BlackBerry Dynamics Apps User Guide

July 26, 2024
BlackBerry

BlackBerry Dynamics Apps

Specifications

  • Product: BlackBerry UEM
  • Version: 12.20

Product Information

Planning Tools

  • BlackBerry UEM Performance Calculator:
    • The Performance Calculator helps determine the minimum number of instances needed for your device configuration and workload.
  • BlackBerry UEM Readiness Tool:
    • This tool validates proper traffic flow and is essential for detecting issues related to traffic monitoring or SSL termination.
  • BlackBerry UEM Configuration Tool:
    • Calculate the number of SRP IDs required for over 500 users and import them into the database before adding or migrating users.

Installation Options

  • Installing or Upgrading:
    • Detailed instructions on how to install or upgrade to BlackBerry UEM are provided in the manual.

High Availability Planning

  • AlwaysOn High Availability:
    • Information on planning high availability for a BlackBerry UEM domain, including requirements and setup instructions.

Preinstallation and Preupgrade Requirements

  • Hardware Requirements:
    • Details on the hardware specifications needed for installing BlackBerry UEM.
  • Port Requirements:
    • Information on port configurations and minimum ports to open between BlackBerry UEM instances.

Product Usage Instructions

Step 1: Planning Your Deployment

  • Before starting the installation, use the Planning Tools provided to ensure a smooth deployment.

Step 2: Installation or Upgrade

  • Follow the detailed instructions for installing or upgrading BlackBerry UEM as per the manual.

Step 3: High Availability Setup

  • If planning for high availability, refer to the AlwaysOn High Availability section for guidance.

Step 4: Hardware Setup

  • Ensure that the hardware requirements are met before proceeding with the installation.

Step 5: Port Configuration

  • Configure the necessary ports as per the Port Requirements section to enable communication between instances.

FAQ

  • Q: What is the purpose of the BlackBerry UEM Configuration Tool?
    • A: The BlackBerry UEM Configuration Tool helps calculate the number of SRP IDs required for organizations with over 500 users and facilitates their import into the database.

“`

Planning a BlackBerry UEM deployment

Planning a BlackBerry UEM deployment to support MDM or BlackBerry Dynamics apps

When you prepare to deploy BlackBerry UEM, it is important to understand the server and network resources that UEM requires to support your user base. The requirements vary based on the number of users that you support and the features that your organization requires. If you are installing UEM to support mobile device management (MDM) only, your environment must be ready to support only UEM components. If you are installing UEM to support MDM and BlackBerry Dynamics apps such as BlackBerry Work or BlackBerry Access, your environment must also be ready to support the BlackBerry Enterprise Mobility Server (BEMS) and the BlackBerry Proxy server. For information about installing BEMS, see Installing the BlackBerry Enterprise Mobility Server.

Planning a BlackBerry UEM deployment to support MDM or BlackBerry Dynamics apps

Planning tools

In addition to all of your planning considerations, BlackBerry UEM has some tools that you can use to assist you in planning your BlackBerry UEM installation or upgrade: · BlackBerry UEM Performance Calculator · BlackBerry UEM Readiness Tool · BlackBerry UEM Configuration Tool
BlackBerry UEM Performance Calculator

The BlackBerry UEM Performance Calculator contains BlackBerry UEM performance models and SPEC CPU conversions. You can use the Performance Calculator for BlackBerry UEM to determine the minimum number of BlackBerry UEM instances and BlackBerry Connectivity Node instances for your device configuration and workload.

BlackBerry UEM Readiness Tool

You can use the BlackBerry UEM Readiness Tool to check system requirements before you run the BlackBerry UEM setup application. The BlackBerry UEM Readiness Tool is included with the UEM software. You can also download the tool from myAccount The BlackBerry UEM Readiness Tool checks the following requirements: · Proxy server setting validation · Minimum operating system requirements · JRE version · Minimum hard disk space · Secure connection · SRP connection · Connection to the BlackBerry Dynamics NOC · Required ports · Account permissions · Database validation Note: · The BlackBerry UEM Readiness Tool does not check for Microsoft .NET Framework 4.8. · The BlackBerry UEM Readiness Tool performs a simple CONNECT to determine that ports are open. It does not
validate that traffic will flow properly. For example, the BlackBerry UEM Readiness Tool cannot detect issues related to traffic monitoring, SSL termination, or other systems that might reactively close sessions.
BlackBerry UEM Configuration Tool
If your organization plans to support more than 500 users, use the BlackBerry UEM Configuration Tool to calculate the number of SRP IDs you require. After you install BlackBerry UEM, run the BlackBerry UEM Configuration Tool to import the SRPs into the BlackBerry UEM database before you add or migrate users. The BlackBerry UEM Configuration Tool is included with the BlackBerry UEM software. You can also download the tool from myAccount.

Planning tools

The BlackBerry UEM Configuration Tool allows you to: · Update or change the following BlackBerry UEM database properties:
· Microsoft SQL Server name · Database name · Port configuration · Database authentication · Windows username · Windows password · Calculate the number of SRP IDs required for BlackBerry UEM based on the projected total number of users · Import extra SRP IDs into the BlackBerry UEM database For more details on the BlackBerry UEM Configuration Tool, visit support.blackberry.com/community to read article 36443. For more information about obtaining and importing SRP IDs, visit support.blackberry.com/community to read article 36435.

