integrating bes12 and good dynamics -...

Quick Reference GuideIntegrating BES12 and Good Dynamics

Version 12.5

Published: 2016-07-19SWD-20160719104328102

ContentsIntegrating BES12 and Good Dynamics.............................................................................5

Determining your integration path..................................................................................................................................... 5

Steps to integrate your BES12 and Good Dynamics environments......................................................................................6

Verifying that your environment meets the device and server requirements........................................................................7

Good server requirements..........................................................................................................................................7

BES12 server requirements....................................................................................................................................... 8

Device requirements..................................................................................................................................................8

Good Secure EMM Suites...........................................................................................................................................9

Connecting BES12 to a Good Control server.................................................................................................................... 10

In Good Control, deactivate device management on devices.....................................................................................10

In Good Control, disable MDM..................................................................................................................................10

Export the self-signed root certificate for the Good Control server............................................................................. 11

In BES12, configure a connection to a Good Control server.......................................................................................11

Setting up Good Dynamics for devices.............................................................................................................................12

In Good Control, entitle Good for BES12 and Good apps........................................................................................... 12

In Good Control, configure Exchange ActiveSync for Good Work............................................................................... 12

In Good Control, select apps to authenticate for other apps...................................................................................... 13

In BES12, create a Good Dynamics profile ...............................................................................................................14

In BES12, add the Good apps for iOS devices........................................................................................................... 14

In BES12, add the Good apps for Android devices.................................................................................................... 15

In BES12, create an app group that contains all of the Good apps.............................................................................16

In BES12, create an activation profile.......................................................................................................................16

In BES12, create a user account.............................................................................................................................. 20

In BES12, assign the Good Dynamics profile to a user account................................................................................. 22

In BES12, assign an app group to a user account..................................................................................................... 22

In BES12, assign the activation profile to a user account...........................................................................................22

Activate an Android device on BES12.......................................................................................................................23

Activate an iOS device on BES12............................................................................................................................. 23

Manage Good Dynamics apps that have been installed on devices...................................................................................24

Generate a Good Dynamics access key for devices that are not activated on BES12.........................................................25

Manage Good Dynamics access keys.............................................................................................................................. 25

Turn off the ability to create users in Good Control............................................................................................................26

Legal notice....................................................................................................................27

Integrating BES12 and Good Dynamics

This document outlines how to integrate BES12 and Good Dynamics. When you integrate BES12 and Good Dynamics, you can take advantage of Good's mobile app containerization and BlackBerry's cross-platform MDM capabilities.

When you integrate BES12 and Good Dynamics, you get unparalleled features and flexibility. For existing BES12 environments, here are some of the advantages you get when you integrate with Good Dynamics:

• Best-in-class secure mobile app platform and container

• Good Work and collaboration apps optimized for business-class user experience

• Ecosystem of more than 2000 secure mobile apps and Open API SDK

• Cross-platform support for iOS, Android, OS X, and Windows devices, desktops, and wearables

For existing Good Dynamics environments, here are some of the advantages you get when you integrate with BES12:

• Simplified Good Dynamics end-user enrollment experience

• Best-in-class MDM/MAM/EMM, including Apple DEP and VPP, BlackBerry Secure Gateway Service, and support for Samsung KNOX Workspace and Android for Work

• Comprehensive EMM platform, extensible to a rich portfolio of secure mobile apps and services, such as WatchDox, Strong Authentication, and Enterprise Identity by BlackBerry

Determining your integration pathCurrent environment Path

You currently have a Good for Enterprise environment and do not require MDM or MAM capabilities.

Upgrade to Good Control. For instructions on how to transition from Good for Enterprise to Good Control, see Steps to transition from Good for Enterpriese to Good Work if you do not require MDM.

You currently have a Good for Enterprise environment and want to take advantage of BES12 cross-platform MDM capabilities and simplified Good Dynamics end-user enrollment experience.

1. Upgrade to Good Control. For instructions on how to transition from Good for Enterprise to Good Control, see Steps to transition from Good for Enterprise to Good Work if you require MDM.

2. Steps to integrate your BES12 and Good Dynamics environments.

You currently have a Good Dynamics environment and want to take advantage of

Steps to integrate your BES12 and Good Dynamics environments

1


5

http://help.blackberry.com/en/good-dynamics/current/gfe-transition/xoy1459876924924.html

http://help.blackberry.com/en/good-dynamics/current/gfe-transition/xoy1459876924924.html

http://help.blackberry.com/en/good-dynamics/current/gfe-transition/ypp1457473336130.html

http://help.blackberry.com/en/good-dynamics/current/gfe-transition/ypp1457473336130.html

Current environment Path

BES12 cross-platform MDM capabilities and simplified Good Dynamics end-user enrollment experience.

