID
  • BEMS Service Azure Application Key
• Optionally, you can configure BEMS to allow users to authenticate to Microsoft SharePoint Online with an email address that is different from the email address that was used to install and activate BlackBerry Work. For instructions, see Enable the use of an alternate email address to authenticate to BEMS-Docs.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. Select the Enable Kerberos Constrained Delegation checkbox to allow Docs to use Kerberos constrained delegation.
4. Enter each of the Microsoft SharePoint Online domains you plan to make available, separated by commas. For more information, see Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business.
5. Enter the URL for your approved Office Web App Server.
6. Provide your Microsoft Active Directory user domains (separated by commas), then enter the corresponding LDAP Port. LDAP (Lightweight Directory Access Protocol) is used to look up users and their membership in user groups.
7. Select the Use SSL for LDAP checkbox for secure communication with your Microsoft Active Directory servers.
8. Add the Workspaces Public Key. Adding the public key allows BEMS and the BlackBerry Workspaces server to communicate with each other. For more information about locating the public key, contact BlackBerry Technical Support Services.
9. Select the Enable Azure Information Protections check box to allow Docs to authenticate to Azure-IP. Complete the Azure registration fields to authenticate Docs to Azure-IP, which allows Docs to decrypt protected documents and confirm the rights any given user has on a document. For instructions about obtaining the Azure registration fields, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
10. Click Save.
11. Restart the Good Technology Common Services for the changes to take effect.

Enable cross-origin resource sharing support to BEMS-Docs

You must set the AllowedCorsOrigins parameter in BEMS to allow cross-origin resource sharing (CORS) for Docs Self-service API calls. For more information about Docs Self-Service web console functions, see the Docs REST API reference guide.

1. Sign in to the computer that is running the BEMS-Docs service.
2. In a browser, open the BEMS Karaf Console Configuration web site. Type https://localhost:8443/system/console/configMgr and log in as an administrator with the appropriate Microsoft Active Directory credentials.
3. On the menu, click Main > Gogo.
4. In the command, type the following to add the CORS origin to the list of origins that can access the BEMS-Docs service: docs:config AllowedCorsOrigins "https://domain1.com:8080,https://domain2.com:8089". Separate the CORS URLs with a comma and no space.
5. Close the browser.
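A pre-flight check for the value passed to docs:config AllowedCorsOrigins in step 4, as an added example that is not part of the BlackBerry guide. The function names are hypothetical, and refusing wildcard, "null" and plain-http origins is an assumed local policy rather than documented BEMS behaviour; dropping the scheme's default port matches how browsers serialize the Origin header.

```python
"""Build the AllowedCorsOrigins value for the BEMS Gogo console (added example).

Assumptions, not taken from the BlackBerry guide: the function names, and the
policy of refusing wildcard, "null" and plain-http origins.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(raw, allow_http=False):
    """Return (origin, None) for a usable entry or (None, reason) otherwise."""
    text = raw.strip()
    if not text:
        return None, "empty entry"
    if any(ch.isspace() for ch in text) or "," in text or '"' in text:
        return None, "contains whitespace, a comma or a quote"
    if "*" in text or text.lower() == "null":
        return None, "wildcard or null origin"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None, "malformed URL or port"
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or (scheme == "http" and not allow_http):
        return None, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return None, "credentials are not part of an origin"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None, "an origin has no path, query or fragment"
    host = parts.hostname
    if not host:
        return None, "missing host"
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = "[" + host + "]"
    # Browsers omit the scheme's default port when they send the Origin header.
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    return f"{scheme}://{host}", None


def audit_origins(origins, allow_http=False):
    """Split candidate entries into (accepted, rejected); accepted is de-duplicated."""
    accepted, rejected = [], {}
    for raw in origins:
        origin, reason = normalize_origin(raw, allow_http)
        if origin is None:
            rejected[raw] = reason
        elif origin not in accepted:
            accepted.append(origin)
    return accepted, rejected


def build_cors_command(origins, allow_http=False):
    """Return the Gogo command, joining origins with a comma and no space."""
    accepted, rejected = audit_origins(origins, allow_http)
    if rejected:
        raise ValueError(f"refusing to build command, bad entries: {rejected}")
    if not accepted:
        raise ValueError("no origins supplied")
    return 'docs:config AllowedCorsOrigins "' + ",".join(accepted) + '"'


if __name__ == "__main__":
    # Constructed input: the two origins from the guide's example plus typical mistakes.
    candidates = [
        "https://domain1.com:8080",
        " https://Domain2.com:8089/ ",
        "https://domain1.com:8080",
        "https://*.domain1.com",
        "http://domain2.com:8089",
        "https://domain1.com:8080/selfservice",
    ]
    good, bad = audit_origins(candidates)
    for entry, why in bad.items():
        print(f"rejected {entry!r}: {why}")
    print(build_cors_command(good))
```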

Enable the use of an alternate email address to authenticate to BEMS-Docs

You can configure BEMS to allow users to authenticate to Microsoft SharePoint Online with an email address that is different from the email address that was used to install and activate BlackBerry Work. Complete this task only if your environment is configured to use one of the following:

• If your environment is configured to use Windows authentication, you can configure BEMS to use the UserPrincipalName (UPN), email address or any other Active Directory attribute to authenticate to Microsoft SharePoint Online. By default, the UserPrincipalName attribute is used.
• If your environment uses modern authentication, you can configure BEMS to disable validating the email address when users authenticate to Microsoft SharePoint Online or the environment uses Azure-IP.

1. Sign in to the computer that is running the BEMS-Docs service.
2. In a browser, open the BEMS Karaf Console Configuration web site. Type https://localhost:8443/system/console/configMgr and log in as an administrator with the appropriate Microsoft Active Directory credentials.
3. On the menu, click Main > Gogo.
4. In the command, type one of the following commands:

Task | Attribute | Description
Authenticate to Microsoft SharePoint Online using mail | docs:config SAMLUsernameAttribute mail | Allows users to use their email address to authenticate to Microsoft SharePoint Online instead of the user's userPrincipalName. To use the users' UPN again to authenticate, type docs:config SAMLUsernameAttribute UserPrincipalName
Disable user validation when authenticating to one of the following: Microsoft SharePoint Online configured for modern authentication; Azure-IP | docs:config adal.uservalidation.skip 1 | Disables validation of the user's email address.

5. Close the browser.

Configure your Audit properties

Your Audit settings enable or disable the Docs service audit logs. When you enable audit logs, actions are logged to the database (for example, user downloads, deletions, browsing history, and files created).

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Audit.
3. On the Audit Settings tab, select the Enable Audit Logs checkbox.
4. In the Audit Operations section, select the audit operations you want the log files to include logging for.
5. Click Save. It can take up to two minutes for the changes to take effect.
6. Optionally, on the Audit Purge tab, in the Purge audit logs from the database before field, select a purge-before date. Click Purge to remove audit records logged to the database earlier than the purge date selected.

After you finish:

• Configure BlackBerry UEM to entitle your users, using user groups, to use the Docs service. Following user entitlement, see Managing Repositories to set up your file shares, SharePoint sites, and Box storage.

• View the Docs service audit report

View the Docs service audit report

These steps require that you have Microsoft SQL Server and permissions to access it, and that the Microsoft SQL Server Reporting Services are available. For more information, see your SQL Server documentation or contact your SQL Server administrator.

Before you begin: .

1. With SQL Server administrator permissions, in a browser, open Microsoft SQL Server Reporting Services. By default, the web address is http://<SQL Server hostname>/reports
2. Start the Report Builder.
3. Create a new report.
4. Create a data source connection. Specify the following fields:
   • Name field: Enter a descriptive name for the report (for example, docs_audit_report_date)
   • Select Connection type drop-down: Select Microsoft SQL Server.
   • Connection string field: If required, enter a string that points to the Docs DB FSBAudit table.
5. Design the query. Specify the following settings:
   • Database view column: under Tables, select FSBAudit and AuditActionType.
   • Select fields section: make a relationship between the two tables. Click ActionName > AutoDetect.
   • Arrange fields screen: arrange the fields to group the data and values to how you want them to display. For example, if you create a report that is based on the username, you would specify the following:
     • Available fields column: select ActionPath.
     • Row groups column: select Username to display the username that completes the action in the report.
     • Values column: specify the values to display in the table (for example, action time, action type, and action path).
       • ActionTime provides information for when the action occurred.
       • ActionType details the action (for example, accessing or downloading a file).
       • ActionPath provides the path to the file for which the action was completed.
6. Save the settings and run the report. The report is saved to the Microsoft SQL Server Reporting Services.
7. Double-click the report that you want to view.

Add an app server hosting the BlackBerry Docs app to a BlackBerry Dynamics connectivity profile

If you have a BlackBerry Docs app that is served from an app server or web server, you can specify the name of that server and the priority of the BlackBerry Proxy clusters used for communication with it.

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click   to create a new connectivity profile or click the BlackBerry Dynamics connectivity profile that you want to add an app server to.
4. If necessary, click  .
5. Under App servers, click Add.
6. Select the Feature - Docs Service Entitlement app that you want to add an app server for.
7. Click Save.
8. In the table for the app, click  .
9. In the Server field, specify the FQDN of the BEMS server.
10. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the server. By default, the port is 8443.
11. In the Priority drop-down list, specify the priority of this or these servers as primary.
12. In the Primary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster (primary cluster 1) that you want to set as the primary cluster.
13. In the Secondary BlackBerry Proxy cluster drop-down list, specify the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
14. Click Save.


Configuring BlackBerry UEM for the BlackBerry Docs service

For users to access, synchronize, and share documents natively using their enterprise file server, SharePoint, Box, and content management systems supporting CMIS, without the need for VPN software, firewall reconfiguration, or duplicate data stores, app entitlements must be assigned to the organization before the users can use the BlackBerry Docs app. For more information about managing BlackBerry Work, see the BlackBerry Work, BlackBerry Notes, and BlackBerry Tasks Administration content.

Configuring Docs for Rights Management Services

Active Directory Rights Management Services (AD RMS) and Azure-IP RMS from Microsoft allow documents to be protected against access by unauthorized people by storing permissions to the documents in the document file itself. Access restrictions can be enforced wherever the document resides or is copied or forwarded to. For documents to be protected with AD RMS or Azure-IP RMS, the app that the document is associated with must be RMS aware. For more information about AD RMS and Azure-IP RMS, visit Comparing Azure Information Protection and AD RMS.

Note: For this release, BEMS doesn't support both the AD RMS and Azure-IP RMS in the same environment. 

Support for RMS protected documents is provided through two methods: 

• In Docs and BlackBerry Work, support for RMS protected documents is provided through the Microsoft Office Web Apps server with viewing and editing enabled through the BlackBerry Access browser. Note that while BlackBerry Access browser is a BlackBerry Dynamics app with all the secure features it provides, it has only partial support for RMS features.

• In BlackBerry Work, support for RMS protected documents is provided directly in BlackBerry Work and through BlackBerry Work.

The following table compares the features of RMS protected documents in BlackBerry Work and through BlackBerry Access. These features require a client that is RMS aware.

Features

RMS protected documents directly in BlackBerry Work:
• View protected documents directly in BlackBerry Work. This feature requires BEMS 2.10 or later.
• Protect unprotected documents in BlackBerry Work. This feature requires BEMS 2.12 or later.
• Change permissions for documents in BlackBerry Work. This feature requires BEMS 2.12 or later.
• Upload a new file and save it as protected. This feature requires BEMS 2.12 or later and BlackBerry Work app 2.18 or later.

RMS protected documents through BlackBerry Access:
• View and edit protected documents in Docs and BlackBerry Work through the BlackBerry Access browser.

Security

• Users can save what is on screen as a web clip and this screenshot file can be shared with other BlackBerry Dynamics apps. Mitigation is to disable web clips in the BlackBerry Access policy.
• Share the Microsoft Office Web Apps URL that is used to render the document viewing or editing with other BlackBerry Dynamics apps. The URL expires in thirty minutes but during this time, other BlackBerry Dynamics apps might be able to access it without any authentication. For example, if it is shared with BlackBerry Work, the URL can be emailed to others. If it is shared with a BlackBerry Dynamics app that allows printing, then the page that is rendered might be printed. Mitigation would be to enable user agent in the BlackBerry Access policy and then use it to create filtering rules in the Microsoft Office Web Apps server so that only BlackBerry Access is able to access the URL. The Microsoft IIS URL Rewrite extension can be used to create the rules.
• Users can save what is on screen as a web clip and this screenshot file can be shared with other BlackBerry Dynamics apps. Mitigation is to disable web clips in BlackBerry Access policy.
• When editing a document, copy and paste of content is possible, under the default policies, only within the BlackBerry Dynamics secure container environment. Ensure that the protection provided is adequate given these limitations and satisfies your RMS protection requirements before enabling this support.

Rights Management Services restrictions

The following Rights Management Services (RMS) restrictions are respected by the Docs service:

• View right is required to view documents.
• Edit right is required to edit documents.
• Print or Export rights are required to convert documents to PDF.
• If a user is the owner of a document and the "Grant owner full control" right is set, then viewing, editing, and converting to PDF is allowed.
• If the current date is beyond the content expiry date, then no access to the document is allowed except when the user is owner and the "Grant owner full control" right is set.
• Revocation of rights is respected.
• Use licenses are acquired on every use of the document.
• Both template-based and custom protection on documents are honored.


Docs deployment for Active Directory Rights Management Services support

1. On the computer that hosts BEMS, install the Rights Management Services Client 2.1. To download the client, visit www.microsoft.com/downloads and search for ID=38396.
2. If using self-signed certificates in AD RMS server, add the SSL certificate for https://<AD RMS server URL> to the trusted CA list.
3. In Internet Explorer, add https://<AD RMS server URL> to the Local Intranet site list.
4. Install the Docs service with BEMS common services service running as a domain user.
5. If a super users group is not already configured in AD RMS server, configure one. Then add BEMS process user (BEMS common services service user) to this AD RMS super users group.
6. On the AD RMS server, find the file %systemdrive%\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx and add Read and Read & Execute permissions for the following:
   • The "AD RMS Service Group".
     Note: The AD RMS Service Group is a local group and not a domain group.
   • The computer account for each of the BEMS servers.
   • The BEMS common services service user.

Steps to deploy Azure IP Rights Management Services support for the Docs service

When you configure Azure IP RMS support for the Docs service, you complete the following steps:

Step | Action
1 | On the computer that hosts BEMS, install the Rights Management Services Client 2.1. To download the client, visit www.microsoft.com/downloads and search for ID=38396.
2 | Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
3 | If necessary, migrate any labels that you need in the environment. Note: BEMS-Docs service only supports migrated unified labels. For instructions to migrate labels, visit https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels.
4 | Convert protection templates to labels. For more information about converting templates to labels, visit https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-templates and read "To convert templates to labels".
5 | Configure the Docs security settings

Configuring the Docs instance for high availability

When you configure Docs for high availability, you perform the following actions:

1. Configure each new Docs instance to use the existing database.
2. Configure each new Docs instance to point to the same BlackBerry Proxy server.
3. Add the computer that hosts the Docs service to the entitlement.

Configuring the Docs service for disaster recovery

Disaster Recovery for Docs is based on an active/warm standby clustering model.

Before you add a Docs instance for disaster recovery, you complete the following actions:

1. Evaluate the disaster recovery strategy for your network resources such as File Share, Microsoft SharePoint, Microsoft Office Web Apps (OWAS), and so forth, then make sure your network resources are accessible from your disaster recovery site in the event a disaster recovery situation arises.
2. Configure database replication for the Docs database from your primary site to your disaster recovery site. SQL log shipping is recommended. Consult your database administrator for assistance.
3. Ensure that the appropriate network ports are open to allow Docs servers in your disaster recovery site to communicate with the database, network resources, and Good Proxy servers in your disaster recovery and Primary sites.

Add a new Docs instance for disaster recovery

1. Configure your disaster recovery Docs instance to use the Docs database in your primary site.
2. Allow the disaster recovery server that hosts the BlackBerry Docs instance in BlackBerry UEM. Make sure your disaster recovery Docs instance uses the primary BlackBerry Proxy server in the cluster.
3. Configure your disaster recovery Docs instance in BlackBerry UEM for the BlackBerry Work App. Make sure the Priority is set to Secondary or Tertiary.
4. Add the server, or servers if the Docs service is installed on a separate computer, to the entitlement. Make sure to specify the BlackBerry Proxy cluster of the new site as the primary proxy cluster for these services.

After you finish: After the disaster recovery Docs instance is installed and configured, stop the Good Technology Common Services. This places the disaster recovery Docs instance in warm standby.

Allow the disaster recovery server that hosts the BlackBerry Docs instance in BlackBerry UEM

Complete this task only if you installed the BEMS services on separate computers. 

1. On the menu bar, click Policies and Profiles.
2. Click Networks and Connections > BlackBerry Dynamics connectivity.
3. Click   to create a new connectivity profile or click on the Default connectivity profile to edit it.
4. In the App servers section, click Add.
5. Search for and select Feature - Docs Service Entitlement (com.good.feature.share).
6. Click Save.
7. In the table for the app, click  .
8. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
9. In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server. By default, the port is port 8443.
10. In the Priority drop-down list, specify the priority of the BlackBerry Proxy cluster that must be used to reach the domain. Select Secondary or Tertiary. Make sure you select the BlackBerry Proxy cluster of the new cluster.
11. Click Save.

Failover in disaster recovery

1. Stop the BlackBerry Common Services on all your Primary Docs instances.
2. Fail over your Docs database on your database server (for example, make the Docs database in your disaster recovery site active).
3. Fail over your database FQDN DNS to your disaster recovery database server.
   If you were not able to fail over the database DNS, then you must log in to the BEMS Dashboard and update the Docs database information to point to your disaster recovery database server. Restart the BlackBerry Common Services for the new database settings to take effect.
4. Start the Good Technology Common Services on your disaster recovery Docs instance.
5. If you also failed over your BlackBerry Proxy servers in this process, you must update the BlackBerry Proxy information in the BEMS Dashboard for the Docs service.

Managing Repositories

BEMS has the following repository storage providers:

Storage repository | Description
File Share | A secure directory on an enterprise file server containing shared files and sub-directories which can be remotely accessed.
SharePoint, SharePoint Online | A secure web server containing shared files which are accessed via the Internet. If your environment is configured for Microsoft OneDrive for Business, the SharePoint Online storage repository is used.
Box | A secure cloud storage account furnished by box.com containing shared files which can be accessed via the Internet.
CMIS-based | Content Management Interoperability Services (CMIS) is an open standard that allows different content management systems to inter-operate over the Internet.

A repository is further categorized in the Docs service by who added and defined it.

Storage repository | Description
Admin-defined | Storage provider sites added and maintained by BEMS administrators to which individual users and user groups are granted access.
User-defined | Sites added by individual end users from their mobile devices to which you, as the BEMS administrator, may rescind and reinstate mobile-based access in accordance with your enterprise IT acceptable-use policies.

Configuring repositories

The Repository configuration page has the following three tabs that you can configure:

Tabs | Description
Admin defined | Allows you to create and manage repositories, add and remove users and user groups, and assign users and user groups file access and use permissions.
User defined | Allows you to add and remove users and user groups, enable and disable the ability of users and user groups to create user-defined repositories, and grant and rescind permissions to perform a range of file-related actions on their user-defined repositories.
Users | Allows you to search for a user in a Microsoft Active Directory domain to view the repositories permitted by path or override, and who defined the share (for example, administrator or user).

Admin-defined shares 

Shares are document repositories for a particular storage provider. You can further organize your administrator-defined shares into lists. A named (defined) share, however, can only belong to one list. This is enforced to help you avoid unwanted or unintended duplication.

When you define repositories and lists, you perform the following actions:

Step | Action
1 | Define a repository.
2 | Define a repository list.
3 | Define user and user group access permissions.

Granting user access permissions

Access permissions are defined for a single repository or inherited from an existing list of repositories. Permissions can be selectively granted to existing Microsoft Active Directory domain users and user groups. At least one user or user group must be added to the repository definition to configure access permissions.

The following table lists the access permissions and the default setting that are available.

Permission | Permissions Attributes | Default setting
List (Browse) | View and browse repository content (for example, subfolders and files) in a displayed list, and sort lists by Name, Date, Size, or Kind | Enabled
Delete Files | Remove files from the repository | Enabled
Read (Download) | Download repository files to the user's device and open them to read | Enabled
Write (Upload) | Upload files (new/modified) from user's device to the repository for storage | Enabled
Cache (Offline Files) | Temporarily store a cache of repository files on the device for offline access. You can designate files and folders to synchronize to users' BlackBerry Work Docs app Offline folder. | Enabled
Open In | Open a file in a format-compatible app on the device | Enabled
Create Folder | Add new folders to the repository | Enabled
Copy/Paste | Copy repository file content and paste it into a different file or app | Enabled
Check In/Check Out | When a file is checked out, the user can edit, close, reopen, and work with the file offline. Other users cannot change the file or see changes until it is checked back in | Enabled (SharePoint only)
Generate Shared Link | Users can generate a link to a file and folder and send the link to recipients. The Generate Shared Link requires an updated BlackBerry Work app. | Enabled (Box only)

Change access permissions

1. On the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click a repository or list.
5. Under Access Permissions, beside the user or user group, select or clear the permission checkbox that you want to change.
6. Click   beside a user or user groups that you want to remove.
7. Click Save.

Define a repository

Microsoft Active Directory users and groups must be added to a repository definition or a list definition before access permissions can be configured. Users and groups added automatically receive the default access permissions.

Before you begin: For users to access their Microsoft SharePoint repositories on their devices, make sure that they have the "Read" permission level and the "Browse Directories" permission assigned.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click New Repository.
5. In the Display Name field, type the name of the repository that will be displayed to users granted mobile access to the repository. The repository name must be unique and can contain spaces. The following special characters cannot be used due to third-party limitations:
   • Microsoft SharePoint 2010, 2013, 2016, and 2019: ~ " # % & * : < > ? / \ { | }
   • File Share: \ / : * ? " < > |
   • Box: \ / |
6. In the Storage drop-down list, select a storage provider. If you select SharePoint or SharePoint Online, and the share is running SharePoint 2013 or later, select the Add sites followed by users on this site check box to make this feature available to users of this share. This setting only applies for personal (my) SharePoint or OneDrive for Business sites.
   If your environment is configured for Microsoft OneDrive for Business, select the SharePoint Online storage provider.
7. In the Path field, specify the path to the share. Complete one of the following tasks based on the storage type that you selected in step 6.

Storage type | Description

Box | Enter a fully qualified URL with or without Microsoft Active Directory attributes.

FileShare | The Path can include Microsoft Active Directory attributes. For example, \\fileshare1\<SAMAccountName> or <homeDirectory>.

SharePoint, SharePoint Online | If your storage provider is Microsoft OneDrive for Business, complete this task.
   Enter a fully qualified URL with or without Microsoft Active Directory attributes.
   To add "my" or personal SharePoint sites, specify the URL for the "my" site. For example,
   • If your environment uses SharePoint and SharePoint Online, https://<Microsoft SharePoint server>/my.
   • If your environment uses Microsoft OneDrive for Business, https://<your O365 domain>-my.sharepoint.com/personal/admin_<domain>_onmicrosoft_com/_layouts/15/onedrive.aspx
   If the personal site includes usernames or other Microsoft Active Directory attributes, enter the path including these attributes. For example, https://<Microsoft SharePoint server>/my/<SAMAccountName>.
   Optionally, to automatically add followed sites, complete the following steps:
   a. Add a repository for the "my" or personal SharePoint site.
   b. Select the Add sites followed by users on this site for the repository.
   c. On the User-defined tab, enable a user-defined repository permission. Make sure that you select the Enable 'User Defined Shares' and Automatically add sites followed by users check boxes. For instructions, see Enable user-defined repository permissions.

CMIS-based | For storage providers using CMIS support that you have added to BEMS, both AtomPub and Web Services web addresses are supported. A repository ID may be optionally specified and a path inside the repository may also be optionally specified.
   If no repository ID is specified, then all repositories that a user has access to are listed to the user. If no path is specified, then the listing starts at the repository root.
   Following is the format of the paths for BEMS Docs repositories for accessing CMIS repositories:
   • <ATOM-PUB-URL>?RepositoryId=<REPOSITORY-ID>&RelativePath=<REPOSITORY-PATH>
   • <WEB-SERVICES-URL>?RepositoryId=<REPOSITORY-ID>&RelativePath=<REPOSITORY-PATH>&BindingType=WebService
   • Where ATOM-PUB-URL and WEB-SERVICES-URL are specific to the CMIS vendor. Contact your CMIS vendor for more information.
   • Where REPOSITORY-ID is the CMIS repository ID (optional).
   • Where REPOSITORY-PATH is the path inside the CMIS repository (optional).

8. Optionally, in the List drop-down list, select an existing list that you want this repository to belong to. If no list is defined, you can create one later or leave this field blank. If a List is selected, select the Enable inheriting of access control of repository list check box to apply the Access Permissions of the List to the repository. If the check box is not selected, you must define specific access permissions for this share (repository).

9. Select Manage access through WatchDox if you have a BlackBerry Workspaces server in your environment, have configured the Unified Content Connector, and you want to manage access permissions from the BlackBerry Workspaces server. For more information about the Unified Content Connector, contact BlackBerry Technical Support Services.

10. In the Access permissions section, click Add Users/Groups.
11. In the Search In field, enter a new domain or keep the default domain.
12. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
13. In the search results, select one or more entries.
14. Optionally, select the Use Different Credentials check box and enter a username and password to configure a different Username and Password for accessing this repository by these users.
15. Click Add.
16. Optionally, specify files and folders to synchronize to users' Offline folder in the BlackBerry Work Docs app.

a) Click Add.
b) Navigate to the file or folder that you want to synchronize to users' offline folder.
c) Click Add.
d) Repeat steps a to c for each file and folder that you want to synchronize.

17. Click Test and enter the test user login credentials to validate the repository information on behalf of the user, including the repository path, access to the user account, and the offline files and folders path. If the test fails, the appropriate message is displayed (for example, No user or user group assigned permission to access the repository or Could not validate path(s) <file/folder path>). Resolve the issue that is specified and test again.


18. Click Save. If the save fails and the issue is determined, the appropriate error message is displayed (for example, if you have a repository named Marketing and you create another repository with the same name, the error message Repository already exists with name Marketing is displayed). Resolve the issue that is specified and save again.

After you finish: To remove the offline files and folders, select the checkbox beside the files or folders to delete. Click Delete.
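A pre-flight check for the values entered in steps 5 and 7, as an added example (not BlackBerry's code): it tests a display name against the characters listed in step 5, flags duplicate names before Save rejects them, and reports how much a CMIS path exposes when RepositoryId or RelativePath is omitted. The dictionary keys, the case-insensitive duplicate comparison, and the sample repositories are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Characters the guide lists as unusable in a display name, per storage type.
# Storage types without a listed restriction are not checked.
FORBIDDEN_NAME_CHARS = {
    "SharePoint": '~"#%&*:<>?/\\{|}',
    "File Share": '\\/:*?"<>|',
    "Box": '\\/|',
}
# Query parameters that appear in the documented CMIS path format.
CMIS_PARAMS = {"RepositoryId", "RelativePath", "BindingType"}


def lint_display_name(name, storage):
    """Return findings for characters the storage type does not allow."""
    bad = sorted(set(name) & set(FORBIDDEN_NAME_CHARS.get(storage, "")))
    if bad:
        return [f"display name contains characters not allowed for {storage}: {' '.join(bad)}"]
    return []


def lint_cmis_path(path):
    """Return findings about the scope a CMIS repository path grants."""
    findings = []
    query = dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    for key in sorted(set(query) - CMIS_PARAMS):
        findings.append(f"query parameter {key!r} is not one the guide documents")
    if not query.get("RepositoryId"):
        findings.append("no RepositoryId: every repository the user can access is listed")
    if not query.get("RelativePath"):
        findings.append("no RelativePath: listing starts at the repository root")
    binding = query.get("BindingType")
    if binding is not None and binding != "WebService":
        findings.append(f"BindingType {binding!r} is not the documented value 'WebService'")
    return findings


def lint_repositories(repos):
    """Check a batch of planned repository definitions; return (name, finding) pairs."""
    findings, seen = [], {}
    for repo in repos:
        name, storage = repo["display_name"], repo["storage"]
        messages = lint_display_name(name, storage)
        key = name.casefold()  # assumption: treat names differing only in case as duplicates
        if key in seen:
            messages.append(f"display name duplicates {seen[key]!r}; names must be unique")
        else:
            seen[key] = name
        if storage == "CMIS":
            messages.extend(lint_cmis_path(repo["path"]))
        findings.extend((name, message) for message in messages)
    return findings


# Constructed sample definitions (hostnames and names are placeholders).
SAMPLE_REPOS = [
    {"display_name": "Marketing", "storage": "File Share",
     "path": r"\\fileshare1\<SAMAccountName>"},
    {"display_name": "Marketing", "storage": "SharePoint",
     "path": "https://sharepoint.example.com/sites/mkt"},
    {"display_name": "Finance: Q3", "storage": "SharePoint",
     "path": "https://sharepoint.example.com/sites/fin"},
    {"display_name": "Contracts", "storage": "CMIS",
     "path": "https://cmis.example.com/atom?RepositoryId=legal&RelativePath=/contracts"},
    {"display_name": "All CMIS", "storage": "CMIS",
     "path": "https://cmis.example.com/services?BindingType=WebService"},
]

if __name__ == "__main__":
    for name, message in lint_repositories(SAMPLE_REPOS):
        print(f"{name}: {message}")
```

A CMIS definition that produces the RepositoryId or RelativePath finding is valid, but it grants the widest listing the user's CMIS account allows, so confirm that scope is intended before saving.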

Edit a repository

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin defined tab.
4. Click a repository you want to edit.
5. Make the required changes.
6. Click Save.

Define a repository list

Use Lists to assign users to multiple repositories and to organize your repositories by common characteristics. This allows you to batch-configure user access permissions. Included repositories can inherit the configured user access permissions of the list or maintain permissions independent of the list.

Microsoft Active Directory users and groups must be added to a repository definition or a list definition before access permissions can be configured. Users and groups added automatically receive the default access permissions.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the Admin Defined tab.
4. Click New List.
5. In the Display Name, enter the name that will be displayed to authorized users on their mobile devices.
6. In the Select Repositories to include field, select the defined repositories to include.
7. Select Manage access through WatchDox if you have a BlackBerry Workspaces server in your environment, have configured the Unified Content Connector, and want to manage access permissions from the BlackBerry Workspaces server. For more information about the Unified Content Connector, contact BlackBerry Technical Support Services.

8. Click Save. 

After you finish:

If you don't use a BlackBerry Workspaces server in your environment, complete the following tasks:

1. Add new users and groups to the list definition.
2. Grant user access permissions.

Add users and user groups to repositories and list definitions

You must add Microsoft Active Directory users and groups to a repository definition or a list definition before you can configure access permissions. Users and groups that are added automatically receive the default access permissions.


1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. On the Repositories Configuration page, click the Admin defined tab.
4. Click a repository or list.
5. Under Access permissions, click Add users/groups.
6. In the Search In field, enter a new domain or keep the default domain.
7. Select Users or Groups.
8. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
9. In the search results, select one or more entries.
10. Optionally, select the Use Different Credentials checkbox and enter a username and password to configure a different username and password for accessing this repository by these users.
11. Click Add.
12. Click Save.

After you finish: Grant user and user groups access permissions. 

Allow user-defined repositories

You can allow users to define their own "named" data sources on admin-defined repositories for which they have already been granted permission.

When you allow users to define their own repositories, you perform the following actions:

1. Enable user-defined repository permissions
2. Change user access permissions

Enable user-defined repository permissions

Before you begin: For users to access their Microsoft SharePoint repositories on their devices, make sure that they have the "Read" permission level and the "Browse Directories" permission assigned.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the User defined tab.
4. Select the Enable 'User Defined Shares' checkbox to allow your mobile users to define their own data sources.
5. Optionally, select the Automatically add sites followed by users checkbox for authorized Microsoft SharePoint repositories with the required MySite plugin enabled. To automatically add followed sites, complete the following steps:

a. On the Admin-defined tab, add a repository for the "my" or personal SharePoint site. For instructions, see Define a repository.
b. Select the Add sites followed by users on this site check box for the repository.
c. On the User-defined tab, make sure that you select the Enable user-defined shares and Automatically add sites followed by users check boxes.

6. In the Storage section, select one or more storage services. If you do not select at least one storage option, the user-defined option is disabled.
7. In the Access Permissions section, click Add users/groups.
8. In the Search In field, enter a new domain or keep the default domain.
9. Select Users or Groups.


10. In the Search for Users in Active Directory field, type a full or partial search string. Click Search.
11. In the search results, select one or more entries.
12. Optionally, select the Use Different Credentials check box and enter a username and password to configure a different Username and Password for accessing this repository by these users.
13. Click Add. The users and groups added automatically receive the default access permissions.
14. Click Save.

Access permissions 

Permissions can be selectively granted to existing Microsoft Active Directory domain users and user groups. The most restrictive permissions (admin-defined or user-defined) are applied.

The following table lists the permissions that are provided by default when you add users and groups to the User-defined repositories.

Permission | Permissions Attributes | Default setting
--- | --- | ---
List (Browse) | View and browse repository content (for example, subfolders and files) in a displayed list, and sort lists by Name, Date, Size, or Kind | Enabled
Delete Files | Remove files from the repository | Enabled
Read (Download) | Download repository files to the user's device and open them to read | Enabled
Write (Upload) | Upload files (new/modified) from user's device to the repository for storage | Enabled
Cache (Offline Files) | Temporarily store a cache of repository files on the device for offline access. You can designate files and folders to synchronize to users' BlackBerry Work Docs app Offline folder. | Enabled
Open In | Open a file in a format-compatible app on the device | Enabled
Create Folder | Add new folders to the repository | Enabled
Copy/Paste | Copy repository file content and paste it into a different file or app | Enabled
Check In/Check Out | When a file is checked out, the user can edit, close, reopen, and work with the file offline. Other users cannot change the file or see changes until it is checked back in | Enabled (SharePoint only)
Add New Repositories | Permits new repositories to be added from the user's mobile device | Disabled
Generate Shared Link | Users can generate a link to a file and folder and send the link to recipients. The Generate Shared Link requires an updated BlackBerry Work app. | Enabled (Box only)

Change user access permissions

1. On the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click the User defined tab.
4. Under Access Permissions, beside the user or user group, select or clear the permission checkbox that you want to change.
5. Click   beside a user or user groups that you want to remove.
6. Click Save.

View user repository rights

In some scenarios, you may need to search for a particular user to review which repositories are configured for their access, as well as the specific permissions granted. For example, when a user is one member of a Microsoft Active Directory group configured for repositories and is not listed individually in your admin-defined or user-defined repository configurations and you want to consider making specific changes to the user's access permissions.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Repositories.
3. Click Users.
4. In the Search Users field, begin typing the user's Microsoft Active Directory account name. If you don't see the user you want, extend or narrow the search string or click Switch Domains to search a different Microsoft Active Directory domain.
5. Click the user name. The Defined by column specifies if the repository is admin-defined or user-defined.
6. Click the name of the repository or on the row to view the user's access permissions. To modify the access permissions, see Change user access permissions.
7. Optionally, if the repository is admin-defined, in the Override Path for this user field, enter an override path.
8. Optionally, if the repository is user-defined, in the Repository name field, enter a new repository name.

Enable users to access Box repository using a custom Box email address 

On the Home screen of the computer hosting BEMS, complete one of the following actions: 


Attributes: The Box email address matches one of the following Microsoft Active Directory attributes:

• mail
• userPrincipalName
• proxyAddresses
• targetAddress

Task: No action is required.

Attributes: The Box email address matches a Microsoft Active Directory attribute other than the attributes listed above.

Task: Set the config value, LDAPUserCheckAttribute, to specify the Microsoft Active Directory attribute that contains the custom Box email address.

a. On the computer hosting BEMS, open a command prompt and navigate to the client.bat file. By default, the file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\bin.
b. Type client.bat -u domain name\username. Press Enter.
   • Where domain name is the name of the domain BEMS is located in.
   • Where username is the name of an administrator account on BEMS.
c. Type the password for the BEMS user account. Press Enter.
d. Set the LDAPUserCheckAttribute. Type docs:config Config-Name Config-Value.
   • Where Config-Name is LDAPUserCheckAttribute.
   • Where Config-Value is the name of the Microsoft Active Directory attribute you want to add. For example, BoxLogin.
e. Optionally, confirm the Config-Value is set. Type docs:config Config-Name.

Attributes: The Box email address does not match any Microsoft Active Directory attribute.

Task: Complete one of the following tasks:

• Add an attribute to contain the Box email address and use the previous configuration. See the instructions above.
• Enable the EnablePersonalBoxAccess config value to allow users to use personal Box email addresses without adding an attribute.

Warning: If you use this method to allow users to use custom Box email addresses to access Box, users can copy documents from your organization's network to their private Box accounts.

a. On the computer hosting BEMS, open a command prompt and navigate to the client.bat file. By default, the file is located at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\bin.
b. Type client.bat -u domain name\username. Press Enter.
c. Type the password for the BEMS administrator account. Press Enter.
d. Set the EnablePersonalBoxAccess to 1 to enable the attribute. Type docs:config EnablePersonalBoxAccess 1.
e. Optionally, confirm EnablePersonalBoxAccess is enabled. Type docs:config EnablePersonalBoxAccess.
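Before choosing EnablePersonalBoxAccess, which the warning above ties to documents leaving the organization, it helps to know how many users actually fall into each row of the table. The following added example (not BlackBerry's code) sorts exported directory records into the three cases; the matching rules (case-insensitive comparison, stripping the "SMTP:" prefix from proxyAddresses and targetAddress values) are assumptions, and the user records and Box addresses are constructed samples.

```python
# Attributes the guide says need no extra configuration.
DEFAULT_ATTRS = ("mail", "userPrincipalName", "proxyAddresses", "targetAddress")


def addresses(value):
    """Return the set of lower-cased e-mail addresses held in one attribute value."""
    if value is None:
        return set()
    values = value if isinstance(value, (list, tuple)) else [value]
    found = set()
    for item in values:
        text = str(item).strip()
        prefix, sep, rest = text.partition(":")
        if sep:
            # proxyAddresses/targetAddress entries look like "SMTP:user@example.com";
            # other address types (X500, SIP, ...) are not e-mail addresses.
            if prefix.casefold() != "smtp":
                continue
            text = rest
        if "@" in text:
            found.add(text.casefold())
    return found


def classify(user, box_email):
    """Return (case, attribute) for one user, following the rows of the table."""
    wanted = box_email.strip().casefold()
    for attr in DEFAULT_ATTRS:
        if wanted in addresses(user.get(attr)):
            return "no-action", attr
    for attr in sorted(set(user) - set(DEFAULT_ATTRS) - {"sAMAccountName"}):
        if wanted in addresses(user[attr]):
            return "set-LDAPUserCheckAttribute", attr
    return "no-matching-attribute", None


def plan(users, box_emails):
    """Group users by the task the table assigns to them."""
    report = {"no-action": [], "set-LDAPUserCheckAttribute": {}, "no-matching-attribute": []}
    for user in users:
        name = user["sAMAccountName"]
        case, attr = classify(user, box_emails[name])
        if case == "set-LDAPUserCheckAttribute":
            # Keyed by attribute: users spread over several attributes cannot all
            # be covered if the config value holds one attribute name (assumption).
            report[case].setdefault(attr, []).append(name)
        else:
            report[case].append(name)
    return report


# Constructed sample export; BoxLogin is the example attribute name from the guide.
SAMPLE_USERS = [
    {"sAMAccountName": "asmith", "mail": "asmith@example.com",
     "userPrincipalName": "asmith@corp.example.com",
     "proxyAddresses": ["SMTP:asmith@example.com", "smtp:alice.smith@example.com"]},
    {"sAMAccountName": "bjones", "mail": "bjones@example.com",
     "userPrincipalName": "bjones@corp.example.com",
     "BoxLogin": "bob.jones@box.example.com"},
    {"sAMAccountName": "cwu", "mail": "cwu@example.com",
     "userPrincipalName": "cwu@corp.example.com",
     "proxyAddresses": ["X500:/o=Example/cn=cwu"]},
]
SAMPLE_BOX_EMAILS = {
    "asmith": "Alice.Smith@example.com",
    "bjones": "bob.jones@box.example.com",
    "cwu": "cwu.personal@mail.example.net",
}

if __name__ == "__main__":
    for case, members in plan(SAMPLE_USERS, SAMPLE_BOX_EMAILS).items():
        print(case, members)
```

Only the users reported under no-matching-attribute are candidates for the last row of the table; adding an attribute for them keeps access tied to addresses recorded in the directory.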

Using the Docs Self-Service web console

Similar to the method for adding user-defined repositories on and from the device (see "Add a new data source" in the respective BlackBerry Work User Guide for iOS or Android), authorized users can access the Docs Self-Service web console from a browser on their office workstation or laptop to add user-defined File Share, Box, and SharePoint repositories. The self-service console is included in your BEMS installation and automatically configured with the Docs service in the BEMS Dashboard.

The web address to access the Docs Self-Service web console can be one of the following web addresses. Contact your BEMS or BlackBerry Work administrator for the specific web address in your environment.

• If you configured single sign-on, navigate to https://<bems_fqdn>:<port>/docsconsole-sso
• If you require a username and password, navigate to https://<bems_fqdn>:<port>/docsconsole

Add a repository using the Docs Self-Service web console

Before you begin: You must be authorized to access the Docs Self-Service web console. For instructions on authorizing access to the Docs Self-Service web console, see Allow user-defined repositories. Users must have the Add New Repositories permission to add a repository from the browser.


1. On your computer, open a browser and navigate to the Docs Self-Service console at one of the following web addresses:

• If your environment is configured for single sign-on, go to https://<bems_fqdn>:<port>/docsconsole-sso (for example, https://bemsserver.example.com:8443/docsconsole-sso). If you are authorized, you are automatically logged in using your Microsoft Active Directory credentials.
• If your environment is configured to require a username and password, go to https://<bems_fqdn>:<port>/docsconsole (for example, https://bemsserver.example.com:8443/docsconsole). You must enter your Microsoft Active Directory credentials.

2. Click Add Repository to define a new data source.
3. In the Display Name field, type a display name. This name is displayed in repository lists in the console and on your device.
4. In the Storage Type field, select a storage type (for example, File Share, SharePoint, or Box).
5. In the Path field, enter the path.
6. Click Save.

To remove a repository, click   beside it.

Enable modern authentication for Microsoft SharePoint Online

You can also enable modern authentication for Microsoft SharePoint Online when you have Microsoft SharePoint configured in your environment.

Before you begin: If you enable modern authentication, configure the Azure registration in the Docs > Settings screen. For more information, see Configure the Docs security settings.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Storages.
3. Click the storage name SharePoint Online.
4. If this is a new installation, the following settings are selected by default:

• Authentication Provider drop-down list: Modern. For information about authentication providers and the storage provider that each can be used for, see Authentication providers.
• Use Azure registration from Settings check box is selected. SharePoint uses the Azure registration settings that are specified in the Docs > Settings screen. For more information, see Configure the Docs security settings.

5. If you upgraded from BEMS 2.10 or earlier and modern authentication was configured, no additional actions are required. Optionally, select the Use Azure registration from Settings check box for SharePoint to use the Azure registration settings that are specified in the Docs > Settings screen. For more information, see Configure the Docs security settings.

6. To make the storage available on user devices, select the Enable Storage checkbox.

Note: It may take up to an hour or a restart of the apps for storage changes to take effect on users' devices. It may take up to five minutes for the changes to take effect on the server. Enabling and disabling storage providers on this page affects what storage resources are visible at any given time for users, but it has no such impact on the server. If this option is not selected, users can't access the fileshare and receive the following error message on the device: Data sources could not be retrieved. Unable to connect to the server.

After you finish:

Add repositories in the storage added. For instructions, see Managing Repositories.


Windows Folder Redirection (Native)

This feature gives administrators the ability to redirect the path of a folder to a new location, which can be on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.

Folder Redirection is located under Windows Settings in the console tree when you edit a domain-based Group Policy using the Group Policy Management Console (GPMC). The path is <Group Policy Object Name>\User Configuration\Policies\Windows Settings\Folder Redirection.

Offline File technology (turned on by default) gives users access to the folder even when they are not connected to the network, and is especially useful on laptops and mobile devices. Offline folders do not, however, work out of the box with Samba network drives. See Offline Folders (Native) for details. Otherwise, Windows Folder Redirection can be enabled for any of the predefined folders in the Group Policy Management Editor.

The following different folders can be redirected.

• AppData (Roaming)
• Desktop
• Start Menu
• Documents
• Pictures
• Music
• Favorites
• Contacts
• Downloads
• Links
• Saved Games
• Searches
• Videos

As an administrator, you must create the root folder for the destination location. This folder can be created on a local or remote machine (NAS).

Note: All members of the group who have Windows Folder Redirection enabled must have full access to the root folder.

Enable folder redirection and configure access

When you enable folder redirection, the user's folder will have exclusive user permissions. Other users cannot see the files. The user can update, add new, and delete files. When the user connects to the corporate network, the files are automatically synchronized with the redirected location.

If modifications are made on the file in both locations at the same time, an alert is issued, and the user is responsible for resolving the conflict (for example, keep the source, keep the destination, or keep both files).

If a user uploads a file through a mobile app directly to the share, the file is visible on the local computer in the Documents folder. Moreover, when the Docs service is configured with "User Private Shares" pointing to the redirected root folder (for example, C:\RedirectShare\), users can automatically use their own folders inside the mobile app from the "Home Directory" on their phone or tablet.

Note: For users with their home folder defined in Microsoft Active Directory, Folder Redirection works when the redirection path is the same as the user's home folder in Microsoft Active Directory.

1. Create a root folder (for example, RedirectShare) for the redirect destination.


2. In the Group Policy Management Editor, select a specific folder (for example, Documents) and add one or more rules to determine which users and user groups can redirect the selected folder to the root folder.

3. Set an environment variable %USERNAME% to the path [Root]\<username>\Documents\.

Local Folder Synchronization – Offline Folders (Native)

Users who work remotely on content creation and save files locally for offline access can now access these files on-the-go from their mobile devices without having to open their local machine. The Docs service provides authorized users access to their Home Directory hosted on network-attached storage (NAS) shares and exposed through Microsoft Active Directory. This synchronization feature, syncing folders on the user's remote laptop or desktop with their home directory, is only available on local machines running Microsoft Windows.

When you select a network file or folder to make it available offline, Windows automatically creates a copy of that file or folder on your computer. Thereafter, any time you reconnect to the network folder, Windows synchronizes these files with those in the network folder. You can also synchronize them manually any time you want. As pointed out above, this feature does not work out of the box with a Samba network drive, and workarounds are not currently supported by Microsoft. Otherwise, the feature can be enabled from Windows Explorer and used for any shared folder as pictured.

Now that the shared folder is available offline, it can be used offline. Users can even make a shortcut to the shared folder on their desktop for convenience. When working offline and changes are made to offline files in a network folder, Windows automatically synchronizes the changes the next time you connect to that network folder. You can also manually synchronize changes by clicking the Sync Center tool.

Additionally, there are more advanced synchronization scheduling controls available in the Windows Sync Center.

If the user is working offline while someone else changes a file in a shared network folder, Windows synchronizes those changes with the offline file on the local computer the next time it connects to that network folder. If a synchronization conflict occurs, for example, changes were made to both the network and offline versions of the file between syncups, Windows prompts the user to confirm which change takes precedence.

Files that were cached automatically are removed on a least-recently used basis once the maximum cache size is reached. Files cached manually are never removed from the local cache. When the total cache size limit is reached and all files that were cached automatically have already been removed, files cannot be made available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet.

The default size limit for the Offline Files cache is 25 percent of the total disk space of the drive where the cache is located. The cache size can be configured through the Group Policy by setting the limit on disk space used by Offline Files (go to Computer Configuration > Policies > Administrative Templates > Network > Offline Files) on each client separately.

Synchronization takes place a few minutes after the user logs in and connects/opens a shared network folder containing offline files and is schedule- or event-based. However, this must still be enabled manually by each user. Even so, through the Group Policy editor, the domain administrator can set various synchronization triggers; e.g., On Logon, On Logoff, Sync Interval, etc.

These settings are available in User Configuration\Administrative Templates\Network\Offline Files and in Computer Configuration\Administrative Templates\Network\Offline Files in the Group Policy Object Editor snap-in. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Folder Redirection and Offline Folders provide the following advantages compared to a proprietary laptop/desktop agent furnished by Good:

• IT does not have to manage and deploy another desktop agent
• Microsoft Folder Redirection is integrated with GPO and manages conflicts
• Existing compliance tools and processes govern the data.


Once the files are synchronized to the "Home Directory," IT administrators can make use of the Docs service feature in which Microsoft Active Directory attributes can be specified in the path to expose the user's "Home Directory" to the BlackBerry Work app running on provisioned mobile devices. It is also important to remember that for users who have their home folder defined in Microsoft Active Directory, Folder Redirection works when the folder redirection path is the same as the user's home folder in Microsoft Active Directory.

Configuring support for Microsoft SharePoint Online and Microsoft OneDrive for Business

Microsoft SharePoint Online locations can be added as repositories in the Docs service just like an on-premise Microsoft SharePoint site to support both admin-defined and user-defined data sources. This is also true for Microsoft OneDrive for Business.

Microsoft SharePoint Online provides the following ways for users to authenticate and perform SharePoint operations:

• Using on-premises Microsoft Active Directory

  • DirSync with Password Hash: Users and their passwords on Microsoft Active Directory are synchronized with Microsoft Office 365. Users are presented with a login page where they can enter their credentials to access Microsoft SharePoint Online.

  • Active Directory Federation Service (ADFS): ADFS serves as a Secure Token Service. Behind the scenes (in the background), users are redirected to ADFS for authentication and are issued security tokens that are then used by Microsoft SharePoint Online to sign in. Microsoft SharePoint Online users do not need to enter credentials when accessing from the corporate network, which typically enables single sign-on scenarios.

• Using modern authentication

  • Enable modern authentication in the BEMS Dashboard.

These authentication mechanisms are supported by the Docs service and all preparations take place on the server side exclusively. No device changes are required to use the on-premises Active Directory. The following prerequisites are required for users to authenticate to Microsoft SharePoint Online:

• For users to authenticate to Microsoft SharePoint Online using Microsoft Active Directory, Microsoft SharePoint Online is deployed in your environment based on DirSync with Password Hash or ADFS authentication mechanisms.

• For users to authenticate to Microsoft SharePoint Online using modern authentication, Microsoft SharePoint Online is deployed in your environment and enabled for modern authentication in the BEMS Dashboard.

Configure Microsoft SharePoint Online and Microsoft OneDrive for Business

For instructions on enabling modern authentication for Microsoft SharePoint Online, see Enable modern authentication for Microsoft SharePoint Online.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the SharePoint Online section, in the SharePoint Online Domain field, type the FQDN for your primary Microsoft SharePoint Online domain. Then, separated by a comma, type your FQDN for Microsoft OneDrive for Business. For example, goodshare.sharepoint.com,goodshare-my.sharepoint.com.
4. Click Save.
5. Restart Good Technology Common Services.
6. Click Repositories.
7. Click New Repository.
8. In the Display Name field, type a name for the repository.
9. In the Storage Type drop-down list, click SharePoint.
10. In the Path field, type the path for your primary Microsoft SharePoint Online site from Step 2.


11. Click Save.
12. Optionally, click New Repository for Microsoft OneDrive for Business and repeat steps 8 to 11 using the path for the Microsoft OneDrive for Business. You can use the username wild card in the web address. For example, https://goodshare-my-sharepoint.com/personal<username>_goodshare_us.

    You can look up the path web address by logging in to the Microsoft SharePoint Online website and clicking the Microsoft OneDrive option. Copy the web address into the Path field.

13. Click Save. Both repositories are listed in the repository list.

Microsoft SharePoint Online authentication setup

The following instructions do not apply when you configure Microsoft SharePoint Online using Modern Authentication. For Kerberos constrained delegation (KCD), which allows for single sign-on credential-less access to network resources from devices, only Active Directory Federation Service (ADFS) authentication to Microsoft SharePoint Online is supported.

Note: Configure delegation using the BEMS service account (for example, BEMSAdmin). When adding Kerberos delegation constraints for Docs service users, add the ADFS server HTTP service. Do not add Microsoft SharePoint Online servers for delegation here.

For non-KCD configurations, where users enter their credentials on the device, both DirSync with Password Hash and ADFS authentication mechanisms to Microsoft SharePoint Online are supported. No extra authentication-related steps are required to use this configuration.

ADFS version and location

Refer to the version of Microsoft Windows that is installed in your environment to verify which version of ADFS is required. The ADFS server is automatically identified by the Docs service based on the Microsoft SharePoint Online location and does not need to be specified.

ADFS HTTPS certificate

If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the computer hosting BEMS.

To add the certificate, navigate to the Microsoft IIS Manager on the computer hosting ADFS, then go to Server Certificates and export the certificate to a file. On the computer hosting BEMS, import this certificate into the trusted CA list.

Once you deploy Microsoft SharePoint Online, you're ready to configure the Docs service for your Microsoft SharePoint Online users.

Troubleshooting Microsoft SharePoint Issues

BlackBerry Work Docs fails to find a Microsoft SharePoint view by name

Possible cause

Maximum HTTP URL length is set too short.


Possible solution

Increase the maxUrlLength setting.

1. In Microsoft IIS, under site or server, open Configuration Editor.
2. In the drop-down at the top, expand system.web and select httpRuntime.
3. Change the maxUrlLength property to 2048. By default, the maxUrlLength is 260 characters.

Configuring Microsoft Office Web Apps server for Docs service support

Microsoft Office Web Apps (OWAS) is an Office server product from Microsoft that delivers browser-based versions of Microsoft Word, Microsoft PowerPoint, Microsoft Excel, and Microsoft OneNote. A single Microsoft Office Web Apps server farm can support Docs service users who access Office files through Microsoft SharePoint and File Shares. The new stand-alone deployment model means that you can manage updates to your Microsoft Office Web Apps server farm independently of other Office Server products that are deployed in your organization.

Supported file types

Docs support for Microsoft Office Web Apps (OWAS) gives your users the ability to view and edit Office documents and convert them to PDF format in BlackBerry Work and other BlackBerry Dynamics-powered apps that use the Docs service. This is all done within the secure BlackBerry Dynamics container. The BlackBerry Work Docs component is used to browse and select the files. BlackBerry Access is used to view and edit the documents.

The following table lists the supported file types for Microsoft Word.

File format View Edit

Open XML (.docx) √ iPad only

Binary (.doc) √ —

Macro (.docm) √ Macros don't work

Templates (.dotm, .dotx) √ —

Other file formats (.dot, .mht, .mhtml, .htm, .html, .odt, .rtf, .txt, .xml, .wps, .wpd) — —

The following table lists the supported file types for Microsoft Excel.

File format View Edit

Open XML (.xlsx) √ √

Binary (.xlsb) √ √

Binary (.xls) — —


Macro (.xlsm) However, you are prompted to create a copy of the file that has the macros removed when you save the changes that you have made

Other file formats (.xltx, .xltm, .xlam, .xlm, .xla, .xlt, .xml, .xll, .xlw, .ods, .prn, .txt, .csv, .mdb, .mde, .accdb, .accde, .dbc, .igy, .dqy, .rqy, .oqy, .cub, .uxdc, .dbf, .slk, .dif, .xlk, .bak, .xlb) — —

The following table lists the supported file types for Microsoft PowerPoint.

File format View Edit

Open XML (.pptx, .ppsx) √ iPad only

Binary (.ppt, .pps) PowerPoint Online or PowerPoint Web App converts the .ppt or .pps file to a .pptx or .ppsx file to allow you to edit the file, but you must save the file as a .pptx or .ppsx file to save your changes.

Macro (.pptm, .potm, .ppam, .potx, .ppsm) √ —

Other file formats (.pot, .htm, .html, .mht, .mhtml, .txt, .rtf, .wpd, .wps, .ppa, .odp, .thmx) — —

The following table lists the supported file types for PDF and OpenDocument.

File format View Edit

PDF (.pdf) √ —

OpenDocument Text (.odt) √ —


OpenDocument Spreadsheet (.ods) √ √

OpenDocument Presentation (.odp) √ √

For more information on the file types supported with Microsoft Office Web Apps, visit support.microsoft.com and read article 2028380.

Supported files and storage types

Documents in a supported file format can reside on any of the following storage types:

• File Shares
• Microsoft SharePoint Online
• Microsoft SharePoint

For information about the supported Microsoft SharePoint versions, see the BEMS Compatibility Matrix.

Supported devices

• iOS devices

  • iPad: view and edit
  • iPhone: view only

• Android devices

  • Phones: view only
  • Tablets: view only

Configure the Docs service for Microsoft Office Web Apps access

Before you begin:

• A Microsoft Office Web Apps server is installed and configured in your environment.

• Verify that you have the Microsoft Office Web Apps server URL, and custom port if required. BEMS automatically adds '/hosting/discovery' to the web address when BEMS performs a service discovery and adding it to the web address is not required.

• Add a registry key to enable strong cryptography on the Office Online Server. If this key is not added to the registry, users can't view or edit Microsoft Office Web Apps files in BlackBerry Access and the Office Online Server log files log the error message Could not create SSL/TLS secure channel. For instructions, see the Known issues section of the BEMS Release Notes content.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. Under Office Web App Server, in the Office Web App Server URL field, type the web address of the Microsoft Office Web Apps server. For example, https://officewebapps.example.com or https://officewebapps.example.com:1234 if a custom port is used.
4. Click Save.
5. On the Office Web App Server server, in the Windows folder, copy the Microsoft.CobaltCore.dll file. By default, the file is located in <drive>:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.CobaltCore\.


6. On the BEMS, browse to and paste the file into the lib folder at <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\lib.
7. Restart the Good Technology Common Services.
8. On BEMS, export the SSL certificate to a file.
   a) In the BlackBerry Enterprise Mobility Server Dashboard, under BEMS System Settings, click SSL Certificate.
   b) Click Download SSL Certificate. By default, the BemsCert.cer file is saved to the Downloads folder.
9. On the Office Web App Server server, add the SSL certificate to the Trusted Root CA of the computer account.
   a) Open the Microsoft Management Console.
   b) Click File > Add/Remove Snap-in.
   c) In the Available snap-ins column, click Certificates > Add.
   d) Select Computer account. Click Next.
   e) Select Local Computer. Click Finish.
   f) Click OK.
   g) In the Microsoft Management Console, expand Certificates (Local Computer).
   h) Right-click Trusted Root Certificate Authorities. Select All Tasks.
   i) Click Import.
   j) In the Certificate Import Wizard, click Next.
   k) Browse to the SSL certificate file you exported in step 8.
10. Obtain the Microsoft Office Web Apps server SSL certificate.
11. Add the Microsoft Office Web Apps server SSL certificate to BEMS. For instructions, see Importing CA Certificates for BEMS.
12. Repeat steps 8 to 11 for each BEMS server in your environment.

Configuring resource based Kerberos constrained delegation for the Docs service

You can configure the Docs service to use resource based Kerberos constrained delegation (KCD) to access resources, such as Microsoft SharePoint servers and File Share servers, and remove the requirement for users to provide their network credentials to access resources within the domain, and between domains and forests. When you configure resource based KCD for your Docs service, the resource authorizes the service accounts that can delegate against the resource. If you need to enable KCD in your environment, it is recommended you enable resource based KCD, if your environment meets the minimum requirements. This is also recommended in environments that do not use multiple domains or forests. If your environment does not meet the requirements for resource based KCD, you can configure Kerberos constrained delegation (KCD).

Configuring the Docs service with resource based KCD allows users to access resources in the same domain or between domains and forests.

When you configure resource based Kerberos constrained delegation, you perform the following actions:

1. Configure resource based Kerberos constrained delegation
2. Optionally, verify the delegation is configured correctly
3. Turn on resource based Kerberos constrained delegation

Configure resource based Kerberos constrained delegation

You can configure the Docs service with resource based Kerberos constrained delegation (KCD) to allow users to access resources in the same domain and between domains and forests.

Before you begin:

• All BEMS instances in your environment are hosted on a computer that is running Windows 2012 or later.


• Each domain in your environment has one or more Domain Controllers on a computer that is running Windows 2012 or later.

• The BEMS service account is a member of the local Administrators group and has the Act as part of the Operating System privilege.

• If you are configuring resource based KCD for Microsoft SharePoint, make sure that Microsoft SharePoint server uses Integrated Windows Authentication – Negotiate (Kerberos) for the authentication provider.

• You identified the file share servers and Microsoft SharePoint servers that the Docs service requires access to.

1. On the Domain Controller or another computer in your environment, open Windows PowerShell (run as administrator) and set up delegation.
   a) Import the ServerManager module. Type Import-Module ServerManager. Press Enter.
   b) Install the Microsoft Active Directory module for Windows PowerShell and the Microsoft Active Directory Services. Type Add-WindowsFeature RSAT-AD-PowerShell. Press Enter.
   c) Import the Microsoft Active Directory module. Type import-module activedirectory. Press Enter.

2. Find the application pool identity for the Microsoft SharePoint servers in your environment. The application pool identity is located in the Microsoft Internet Information Services (IIS) Manager, on the Application Pools screen.

3. If the Microsoft SharePoint web application is running on a non-default port (the default port is 80 and 443) or is not running under the network service, create SPNs. Complete one or more of the following tasks:

Note: If you have multiple Microsoft SharePoint web applications, you must create an SPN for each web application that is available in the scenarios below.

Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and as a specific user

Steps:

a. Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

   • Where <Sharepoint server name> is the name of the computer hosting the Microsoft SharePoint web application.
   • Where <Sharepoint app port> is the port number of the Microsoft SharePoint web application server.
   • Where <Sharepoint domain> is the domain where the Microsoft SharePoint web application server is located. For example, www.example.com.
   • Where <Sharepoint app user> is the user or service account that is listed in the Identity column in step 2. If the service is set to run as a user, the identity column displays <web application server name>/<username>. If the service is set to run as a network, you will see Network service.

b. Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

   • Where Sharepoint server FQDN is the FQDN of the computer hosting the Microsoft SharePoint web application server.

Task: Create SPNs for a Microsoft SharePoint web application running on a default port (80 or 443) and as a specific user

Steps:

a. Type setspn -S HTTP/<Sharepoint server name> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

b. Type setspn -S HTTP/<Sharepoint server FQDN> <Sharepoint domain>\<Sharepoint app user>. Press Enter.


Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and under a network service

Steps:

a. Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.

b. Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.

4. Add the delegation to each file share server in your environment.

Task: Add the delegation for one computer hosting BEMS.

Steps:

a. Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER-NAME>. Press Enter.

b. Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.

Task: Add the delegation for multiple computers hosting BEMS.

Steps:

a. Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER1-NAME>. Press Enter.

b. Type $gems2 = Get-ADComputer -Identity <GEMS-SERVER2-NAME>. Press Enter.

   For each additional BEMS, increment the $gems# by one.

c. Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1,$gems2. Press Enter.

   For each additional BEMS, add a comma and $gems# incrementing the # by one.

5. If you configure the delegation for file share servers in a DFS configuration, add delegations to the name server and the file server. For domain based DFS, this requires adding delegations for all of the Domain Controllers in the domain. Type Set-ADComputer <DC-SERVER-NAME> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.

   Where <DC-SERVER-NAME> is the name of the computer hosting the domain controller.

6. Add delegation to the Microsoft SharePoint servers in your environment. Complete one of the following actions:

   • If the application pool identity for Microsoft SharePoint application is NetworkService, type Get-ADComputer <Sharepoint server name> -Properties PrincipalsAllowedToDelegateToAccount.

   • If the application pool identity for Microsoft SharePoint application is a specific domain user, type Get-ADUser <Sharepoint app user> -Properties PrincipalsAllowedToDelegateToAccount.

   Where Sharepoint app user is the user name that is listed in the Identity column in step 2.

7. Press Enter.

Verify the delegation is configured correctly

You can verify that the delegation property was set correctly.

1. On the Domain Controller or another computer in your environment, open Windows PowerShell (run as administrator).


2. Complete one of the following actions to verify the delegation:

• If the delegation was set on the server name, type Get-ADComputer <server_name> -Properties PrincipalsAllowedToDelegateToAccount.

• If the delegation was set on the username, type Get-ADUser <user_name> -Properties PrincipalsAllowedToDelegateToAccount.
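
The configure and verify steps above, combined into one script, as an added example that is not part of the BlackBerry guide. The function name and all host and account names are placeholders, and the script assumes every account is in the current domain. Because Set-ADComputer and Set-ADUser replace the whole PrincipalsAllowedToDelegateToAccount list, the script merges the BEMS computer accounts with whatever is already set before writing.

```powershell
# Added example, not BlackBerry code. Needs the ActiveDirectory module
# (Add-WindowsFeature RSAT-AD-PowerShell) and rights to modify the resource accounts.
Import-Module ActiveDirectory

function Grant-BemsResourceDelegation {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Computers hosting BEMS.
        [Parameter(Mandatory)] [string[]] $BemsHost,
        # File servers, or SharePoint servers whose app pool runs as Network Service.
        [string[]] $ResourceComputer = @(),
        # SharePoint application pool identities that are domain users.
        [string[]] $ResourceUser = @()
    )

    $prop = 'PrincipalsAllowedToDelegateToAccount'

    # Resolve every BEMS computer account first; a wrong name stops the run
    # before anything is changed.
    $bemsDn = @(foreach ($name in $BemsHost) {
        (Get-ADComputer -Identity $name -ErrorAction Stop).DistinguishedName
    })

    # Load each resource account together with its current delegation list.
    $targets = @(
        $ResourceComputer | ForEach-Object {
            Get-ADComputer -Identity $_ -Properties $prop -ErrorAction Stop
        }
        $ResourceUser | ForEach-Object {
            Get-ADUser -Identity $_ -Properties $prop -ErrorAction Stop
        }
    )

    foreach ($target in $targets) {
        $isComputer = $target.ObjectClass -eq 'computer'

        # Existing entries are returned as distinguished names. Keep them,
        # add the BEMS accounts, and drop duplicates.
        $current = @($target.$prop | ForEach-Object { "$_" })
        $merged  = @($current + $bemsDn | Sort-Object -Unique)

        if ($PSCmdlet.ShouldProcess($target.DistinguishedName,
                "allow delegation from $($BemsHost -join ', ')")) {
            if ($isComputer) {
                Set-ADComputer -Identity $target -PrincipalsAllowedToDelegateToAccount $merged
            } else {
                Set-ADUser -Identity $target -PrincipalsAllowedToDelegateToAccount $merged
            }
        }

        # Read the property back, as in the verification step.
        $after = if ($isComputer) {
            (Get-ADComputer -Identity $target -Properties $prop).$prop
        } else {
            (Get-ADUser -Identity $target -Properties $prop).$prop
        }

        [pscustomobject]@{
            Resource = $target.Name
            Allowed  = @($after)
            # BEMS accounts that are still not on the list.
            Missing  = @($bemsDn | Where-Object { $_ -notin $after })
            # Other accounts that may act on behalf of users to this resource.
            Extra    = @($after | Where-Object { $_ -notin $bemsDn })
        }
    }
}

# Placeholder names. -WhatIf previews the change and reports the current state only.
Grant-BemsResourceDelegation -BemsHost 'BEMS01', 'BEMS02' `
    -ResourceComputer 'FS01' -ResourceUser 'svc-sharepoint' -WhatIf
```

Run it once with -WhatIf, review the Extra column for accounts you do not expect, then run it again without -WhatIf.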

Turn on resource based Kerberos constrained delegation

When you configure resource based Kerberos constrained delegation (KCD) for the Docs service, consider the following:

• Only Windows authentication in Microsoft SharePoint is supported. Forms-based and claims-based authentication are not supported.

• IP addresses are not allowed in the Microsoft SharePoint URLs and File Share paths that you configure in BEMS.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the Kerberos Constrained Delegation section, select the Enable Kerberos Constrained Delegation checkbox.
4. Restart the Good Technology Common Services.
5. On the computer hosting the BEMS-Docs service, grant the Act as part of the operating system privilege to the BEMS server account (for example, GoodAdmin).
   a) Run the Local Security Policy administrative tool.
   b) In the left pane, expand Local Policies.
   c) Click User Rights Agreement.
   d) Configure the service account for the Act as part of the operating system permission.
6. Click OK.

Remove resource based Kerberos constrained delegation

1. Open the Windows PowerShell (run as administrator).
2. Complete one of the following tasks:

   • To remove the delegation from a server, type Set-ADComputer <server_name> -PrincipalsAllowedToDelegateToAccount $null.

     If you have multiple file share or Microsoft SharePoint servers in your environment, complete this step for each server.

   • To remove the delegation from a user, type Set-ADUser <user_name> -PrincipalsAllowedToDelegateToAccount $null.

     If you use different usernames for the Microsoft SharePoint and file share servers, complete this step for each username.

3. Press Enter.

Configuring Kerberos constrained delegation for Docs

Configuring the Docs service to use Kerberos constrained delegation (KCD) for accessing resources such as Microsoft SharePoint and File Shares removes the requirement for end-users to provide their network credentials to access network resources using the Docs service.

Before configuring the Docs service to use KCD, it is important to understand that configuring KCD for Docs service is independent of configuring BlackBerry Dynamics KCD. This means, for example, that if your mobile app (for example, BlackBerry Work) requires use of the Docs service exclusively, you only need to configure KCD for the Docs service.

For example, the following diagram charts a sample KCD call flow for BlackBerry Work.

All KCD transactions are between the Docs service account and the key distribution center (KDC) and respective resources. No KCD information is cached on the mobile app. The Docs service uses Microsoft's Service for User (S4U) specifications for KCD. For more information on S4U, visit the MSDN Library to see: https://msdn.microsoft.com/en-us/library/cc246071.aspx.

Configuring Kerberos constrained delegation for the Docs service

When you configure Kerberos constrained delegation (KCD) for Docs, you perform the following actions:

1. Find the SharePoint application pool identity and port.
2. Create any required Service Principal Names (SPNs).
3. Add Kerberos constrained delegation for Microsoft SharePoint servers.
4. Add Kerberos constrained delegation for file shares.
5. Turn on Kerberos constrained delegation.

If you want to configure KCD for File Share repositories only, you can skip the Microsoft SharePoint configuration guidance that follows and proceed directly to Add Kerberos constrained delegation for file shares.

Find the SharePoint application pool identity and port

Before you begin: Make sure that you create a list of web applications that are going to be shared through the Docs service.

1. Open Windows Internet Information Services (IIS) Manager.
   Make sure that you record any additional port numbers that are assigned if a web application was extended to create alternate access mappings.


2. Find the Application Pool identity in the Application Pools list view or in SharePoint Central Administration > Security > Configure service accounts.
   In most instances, for Kerberos constrained delegation (KCD) to work properly, the application pool identity user must be the same for all application pools whose applications will be accessed by the Docs service. This means you cannot have different application pools running under different users.

3. In SharePoint Central Administration, on the Web Applications tab, find the port for each of the web applications listed. Look in the Alternate Access Mappings view as necessary.

4. In the Sharepoint Central Administration, open the Application Management, choose the web application and click Authentication Providers in the ribbon bar. Make sure that the authentication type for each web application is set to Windows and that Negotiate (Kerberos) is enabled under IIS Authentication Settings.
   In certain scenarios, switching to Negotiate (Kerberos) might require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For more information, visit the MSDN Library to see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.

Create Service Principal Names

Create a Service Principal Name (SPN) for each web application that needs to be shared as follows:

setspn -S HTTP/SPHOST:PORT <domain>\AppPoolUser
setspn -S HTTP/SPHOST.FQDN:PORT <domain>\AppPoolUser
setspn -S HTTP/SPHOST <domain>\AppPoolUser
setspn -S HTTP/SPHOST.FQDN <domain>\AppPoolUser

If the port is a default port, such as 80 or 443, omit the commands that include port above.

Note: Some of the lines only require a host name while others require a fully qualified host name. If the application pool identity is for a built-in user such as Network Service, then specify the host name as shown below instead of <domain>\AppPoolUser.

setspn -S HTTP/SPHOST:PORT <domain>\SPHOST
setspn -S HTTP/SPHOST.FQDN:PORT <domain>\SPHOST
setspn -S HTTP/SPHOST <domain>\SPHOST
setspn -S HTTP/SPHOST.FQDN <domain>\SPHOST

Note: If you use SSL, the SPN must refer to HTTP instead of HTTPS.

Add Kerberos constrained delegation in Microsoft Active Directory for Microsoft SharePoint

Note:

There is a limit of 1300 services that can be delegated to one account.

If you want to configure Kerberos constrained delegation (KCD) for File Share repositories only, do not complete this task.

1. Open Microsoft Active Directory Users and Computers.
2. In your domain, click Users.
3. Right-click the BEMS service account. For example BEMSAdmin. Click Properties.
4. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:

   • Trust this user for delegation to specified services only
   • Use any authentication protocol

5. Click Add.


6. Click Users or Computers.
7. In the Enter the object names to select field, type one of the following:

   • If the SharePoint web application is running under a domain user account, type the SharePoint Application Pool identity username.

   • If SharePoint web application is running under the Network Service account, type the Microsoft SharePoint server name.

8. Click OK.
9. In the Add Services dialog box, select the HTTP service that corresponds to the SharePoint web applications running under the account specified in step 7.
10. Click OK.
11. Repeat Steps 4–9 for each application pool identity user and each Web Application identified.

Add Kerberos constrained delegation for file shares

The main difference between sharing files in File Share repositories, compared to sharing apps (for example, Microsoft SharePoint), is that here the delegation is to the computer hosting the BEMS instance account and not to the Docs service process user, BEMSAdmin.

1. Open Microsoft Active Directory Users and Computers.
2. In your domain, click Computers.
3. Right-click the BEMS computer entry. Click Properties.
4. Click the Delegation tab.
5. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:

   • Trust this user for delegation to specified services only
   • Use any authentication protocol

6. Click Add, select Users or Computers, type in the name of the server whose file share needs access and click OK.
7. In the list of services, click cifs. Click OK.
8. Repeat Step 3 to 6 for each server that has file shares needing access.
9. Restart the BEMS server. Since Kerberos tokens are cached, restarting the BEMS server is the only way to make sure all delegation changes are received on the machines.
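
A read-only audit of what the two Delegation tab procedures above leave in Active Directory, as an added example that is not part of the BlackBerry guide. The function name and the account names in the last line are placeholders; the expectation that the BEMS service account lists only HTTP services and the BEMS computer account only cifs services is taken from the steps above, and the 1300 figure is the limit stated in the note above.

```powershell
# Added example, not BlackBerry code. Read-only; needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-BemsDelegationAudit {                 # hypothetical helper name
    param(
        # BEMS service account used for SharePoint delegation.
        [Parameter(Mandatory)] [string] $ServiceAccount,
        # Computers hosting BEMS, used for file share delegation.
        [Parameter(Mandatory)] [string[]] $BemsHost,
        # Limit on delegated services per account, as stated in the guide.
        [int] $ServiceLimit = 1300
    )

    $props = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'

    $accounts = @(
        Get-ADUser -Identity $ServiceAccount -Properties $props -ErrorAction Stop
        $BemsHost | ForEach-Object {
            Get-ADComputer -Identity $_ -Properties $props -ErrorAction Stop
        }
    )

    foreach ($acct in $accounts) {
        # Service class expected for this account type (assumption from the steps above):
        # HTTP for the service account, cifs for the BEMS computer account.
        $expected = if ($acct.ObjectClass -eq 'computer') { 'cifs' } else { 'HTTP' }

        # SPNs listed on the Delegation tab, for example HTTP/sp01.example.com:8080.
        $spns = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

        [pscustomobject]@{
            Account            = $acct.SamAccountName
            ExpectedClass      = $expected
            # True when "Use any authentication protocol" is selected.
            ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
            # True means delegation to any service, which the steps above never select.
            Unconstrained      = [bool]$acct.TrustedForDelegation
            ServiceCount       = $spns.Count
            OverLimit          = $spns.Count -gt $ServiceLimit
            # Entries whose service class is not the one the guide configures.
            UnexpectedServices = @($spns | Where-Object { ($_ -split '/')[0] -ne $expected })
            Services           = $spns
        }
    }
}

# Placeholder names; replace with the accounts from your environment.
Get-BemsDelegationAudit -ServiceAccount 'BEMSAdmin' -BemsHost 'BEMS01', 'BEMS02' |
    Format-List Account, ExpectedClass, ProtocolTransition, Unconstrained,
                ServiceCount, OverLimit, UnexpectedServices
```

An account that shows Unconstrained as True, or any entry under UnexpectedServices, has more delegation rights than these procedures grant and is worth reviewing.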

Turn on Kerberos constrained delegation

When you configure Kerberos constrained delegation (KCD) for the Docs service, consider the following:

• Only Windows authentication in Microsoft SharePoint is supported. Forms-based and claims-based authentication are not supported.

• IP addresses are not allowed in the Microsoft SharePoint URLs and File Share paths that you configure in BEMS.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Docs.
2. Click Settings.
3. In the Kerberos Constrained Delegation section, select the Enable Kerberos Constrained Delegation checkbox.
4. Restart the Good Technology Common Services.
5. On the computer hosting the BEMS-Docs service, grant the Act as part of the operating system privilege to the BEMS server account (for example, GoodAdmin).
   a) Run the Local Security Policy administrative tool.


   b) In the left pane, expand Local Policies.
   c) Click User Rights Agreement.
   d) Configure the service account for the Act as part of the operating system permission.
6. Click OK.


Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service

When your environment is configured for Skype for Business Online, Microsoft SharePoint Online, Microsoft OneDrive for Business, or Microsoft Azure-IP you must register the BEMS component services in Azure. You can register one or more of the services in Azure. In this task, the Connect, Presence, and Docs services and Microsoft Azure-IP are registered in Azure.

If you configure the Connect service, you can enable the conversation history to allow users to access conversations that are saved in the Conversation History folder of the user's Microsoft Exchange mailbox. Saving the conversation history is supported in the following environments:

• Users in a Skype for Business on-premises environment that have mailboxes on an on-premises Microsoft Exchange Server

• Users in a Skype for Business Online environment that have mailboxes on an on-premises Microsoft Exchange Server

• Users in a Skype for Business Online environment that have mailboxes on Microsoft Office 365

Saving the conversation history is not supported in an on-premises Skype for Business environment where users have mailboxes on Microsoft Office 365.

Before you begin: To grant permissions, you must use an account with tenant administrator permissions. 

1. Sign in to portal.azure.com.
2. In the left column, click Azure Active Directory.
3. Click App registrations.
4. Click New registration.
5. In the Name field, enter a name for the app. For example, AzureAppIDforBEMS.
6. Select a supported account type.
7. In the Redirect URI drop-down list, select Web and enter https://localhost:8443.
8. Click Register.
9. Record the Application (client) ID.

   This is used as the following in the BEMS dashboard:

   • BlackBerry BEMS Connect/Presence Service App ID value in the BEMS dashboard for the BlackBerry Connect service
   • BlackBerry BEMS Connect/Presence Service App ID value for the Presence service
   • BEMS Service Azure Application ID value for the Docs > Settings service

10. In the Manage section, click API permissions.
11. Click Add a permission.
12. In the Select an API section, click APIs my organization uses.
13. If your environment is configured for Azure-IP, search for and click Microsoft Information Protection Sync Service. Set the following permission:

    • In delegated permissions, select the Read all unified policies a user has access to checkbox (UnifiedPolicy > UnifiedPolicy.User.Read).

14. Click Add permissions.
15. Click Add a permission.
16. Complete one or more of the following tasks:


Service Permissions

If you configure BEMS-Connect to use Skype for Business Online

a. Click the Microsoft APIs tab.
b. Click Skype for Business.
c. Set the following permissions:

   • In application permissions, select all of the permissions.

     1. Click Application permissions.
     2. Click expand all. Make sure that all options are selected.

   • In delegated permissions, select all of the permissions.

     1. Click Delegated permissions.
     2. Click expand all. Make sure that all options are selected.

d. Click Add permissions.
e. If you enable saving the conversation history, complete the following steps:

   1. On the API permissions page, click Add a permission.
   2. In the Select an API section, click Microsoft APIs tab.
   3. Click Exchange.
   4. In delegated permissions, select the Access mailboxes as the signed-in user via Exchange Web Services checkbox (EWS > EWS.AccessAsUser.All).
   5. Click Add permissions.

If you configure BEMS-Presence to use Skype for Business Online

a. Search for and click Skype for Business.
b. Set the following permissions:

   • In application permissions, select all of the permissions.

     1. Click Application permissions.
     2. Click expand all. Make sure that all options are selected.

   • In delegated permissions, select all of the permissions.

     1. Click Delegated permissions.
     2. Click expand all. Make sure that all options are selected.

c. Click Add permissions.

If you configure BEMS-Docs to use Microsoft SharePoint Online or Microsoft OneDrive for Business

a. Search for and click SharePoint.
b. Set the following permissions:

   • In application permissions, clear all of the permissions.

     1. Click Application permissions.
     2. Click expand all. Make sure that all options are cleared.

   • In delegated permissions, select the Read and write items and item lists in all site collections checkbox. None. Clear the check boxes for all options.

   • Delegated permissions: Select the Read and write items and lists in all site collections checkbox. (AllSite > AllSites.Manage)

c. Click Add permissions.


If you use Microsoft Azure-IP

a. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
b. Set the following permissions:

   • In application permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
   • In delegated permissions, select the Read directory data checkbox (Directory > Directory.Read.All).

c. Click Update permissions.

17. Wait a few minutes, then click Grant admin consent. Click Yes.

   Important: This step requires tenant administrator privileges.

18. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
   a) In the Manage section, click Authentication.
   b) Under the Implicit grant section, select the ID Tokens checkbox.
   c) In the Default client type, select No.
   d) Click Save.
19. Define the scope and trust for this API. In the Manage section, click Expose an API. Complete the following tasks.

Task Steps

Add a scope

The scope restricts access to data and functionality protected by the API.

a. Click Add a scope.
b. Click Save and continue.
c. Complete the following fields and settings:

   • Scope name: Provide a unique name for the scope.
   • Who can consent: Click Admins and user.
   • Admin consent display name: Enter a descriptive name.
   • Admin consent description: Enter a description for the scope.
   • State: Click Enabled. By default, the state is enabled.

d. Click Add Scope.

Add a client application

Authorizing a client application indicates that the API trusts the application and users shouldn't be prompted for consent.

a. Click Add a client application.
b. In the Client ID field, enter the client ID that you recorded in step 9 above.
c. Select the Authorized scopes checkbox to specify the token type that is returned by the service.
d. Click Add application.

20. In the Manage section, click Certificates & secrets and add a client secret. Complete the following steps:
   a) Click New client secret.
   b) In the Description field, enter a key description up to a maximum of 16 characters including spaces.
   c) Set an expiration date (for example, In 1 year, In 2 years, Never expires).
   d) Click Add.


   e) Copy the key Value.

   Important: The Value is available only when you create it. You cannot access it after you leave the page. This is used as the BlackBerry BEMS Connect/Presence Service App Key value in the BEMS-Connect and BEMS-Presence services and BEMS Service Application Key in the BEMS-Docs service in the BEMS Dashboard.


Updating the Connect and Presence services using Lync Director

The Lync Director role provides functionality for users accessing the Microsoft Lync Server, internally and externally. For more information about the Lync Director, visit the Technet Wiki and see Lync Director.

To support this capability, the Microsoft Lync Server is deployed as one or more pools, based on Standard Edition or Enterprise Edition Microsoft Lync Server. Users can be homed on only a single pool. Clients can be configured to find their Lync pool automatically. However, the DNS records that support this functionality can point to only a single pool. In a multi-pool environment, this "primary" pool will have to redirect users to their correct home pool. This is an overhead on the primary pool. The Lync Director is used to offload this redirection functionality. The Director does not home any users itself but instead redirects the user to their correct pool home. The requirement for the Lync Director is therefore for multi-pool environments with high user numbers.

Once the user has been redirected to their correct pool, the Lync Director plays no further role in communications between the client and the pool server.

Specify the Connect and Presence services to use a Lync Director

1. On the BEMS host, stop the Good Technology Connect service and the Good Technology Presence service.
2. Complete the following actions:

Task Steps

Update the BlackBerry Connect configuration file

a. On the BEMS host, navigate to the GoodConnectServer.exe.config file. By default, the GoodConnectServer.exe.config file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect.
b. In a text editor, open the GoodConnectServer.exe.config file.

Update the BlackBerry Presence configuration file

a. On the BEMS host, navigate to the LyncPresenceProviderService.exe.config file. By default, the LyncPresenceProviderService.exe.config file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Presence.
b. In a text editor, open the LyncPresenceProviderService.exe.config file.

3. Locate the LYNC_SERVER key and update the value with the FQDN of the Director pool that you want to use.
4. On the BEMS host, start the Good Technology Connect service and Good Technology Presence service.


Configuring BlackBerry Dynamics Launcher

The BlackBerry Dynamics Launcher is a UI component that is accessed in BlackBerry Dynamics apps (for example, BlackBerry Work) with the BlackBerry Dynamics Launcher button. The BlackBerry Dynamics Launcher creates a placeholder location for app settings. The BlackBerry Dynamics Launcher is a library module with numerous functions, currently comprising the following:

• The user's name, photo, presence, and status
• A list of BlackBerry Dynamics-powered apps and modules installed on the device.
• Quick create options to easily compose an email, create a note, schedule a calendar event, or add a contact, regardless of which app is currently open.

To provide this rich user experience, the BlackBerry Dynamics Launcher library requires BEMS server-side services to:

• Synchronize policy-based sections (modules) between applications. For example, when Docs is enabled in BlackBerry Work, the Docs icon is enabled in the BlackBerry Dynamics Launcher, even when it is opened outside of BlackBerry Work in apps like BlackBerry Access or BlackBerry Connect.
• Fetch company directory information about the user to display the correct name and picture.
• Fetch presence information for the user and display the appropriate status (available, busy, away, do not disturb) and the user's presence message.

The required server-side services for the BlackBerry Dynamics Launcher comprise the following:

• Presence (service id = com.good.gdservice.enterprise.presence)
• BlackBerry Directory Lookup (service id = com.good.gdservice.enterprise.directory)
• BlackBerry Follow-Me Store (service id = com.good.gdservice.enterprise.followme)

The client entitlement app to use these services is Good Enterprise Services (AppID = com.good.gdserviceentitlement.enterprise). For information on entitlement apps that are required when the services are installed on separate computers, see Server-side services.

BlackBerry Dynamics clients, like the BlackBerry Work app, check the server list for available BEMS instances hosting these services. This means the list must be populated with at least one computer that hosts BEMS to enable Good Enterprise Services. In addition, the Good Enterprise Services entitlement app must be added to at least one App Group in BlackBerry UEM like "All users".

Configuring Good Enterprise Services in BlackBerry UEM

When you configure Good Enterprise Services in BlackBerry UEM, you perform the following actions:

1. Verify the Good Enterprise Services app is available in BlackBerry UEM.
2. Add BEMS to the Good Enterprise Services entitlement app.
3. Add the Good Enterprise Services entitlement app to users. You can use one or more of the following options. For instructions, see the BlackBerry UEM Administration content.

   • Apply the app directly by completing one of the following tasks:
     • Assign the entitlement app to a user group
     • Assign the entitlement app to a user account
   • Assign the entitlement app to an app group. Then complete one of the following tasks:
     • Assign the app group to a user group
     • Assign the app group to a user account


Verify that Good Enterprise Services are available in BlackBerry UEM

1. Log in to the BlackBerry UEM console.
2. On the menu bar, click Apps.
3. Search for Good Enterprise Services.

Add the BEMS instance to the Good Enterprise Services and BlackBerry Work entitlement app

You must add the BEMS instance to the Good Enterprise Services entitlement app to allow users to use the services. You must also add the BEMS instance to allow users to receive email notifications. If the BEMS instance is not added to the BlackBerry Work entitlement app, users receive email messages, but do not receive the notifications when the email messages are received. For more information about configuring your environment to support BlackBerry Dynamics apps, making the apps available to users, and configuring the app settings, see the BlackBerry Work, Tasks, and Notes administration content.

1. On the menu bar, click Policies and Profiles.
2. Click Networks and connections > BlackBerry Dynamics connectivity.
3. Click   to create a new connectivity profile or click the Default connectivity profile to edit it.
4. In the Additional servers section, click  .
5. Complete one of the following tasks:

Task Steps

Route all traffic

Select the Route all traffic checkbox to specify whether all BlackBerry Dynamics app data is routed through the BlackBerry Proxy. For more information about the BlackBerry Dynamics connectivity profile settings, see the Managing BlackBerry Dynamics apps content.

Add the BEMS instance to the Additional servers

a. In the Additional servers section, click  .
b. In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
c. In the Port field, specify the port for the BlackBerry Enterprise Mobility Server. By default, the port number is 8443.
d. In the Primary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the primary cluster.
e. If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.

6. Click Save.
7. Add the BEMS instance to the Good Enterprise Services entitlement app.
   a) In the App servers section, click  .
   b) Click Add.
   c) Search for and select Good Enterprise Services.
   d) Click Save.
   e) In the App servers for Good Enterprise Services, click  .
   f) In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.


   g) In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
   h) In the Priority drop-down list, select the priority of the BlackBerry Proxy cluster that must be used to reach the domain.
   i) If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
   j) Click Save.
8. Add the BEMS instance to the BlackBerry Work entitlement app.
   a) In the App servers section, click  .
   b) Click Add.
   c) Search for and select BlackBerry Work.
   d) Click Save.
   e) In the App servers for BlackBerry Work, click  .
   f) In the Server field, specify the FQDN of the BlackBerry Enterprise Mobility Server.
   g) In the Port field, specify the port of the BlackBerry Proxy cluster that is used to access the BlackBerry Enterprise Mobility Server.
   h) In the Priority drop-down list, select the priority of the BlackBerry Proxy cluster that must be used to reach the domain.
   i) If necessary, in the Secondary BlackBerry Proxy cluster drop-down list, select the name of the BlackBerry Proxy cluster that you want to set as the secondary cluster.
   j) Click Save.
9. To save the updates to the existing profile, click Save.
10. To save the settings and add the new profile, click Add.

Setting a customized icon for the BlackBerry Dynamics Launcher

You can specify a default customized icon for the BlackBerry Dynamics Launcher on users' devices. When you specify a customized icon, the icon replaces the BlackBerry Dynamics icon for all users managed by the BEMS instance.

When you specify a customized icon, make sure that the file meets the following requirements:

• Less than 500kb. Icons larger than 500kb are not added to the custom icons list.
• Named using the following format: <file name>_<device_type>_<resolution>.png. For example, Icon_iOS_2x.png.

  Where resolution is the supported resolution for the device. For example:

  • Android devices: ldpi, mdpi, hdpi, xhdpi, xxhdpi, and xxxhdpi
  • iOS devices: 1x, 2x, 3x, and so on

• Saved as a .png format
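
A pre-upload check for the requirements above, added here as an example and not BlackBerry's own validation code (Python 3). The device tokens Android and iOS (matched case-insensitively), the reading of 500kb as 500 x 1024 bytes, and the sample files are assumptions or constructed values.

```python
import os
import re
import struct
import tempfile
import zlib

MAX_ICON_BYTES = 500 * 1024  # assumption: the guide's "500kb" read as 500 x 1024 bytes
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ANDROID_RESOLUTIONS = {"ldpi", "mdpi", "hdpi", "xhdpi", "xxhdpi", "xxxhdpi"}
IOS_RESOLUTION = re.compile(r"[1-9][0-9]*x")  # 1x, 2x, 3x, and so on
NAME_FORMAT = re.compile(r"(?P<name>.+)_(?P<device>[^_]+)_(?P<resolution>[^_.]+)\.png")


def check_name(file_name):
    """Check <file name>_<device_type>_<resolution>.png and the per-device resolutions."""
    match = NAME_FORMAT.fullmatch(file_name)
    if match is None:
        return ["name is not <file name>_<device_type>_<resolution>.png"]
    problems = []
    device, resolution = match.group("device"), match.group("resolution")
    if device.lower() == "android":  # assumed token for Android devices
        if resolution not in ANDROID_RESOLUTIONS:
            problems.append(f"{resolution} is not an Android resolution")
    elif device.lower() == "ios":
        if IOS_RESOLUTION.fullmatch(resolution) is None:
            problems.append(f"{resolution} is not an iOS resolution")
    else:
        problems.append(f"{device} is not a known device type")
    return problems


def check_icon(path):
    """Return the list of unmet requirements; an empty list means the file passes."""
    problems = check_name(os.path.basename(path))
    if os.path.getsize(path) >= MAX_ICON_BYTES:
        problems.append("file is not less than 500kb")
    # Inspect the content instead of trusting the .png extension.
    with open(path, "rb") as handle:
        header = handle.read(16)
    if header[:8] != PNG_SIGNATURE or header[12:16] != b"IHDR":
        problems.append("content is not PNG data")
    return problems


def _chunk(kind, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type and data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def sample_png(padding=0):
    """Constructed 1x1 RGBA PNG; `padding` appends filler bytes to inflate its size."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff\xff")
    image = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return image + b"\x00" * padding


def demo():
    """Run check_icon over constructed files and return {file name: problems}."""
    cases = {
        "Icon_iOS_2x.png": sample_png(),
        "Icon_Android_xxhdpi.png": sample_png(),
        "Icon_Android_2x.png": sample_png(),                # iOS resolution on Android
        "Icon_iOS_3x.png": b"<html>not an image</html>",    # extension does not match content
        "Logo.png": sample_png(),                           # no device type or resolution
        "Big_iOS_1x.png": sample_png(padding=MAX_ICON_BYTES),
    }
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in cases.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as handle:
                handle.write(content)
            results[name] = check_icon(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```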

Specify a customized icon for the BlackBerry Dynamics Launcher

BEMS allows you to specify a custom icon for users in your environment. When you add custom icons, BEMS verifies the validity of the uploaded images. For more information about customized icon requirements, see Setting a customized icon for the BlackBerry Dynamics Launcher.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry System Settings, click Launcher Branding.
2. Select the Show customized icon in launcher checkbox.


3. Click the Device drop-down list, and select the device that you want to specify the launcher icon for. By default, Android is selected.
4. Under Icon, click Choose File.
5. Navigate to the icon file location. Click the file and then click Open.
6. Click Save.
7. Repeat steps 4 to 6 for each customized Android device icon file resolution.
8. Complete steps 3 to 6 for customized iOS device icon file resolution.

Remove a customized icon for the BlackBerry Dynamics Launcher

You can choose to remove a customized icon you specified for the BlackBerry Dynamics Launcher. If you remove all of the customized icon files, the default Launcher icon is used on the client devices for the Launcher app.

1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry System Settings, click Launcher Branding.
2. Click the Device drop-down list, and select the device for which you want to remove the customized Launcher icon.
3. Click Delete beside the icon you want to remove.
4. Click Save.


Monitoring

You can monitor the status of BEMS, users and nodes using the following monitoring tools:

• BEMS Lookout tool
• Java Management Extensions (JMX)-compliant monitoring tools
• Health service servlet

Monitoring probes

The following table describes the monitoring probes you can use to view additional information for the health of your BEMS server and users. You can use monitoring probes to view information for a BEMS instance locally or from a remote computer.

Note: To use monitoring probes in your environment, you must enable them. For instructions, see one of the following:

• If you are using the BEMS Lookout tool, see Install the BEMS Lookout tool.
• If you are using the health service servlet, see Enable the health service servlet.

Probe name cURL Command Output description

PushNotificationCounter

Type curl -k -i -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
  'https://<BEMS instance name>:8443/monitor/push.notifications'

SuccessfulPushes

This probe specifies the number of push notifications, per push notification type (for example, APNS, GNP, and GCM), that the instance has sent for users supported by this instance.

You want to see the number increase over short intervals of time. If it stops rising then BEMS is not sending any push notifications.

Total user count

Type curl -k -i -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
  'https://<BEMS instance name>:8443/monitor/mail.users/UsersCount'

UsersCount

This probe specifies the total number of users across the BEMS cluster which successfully registered a device and are successfully auto discovered by BEMS. The UsersCount does not reflect the number of devices receiving push notifications.

Stale user count

Type curl -k -i -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
  'https://<BEMS instance name>:8443/monitor/mail.users/StaleUsersCount'

StaleUsersCount

This probe specifies the total number of users across the BEMS cluster which successfully registered a device, but for which BEMS is no longer sending push notifications because the device hasn't registered in the past 72 hours.


EWS user count

Type curl -k -i -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic ZG9tYWluXHVzZXI6cGFzc3dvcmQ=" \
  'https://<BEMS instance name>:8443/monitor/mail.ewslistener/EWSUserStats'

EWSConnectedUserCount

This probe specifies the number of users on the Microsoft Exchange Web Services instance, for which BEMS connects to the Microsoft Exchange Server, and is attempting to monitor the users' mailboxes. This EWSConnectedUserCount reflects the number of users most likely to be receiving push notifications unless BEMS is experiencing errors with its Microsoft Exchange Web Services connections to the Microsoft Exchange Server.

The EWSConnectedUserCount should be equal across all Microsoft Exchange Web Services instances in a cluster. If this count drops to 0 then the Microsoft Exchange Web Services instance is not servicing any user mailboxes.
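
The probe table's health rules as a poller, added here as an example and not part of the BlackBerry documentation or tooling (Python 3). Unlike the curl -k commands in the table it keeps certificate verification on, because the Basic value is only base64 of domain\user:password, which is what the table's sample value decodes to. The CA file path, the JSON response layout and the sample counters are assumptions or constructed values.

```python
import base64
import json
import ssl
import urllib.request

# Probe paths exactly as given in the probe table.
PROBE_PATHS = {
    "SuccessfulPushes": "/monitor/push.notifications",
    "UsersCount": "/monitor/mail.users/UsersCount",
    "StaleUsersCount": "/monitor/mail.users/StaleUsersCount",
    "EWSConnectedUserCount": "/monitor/mail.ewslistener/EWSUserStats",
}


def basic_auth_header(user, password):
    """Build the Authorization value; this is base64 encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth(header_value):
    """Recover (user, password) from a Basic value, as anyone who captures it can."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def fetch_probe(base_url, path, user, password, ca_file):
    """GET one probe with certificate and host name verification left on."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over plain HTTP")
    # ca_file: PEM file holding the CA that issued the BEMS certificate (assumed path).
    context = ssl.create_default_context(cafile=ca_file)
    request = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Content-Type": "application/json",
                 "Authorization": basic_auth_header(user, password)},
    )
    with urllib.request.urlopen(request, context=context, timeout=15) as response:
        return json.loads(response.read().decode("utf-8"))


def sum_counter(document, name):
    """Sum every integer stored under key `name` at any depth (layout is assumed)."""
    total = 0
    if isinstance(document, dict):
        for key, value in document.items():
            if key == name and isinstance(value, int) and not isinstance(value, bool):
                total += value
            else:
                total += sum_counter(value, name)
    elif isinstance(document, list):
        for item in document:
            total += sum_counter(item, name)
    return total


def evaluate(previous, current):
    """Apply the table's rules to two polls shaped {instance: {counter: value}}."""
    findings = []
    for instance, counters in sorted(current.items()):
        earlier = previous.get(instance, {})
        if counters["SuccessfulPushes"] <= earlier.get("SuccessfulPushes", -1):
            findings.append(f"{instance}: SuccessfulPushes stopped rising")
        if counters["EWSConnectedUserCount"] == 0:
            findings.append(f"{instance}: EWS instance is servicing no mailboxes")
    if len({c["EWSConnectedUserCount"] for c in current.values()}) > 1:
        findings.append("cluster: EWSConnectedUserCount differs between instances")
    return findings


# Constructed sample values; the per-type nesting of the push response is an assumption.
SAMPLE_PUSH_RESPONSE = {"APNS": {"SuccessfulPushes": 700}, "GCM": {"SuccessfulPushes": 560}}
SAMPLE_PREVIOUS = {
    "bems1": {"SuccessfulPushes": 1200, "EWSConnectedUserCount": 340},
    "bems2": {"SuccessfulPushes": 980, "EWSConnectedUserCount": 340},
}
SAMPLE_CURRENT = {
    "bems1": {"SuccessfulPushes": sum_counter(SAMPLE_PUSH_RESPONSE, "SuccessfulPushes"),
              "EWSConnectedUserCount": 340},
    "bems2": {"SuccessfulPushes": 980, "EWSConnectedUserCount": 0},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PREVIOUS, SAMPLE_CURRENT):
        print(finding)
```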

Monitoring the status of BEMS and users using the BEMS Lookout tool

You can use the BEMS Lookout tool to view the status of the BEMS node and scan the logs for information including the following:

• The state of devices and users.
• Notification success and failure
• The notifications received by a user during a specified time range

You can also use monitoring probes to report on the health metrics for the Push Notifications service. For example, number of successful and failed push notifications. You can run the Lookout tool on log files you saved locally in a folder or on a shared drive. The analysis tool is included in your BEMS 2.4 or later installation package and supports analyzing logs from BEMS 2.1.5 or later.

Install the BEMS Lookout tool

Before you begin: Install Python 2.7 on the computer that you use to analyse the BEMS logs. You can download it from www.python.org/downloads/windows/. Make sure that you download and install version 2.7.13 or later, and earlier than version 3.x.x.

1. Update the PATH system variable.
   a) On the computer that you use to run the Lookout tool, right-click Computer or This PC. Click Properties.
   b) Click Advanced system settings.
   c) Click the Advanced tab.
   d) Click Environment Variables.
   e) In the System variables list, click Path. Click Edit.


   f) In the Variable value field, add ;C:\Python27;C:\Python27\Scripts.
   g) Click OK. Click OK again.
2. Optionally, configure the node for BEMS to authenticate with the authentication source.
   a) On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
   b) Scroll to and click com.good.gcs.monitor.MonitorComponent.name.
   c) In the default realm field, type gems-ad.
   d) In the default role field, type admin.
   e) Click Save.
   f) Verify the monitoring probes are successfully enabled. In a browser navigate to https://<BEMS FQDN>:8443/monitor. Review the monitor content. If you are prompted to download the monitor.json file, download it to review the content. To view the data provided by each monitoring probe, see Monitoring probes.
3. On the computer that hosts BEMS, navigate to the BEMS Lookout tool. By default, the BEMS Lookout tool is located in the BEMS installation folder at <drive>:\GoodEnterpriseMobilityServer<version>\GoodEnterpriseMobilityServer\bems-lookout.
4. Extract the bems-lookout<version>tools.zip file.
5. Double-click setup.bat to install the python libraries on the computer.
6. In a text editor, open Config.cfg.

   • ServerBaseUrls: Optionally, specify the BEMS https web addresses you want to connect to and include in your analysis. If you want to run the Lookout tool on multiple BEMS instances, separate the instances using a comma, no space.
   • MonitorCredentials: If you configured ServerBaseURLs, you must include the user credentials specified during BEMS monitoring setup. For example, gemsadmin:<password>.
   • ServerLogDirectories: Specify the location of the logs for each computer that hosts a BEMS instance in the BEMS cluster. You must include the BEMS instance name and location of the log files. For example, if the log files for BEMS1 are available on a network share and BEMS2 are located in C:\blackberry, and you analyze the logs on BEMS2 you specify <bemshost1>:\\<bemshost1>\<bemslogs share>,<bemshost2>:C:\blackberry\bemslogs.

     Note: You can list the BEMS log locations in any order.
   • DataDir: Create a folder where the processed data is saved. For example, create a folder called 'bems-lookout-data'. Update the DataDir property to DataDir=C:\blackberry\bems-lookout-data.
   • LogSyncIntervalSec: Optionally, specify the interval time, in seconds, that the analysis tool scans the log directory for new logs. By default, the LogSyncIntervalSec is set to onetime. If logs are not available, you can set the LogSyncIntervalSec=none to only view the user state.
   • MaxLogScanAgeDays: Optionally, specify the oldest date that you want to synchronize the logs. By default, the MaxLogScanAgeDays is 14 days.

7. Save the Config.cfg file.

After you finish: Run the BEMS Lookout tool to analyze the BEMS logs.

Run the BEMS Lookout tool

Before you begin:

• Install Python 2.7 on the computer that you use to analyse the BEMS logs. You can download Python 2.7 from www.python.org/downloads. Make sure that you download and install version 2.7.13 or later, and earlier than version 3.x.x.

• Install the BEMS Lookout tool.


1. On the computer where you installed the BEMS Lookout tool, navigate to the bems-lookout-<version>.tools folder. By default, the folder is located at: <drive>:\Downloads\GoodEnterpriseMobilityServer.<version>\GoodEnterpriseMobilityServer\bems-lookout\bems-lookout-<version>.tools-all\bems-lookout-<version>.tools
2. To start the log analysis, double-click start.bat. The BEMS Lookout tool writes the log files it generates to the DataDir parameter that you specified when you installed the BEMS Lookout tool.

Note: If the BEMS instance is restarted, you must start the log analysis again.

After you finish: The BEMS Lookout tool log analysis results are saved to a database in the DataDir folder. To view the analysis results, open a browser and go to http://localhost:5000.

Java Management Extensions (JMX)-compliant monitoring tools

You can now use Java Management Extensions (JMX)-compliant monitoring tools to monitor the Mail (Push Notifications) and BEMS-Docs services. JMX is a Java Standard which is compatible with many tool suites including JConsole which is distributed with every JDK installation.

Monitoring the status of Push Notifications using JMX-compliant monitoring tools

You can view the status of the BEMS node on Push Notifications statistics including the following:

• The state of devices and users.
• Notification success and failure
• The time of the last notification received
• The state of the BEMS infrastructure, such as processing time and response to database requests

Monitoring the status of the BEMS-Docs service using JMX-compliant monitoring tools

You can view the status of the BEMS node on BEMS-Docs statistics including the following:

• The average completion time of upload and download requests
• The average completion time of requests
• The number of requests sent to supported storage providers (for example, CMIS and Microsoft SharePoint on-premises and Microsoft SharePoint Online)
• Request, upload, and download success and failure

Monitoring attributes

The following table describes the statistics that you can use to monitor the health of BEMS server, users, and BEMS-Docs using the monitoring tool.

Statistic Description

Push Notifications

RelayStats <notification type>RelayStats

This attribute specifies the number of push notifications for each push notification type (for example, APNS, GNP, and FCM). If this number stops rising, then BEMS is not sending any push notifications.

The numbers should increase over short intervals.


EWSStats EWSConnectedUserCount

This attribute specifies the number of users on the Microsoft Exchange Web Services instance that BEMS uses to connect to the Microsoft Exchange Server so that it can monitor the users' mailboxes. This attribute reflects the number of users most likely to be receiving push notifications unless BEMS is experiencing errors with its Microsoft Exchange Web Services connections to the Microsoft Exchange Server.

The EWSConnectedUserCount should be equal across all Microsoft Exchange Web Services instances in a cluster. If this count drops to 0, then the Microsoft Exchange Web Services instance is not servicing any user mailboxes.

UserStats UsersCount

This attribute specifies the total number of users across the BEMS cluster which successfully registered a device and are successfully autodiscovered by BEMS. The UsersCount does not reflect the number of devices receiving push notifications.

StaleUsersCount

This attribute specifies the total number of users across the BEMS cluster that BEMS is no longer sending push notifications to because the devices that were registered previously haven't registered in the past 72 hours.

HealthStats HealthStats

This attribute specifies the overall health of the BEMS status, including health of consumer threads, producer threads, ActiveMQ, and access to the database.

ClientAPIStats ClientAPIStats

This attribute identifies generic problems with the BEMS service by monitoring the average and maximum processing time of requests to the BEMS database. This statistic is for the last minute only. For example, if the LookupUser is {Min:10, Max:90000, Average:50000, Count:26}, it means that BEMS received 26 LookupUser requests in the last minute and the average duration is 50,000 milliseconds.

DatabaseStats DatabaseStats

This attribute can identify common failure points for the BEMS Infrastructure. This attribute monitors statistics such as the average, maximum, minimum, and number of requests to BEMS. If the NumOfRequests is 25, it means BEMS received 25 database requests in the last minute. If the database stops, the processing time displays Infinity.


AutodiscoverStats EAS

This attribute specifies the total number of successful or failed Active Directory requests for EAS client requests.

EWS

This attribute specifies the total number of successful or failed Active Directory requests for all EWS requests and client requests.

Tests

This attribute specifies the total number of successful or failed Active Directory requests for both EWS and EAS tests.

BEMS-Docs

DocsConfigInfo

This attribute specifies the overall BEMS-Docs configuration information, including the version of BEMS that is installed, the status of all bundles, and database status.

DocsServices

This attribute specifies overall health of the BEMS-Docs service, including the total number of requests, downloads, and uploads with the average processing time. The success and failure of the statistics are also included.

DocsStorageProviders

This attribute specifies the total number of requests and downloads to a specific fileshare (for example, Microsoft SharePoint, Microsoft SharePoint Online, CMIS, and Box).

Enable JMX

You must modify the GoodServerDistribution-wrapper.conf file on the computer that hosts the BEMS instance to allow jconsole to connect to BEMS and view the monitoring attributes. By default, this feature is disabled.

1. In a text editor, navigate to the GoodServerDistribution-wrapper.conf file. By default, this file is located in <drive>:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc. Make a backup of this file and save it to your desktop.

2. In the # Use the Garbage First (G1) Collector section, uncomment the following properties:

• wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.port=<port>
• wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.authenticate=false
• wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.ssl=false
• If you want to allow remote access, uncomment wrapper.java.additional.<n>=-Dcom.sun.management.jmxremote.local.only=false

Where <n> must be changed to the next unique, incremental identifier in the GoodServerDistribution-wrapper.conf file. For example, in the following example, you must change the <n> for jmxremote.port to 22.

# Needed for Certicom Security Provider
wrapper.java.additional.19=-Dcerticom.keyagreement.ecdh=rawECDH
# Use the Garbage First (G1) Collector
wrapper.java.additional.20=-XX:+UseG1GC
wrapper.java.additional.21=-Djava.security.properties="%KARAF_ETC%/java.security"
# Uncomment to enable jmx
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.port=1616
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.authenticate=false

3. Record the port number. This port number is required to log in to jconsole.
4. Save and close the file.
5. Restart the Good Technology Common Services service.
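The index rule in step 2 and the state of the JMX properties can be checked before the service is restarted. The following Python sketch is an added example, not BlackBerry code: it parses the wrapper.java.additional lines, computes the next free <n>, and reports duplicate or unreplaced indices together with active properties that turn off JMX authentication or TLS. The function names are hypothetical and EDITED_SAMPLE is constructed from the fragment shown above.

```python
import re

_COMMON = """\
# Needed for Certicom Security Provider
wrapper.java.additional.19=-Dcerticom.keyagreement.ecdh=rawECDH
# Use the Garbage First (G1) Collector
wrapper.java.additional.20=-XX:+UseG1GC
wrapper.java.additional.21=-Djava.security.properties="%KARAF_ETC%/java.security"
# Uncomment to enable jmx
"""

# The fragment as shown in the guide: JMX lines still commented out.
PAGE_FRAGMENT = _COMMON + """\
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.port=1616
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.authenticate=false
"""

# Constructed sample: the same fragment after a careless edit
# (index 22 reused, one placeholder "n" left in place).
EDITED_SAMPLE = _COMMON + """\
wrapper.java.additional.22=-Dcom.sun.management.jmxremote.port=1616
wrapper.java.additional.22=-Dcom.sun.management.jmxremote.authenticate=false
wrapper.java.additional.n=-Dcom.sun.management.jmxremote.ssl=false
#wrapper.java.additional.n=-Dcom.sun.management.jmxremote.local.only=false
"""

LINE_RE = re.compile(r"^\s*(#?)\s*wrapper\.java\.additional\.([^=\s]+)\s*=\s*(.*?)\s*$")
JMX_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote\.([\w.]+)=(\S+)")


def parse_additional(text):
    """Return one dict per wrapper.java.additional line, commented or not."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            entries.append({"line": lineno, "active": m.group(1) == "",
                            "index": m.group(2), "value": m.group(3)})
    return entries


def next_index(entries):
    """Next unique, incremental <n> based on the uncommented numeric entries."""
    used = [int(e["index"]) for e in entries if e["active"] and e["index"].isdigit()]
    return max(used) + 1 if used else 1


def audit(text):
    """List index mistakes and active JMX properties that relax protection."""
    findings, first_use, jmx = [], {}, {}
    for e in parse_additional(text):
        if not e["active"]:
            continue  # commented-out lines have no effect
        if not e["index"].isdigit():
            findings.append(f"line {e['line']}: placeholder index '{e['index']}' was not replaced")
        elif e["index"] in first_use:
            findings.append(f"line {e['line']}: index {e['index']} already used "
                            f"on line {first_use[e['index']]}")
        else:
            first_use[e["index"]] = e["line"]
        m = JMX_RE.search(e["value"])
        if m:
            jmx[m.group(1)] = m.group(2).lower()
    if "port" in jmx:
        where = f"JMX on port {jmx['port']}"
        if jmx.get("authenticate") == "false":
            findings.append(f"{where}: no password authentication (authenticate=false)")
        if jmx.get("ssl") == "false":
            findings.append(f"{where}: traffic is not encrypted (ssl=false)")
        if jmx.get("local.only") == "false":
            findings.append(f"{where}: non-local connections allowed (local.only=false)")
    return findings


if __name__ == "__main__":
    print("next <n> for the guide's fragment:", next_index(parse_additional(PAGE_FRAGMENT)))
    for finding in audit(EDITED_SAMPLE):
        print(finding)
```

For the guide's own fragment the computed index is 22, which matches the value the text says to use for jmxremote.port.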

View statistics using the JMX tool

Before you begin:

• Verify that jconsole is available on the computer that hosts the BEMS-Mail (Push Notifications) and BEMS-Docs. It is distributed with every JDK installation.
• Enable JMX and record the port number.

1. Open the jconsole app on the computer that hosts the service that you want to view statistics (Push Notifications service or BEMS-Docs service). By default, the app is located in <drive>:\%JAVA_HOME%\bin.

2. In the Remote Process field, enter the <hostname>:<port>. To obtain the hostname, complete one of the appropriate steps:

• Where the host name is one of the following:
  • If you connect locally, enter 127.0.0.1.
  • If you connect remotely, complete the following steps to obtain the host name:
    a. On the Apache Karaf Web Console, open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
    b. Scroll to and click Apache Karaf JMX Management.
    c. Copy the RMI Registry Host.
• Where the port is one of the following:
  • If you connect locally, the port number that you recorded from the GoodServerDistribution-wrapper.conf file when you enabled JMX or the port displayed in Karaf.
    a. On the Apache Karaf Web Console, open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
    b. Scroll to and click Apache Karaf JMX Management.
    c. Copy the RMI Registry Port.
  • If you connect remotely, the port number that you recorded from the GoodServerDistribution-wrapper.conf file when you enabled JMX.

3. Click Connect.
4. Click Insecure connection.
5. In the Java Monitoring & Management Console, click the MBeans tab.
6. Do any of the following:

View Statistics | Steps

Push Notifications

View statistics about the FCM, GCM, APNS, and APNS push notifications. | Click com.good.gcs.notifications > instance > RelayStats > Attributes.
View statistics about users on the Microsoft Exchange Web Services instance. | Click com.good.gcs.pushnotify > instance > EWSStats > Attributes.


View statistics about users in the BEMS cluster that have registered a device. | Click com.good.gcs.pushnotify > instance > UserStats > Attributes.
View the overall health of BEMS. | Click com.good.gcs.core.health > instance > HealthStats > Attributes.
View the client API status statistics for the previous minute for requests received by BEMS. | Click com.good.gcs.clientapi > instance > ClientAPI Status > Attributes.
View the average, maximum, minimum, and number of requests to the BEMS database. | Click com.good.gcs.database > instance > DatabaseStats > Attributes.
View statistics for EAS and EWS Autodiscover and administrator functions. | Click com.good.gcs.pushnotify > instance > AutodiscoverStats.

BEMS-Docs

View the overall BEMS-Docs configuration information. | Click com.good.server.docs.monitoring > instance > DocsConfigInfo
View statistics about success and failure of BEMS-Docs uploads, downloads, requests, and the average process duration. | Click com.good.server.docs.monitoring > instance > DocsServices
View statistics about the number of requests and downloads by storage providers. | Click com.good.server.docs.monitoring > instance > DocsStorageProviders

Monitoring the health status of a node

You can enable the health service servlet to monitor the health and system status of a node in your environment. The health and system status is specific to the node that the feature is enabled on. It does not provide health information on a cluster in the environment. By default, this feature is disabled and must be enabled on each node in the environment.

Configure the node for BEMS to authenticate with the authentication source

You must configure the node to allow BEMS to authenticate with the authentication source (realm) in Karaf before you can enable the health service servlet to monitor the health and system status of a node in your environment.

1. On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
2. Enter your login credentials.
3. Scroll to and click com.good.gcs.monitor.MonitorComponent.name.
4. In the com.good.gcs.monitor.MonitorComponent.realm.name field, type gems-ad.
5. In the com.good.gcs.monitor.MonitorComponent.role.name field, type admin.
6. Click Save.


Enable the health service servlet

Before you begin: Make sure that you have configured the node for BEMS to authenticate with the authentication source.

1. On the computer that hosts BEMS, open the Apache Karaf Web Console. Open a browser window and navigate to https://<BEMS instance hostname>:8443/system/console/configMgr.
2. Enter your login credentials.
3. Scroll to and click com.good.gcs.core.health.HealthServiceImpl.name.
4. In the com.good.gcs.core.health.HealthServiceImpl.healthCheck.enabled.name field, type true.
5. Click Save.
6. Restart the Good Technology Common Services.

Run the health checks on a node

For information about monitoring probes, see Monitoring probes.

Before you begin: Enable the health service servlet

1. On the computer that hosts BEMS, open a browser and complete one of the following tasks:

• To monitor the node health statistics: type https://<BEMS instance hostname>:8443/monitor/
• To monitor the node’s health at a higher level (for example, including health information about BEMS), type https://<BEMS instance hostname>:8443/health

2. If you are prompted, enter your credentials. Press OK.


Additional information

After you complete the tasks to configure BEMS, see the following content to install and configure the necessary BlackBerry Dynamics apps:

• BlackBerry Work, Notes and Tasks administration content
• BlackBerry Connect administration content
• BlackBerry Access administration content


Appendix A: Understanding the BEMS-Connect configuration file

Configuration settings can be manually updated in the BEMS Connect configuration file (GoodConnectServer.exe.config) located in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Connect. However, the best practice for updating the file is to use the BEMS admin console. If you manually update the configuration file, complete this task on each computer that hosts the Connect service.

Note: Stop the Good Technology Connect service before you update the configuration file, make your changes, and start the service on BEMS for the changes to take effect.

Parameter name | Required | Description | Default setting
ACK_TIME_WAIT |  | Time (in milliseconds) that the BlackBerry Connect server waits for acknowledgment from client for a message received before sending message failed to deliver. | 90 000
ACTIVE_DIRECTORY_CACHE_REFRESH_SECS | √ | The number of seconds the BlackBerry Connect server waits before synchronizing with the Microsoft Active Directory (any value smaller than 7200 is disregarded in favor of 7200 seconds). | 86,400 (24 hours)
ACTIVE_DIRECTORY_SEARCH_RESULT_MAX | √ | The upper limit on the number of hits from a search of the company directory. | 50
AD_USERS_SOURCE |  | Parameter indicates if the Connect service should connect to Microsoft Active Directory Global Catalog servers or use the distinguished name to a local Domain Controller for loading SIP-enabled users. This value can be “GC” or “LDAP”. By default, the value is LDAP if the value is empty. |
AD_USERS_SOURCE_DOMAIN | √ If users source is GC | The Active Directory Domain in the Global Catalog to query. This value can be the distinguished name of the domain or the fully qualified domain name; for example, DC=EXAMPLE,DC=COM or EXAMPLE.COM, respectively. |
APN_BADGE | √ | Determines whether or not to use the badge graphic for Apple push notifications. | True


APN_SLEEP_TIME |  | The number of milliseconds the BlackBerry Connect server waits in between queued Apple push notifications. | 100
APN_SOUND | √ | Play sound when an Apple device receives a push notification. |
BASE_URL |  | Web address for the Connect service which takes one of the following values: http://*:8080/ or https://*:8082/ | https://*:8082/
BUILD_VERSION | √ | The version number of the BlackBerry Connect server build. | Auto-populated
DB_PURGE_HOURS |  | Any IMs from invitations are obfuscated. In addition to obfuscation, the integer value representing the maximum age, in hours, of missed messages and invitations before they are automatically deleted (purged) is set with DB_PURGE_HOURS. For example, <add key="DB_PURGE_HOURS" value="72" />. If Connect is started 7/8/2015 @ 12:31pm, then on 7/9/2015 @ 12:31pm a process removes all invitations and all missed messages older than 72 hours. Connect continues to run every 24 hours thereafter. | 0
DB_RECONNECT_TRY_NUM | √ | Number of times the Connect server tries reconnecting to the database after a failure to connect to database. | 3
DB_RECONNECT_WAITTIME_SEC | √ | Number of seconds the Connect server waits before trying to reconnect to the database. | 300
DB_SESSION_TIMEOUT_SECS | √ | Time limit for search Lync/OCS database as defined by LYNC_DB_CONNECTIONSTRING. | 300


DISABLE_MESSAGEUPDATE | — | Disable message not delivered errors which may potentially be due to client and network latencies. | False
DISABLE_SSL_CERT_CHECKING |  | Disables certificate validation when the Connect service connects to the Notifications service. For example, <add key="DISABLE_SSL_CERT_CHECKING" value="true" /> | False
ENABLE_SOURCE_NETWORK |  | Labels address book contacts as "external" if they do not belong to your organization. These are federated contacts. A federated contact is a member of a company whose Microsoft Lync Server or Skype for Business server is federated (connected) with your company’s Microsoft Lync Server or Skype for Business server. | False
ENABLE_PERSISTENT_CHAT | — | Enables persistent chat features in BEMS, enabling users to create and participate in group discussions. Requires that the feature is enabled in Microsoft Lync Server 2013 or Skype for Business 2015 server. For more information about enabling persistent chat, see the BlackBerry Connect Administration content. | False
EWS_HISTORY_INTERVAL_MINUTES |  | Defines the interval in minutes the BlackBerry Connect server waits before writing to Conversation history. 0 means that conversation history is written only after conversation has been terminated. | 5
EWS_HOST |  | FQDN of the Microsoft Exchange Server to which the BlackBerry Connect server writes conversation histories. |


EWS_VERSION |  | EWS_Version parameter number and corresponding Microsoft Exchange Server version: 1 = Microsoft Exchange Server 2010; 2 = Microsoft Exchange Server 2010 SP1; 3 = Microsoft Exchange Server 2010 SP2; 4 = Microsoft Exchange Server 2010 SP3; 5 = Microsoft Exchange Server 2013; 6 = Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019; 100 = Microsoft Exchange Online | 2
GD_APN_HTTP_URL | √ | Web Service web address for BlackBerry Dynamics Apple Push Notifications Service (APNS). |
GD_APN_PROXY_AUTH_DOMAIN | — | Web Proxy Domain | Deprecated
GD_APN_PROXY_AUTH_PASSWORD | — | Web Proxy Password | Deprecated
GD_APN_PROXY_AUTH_USERNAME | — | Web Proxy Username | Deprecated
GD_APN_PROXY_HTTP_HOST | — | Web Proxy Host |
GD_APN_PROXY_HTTP_PORT | — | Web Proxy Port |
GD_APN_PROXY_TYPE |  | Web Proxy Authentication Mechanisms. Acceptable values are: "" (empty string for no proxy), "Basic No Auth", "Basic", "Digest" | ""
GD_APNS_BLACKLIST_RETRY_NO | √ | Specifies the number of retries after the server receives APNS response where the token is blacklisted | 3


GD_URL |  | Complete web address of the Good Proxy server, with protocol, fully qualified domain name, and port. For example: https://example.com:17433. |
IS_ON_LINE_ENABLED | — | This setting specifies that the Connect service is configured to work with Skype for Business Online. | False
IS_ON_PREM_ENABLED | — | This setting specifies that the Connect service is configured to work with Skype for Business on-premise. | False
IS_TRUSTED_APP_MODE |  | This setting specifies that the Connect service is configured to work with Skype for Business on-premises and uses trusted application mode to obtain user information. | True
LONG_INVITATION_TIME_DELAY |  | Time (in milliseconds) that a Connect client waits for invitation received to confirm or ignore a request to a conversation. | 60 000
LYNC_SERVER | √ | The FQDN of the Microsoft Lync Front-End server or Front-End server pool. | LYNC FQDN
LYNC_PORT |  | The port number of the Microsoft Lync Front-End server or Front-End server pool. | 5061
PCHAT_DEFAULT_CATEGORY_ID |  | Specifies the default persistent chat category for users. For more information about enabling persistent chat, see the BlackBerry Connect Administration content. |
RESTRICT_CERT_BY_FRIENDLY_NAME | — | Allows naming of certificate so that the BlackBerry Connect can load correct certificate; the certificate friendly name must match the name specified here. |
SEND_TIME_WAIT |  | Time (in milliseconds) the BlackBerry Connect server waits after sending message before reporting message failed to deliver. | 120 000


SESSION_TIMEOUT_SECS |  | The number of seconds a client is allowed to remain idle. Note: The minimum SESSION_TIMEOUT_SECS is 600, even if you put in 60 seconds or 1 second. This was done to mitigate stress related race conditions. | 86,400 (24 hours)
UCMA_APPLICATION_NAME |  | Name of application as defined through the installation provisioning process. | Generated during application provisioning
UCMA_APPLICATION_PORT | √ | The fixed port used by the BlackBerry Connect server to receive messages from the enterprise IM server. | 49555
UCMA_GRUU |  | GRUU = Globally Routable User-Agent URI that uniquely defines the Session Initiation Protocol (SIP) URI for the application. | Generated during application provisioning
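Several rows of this table describe a value that differs from what is typed into the file (the 7200 and 600 second minimums, the LDAP fallback) or a setting that relaxes transport protection (DISABLE_SSL_CERT_CHECKING, the http form of BASE_URL). The following Python sketch is an added example, not BlackBerry code: it reads the <add key="..." value="..." /> entries and reports those cases. The <configuration>/<appSettings> wrapper, the sample values and the function names are assumptions; the defaults and minimums are the ones listed in the table.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <add key=... value=... /> form appears in the
# guide; the surrounding <configuration>/<appSettings> elements are assumed.
SAMPLE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="BASE_URL" value="http://*:8080/" />
    <add key="DISABLE_SSL_CERT_CHECKING" value="true" />
    <add key="SESSION_TIMEOUT_SECS" value="60" />
    <add key="ACTIVE_DIRECTORY_CACHE_REFRESH_SECS" value="3600" />
    <add key="AD_USERS_SOURCE" value="GC" />
    <add key="AD_USERS_SOURCE_DOMAIN" value="" />
    <add key="GD_APN_PROXY_AUTH_PASSWORD" value="constructed-placeholder" />
    <add key="DB_PURGE_HOURS" value="72" />
  </appSettings>
</configuration>
"""

# Defaults and minimums as listed in the parameter table.
DEFAULTS = {
    "BASE_URL": "https://*:8082/",
    "DISABLE_SSL_CERT_CHECKING": "False",
    "AD_USERS_SOURCE": "LDAP",
    "SESSION_TIMEOUT_SECS": "86400",
    "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS": "86400",
}
MINIMUMS = {"SESSION_TIMEOUT_SECS": 600, "ACTIVE_DIRECTORY_CACHE_REFRESH_SECS": 7200}
DEPRECATED = ("GD_APN_PROXY_AUTH_DOMAIN", "GD_APN_PROXY_AUTH_PASSWORD",
              "GD_APN_PROXY_AUTH_USERNAME")


def load_settings(xml_text):
    """Read the key/value pairs from the appSettings element."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): (a.get("value") or "").strip()
            for a in root.findall("./appSettings/add") if a.get("key")}


def effective(settings):
    """Values the table says are used in place of what was typed.
    Assumption: a missing or empty key falls back to the table default."""
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in settings.items() if v})
    for key, minimum in MINIMUMS.items():
        eff[key] = max(int(eff[key]), minimum)
    return eff


def review(xml_text):
    """Return (parameter, note) pairs for settings worth a second look."""
    settings = load_settings(xml_text)
    eff = effective(settings)
    findings = []
    if eff["DISABLE_SSL_CERT_CHECKING"].lower() == "true":
        findings.append(("DISABLE_SSL_CERT_CHECKING",
                         "certificate validation to the Notifications service is off"))
    if eff["BASE_URL"].lower().startswith("http://"):
        findings.append(("BASE_URL", "Connect service web address uses http"))
    for key, minimum in MINIMUMS.items():
        raw = settings.get(key, "")
        if raw and int(raw) < minimum:
            findings.append((key, f"configured {raw}, but {minimum} is used"))
    if eff["AD_USERS_SOURCE"].upper() == "GC" and not settings.get("AD_USERS_SOURCE_DOMAIN"):
        findings.append(("AD_USERS_SOURCE_DOMAIN", "required when AD_USERS_SOURCE is GC"))
    for key in DEPRECATED:
        if settings.get(key):
            findings.append((key, "listed as Deprecated in the parameter table"))
    return findings


if __name__ == "__main__":
    for name, note in review(SAMPLE_CONFIG):
        print(f"{name}: {note}")
```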


Appendix B: Understanding the Skype for Business Online Common Settings configuration file

Skype for Business Online Common Settings configuration settings can be manually updated in the BEMS Skype for Business Online Common Settings configuration file (com.good.gcs.common.ucwa.config.impl.UcwaCommonSettingsImpl.cfg) located in <drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc. However, the best practice for updating the file is to use the BEMS admin console. If you manually update the configuration file, complete this task on each computer that hosts the Connect service.

Note: After you update the configuration parameters, you must restart the computer that hosts BEMS for the changes to take effect.

Parameter name | Description
sfb.isonprem | This setting indicates that the environment is configured for Skype for Business on-premises. By default, this setting is false.
sfb.defaultserverlocation | This setting specifies the FQDN of the Skype for Business server.
sfb.online.bemsappid | This setting specifies the Connect Service App ID that was created for Connect Service. For more information, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
sfb.online.tenantname | This is the Skype for Business Online tenant name.
sfb.isonline | This setting indicates that the environment is configured for Skype for Business Online. By default, this setting is false.
sfb.autodiscovery | This setting indicates that the environment is configured for Skype for Business on-premises and uses autodiscovery to locate the BEMS servers hosting the Connect service. By default, this setting is false.
sfb.online.bemsappkey | This setting specifies the Connect Service App Key that was created. For more information, see Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service.
sfb.online.clientappid | This setting specifies the Connect Client App ID that was created. For more information, see Obtain an Azure app ID for the Connect client.
sfb.istrustedappmode | This setting indicates that the environment is configured for Skype for Business on-premises and is configured for trusted application mode. By default, this setting is True.
ucwa.appresource.uservalidation.skip=true | This setting allows the provisioned user email address to be different from the email address used to login to Skype for Business Online.


Appendix C: Java Memory Settings

The Java settings for BEMS are located in the GoodServerDistribution-wrapper.conf file. By default, this file is located in the following location:

• In a new BEMS installation: C:\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\GoodServerDistribution-wrapper.conf
• In an environment upgraded from GEMS to BEMS: C:\Program Files\Good Technology\Good Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\GoodServerDistribution-wrapper.conf

You can review or modify the default Java settings used by BEMS. However, in general, you won't need to make changes to the following initial memory allocation settings:

• # Initial Java Heap Size (in MB)
  wrapper.java.initmemory=2048
• # Maximum Java Heap Size (in MB)
  wrapper.java.maxmemory=4096


Appendix D: BEMS Windows Event Log Messages

To view the BEMS Windows Event Log messages, open the Windows Event Viewer on the computer that hosts the BEMS instance. Expand the Windows Logs and click Application. Search for Event ID 4096.

Message | Component | Level | Context
Error Node exceeded capacity (100%). <number of users including users over exceeded capacity>/<number of users for maximum capacity> | autodiscover/ewslistener | Error | This error occurs when the BEMS instance reaches maximum user capacity. BEMS features might not work as expected for any new users added to the BEMS instance. For example, notifications.
Warn Node close to exceed capacity (80%). <number of users>/<number of users for maximum capacity> | autodiscover/ewslistener | Warn | This warning occurs when the BEMS instance reaches 80% of user capacity or if one BEMS instance is working at overcapacity and one BEMS instance is working under capacity. BEMS automatically reassigns users between the two BEMS instances.
Error communicating with BlackBerry Proxy Server - HTTP code {}, Message {} | server-core/gd-core | Error | Could not connect to BlackBerry Proxy server while verifying authorization token (during Push Registration from G3 Mail context)
Failed to retrieve the list of BlackBerry Proxy servers - code {} - Reason {} | server-core/gd-core | Error | Used for high availability and load balancing of requests to BlackBerry Proxy server. The list of known BlackBerry Proxy servers are maintained in memory and requests are load-balanced through this list.
Failed to retrieve the list of BlackBerry Proxy servers | server-core/gd-core | Error | Used for high availability and load balancing of requests to BlackBerry Proxy server. The list of known BlackBerry Proxy servers are maintained in memory and requests are load-balanced through this list.
Incorrect BlackBerry Proxy Server configuration | server-core/gd-spring | Error | Communicate with BlackBerry Proxy server to verify Authorization token using HTTP(s) protocol. If URL is syntactically wrong or configuration error then error is logged in event log.


Autodiscover failed for {} users with exception {} | server-notifications/autodiscover | Warn | Failed to retrieve user’s settings through autodiscover. Needs administrator attention to fix the issue. The user will not receive notifications until issue is resolved. This is a batch request and the log only prints the number of users that failed autodiscover.
Invalid syntax for property {}, must be a valid URL | server-notifications/autodiscover | Error | Server is configured with an invalid URL used for bypassing the steps to find the autodiscover endpoint. BEMS ignores this URL and follows the regular steps to perform autodiscover.
User {} being quarantined after {} attempts to perform autodiscover | server-notifications/autodiscover | Warn | BEMS can not autodiscover the user’s settings for configured number of attempts. The user mentioned is marked as ‘QUARANTINED’ and does not receive notifications. The status can be reset through karaf command (user:reset).
No response from server while performing autodiscover for user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned.
Autodiscover failed for user {}, error code: {}, Detail: {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned.
Failed to retrieve user settings while performing autodiscover for user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned.
No valid EWS URL setting configured for the user {} | server-notifications/autodiscover | Warn | Autodiscover failed for the user mentioned.
Error communicating with Database server - {error msg} | server-notifications/autodiscover | Error | BEMS failed to connect to SQL database. Needs immediate attention.
Database Error - {error msg} | server-notifications/autodiscover | Error | BEMS failed to connect to SQL database. Needs immediate attention.
Lost connection with exchange server. Last known error {} | server-notifications/ewslistener | Error | EWSListener: Lost connection with exchange server. This might be due to Exchange server\Autodiscover service down.


Error subscribing user {} with exchange server {} | server-notifications/ewslistener | Error | Subscribe to the user email address with exchange server to track modifications of user mailbox.
User {} marked for reautodiscover | server-notifications/ewslistener | Info | Does a database call to mark the user for reautodiscovery. This task is done every n interval of time.
Error communicating with Database server - {error details} | server-notifications/pushnotifydbmanager | Error | Bootstrap database connection.
{} is no longer the master (producer) since database server time {} | server-notifications/pushnotifyha-dbwatcher | Error | High availability System: Check whether the node itself is Producer or not. Prints the error in event log when the server has lost ownership of the high availability system (not master any more).
{} is the master (producer) since database server time {} | server-notifications/pushnotifyha-dbwatcher | Info | High availability System: Check whether the node itself is Producer or not. If it was not master before; the fail-over is happening.
Detected Server {} is inactive. Users will be load balanced to other active servers | server-notifications/pushnotifyha-dbwatcher | Error | High availability System: If server is detected as inactive\heartbeat fails, the users of the bad server are reassigned to other active server.
Error communicating with Database server - {error details} | server-notifications/pushnotifyprefs | Error | Database error due to server down\login error, etc.
{ Good Dynamic Proxy Server connection error details } | server-console/config | Error | Connect BlackBerry Dynamics Module – Test from dashboard with GP down, connection failure error.
Connection to Good Dynamic Proxy Server is successful | server-console/config | Info | Connect BlackBerry Dynamics – Test from dashboard when GP is up and running, successful test.
Connection Successful, Server: -{}: Database : {} | server-console/config | Info | Mail – DB – Test database configurations from dashboard. Connection successful.
Exception during connection test - {} | server-console/config | Error | Mail – DB – Test database configurations from dashboard. Connection issues due to bad password or user or host info.


Invalid configuration properties- {} | server-console/config | Error | Mail – DB – Test database configurations from dashboard. Validation of database configuration values.
{ Good Dynamic Proxy Server connection error details } | server-console/config | Error | Presence BlackBerry Dynamics – Test from dashboard with BlackBerry Proxy down, connection failure error.
Connection to Good Dynamic Proxy Server is successful | server-console/config | Info | Presence BlackBerry Dynamics – Test from dashboard when BlackBerry Proxy is up and running, successful test.
Lync Presence Provider Ping failed with error status {} and reason - {} | server-presence/presencebundle | Error | Connection to Presence server. If response received, log the reason for failure.
Lync Presence Provider Ping failed with exception {}: {} - set status {} | server-presence/presencebundle | Error | Connection to Presence server. Most likely connection refused because down
Lync Presence Provider Ping failed, cause unknown | server-presence/presencebundle | Error | Connection to Presence server.
Presence Service failed to reset LPP, interrupted with error: {} | server-presence/presencebundle | Error | Reset all contacts presence status.
Presence Service failed to reset LPP, timed out with error: {} | server-presence/presencebundle | Error | Reset all contacts presence status. Timeout error.
Failed to reset LPP, {} with error: {} | server-presence/presencebundle | Error | Reset all contacts presence status.
Presence Service started | server-presence/presencebundle | Info | Presence service started.
Presence Service stopped | server-presence/presencebundle | Info | Presence service stopped.
Bad Lync Presence Provider Subscription URI: {} | server-presence/presencebundle | Error | Presence service provider subscription URI.
Bad Lync Presence Provider Ping URI: {} Ping | server-presence/presencebundle | Error | Presence service provider subscription URI.


Redis Cache & Queue services are not available at the moment. | server-presence/presencebundle | Error | When cache provider is set to Redis and Redis service is unavailable.
GNP Relay Service not available | server-presence/presencebundle | Warn | GNP service which sends GNP notification is not available or down.


Appendix E: File types supported by the BlackBerry Docs service

The following file types and extensions are currently supported by the BlackBerry Docs service and as mail attachments:

.goodsharefile .tiff .utf16-plain-text,

.doc, Docx .apple.pict .rtf

wordprocessingml.document .compuserve.gif .html

powerpoint.ppt, PPTx .png .xml

excel.xls, XLSX .quicktime-image .xhtml

spreadsheetml.sheet, .bmp .htm

adobe.pdf .camera-raw-image .data

apple.rtfd, .svg-image, .content

apple.webarchive .text .zip

.image .plain-text

.jpeg .utf8-plain-text

The following media file types are supported on iOS devices only:

.3gp .caf .au

.mp3 .aac .snd

.mp4 .adts .sd2

.m4a .aif .mov

.m4v .aiff

.wav .aifc


Appendix F: Server-side services

The following table lists the server-side services when all of the BEMS services are installed on one computer or the services are installed on separate computers. Depending on the configuration for your BlackBerry Work app in your environment, you require different services. Consider the following scenarios:

• BlackBerry Work app is configured to use heritage settings: You can assign the Good Enterprise Services entitlement in the BlackBerry Dynamics Connectivity profile.

• BlackBerry Work isn't configured to use heritage settings: You must add the necessary entitlements individually.

For more information on configuring the BlackBerry Work app, see the BlackBerry Work administration content.

| Installations | Required app and service IDs | Included server-side services |
| --- | --- | --- |
| All of the BEMS services are installed on one computer. | Good Enterprise Services (com.good.gdserviceentitlement.enterprise); BlackBerry Connect (com.good.goodconnect) | Directory Service 1.0.0.0 (com.good.gdservice.enterprise.directory); Email Service 1.0.0.0 (com.good.gdservice.enterprise.email); FollowMe Store Service 1.0.0.0 (com.good.gdservice.enterprise.followme); Launcher customization service 1.0.0.0 (com.blackberry.gdservice.launcher-customization); Presence Service 1.0.0.0 (com.good.gdservice.enterprise.presence); Docs Service 1.0.0.0 (com.good.gdservice.enterprise.docs) |
| Only the Mail service is installed on one computer | BlackBerry Core and Mail Services (com.blackberry.gdservice-entitlement.coreandmail) | Directory Service 1.0.0.0 (com.good.gdservice.enterprise.directory); Email Service 1.0.0.0 (com.good.gdservice.enterprise.email); FollowMe Store Service 1.0.0.0 (com.good.gdservice.enterprise.followme); Launcher customization service 1.0.0.0 (com.blackberry.gdservice.launcher-customization) |
| Only the Connect service is installed on a computer | BlackBerry Connect (com.good.goodconnect) | Send Message Service 1.0.0.0 (com.good.gdservice.send-message) |
| Only the Presence service is installed on a computer | BlackBerry Presence Service (com.blackberry.gd-service.entitlement.presence) | Presence Service 1.0.0.0 (com.good.gdservice.enterprise.presence) |
| Only the Docs service is installed on a computer. | Feature-Docs Service Entitlement (com.good.feature.share) | Docs Service 1.0.0.0 (com.good.gdservice.enterprise.docs) |
| The Mail and Presence services are installed on one computer | BlackBerry Core and Mail Services (com.blackberry.gdservice-entitlement.coreandmail); BlackBerry Presence Service (com.blackberry.gd-service.entitlement.presence) | The Mail services and Presence services listed above. |
| The Connect and Presence services installed on a computer. | BlackBerry Connect (com.good.goodconnect); BlackBerry Presence Service (com.blackberry.gd-service.entitlement.presence) | The Connect and Presence services listed above. |


Legal notice

©2020 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design, ATHOC, CYLANCE and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
Ground Floor, The Pearce Building, West Street,
Maidenhead, Berkshire SL6 1RL
United Kingdom

Published in Canada