BlackBerry UEM installation options

You can install all BlackBerry UEM components on one server, or you can install the components on separate servers. The setup application allows you to install the primary BlackBerry UEM components, the management console, and the device connectivity components separately. You can install BlackBerry UEM components on separate servers for security reasons or if your server has system resource limitations.
Note:
· You must install the BlackBerry UEM primary components on one server before you install the management console or BlackBerry Connectivity Node on separate servers.
· When the primary components and management console are installed on the same server, the management console permanently binds to the local BlackBerry UEM Core. The result is that the management console will not try to use any other instances of the BlackBerry UEM Core unless the local BlackBerry UEM Core is shut down.
· You cannot install only the management console and the device connectivity components on the same server. · For instructions on installing the components, and for instructions on configuring the BlackBerry Connectivity
Node, see the Installation and upgrade content.

Installing or upgrading to BlackBerry UEM

You can use the UEM setup application to install the UEM software and database or to upgrade from up to two previous versions of UEM.

Considerations for upgrades from BlackBerry UEM

If you are upgrading from a previous version of BlackBerry UEM, make sure your servers meet the requirements for the BlackBerry UEM configuration you are upgrading to. Note: If you have any inactive BlackBerry Connectivity Nodes, either activate them or remove them from the environment. If you do not activate them before upgrading, any devices they manage will be removed.

Upgrading BlackBerry UEM with BlackBerry Dynamics devices

If you are upgrading an environment that has activated BlackBerry Dynamics applications on devices, connections to the application servers, including the mail server, will continue to supported. For example, the BlackBerry Work application will continue to receive email during the upgrade. BlackBerry Dynamics applications cannot be activated during the upgrade. All servers in the environment must be upgraded before any BlackBerry Dynamics applications can be activated. Upgrade all servers in the environment within 24 hours of the first server upgrade.

Installing the BlackBerry Enterprise Mobility Server

To support BlackBerry Dynamics apps, you must install the BlackBerry Enterprise Mobility Server (BEMS) in your BlackBerry UEM environment to provide additional services for BlackBerry Dynamics apps. BEMS integrates the following services: BlackBerry Push Notifications, BlackBerry Connect, BlackBerry Presence, and BlackBerry Docs. For information about sizing your environment for BEMS and determining whether you should install BEMS on a separate server, see Hardware requirements: BEMS. For information about installing BEMS, see the BlackBerry Enterprise Mobility Server Installation and configuration content. Note: When you upgrade BlackBerry UEM, you may also have to upgrade BEMS. See the BlackBerry UEM Compatibility Matrix for information about which versions of BEMS are compatible with your version of BlackBerry UEM.
Installing a BlackBerry Connectivity Node instance
You can install one or more instances of the BlackBerry Connectivity Node to add additional capacity for device connectivity, for the purposes of regionalizing device connectivity, or for the purpose of high availability or disaster recovery. Each BlackBerry Connectivity Node instance contains the following BlackBerry UEM components: · BlackBerry Secure Connect Plus · BlackBerry Gatekeeping Service · BlackBerry Secure Gateway · BlackBerry Proxy

· BlackBerry Cloud Connector Each BlackBerry Connectivity Node instance provides another active instance of these components to the BlackBerry UEM domain that can process and manage secure device connections (by default, the BlackBerry Gatekeeping Service in a BlackBerry Connectivity Node instance is disabled). Enterprise connectivity can be maintained by creating server groups for BlackBerry Secure Connect Plus connectivity or BlackBerry Proxy clusters for BlackBerry Dynamics connectivity. A server group contains one or more instances of the BlackBerry Connectivity Node. When you create a server group, you specify the regional data path that you want the components to use to connect to the BlackBerry Infrastructure. You can associate email and enterprise connectivity profiles with a server group. Any device that is assigned those profiles uses that server group’s regional connection to the BlackBerry Infrastructure when it uses any of the components of the BlackBerry Connectivity Node. Optionally, you can designate each BlackBerry Connectivity Node in a server group to handle a single connection type: BlackBerry Secure Connect Plus only, BlackBerry Secure Gateway only, or BlackBerry Proxy only. This frees up server resources to allow fewer servers required for the same number of users or containers. A BlackBerry Proxy cluster contains one or more instances of the BlackBerry Connectivity Node. When you create a BlackBerry Proxy cluster, you specify the BlackBerry Proxy servers included in the cluster, as well as whether that cluster will be used for BlackBerry Dynamics activation, or only for application server connectivity. After you install a BlackBerry Connectivity Node, you must register it before it can be used.

High availability and disaster recovery

It is important to understand the difference between high availability and disaster recovery. High availability means that each service has some form of redundancy within a BlackBerry UEM environment. For BlackBerry UEM, high availability is active-active. High availability could mean N+1 or N+N (where N is the number of servers for your environment as defined by the Performance Calculator), depending on how much fault tolerance is acceptable. All nodes in a high availability configuration exist within the same physical location and have minimal latency between nodes. In high availability, the database server is collocated (with low latency) to all online Core nodes. All running core nodes must be within 5ms of the database at all times (for more information, see Hardware requirements). Disaster Recovery means servers located in an alternate physical site that can be failed over to in the event of a disaster in the primary site (complete site failure). Disaster recovery servers for BlackBerry UEM must remain offline and must have a mirrored/clustered copy of the database in the disaster recovery site. Failing over to the disaster recovery site is “all or nothing”. For example, if the database fails over, the BlackBerry UEM Core servers also need to be brought up in the disaster recovery site and brought down in the primary site. For more information, see Planning high availability for a BlackBerry UEM domain, and Configuring UEM for disaster recovery in the Installation content.