You have a BES12 environment and want to take advantage of Good's best-in-class secure mobile app platform and container, including Good Work and collaboration apps optimized for business-class user experience.

Steps to integrate your BES12 and Good Dynamics environments

Steps to integrate your BES12 and Good Dynamics environmentsWhen you integrate your BES12 and Good Dynamics environments, you perform the following actions:

Step Action

Verify that your environment meets the device and server requirements.

In Good Control, deactivate device management on devices and disable MDM.

In Good Control, entitle Good for BES12 and Good apps..

In Good Control, configure Exchange ActiveSync for Good Work.

In Good Control, select apps to authenticate for other apps.

In BES12, configure a connection to a Good Control server.

In BES12, create a Good Dynamics profile .

In BES12, add the Good apps for iOS devices or for Android devices.

In BES12, create an app group that contains all of the Good apps.


6

Step Action

In BES12, create an activation profile.

In BES12, create any necessary user accounts.

In BES12, assign an app group to a user account.

In BES12, assign the activation profile to a user account.

In BES12, assign the Good Dynamics profile to a user account.

Instruct users to activate an Android device or activate an iOS device.

Verifying that your environment meets the device and server requirementsBefore you can integrate BES12 and Good Dynamics, you must make sure that the following requirements are met:

• Good server requirements

• BES12 server requirements

• Device requirements

• You must be using Microsoft Exchange. For a list of supported Microsoft Exchange versions, see "Supported Exchange Versions" in the Good Work Product Guide for Administrators.

For additional requirements, see the Compatibility matrix.

Good server requirementsTo access Good resources, you must create a Good Account at https://account.good.com/pce/#/register. If you are already registered with https://community.good.com, you do not need to create a new account.

Good server requirement Where to find more information

Good Control server version 2.2.511.26 or later

For information about installing a Good Control server, refer to GD Server Installation at https://community.good.com/docs/DOC-1043.


7

https://media.good.com/documents/goodwork_product_guide.pdf

http://help.blackberry.com/detectLang/bes-compatibility-matrix/latest/

https://account.good.com/pce/#/register

https://community.good.com

https://community.good.com/docs/DOC-1043

Good server requirement Where to find more information

Good Proxy server version 2.2.511.16 or later

For information about installing a Good Proxy server, refer to GD Server Installation at https://community.good.com/docs/DOC-1043.

Note: If your environment includes Android for Work and KNOX Workspace devices with Good Dynamics apps (for example, Good Work, Good Access, and Good Connect), it is recommended that you configure the Connectivity Profile assigned to these devices in Good Control to disable the Good Proxy server. If you do not, the Good Dynamics apps can use BlackBerry Secure Connect Plus, but network activity from the apps might be delayed because the data is routed from devices to BES12 and to the Good Dynamics components. For instructions, see Optimize secure tunnel connections for Android devices that are Good enabled.

Good Secure EMM Suites licenses Contact your BlackBerry account representative to get the latest details on packaging, pricing, and licensing.

To use additional services (for example, Good Connect, Good Presence, Good Push Notifications, Good Docs, Good Follow-Me, Good Directory Lookup, and Good Analytics), install the latest version of the Good Enterprise Mobility Server

For more information about installing a Good Enterprise Mobility Server, see the GEMS Deployment Planning Guide at https://media.good.com/documents/gems_deployment.pdf.

BES12 server requirementsBES12 server requirement Where to find more information

BES12 version 12.5 or later For information on installing BES12, see http://help.blackberry.com/en/bes12/12.5/installation-and-upgrade/steps_to_plan_your_BES12_environment.html.

Device requirementsDevice requirement Where to find more information

Android devices with the latest version of the BES12 Client installed

For more information about the BES12 Client, see "Using the Good for BES12 app or BES12 Client" in the BES12 Security Note.


8

https://community.good.com/docs/DOC-1043

http://help.blackberry.com/en/bes12/12.5/administration/enable-BlackBerry-secure-connect-plus.html#aqj1468333088875


https://media.good.com/documents/gems_deployment.pdf

https://media.good.com/documents/gems_deployment.pdf

http://help.blackberry.com/en/bes12/12.4/installation-and-upgrade/steps_to_plan_your_BES12_environment.html

http://help.blackberry.com/en/bes12/12.4/installation-and-upgrade/steps_to_plan_your_BES12_environment.html

http://help.blackberry.com/detectLang/bes12-security/current/bes12-security-note/BES12-latest-Security-Note-en.pdf


Device requirement Where to find more information

iOS devices with the latest version of the Good for BES12 app installed

For more information about the BES12 Client, see "Using the Good for BES12 app or BES12 Client" in the BES12 Security Note.

Any of the following licenses:

• Silver SIM license

• Gold SIM license

• Silver server license

• Gold - Secure Work Space server license

• Gold server license

• Gold - Flex server license

Note: After the device is Good enabled, the BES12 license is released and no longer required. You do not have to purchase additional BES12 licenses.

For more information about licensing, see see the Licensing content..

Good Secure EMM SuitesGood Secure EMM Suite licenses allow devices to use both BES12 and Good Dynamics features. The license names are different in myAccount and BES12. In the Account Support > Advanced License Management section in myAccount, the names reflect the Good Secure EMM Suite license names. On the Licensing summary page in the BES12 management console, the names reflect the corresponding BES12 license names listed in the following table. When you activate Good Secure EMM Suite licenses in BES12, the licenses are added to the total for the appropriate BES12 license. For example, if you have 50 Silver licenses and you activate 100 Good Secure Enterprise Suite licenses, the Licensing summary page displays a total of 150 Silver licenses. In later versions of BES12, the Licensing summary page will display the Good Secure EMM Suite license names.

Note: Good Secure EMM Suites provide user-based licenses, which allow a user to activate multiple devices with a single license. If you activate Good Secure EMM Suite licenses in BES12 version 12.4 or earlier, they are considered device-based licenses and a user requires a license for each device that they want to activate. For more information, contact BlackBerry support.

Good Secure EMM Suite subscription BES12 license

Good Secure Management Suite Silver

Good Secure Enterprise Suite Silver

Good Secure Collaboration Suite Gold - Flex

Good Secure Mobility Suite Gold - Flex


9



http://help.blackberry.com/detectLang/bes12/12.5/licensing/

http://help.blackberry.com/detectLang/bes12/12.5/licensing/

Good Secure EMM Suite subscription BES12 license

Good Secure Content Suite Gold - Flex

Connecting BES12 to a Good Control serverYou can configure a connection between BES12 and a Good Control server instance to allow iOS and Android devices to access Good Dynamics productivity apps, such as Good Work, Good Access, and Good Connect.

In Good Control, deactivate device management on devicesTo manage a user's devices in BES12, the user must not have any activated devices in Good Control. To deactivate devices in Good Control, you must remove the policy sets that are assigned to users. You must know the names of the device policies and any associated policy sets.

1. In Good Control, click Policy Sets.

2. Click the Edit icon beside the device policy that you want to remove.

3. Click Device Management.

4. In the Device Policies section, under Actions, click the Delete icon to remove the device policy from the policy set.

5. Click Update.

6. Click Update.

7. Repeat these steps for all affected policy sets and device policies.

In Good Control, disable MDM1. In Good Control, under Settings, click Servers > Server Properties.

2. Deselect gc.mdm.enabled.

3. Click Submit.

4. Restart the Good Control services. For instructions, see Start or Restart the GC or GP Service in the Good Control help.


10

Export the self-signed root certificate for the Good Control serverComplete the following task if the Good Control certificate has not been replaced with a third-party certificate. BES12 inherently trusts certificates from third-party providers, so you do not need to export the certificate from the Good Control server and import it in to BES12.

Note: The following task is not browser-specific. For specific instructions, see the documentation for the browser you are using.

1. In a browser, navigate to the login screen of any of your Good Control servers. A certificate error message is displayed because the CA that signed the certificate was Good Control, and the browser does not recognize it as a well-known CA.

2. To open the Certificate dialog, click the certificate icon in the URL field.

3. Click View certificate or Certificate information to open the Certificate management menu.

4. Click the Certification Path tab.

5. Select the root certificate. The root certificate is the first item in the Certificate hierarchy (for example, GD12345678 CA).

6. Click View Certificate.

7. Click the Details tab.

8. Click Copy to file or Export.

9. Make sure that the DER encoded binary X.509 (.CER) format is selected.

10. Enter a location and file name for the certificate.

11. Click Next or Save.

12. Click Finish.

In BES12, configure a connection to a Good Control serverBefore you begin:

• Verify that you have access to an administrator account on the Good Control server.