Log files

The size of log files for BlackBerry UEM varies based on the number of devices in your organization’s environment, the level of user activity on devices, and the logging levels that BlackBerry UEM uses. It is a best practice to monitor and control the amount of disk space that the BlackBerry UEM log files take up. For more information about configuring logging, see the Logging content.

BlackBerry Secure Connect Plus
If your BlackBerry UEM domain will support more than 1000 devices per server using BlackBerry Secure Connect Plus at the same time, you must install Windows Server 2012 R2 or later on the computers that host BlackBerry UEM.
Third-party software requirements
For more information about which third-party software is compatible with BlackBerry UEM, see the Compatibility matrixes.

Planning high availability for a BlackBerry UEM domain

BlackBerry UEM uses an active-active high availability model to minimize service interruptions for device users. To configure high availability, you install multiple instances of BlackBerry UEM, each on a separate computer. Each instance connects to the BlackBerry UEM database and actively manages user accounts and devices.
High availability in BlackBerry UEM includes the following features:

Description

Each BlackBerry UEM instance connects to the BlackBerry UEM database to access user and device data.
You can use any management console to manage the domain’s user accounts and devices. The BlackBerry UEM Core associated with that console carries out the management tasks.
You can configure a round-robin DNS pool that connects to each console. If there is a problem with a console, the pool connects to a working console.

High availability and the BlackBerry UEM Core
High availability is automatic when you set up a second BlackBerry UEM Core. For a larger environment, install N +1 core nodes. All active core nodes need to be local to DB. Configuration of failover is not required.

| Planning high availability for a BlackBerry UEM domain | 14

Configuring high availability for the management console
To configure high availability for the BlackBerry UEM management consoles, you can use your organization’s hardware load balancer or DNS server to configure a round-robin pool that connects to each management console in the domain. If a management console is not available, the load balancer or DNS server connects to one of the other available consoles. For more information about setting up a round-robin pool, consult the documentation for your organization’s hardware load balancer or DNS server. After you configure a round-robin pool, it is a best practice to update the %AdminPortalURL% and %UserSelfServicePortalURL% variables in the management console (Settings > General settings > Default variables) with the pool name. If you do, email messages that use these variables to link to the management console and BlackBerry UEM Self-Service can use the round-robin pool. If you enabled single sign-on, you must update the SPNs for the Microsoft Active Directory account with the pool name and restart the BlackBerry UEM services on each computer that hosts a BlackBerry UEM instance. A BlackBerry UEM management console instance in the round-robin pool can disconnect from the BlackBerry UEM domain if the DNS server assigns a different IP address to that instance. The instance is disconnected because the new IP address doesn’t recognize the user’s login information. If this happens, the user must log out and log back in again.
High availability and the BlackBerry Connectivity Node
You can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. This includes BSCP traffic for enterprise connectivity and BlackBerry Dynamics traffic for BlackBerry Dynamics devices. Each BlackBerry Connectivity Node contains the following BlackBerry UEM components: BlackBerry Secure Connect Plus, the BlackBerry Gatekeeping Service, the BlackBerry Secure Gateway, BlackBerry Proxy, and the BlackBerry Cloud Connector. Each BlackBerry Connectivity Node provides another active instance of these components to the BlackBerry UEM domain that can process and manage secure device connections. For information about installing a BlackBerry Connectivity Node, see the the Installation and upgrade content. You can also create server groups. A server group contains one or more instances of the BlackBerry Connectivity Node. When you create a server group, you specify the regional data path that you want the components to use to connect to the BlackBerry Infrastructure. For example, you can create a server group to direct device connections for BlackBerry Secure Connect Plus and the BlackBerry Secure Gateway to use the path for the United States to the BlackBerry Infrastructure. You can associate email and enterprise connectivity profiles with a server group. Any device that is assigned those profiles uses that server group’s regional connection to the BlackBerry Infrastructure when it uses any of the components of the BlackBerry Connectivity Node. Optionally, you can designate each BlackBerry Connectivity Node in a server group to handle a single connection type: BlackBerry Secure Connect Plus only, BlackBerry Secure Gateway only, or BlackBerry Proxy only. This frees up server resources to allow fewer servers required for the same number of users or containers. If a server group contains multiple instances of the BlackBerry Connectivity Node, devices can use any instance that is running. Device connections are load balanced across the available instances in the group. If no instances are available, devices cannot use those components for secure connections. At least one of the instances must be available.