• In a browser, navigate to the Good Control console and export the Good Control server root CA certificate to your desktop. For instructions, see your browser's help documentation.

1. In the BES12 management console, on the menu bar, click Settings > Infrastructure > Good Control.

2. In the Server name field, enter the FQDN of any of the Good Control servers in your environment.

3. In the Username field, enter the <domain_name>\<username> of the Good Control administrator account.

4. In the Password field, enter the password of the Good Control administrator account.


11

5. If necessary, click Browse. Navigate to and select the Good Control server root CA certificate. If the Good Control server certificate has been replaced with a third-party certificate, you do not need to export the certificate from the Good Control server and import it to BES12. By default, BES12 trusts certificates from third-party providers.

6. Click Save.

Setting up Good Dynamics for devicesYou can use the Good Dynamics profile to allow iOS and Android devices to access Good Dynamics apps. You can assign the Good Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.

The Good Dynamics profile is added to the BES12 management console when communication between BES12 and the Good Control server is configured.

In Good Control, entitle Good for BES12 and Good appsUsers must be entitled to view or run the Good apps before they can be managed in BES12. Good Control has an Everyone group that automatically includes all users. The easiest way to entitle apps for all your users is to entitle the apps in the Everyone group.

Before you begin: Your organization must have licenses and entitlements for Good Work, Good Access, Good for BES12, and any other Good apps that you want users to install on devices.

1. In Good Control, under Apps, click App Groups.

2. Click the Edit icon beside Everyone.

3. Beside Entitled Enterprise Apps, click Add More.

4. In the View drop down box, select All Applications.

5. Select Good for BES12, Good Work, Good Access, and any other Good apps that you are entitled to.

6. Click OK.

In Good Control, configure Exchange ActiveSync for Good WorkThe Good Work app must be configured for Exchange ActiveSync. This allows your users to easily enroll in Exchange ActiveSync when they activate their Good Work app. For more information on how to configure Exchange ActiveSync for Good Work, see the "Enabling Exchange ActiveSync (EAS)" section in the Good Work Product Guide for Administrators at https://media.good.com/documents/goodwork_product_guide.pdf.


12



In Good Control, select apps to authenticate for other appsYou can select apps to act as the authentication delegate on behalf of other apps so that users do not have to create a password for each app that they install. After authentication delegation is configured, each time a user opens a Good Dynamics app, the device displays the password screen for the authentication delegate instead of the app that they are attempting to open. After the user enters the password for the authentication delegate, the user can open the Good Dynamics app. For more information about delegating authentication, see https://media.good.com/documents/goodwork_product_guide.pdf.

1. In Good Control, under Policies, click Policy Sets.

2. Create a copy of the Good Default Policy.

3. Enter a name and description for the new policy.

4. On the Security Policies tab, scroll to the Authentication Delegation section.

5. Click Add Application. From the list, select the app that you want to use as the authentication delegate. You can choose any app to be the authentication delegate for other apps, but the following table provides recommendations:

Option Description

If you are not sure which app to use as the authentication delegate

1. Choose the most commonly used app.

2. If authentication delegate was not the first app that the user installed, has an optional disposition and may not be installed on all devices, or you do not want to enforce that Good Dynamics apps can only be used when a device is MDM managed, select the Allow self-authentication when no authentication delegate application is detected option. Otherwise, you can leave this unselected.

If you want to enforce that Good Dynamics apps can only be used when a device is MDM managed

1. Choose the Good for BES12 app or the BES12 Client.

2. Make sure that the Allow self-authentication when no authentication delegate application is detected option is not selected.

If you want to install apps in the KNOX Workspace

1. Do not choose the Good for BES12 app or the BES12 Client. The user must activate the first Good Dynamics app installed in the work space using an access key and can then use this app as the authentication delegate.

2. Select the Allow self-authentication when no authentication delegate application is detected option

If you already have another Good Dynamics app configured as the authentication delegate, to read article KB000038123 at http://support.blackberry.com/kb/articleDetail?articleNumber=000038123.

6. Click Update.


13


http://support.blackberry.com/kb/articleDetail?articleNumber=000038123

In BES12, create a Good Dynamics profileBefore you begin:

• In Good Control, entitle Good for BES12 and Good apps

• In Good Control, select apps to authenticate for other apps

1. In the BES12 management console, on the menu bar, click Policies and Profiles.

2. Click beside Good Dynamics.

3. Type a name and description for the profile.

4. In the Good Control policy set drop-down list, select the policy set that you created in Good Control for authentication delegation.