Planning high availability for a BlackBerry UEM domain

Configuring database high availability using Microsoft SQL Server AlwaysOn
Before you install BlackBerry UEM, decide if you want to configure high availability for the BlackBerry UEM database. Database high availability allows you to retain database service and data integrity if issues occur with the BlackBerry UEM database. You can use one of the following Microsoft SQL Server features for database high availability: · AlwaysOn Failover Cluster Instances (FCI) for Microsoft SQL Server 2014 or 2016 (Standard Edition) · AlwaysOn Availability Groups for Microsoft SQL Server 2014 or 2016 (Enterprise Edition) · Database mirroring for Microsoft SQL Server 2014 If you want to use an AlwaysOn feature, you must complete configuration steps before you install BlackBerry UEM. This section gives you instructions for configuring database high availability using AlwaysOn. You can configure database mirroring any time after you install BlackBerry UEM. For instructions, see the Configuration content. Note: Microsoft recommends using AlwaysOn because database mirroring will be deprecated in a future version of Microsoft SQL Server.
AlwaysOn high availability
BlackBerry UEM supports AlwaysOn using a Failover Cluster Instance (FCI) or availability group. Both methods require a Windows Server Failover Clustering (WSFC) cluster where independent servers interact to provide a high availability solution for databases. For more information about WSFC, visit the MSDN Library to see Windows Server Failover Clustering (WSFC) with SQL Server. Instance-level high availability using an AlwaysOn Failover Cluster Instance
An FCI is an instance of Microsoft SQL Server that is installed across multiple computers (or “nodes”) in a WSFC cluster. The nodes are members of a resource group, and all nodes have shared access to the BlackBerry UEM database. One of the nodes has ownership of the resource group and gives the BlackBerry UEM components
| Planning high availability for a BlackBerry UEM domain | 16

access to the BlackBerry UEM database. If the node that owns the resource group becomes unavailable (for example, a hardware or OS failure), a different node takes ownership of the resource group. As a result, BlackBerry UEM database service continues with minimal interruption. For more information, visit the MSDN Library to see AlwaysOn Failover Cluster Instances (SQL Server). Database-level high availability using an AlwaysOn availability group
To use an availability group, you configure a WSFC cluster with multiple nodes. Each node is a separate computer that has an instance of Microsoft SQL Server. One of the nodes hosts the primary BlackBerry UEM database and gives the BlackBerry UEM components read-write access. This node is the “primary replica.” The WSFC cluster can have one to eight other nodes, each hosting a secondary database. These nodes are “secondary replicas.” The primary database synchronizes data with the secondary databases. Data is synchronized with each secondary database independently. If one secondary database is unavailable, it does not affect the other secondary databases. You can configure the data synchronization to be asynchronous (delayed synchronization with minimal transaction latency) or synchronous (faster synchronization with increased transaction latency). BlackBerry recommends the synchronous configuration. Automatic failover requires the primary replica and secondary replicas to use synchronous-commit mode. If you configure an availability group for automatic failover and the primary database becomes unavailable, one of the secondary replicas becomes the primary replica. That replica’s secondary database becomes the primary database. As a result, BlackBerry UEM database service continues with minimal interruption. For more information, visit the MSDN Library to see Overview of AlwaysOn Availability Groups (SQL Server) and AlwaysOn Availability Groups (SQL Server).
AlwaysOn requirements
Review the following requirements for configuring AlwaysOn in a BlackBerry UEM environment: · Create a WSFC cluster. It is recommended to use static port 1433 for the database server. For requirements
and instructions, visit the Technet Library to see Create a Failover Cluster. · If you want to use an AlwaysOn FCI:
· Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Before Installing Failover Clustering.
· Configure the FCI. Visit the MSDN Library to see Create a New SQL Server failover Cluster (Setup).
| Planning high availability for a BlackBerry UEM domain | 17

· If you want to use an AlwaysOn availability group: · Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Prerequisites, Restrictions, and Recommendations for AlwaysOn Availability Groups (SQL Server). · Enable the availability groups feature and complete the initial setup tasks, including creating an availability group listener. You will set up the primary replica and secondary replicas after you install BlackBerry UEM and create the BlackBerry UEM database. Visit the MSDN Library to see Getting Started with AlwaysOn Availability Groups.
| Planning high availability for a BlackBerry UEM domain | 18

Preinstallation and preupgrade requirements
Review the following checklists before you begin installing or upgrading BlackBerry UEM. Hardware requirements Review and complete the Performance Calculator for BlackBerry UEM. The performance calculator provides minimum recommendations based on the values you enter. If you require additional capacity, redundancy, or room for growth, enter values that reflect these needs to accommodate any near future large app and user deployment projects. Ensure your environment meets the hardware requirements for your needs. Ensure that database latency requirements are met. BlackBerry UEM Core servers must have less than 5ms latency to the database server.
Third-party software requirements Verify that your computer is running an operating system that supports BlackBerry UEM. Verify that you have a supported browser on the computers that host the UEM management console. The browser must support configuration of the following settings: · Support for JavaScript · Cookies turned on · Support for TLS · SSL certificate installed to permit trusted connections to the consoles If you have a requirement to use a proxy server in your organization, verify that you have a supported proxy solution. Ensure that Windows is up to date and that you perform any reboot required for the update. Verify that your computer is running Windows PowerShell 2.0 or later for the following: · RRAS for BlackBerry Secure Connect Plus setup during the UEM installation · Exchange ActiveSync gatekeeping (optional) Verify that you have installed JRE 17 on the servers where you will install UEM. Visit support.blackberry.com to review article 52117. For more information about supported JRE versions, see the Compatibility matrix. Verify that you have a mail server that supports BlackBerry UEM. Verify that the Exchange ActiveSync version meets the minimum requirements.
Environment configuration requirements Verify that the BlackBerry UEM listening ports are configured.

Preinstallation and preupgrade requirements

Environment configuration requirements
Verify that you opened the necessary ports on your organization’s firewall. For more information about port and firewall requirements, visit support.blackberry.com/community to read article 36470. Note: BlackBerry UEM services do not support SSL Termination, SSL Offloading, SSL Packet Inspection or Deep Packet Inspection. Ensure these endpoint services are not enabled on your proxy/firewall.
Verify that the TCP/IP network protocols are turned on for your UEM database.
Verify that you have DNS support for resolving IP addresses into host names.
If you perform the installation or upgrade process on a computer that has more than one NIC, verify that the production NIC is first in the bind order in the Windows network settings.
If a Windows host operating system is configured in a workgroup instead of a domain, verify that you configured the primary DNS suffix. For information on configuring the primary DNS suffix, visit the Microsoft support website.
Ensure that the no count setting for the Microsoft SQL Server is disabled.
Verify that the UEM service account has local administrator permissions on each computer.
The Microsoft SQL Server account must have dbo as its default schema.
Ensure antivirus exclusions have been made for both the extracted installation files and the target installation and logging directories. For more information, visit support.blackberry.com/community to read article 36596.
If you previously upgraded from a legacy Good Control environment and modified the Java Heap value, make note of the existing value. You will need to reapply the change after upgrade. For more information, visit support.blackberry.com/community to read article 56641.

Additional considerations

If you plan to install BlackBerry UEM in a DMZ, read Installing BlackBerry UEM in a DMZ.
Plan for an appropriate amount of downtime based on the number of servers in your environment. Upgrading the first server may take 45-60 minutes. Additional servers may take 15-45 minutes depending on which components are installed and whether or not these components can be installed in parallel. Consider adding additional time to account for rolling back servers if troubleshooting is required.
Verify that you have the appropriate licenses.
Visit support.blackberry.com/community to review article 38980 about upgrades.
If your organization uses a proxy server for Internet access, verify that you have the computer name, port number, and credentials for the proxy server.
If your organization uses Apple VPP accounts, after the upgrade you must generate a new .vpp token file and edit your Apple VPP account information at Apps > iOS App licenses.
| Preinstallation and preupgrade requirements

Additional considerations If you are planning a multistage upgrade, review the upgrade documentation for the versions you are upgrading to. Decommission surplus nodes, if applicable. For more information, visit support.blackberry.com/community to read article 46210 and see the Installation and upgrade content for instructions on how to remove BlackBerry UEM software.
| Preinstallation and preupgrade requirements

Hardware requirements

BlackBerry UEM hardware requirements depend on the size of your environment. BlackBerry UEM also has requirements for third-party software compatibility.
To determine the CPU and disk space requirements for BlackBerry UEM, you must consider the number of devices that you plan to activate, the types of connection that devices use, and the level and type of user activity on devices. To calculate hardware requirements for a BlackBerry UEM environment, use the Performance Calculator for BlackBerry UEM.
· Hardware requirements: BlackBerry UEM · Hardware requirements: BEMS

Hardware requirements: BlackBerry UEM

The following sections list the hardware requirements for BlackBerry UEM. Note: If you are installing BlackBerry UEM on virtual machines, the servers require dedicated or reserved hardware resources.
Small deployments
A small BlackBerry UEM deployment consists of 2000 or fewer devices. All BlackBerry UEM components are typically installed on one server; however, you can install the BlackBerry Connectivity Node and Microsoft SQL Server on separate servers.
Hardware requirements for up to 500 devices

For up to 500 devices, install the BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express on one server. A domain with this configuration can have a maximum of 500 devices.
Note: You may need to adjust the -Xmx values of the UI and Core services for this configuration.

Server

Requirement

BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express

Database server Microsoft SQL Server

BlackBerry UEM server

Requirement

All BlackBerry UEM components on one server

BlackBerry UEM primary components, management console, and BlackBerry Connectivity Node
(5000 devices per instance)

· 10 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 28 GB of available memory · 64 GB of disk space

BlackBerry UEM components on separate servers

BlackBerry UEM primary components and BlackBerry · 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4

UEM management console

(2.1 GHz), or equivalent

(25,000 devices per instance for MDM-only or

Large deployments
A large BlackBerry UEM deployment consists of between 25,000 and 150,000 devices. You can install all the BlackBerry UEM components on one server, or have a separate server for the BlackBerry Connectivity Node. Microsoft SQL Server is installed on a separate server. You can install multiple instances of BlackBerry UEM and multiple instances of the BlackBerry Connectivity Node.
Hardware requirements for up to 150,000 devices
For a domain with up to 150,000 devices, you can install multiple instances of all BlackBerry UEM components, or you can install multiple instances of the BlackBerry UEM primary components and management console, and multiple instances of the BlackBerry Connectivity Node.
In both types of deployment, install Microsoft SQL Server on a separate server. The servers that host BlackBerry UEM must be physically located near the server with the Microsoft SQL Server database (less than 5ms latency). The BlackBerry UEM servers do not need to be near the mail and messaging servers.
One instance of BlackBerry UEM can support:
· Up to 25,000 Androidor Windows devices with MDM-only activation (no BlackBerry Dynamics) · Up to 25,000 Android, iOS, Windows 10, or macOS devices with BlackBerry Dynamics-only activation (no MDM) · Up to 20,000 Android devices with MDM and BlackBerry Dynamics