5. If you entitled apps for the Everyone group in Good Control, you do not need to select an app group because the Everyone group is used by default. If you entitled apps to a custom app group in Good Control, click under Good app group to select the group.

6. Click Add.

When you create or delete a Good Dynamics profile in BES12, changes are not made to users or devices that already exist in Good Control. Users that do not exist in Good Control are automatically created when you assign a Good Dynamics profile to them. When you assign a Good Dynamics profile to a user in BES12 that already exists in Good Control, the user’s Good app group and Good Control policy set are not automatically updated. The Good app group and Good Control policy set selected in the Good Dynamics profile only take effect when the user is first created in Good Control through BES12.

In BES12, add the Good apps for iOS devicesBefore you can assign the Good apps to users, you must add the apps to BES12.

1. In the BES12 management console, on the menu bar, click Apps.

2. Click .

3. Click App Store.

4. In the search field, search for Good Work.

5. In the drop-down list, select the country of the store that you want to search in.

6. Click Search.

7. In the search results, click Add beside the Good Work app.

8. In the Supported device form factor drop-down list, select the form factors that the app can be installed on. For example, you can prevent the app from being available in the Work Apps app for iPad.


14

9. If you want the app to be deleted from the device when the device is removed from BES12, select Remove the app from the device when the device is removed from BES12. This option applies only to apps with a disposition marked as required and the default installation for required apps is set to prompt once.

10. If you want to prevent apps on iOS devices from being backed up to the iCloud online service, select Disable iCloud backup for the app. This option applies only to apps with a disposition marked as required. You set the disposition of the app when you assign the app to a user or group.

11. In the Default installation for required apps drop-down list, perform one of the following actions:

• If you want users to receive one prompt to install the app on their iOS devices, select Prompt once. If users dismiss the prompt, they can install the app later.

• If you don't want users to receive a prompt, select No prompt.

The default installation method applies only to apps with a disposition marked as required. You set the disposition of the app when you assign the app to a user or group.

12. In the Convert installed personal app to work app drop-down list, select one of the following:

• To convert the app to a work app if it is already installed on iOS 9 or later devices, select Convert to convert the app. After you assign the app to a user, the app is converted to a work app and can be managed by BES12.

• If you don't want to convert the app to a work app if it is already installed on iOS 9 or later devices, select Do not convert. After you assign the app to a user, the app cannot be managed by BES12.

13. Click Add. Good Dynamics apps are badged with a lock icon in the app list.

14. Repeat these steps for Good Access and any other Good apps that you want users to install on devices.

In BES12, add the Good apps for Android devices1. In the BES12 management console, on the menu bar, click Apps.

2. Click .

3. Click Google Play.

4. Click Open Google Play and search for Good Work.

5. Click the Good Work app, copy the URL, and save the icon to a location on your computer.

6. In the App name field, type Good Work.

7. In the App description field, type a description for the app.

8. In the Vendor field, type the name of the app vendor.

9. In the App icon field, click Browse. Locate the Good Work icon that you saved to your computer.

10. In the App web address from Google Play field, paste the web address of the Good Work app.


15

11. To add screen shots of the app, click Add and browse to the screen shots. The supported image types are .jpg, .jpeg, .png, or .gif.

12. In the Send to drop-down list, select All Android devices.

13. Click Add. Good Dynamics apps are badged with a lock icon in the app list.

14. Repeat these steps for Good Access and any other Good apps that you want users to install on devices.

Note: If your environment includes Android for Work and KNOX Workspace devices with Good Dynamics apps (for example, Good Work, Good Access, and Good Connect), it is recommended that you configure the Connectivity Profile assigned to these devices in Good Control to disable the Good Proxy server. If you do not, the Good Dynamics apps can use BlackBerry Secure Connect Plus, but network activity from the apps might be delayed because the data is routed from devices to BES12 and to the Good Dynamics components. For instructions, see Optimize secure tunnel connections for Android devices that are Good enabled.

In BES12, create an app group that contains all of the Good appsBefore you begin:

• In BES12, add the Good apps for iOS devices

• In BES12, add the Good apps for Android devices

1. In the BES12 management console, on the menu bar, click Apps > App groups.

2. Click .

3. Type a name and description for the app group.

4. Click .

5. Select the Good apps that you added to BES12.

6. Click Add.

7. Click Add.

In BES12, create an activation profileYou can control how devices are activated and managed using activation profiles. An activation profile specifies how many and what types of devices a user can activate and the type of activation to use for each device type.