| Hardware requirements

· Up to 10,000 iOS devices with MDM (with or without BlackBerry Dynamics)
Specific features may also limit the number of devices that one instance can support. Use the Performance Calculator for BlackBerry UEM to determine the number of instances required.
One instance of the BlackBerry Connectivity Node can support up to 5000 iOS, macOS, Android, or Windows devices.
However, if you enable single-service performance mode, the BlackBerry Connectivity Node can support up to 10,000 devices per instance.

BlackBerry UEM servers

Requirement

All BlackBerry UEM components on one server

BlackBerry UEM primary components, management console, and BlackBerry Connectivity Node
(5000 devices per instance)

Install enough instances of BlackBerry UEM to support the number of devices.
· 10 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 28 GB of available memory · 64 GB of disk space

BlackBerry UEM components on separate servers

BlackBerry UEM primary components and BlackBerry UEM management console
(25,000 devices per instance for MDM-only or BlackBerry Dynamics-only, 20,000 Android devices per instance for MDM and BlackBerry Dynamics, 10,000 iOS devices per instance for MDM and BlackBerry Dynamics. Use the Performance Calculator for BlackBerry UEM for details.)

Install enough instances of BlackBerry UEM to support the number of devices.
· 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 16 GB of available memory · 64 GB of disk space

BlackBerry Connectivity Node (5000 devices per instance)

Install enough instances of BlackBerry Connectivity Node to support the number of devices.
· 6 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory · 64 GB of disk space

BlackBerry Connectivity Node with single-service performance mode enabled for BlackBerry Proxy only
(10,000 devices per instance)

· 6 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory · 64 GB of disk space

BlackBerry Connectivity Node with single-service performance mode enabled for BlackBerry Secure Connect Plus only
(10,000 devices per instance)

· 4 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory · 64 GB of disk space

| Hardware requirements | 27

BlackBerry UEM servers
BlackBerry Connectivity Node with single-service performance mode enabled for BlackBerry Secure Gateway only (10,000 devices per instance)

Requirement
· 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory · 64 GB of disk space

Database server

Requirement

Microsoft SQL Server
Note: Microsoft SQL Server has compute capacity limits on the number of processor cores that specific editions support. Ensure that the edition of Microsoft SQL Server you are using supports 24 processor cores.

· 24 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 30 GB of available memory · 64 GB of disk space

Hardware requirements: BEMS

The following sections list the hardware requirements for BEMS.
Note:
· If you are installing BEMS on virtual machines, the servers require dedicated or reserved hardware resources. · You can compress the log files that are generated and saved in the default log folder or folder you specified
during the installation of BEMS. For more information, see “Enabling log file compression” in the BEMS-Core configuration content.

Small deployments
A small BEMS deployment consists of 2000 or fewer devices. BEMS hardware requirements for up to 500 devices

For up to 500 devices, install BEMS (with BlackBerry Push Notifications and BlackBerry Presence only) on the same server as the BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express. A domain with this configuration can have a maximum of 500 devices. You may need to adjust the -Xmx values of the UI and Core services for this configuration.
Note: To add BlackBerry Connect and BlackBerry Docs, you must meet the hardware requirements for 2000 or 5000 devices, which require a separate server for BEMS.

Server

Requirement

BEMS (with BlackBerry Push Notifications and BlackBerry Presence), BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 22 GB of available memory · 64 GB of disk space

| Hardware requirements | 28

BEMS hardware requirements for up to 1000 devices

For up to 1000 devices, install BlackBerry UEM and BEMS (with BlackBerry Push Notifications and BlackBerry Presence) on one server and Microsoft SQL Server on another server. The BlackBerry UEM and BEMS server must be physically located near the server that hosts the Microsoft SQL Server database. You may need to adjust the Xmx values of the UI and Core services for this configuration.
Note: To add BlackBerry Connect and BlackBerry Docs, you must meet the hardware requirements for 2000 or 5000 devices, which require a separate server for BEMS.

BlackBerry UEM and BEMS server

Requirement

BlackBerry UEM and BEMS (with BlackBerry Push Notifications and BlackBerry Presence)

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 26 GB of available memory · 64 GB of disk space

Database server Microsoft SQL Server

Requirement
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 2 GB of available memory · 64 GB of disk space

BEMS hardware requirements for up to 2000 devices

For up to 2000 devices, install BEMS on its own server. The BEMS server must be physically located near the server that hosts the Microsoft SQL Server database.
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS with BlackBerry Connect, install BlackBerry Presence on only one of those two servers.