1. In the BES12 management console, on the menu bar, click Policies and Profiles.

2. Click beside Activation.

3. Type a name and description for the profile.

4. In the Number of devices that a user can activate field, specify the maximum number of devices the user can activate.


16



5. In the Device ownership drop-down list, perform one of the following actions:

• If some users activate personal devices and some users activate work devices, select Not specified.

• If users typically activate work devices, select Work.

• If users typically activate personal devices, select Personal.

6. Optionally, select an organization notice in the Assign organization notice drop-down list. If you assign an organization notice, users must accept the notice to complete the activation process.

7. In the Activation type section, select the activation profile that you want to use for iOS and Android devices:

Activation type Description

MDM controls A separate work space is not created on devices. Administrators have basic management controls.

User privacy MDM control of the device is not required (for example, BYOD devices) and users' personal data remains private. Devices activated with User privacy are activated on BES12 and can use services such as Find my Phone and Root Detection, but administrators cannot control device policies.

Work and personal - user privacy (Android for Work)

This activation type maintains privacy for personal data but lets you manage work data using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication.

Good Dynamics apps can be installed in the work profile.

This activation type does not support BlackBerry Secure Connect Plus.

Users do not have to grant Administrator permissions to the BES12 Client.

Work and personal - user privacy (Android for Work - Premium)

This activation type maintains privacy for personal data but lets you manage work data using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication.


Users do not have to grant Administrator permissions to the BES12 Client.

You must use this activation type if you want to support BlackBerry Secure Connect Plus with the features of the Work and personal - user privacy (Android for Work) activation type.


17


Work space only (Android for Work) If you assign this activation type to a user, you must also assign the Work space only (Android for Work) activation email template to that user. Assigning that template makes sure that the user receives the Google activation code required during the activation process.

This activation type lets you manage the entire device using commands and IT policy rules. This activation type requires the user to reset the device to factory settings before activating. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password.


This activation type does not support BlackBerry Secure Connect Plus.

During activation, the device installs the BES12 Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app.

Work space only (Android for Work - Premium) If you assign this activation type to a user, you must also assign the Work space only (Android for Work) activation email template to that user. Assigning that template makes sure that the user receives the Google activation code that is required during the activation process.

This activation type lets you manage the entire device using commands and IT policy rules. This activation type requires the user to reset the device to factory settings before activating. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password.


During activation, the device installs the BES12 Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app.

You must use this activation type if you want to support BlackBerry Secure Connect Plus with the features of the Work space only (Android for Work) activation type.

Work and personal - full control (Samsung KNOX)

This activation type lets you manage the entire device using commands and the KNOX MDM and KNOX Workspace IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work


18


space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Good Dynamics apps can be installed in the work space. If a Good Dynamics app is installed in the work space, the same app cannot run in the personal space and will be disabled if it is already installed on device.

During activation users must grant Administrator permissions to the BES12 Client.

Work and personal - user privacy - (Samsung KNOX)

This activation type maintains privacy for personal data, but lets you manage work data using commands and IT policy rules. This activation type does not support the KNOX MDM IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. The user must also create a Screen lock password to protect the entire device and will not be able to use USB debugging mode.

Good Dynamics apps can be installed in the work space.

During activation, users must grant Administrator permissions to the BES12 Client.

Work space only - (Samsung KNOX) This activation type lets you manage the entire device using commands and the KNOX MDM and KNOX Workspace IT policy rules. This activation type removes the personal space and installs a work space. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.

Good Dynamics apps can be installed in the work space.

During activation, users must grant Administrator permissions to the BES12 Client.

To activate a device on BES12, one of the following licenses is consumed:

• Silver SIM license

• Gold SIM license

• Silver server license

• Gold - Secure Work Space server license

• Gold server license


19

• Gold - Flex server license

After the device is Good enabled, this license is released and no longer required.

8. Click Add.

In BES12, create a user accountUsers that do not exist in Good Control are automatically created when you assign a Good Dynamics profile to them. If a user is deleted from BES12 after they have activated a device, the user is also deleted from Good Control.

Before you begin:

• If you want to add a directory user, verify that BES12 is connected to your company directory. The same company directory must also be configured for Good Control.

• If you did not configure the company directory when you installed Good Control, you must add it to Good Control. For more information about the "authenticator.adsi.domains.additional" property, see the GC Server Property Reference the in the Good Control online help.