BEMS servers

Requirement

BEMS with BlackBerry Push Notifications and optional BlackBerry Presence

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

BEMS with BlackBerry Connect and optional BlackBerry Presence

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

BEMS with BlackBerry Docs

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

| Hardware requirements | 29

Database servers

Requirement

Microsoft SQL Server for BEMS with BlackBerry Push Notifications

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 4 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Connect

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalentz
· 4 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Docs

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 4 GB of available memory · 64 GB of disk space

Medium deployments
A medium BEMS deployment consists of between 2000 and 25,000 devices. You must install BEMS on its own server, and you can deploy multiple BEMS servers.
BEMS hardware requirements for up to 5000 devices

For up to 5000 devices, install BEMS on its own server. The BEMS server must be physically located near the server that hosts the Microsoft SQL Server database.
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS with BlackBerry Connect, install BlackBerry Presence on only one of those two servers.

BEMS servers

Requirement

BEMS with BlackBerry Push Notifications and optional BlackBerry Presence

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 128 GB of disk space

BEMS with BlackBerry Connect and optional BlackBerry Presence

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

BEMS with BlackBerry Docs

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

| Hardware requirements | 30

Database servers

Requirement

Microsoft SQL Server for BEMS with BlackBerry Push Notifications

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Connect

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Docs

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory · 64 GB of disk space

BEMS hardware requirements for up to 25,000 devices

For up to 25,000 devices, install BEMS on its own server. This configuration requires multiple BEMS servers (not including high availablilty or disaster recovery scenarios). One dedicated instance of BEMS can support approximately 10,000 devices. To support more devices, add more instances of BEMS.
Use the BEMS Performance Calculator to determine the minimum number of BEMS instances for your device configuration and workload.
The servers that BEMS is installed on must be physically located near the server that hosts the Microsoft SQL Server database (less than 5 ms latency).
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS with BlackBerry Connect, install BlackBerry Presence on only one of those two servers.

BEMS servers

Requirement

BEMS with BlackBerry Push Notifications and optionally BlackBerry Presence

· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 250 GB of disk space

BEMS with BlackBerry Connect and optionally BlackBerry Presence

· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

BEMS with BlackBerry Docs

· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

| Hardware requirements | 31

Database servers

Requirement

Microsoft SQL Server for BEMS with BlackBerry Push Notifications

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Connect

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Docs

· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Large deployments

A large BEMS deployment consists of between 25,000 and 150,000 devices. You must install BEMS on its own server, and you can deploy multiple BEMS servers.
BEMS hardware requirements for up to 150,000 devices

For up to 150,000 devices, install BEMS on its own server. This configuration requires multiple BEMS servers (not including high availability or disaster recovery scenarios). One dedicated instance of BEMS can support approximately 10,000 devices. To support more devices, add more instances of BEMS.
Use the BEMS Performance Calculator to determine the minimum number of BEMS instances for your device configuration and workload.
The servers that BEMS is installed on must be physically located near the server that hosts the Microsoft SQL Server database (less than 5 ms latency).
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS with BlackBerry Connect, install BlackBerry Presence on only one of those two servers.

BEMS servers

Requirement

BEMS with BlackBerry Push Notifications and optionally BlackBerry Presence (one for every 10,000 devices)

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 250 GB of disk space

BEMS with BlackBerry Connect and optionally BlackBerry Presence

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

| Hardware requirements | 32

BEMS servers BEMS with BlackBerry Docs

Requirement
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Database servers

Requirement

Microsoft SQL Server for BEMS with BlackBerry Push Notifications

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 to 24 GB of available memory, depending on the size of EWS SyncState, up to 60 KB
· 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Connect

· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Microsoft SQL Server for BEMS with BlackBerry Docs

· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory · 64 GB of disk space

Before you install or upgrade BlackBerry UEM, you should familiarize yourself with how BlackBerry UEM uses ports.
The BlackBerry UEM components use various ports to communicate with the BlackBerry Infrastructure, the BlackBerry Dynamics NOC, and internal resources (for example, your organization’s messaging software). The topics in this section indicate the default ports that BlackBerry UEM uses for outbound connections and also describe the internal connections that you should verify. These port connections are required whether or not BlackBerry UEM is installed in a DMZ.
BlackBerry Enterprise Mobility Server (BEMS) must be installed in BlackBerry UEM environments that use BlackBerry Dynamics. BEMS has port requirements for communication with BlackBerry UEM and the BlackBerry Dynamics NOC.
For more information about BlackBerry UEM and BEMS ports, visit support.blackberry.com/kb to read article 36470.

Server configuration

The recommended and least restrictive firewall configuration is to enable the listed TCP ports to carry outbound initiated bidirectional communications to the blackberry.com and bbsecure.com subdomains.

Note: represents a unique region code depending on the EULA selected during installation. For example, if Canada was selected, then is ca. To find a specific country code, see the ISO Standard.

Global IP ranges

BlackBerry may add new IP addresses to the Global IP ranges. BlackBerry has reserved IP address ranges, identified below for this purpose. BlackBerry recommends that you add these IP address ranges in the firewall rules to ensure that future changes do not impact server connectivity. For information about updating the IP ranges, visit support.blackberry.com to read article 36470.
EMEA
· 20.31.194.160/29 · 20.223.121.168/29
APAC
· 20.24.116.64/29 · 20.198.205.208/29
Canada/LATAM
· 20.116.139.104/29 · 52.229.69.64/29
USA
· 20.84.181.104/29 · 20.96.255.112/29

Mobile device configuration

Mobile device configuration (Wi-Fi requirements)

The port requirements in this section are for mobile devices to connect to the BlackBerry Infrastructure. These addresses and ports may not be required by the BlackBerry UEM server components. For example, in a typical WiFi network setup, connectivity to the internet on port 443 is allowed, but connectivity to APNs may be blocked.
Mobile devices managed by UEM also have specific connectivity requirements. Whether the device is attempting a connection over the mobile network or a Wi- Fi network, the port requirements must be met.