1. In the BES12 management console, on the menu bar, click Users.

2. In the left pane, click Add user.

3. Perform one of the following tasks:

Task Steps

Add a directory user 1. On the Company directory tab, in the search field, specify the search criteria for the directory user that you want to add. You can search by first name, last name, display name, username, or email address.

2. Click .

3. In the search results, select the user account.

Add a local user 1. Click the Local tab.

2. In the First name field, enter a first name for the user account.

3. In the Last name field, enter a last name for the user account.

4. In the Display name field, make changes if necessary. The display name is automatically configured with the first and last name that you specified.

5. In the Username field, enter a unique username for the user account.

6. In the Email address field, enter a contact email for the user account.

4. If local groups exist in BES12, and you want to add the user account to groups, in the Available groups list, select one or more groups and click .


20

When you create a user account, you can only add it to local groups in BES12. If the user account is a member of a directory-linked group, it is automatically associated with that group when the synchronization between BES12 and your company directory occurs.

To add a user account to groups that are assigned an administrative role, you must be a Security Administrator.

5. If you add a local user, in the Console password field, enter a password for BES12 Self-Service. If the user is assigned an administrative role, they can also use the password to access the management console.

6. Perform one of the following tasks:

Task Steps

Automatically generate an activation password for the user and send an activation email

1. Select the Autogenerate device activation password and send email with activation instructions option.

2. In the Activation period expiration field, specify the number of minutes, hours, or days that the user can activate a device before the activation password expires.

3. In the Activation email template drop-down list, click a template to use for the activation email.

Set an activation password for the user and, optionally, send an activation email

1. Select the Set device activation password option.

2. Enter an activation password.

3. In the Activation period expiration field, specify the number of minutes, hours, or days that the user can activate a device before the activation password expires.

4. Perform one of the following actions:

a To send activation instructions to the user, in the Activation email template drop-down list, click a template to use for the activation email.

b If you do not want to send activation instructions to the user, clear the Send email with activation instructions and activation password check box. You must communicate the activation password to the user.

Do not set an activation password for the user

1. Select the Do not set device activation password option. You can set an activation password and send an activation email later.

7. If you use custom variables, expand Custom variables and specify the appropriate values for the variables that you defined.

8. Perform one of the following actions:

• To save the user account, click Save.


21

• To save the user account and create another user account, click Save and new.

In BES12, assign the Good Dynamics profile to a user accountBefore you begin: In BES12, create a Good Dynamics profile .


2. Search for a user account.

3. In the search results, click the name of the user account.

4. In the IT policy and profiles section, click .

5. Click Good Dynamics.

6. In the drop-down list, click the name of the profile that you want to assign to the user.

7. If a Good Dynamics profile is already assigned directly to the user, click Replace. Otherwise, click Assign.

In BES12, assign an app group to a user accountBefore you begin: In BES12, create an app group that contains all of the Good apps.



3. In the search results, click the name of a user account.

4. In the Apps section, click .

5. Select the check box beside the app group that you want to assign to the user account.

6. Click Next.

7. In the Disposition drop-down list for the app, perform one of the following actions:

• To require users to install the apps, select Required.

• To permit users to install and remove the apps, select Optional.

8. Click Assign.

In BES12, assign the activation profile to a user accountBefore you begin: In BES12, create an activation profile.



22



4. In the IT policy and profiles section, click .

5. Click Activation.

6. In the drop-down list, click the activation profile that you created.

7. If an activation profile is already assigned directly to the user, click Replace. Otherwise, click Assign.

Activate an Android device on BES12Send the following activation instructions to the device user.

1. On the device, install the BES12 Client. You can download the BES12 Client from Google Play.

2. On the device, tap BES12 Client.

3. Read the license agreement and tap I Agree.

4. Type your work email address and tap Next.

5. If necessary, type the server address and tap Next. You can find the server address in the activation email message you received or in BES12 Self-Service.

6. Confirm that the certificate details displayed on the device are accurate and tap Accept. If your administrator sent you the certificate details separately, you can compare the information displayed with the information you received.

7. Type your activation password and tap Activate My Device.

8. Tap Next.

9. Depending on your security settings, you may be prompted to create a screen unlock option.

10. Tap Activate.

Good Dynamics will be configured on the device and, if your administrator has assigned you any apps, you will be prompted to install them.

Activate an iOS device on BES12Send the following activation instructions to the device user.

1. On the device, install the Good for BES12 app. You can download Good for BES12 from the App Store.

2. On the device, tap Good for BES12.

3. Read the license agreement and tap I Agree.

4. Type your work email address and tap Go.


23

5. If necessary, type the server address and tap Go. You can find the server address in the activation email message you received or in BES12 Self-Service.

6. Confirm that the certificate details displayed on the device are accurate, and tap Accept. If your administrator sent you the certificate details separately, you can compare the information displayed with the information you received.

7. Type your activation password and tap Activate My Device.

8. Tap Install to install the required certificate.

9. Good Dynamics will be configured on the device. If you are prompted to enter the password for your email account or the passcode for your device, follow the instructions on the screen.

10. If your administrator has assigned you any apps, you will be prompted to install them.

Manage Good Dynamics apps that have been installed on devicesAfter a Good Dynamics app has been installed on a device, you can perform actions on the apps. For example, you can delete app data if a user has lost a device.

1. On the menu bar, click Users.



4. Select the device tab for the device that has installed the app that you want to manage.

5. In the Good Apps section, perform one of the following actions:

Option Description

Lock app Lock the Good Dynamics app. This is useful when a user has lost a device but may recover it. The app cannot be accessed but app data is not deleted.

Unlock app Unlock the Good Dynamics app. The user will regain access to the app and app data.

Delete app data Delete all data for the Good Dynamics app and make the app unusable. The app data cannot be recovered. This is useful when a user has lost a device and cannot recover it.

Logging on Turn on app logging. Logging is set to debug level.

Logging off Turn off app logging.

Upload log files Upload the app logs from the device to the Good Dynamics NOC.

Get app events Display detailed information about compliance and other app events.

6. Confirm whether you want to complete the action.


24

Generate a Good Dynamics access key for devices that are not activated on BES12If you have connected your BES12 and Good Dynamics environments, you do not have to log in to Good Control to generate an access key for devices that are not activated on BES12. You can add the user to BES12 and generate an access key from there. Users can also generate their own access keys from BES12 Self-Service or you can send access key to multiple users at the same time.

Before you begin:

• In BES12, create a user account

• In BES12, assign the Good Dynamics profile to a user account




4. Click Set activation password.

5. Select the Autogenerate Good Dynamics access key and send email with instructions option.

6. In the Number of access keys to generate drop-down list, select the number of access keys that you want to create for the user.

7. Click Save.

Manage Good Dynamics access keysAfter you have generated a Good Dynamics access key, the number of keys that have been generated is listed in the Activation details section on the user's summary screen.

Before you begin: Generate a Good Dynamics access key for devices that are not activated on BES12.


2. Search for the user account that has the Good Dynamics access keys that you want to manage.


4. Under Activation details, in the Good Dynamics access keys section, click the link that specifies the number of keys that have been generated. If you do not see this section, you have not generated a Good Dynamics access key for that user.

5. In the Good Dynamics access keys dialog box, perform one of the following tasks:


25

http://help.blackberry.com/en/bes12-self-service/latest/bes12-self-service/odz1464209032242

http://help.blackberry.com/en/bes12/12.5/administration/amo1453228178643.html

http://help.blackberry.com/en/bes12/12.5/administration/amo1453228178643.html

Option Description

Resend the access key to the user.

Delete the access key.

6. Click Save.

Turn off the ability to create users in Good ControlYou can turn off the ability to create users in Good Control to make sure that users are not created in Good Control without also being created in BES12.

1. In the BES12 management console, on the menu bar, click Settings > Infrastructure > Good Control.

2. In the Good Control console section, select the Do not allow administrators to create users in Good Control option.

3. Click Save.


26

Legal notice

©2016 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BES, EMBLEM Design, ATHOC, EMBLEM Design, ATHOC & Design and PURPLE GLOBE Design, GOOD, GOOD WORK, LOCK Design, MANYME, MOVIRTU, SECUSMART, SECUSMART & Design, SECUSUITE, SECUVOICE, VIRTUAL SIM PLATFORM, WATCHDOX and WORKLIFE are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners.

Android and Google Play are trademarks of Google Inc. App Store, iCloud, iPad, and OS X are trademarks of Apple Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. Microsoft, Active Directory, ActiveSync, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

2

Legal notice

27

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

Legal notice

28

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited2200 University Avenue EastWaterloo, OntarioCanada N2K 0A7

BlackBerry UK Limited200 Bath RoadSlough, Berkshire SL1 3XEUnited Kingdom

Published in Canada

Legal notice

29

http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp

integrating bes12 and good dynamics -...

Documents