Note: represents a unique region code depending on the EULA selected during installation. For example, if Canada was selected, then is ca. To find a specific country code, see the ISO Standard.

Device OS iOS, Android

TCP port 443

idp.blackberry.com

1 In addition to standard HTTPS traffic, BlackBerry UEM components may also need to make an HTTP CONNECT and HTTP OPTIONS call on port 443. Because some firewalls are configured to block non-HTTPS traffic detected on port 443, this traffic may need to be explicitly allowed. Similarly, some firewalls incorrectly recognize TLS traffic on port 3101 as nonstandard and block the traffic. Ensure that necessary allow lists are in place on your firewall or other network appliances.

2 When using Samsung Knox with BlackBerry Secure Connect Plus, all device traffic, including HTTP and TCP traffic, is redirected to the BlackBerry UEM server. The device-side TCP ports must be allowed from the BlackBerry UEM server. For more information, visit support.blackberry.com/community to read article 46317. 3 To open the firewall to specific IP addresses, for analytics.blackberry.com use 74.82.73.148, and for receiver.analytics.blackberry.com use 74.82.73.149.
Outbound connections: BlackBerry UEM to the BlackBerry Infrastructure
BlackBerry UEM must connect with and receive data from the BlackBerry Infrastructure to perform tasks. BlackBerry UEM connects with the BlackBerry Infrastructure over the outbound-initiated, two-way port 3101 (TCP).
Your organization’s firewall must allow outbound two-way connections over port 3101 to .srp.blackberry.com,

.[bbsecure.com](http://bbsecure.com), and .[turnb.bbsecure.com](http://turnb.bbsecure.com).

Note: If you install the device connectivity components (the BlackBerry Connectivity Node) on a separate computer, your organization’s firewall must allow connections from that computer over port 443 through the BlackBerry Infrastructure (.bbsecure.com) to activate the BlackBerry Connectivity Node. All other outbound connections from the BlackBerry Connectivity Node use port 3101 through the BlackBerry Infrastructure (.bbsecure.com). To add a BlackBerry Connectivity Node instance to an existing server group when you activate it, your organization’s firewall must allow connections from that server over port 443 through the BlackBerry Infrastructure (.bbsecure.com) and to the same bbsecure.com region as the Core server.
You have the option of routing data from BlackBerry UEM through your organization’s TCP proxy server to the BlackBerry Infrastructure. If you choose to send data through a proxy server, configure the firewall to allow the following outbound two-way connections:

· Use port 3102 as the default listening port to connect the BlackBerry UEM components to the TCP proxy server · Use port 3101 as the default listening port to connect the components that manage BlackBerry OS devices to
the TCP proxy server
If you configure BlackBerry UEM to use a TCP proxy server, verify that the proxy allows connections over port 3101 to

.[srp.blackberry.com](http://srp.blackberry.com), .[bbsecure.com](http://bbsecure.com), and .turnb.bbsecure.com.

Description

Establish secure device connections to work resources

You can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node contains the following BlackBerry UEM components:
· BlackBerry Secure Connect Plus: Connects to the BlackBerry Infrastructure to provide devices with a secure connection to work resources
· BlackBerry Secure Gateway: connects to the BlackBerry Infrastructure to provide iOS devices with the MDM controls activation type with a secure connection to your organization’s mail server
· BlackBerry Gatekeeping Service: Connects through the BlackBerry Infrastructure to the primary BlackBerry UEM components and the Microsoft Exchange Server or Microsoft 365 for Exchange ActiveSync gatekeeping
· BlackBerry Cloud Connector: Connects to the BlackBerry Infrastructure to allow the BlackBerry Connectivity Node components to communicate with the primary BlackBerry UEM components
The BlackBerry Connectivity Node also includes the BlackBerry Proxy, which maintains the secure connection between your organization and the BlackBerry Dynamics NOC. The BlackBerry Proxy does not use the 3101 connection.

Outbound connections: BlackBerry UEM to the BlackBerry Dynamics NOC

Your organization’s firewall must allow TCP connections to the appropriate IP ranges so that the BlackBerry Proxy can connect to the BlackBerry Dynamics NOC. Alternatively, you can configure your organization’s firewall to allow connections to host names specifically for BlackBerry Dynamics apps, listed in Mobile device configuration (Wi-Fi requirements). If you do not configure a web proxy server for a BlackBerry Proxy instance, your organization’s internal and external firewalls must allow connections over port 17533. If you configure BlackBerry Proxy to use BlackBerry Dynamics Direct Connect, your organization’s external firewalls must allow connections over port 17533. For more information about configuring BlackBerry Proxy, see the Configuration content.

Outbound connections: Devices on a work Wi-Fi network

iOS, Android, and Windows devices that use your work Wi-Fi network use the following outbound ports to connect to the BlackBerry Infrastructure and external services. Configure your organization’s firewall to allow outbound two-way connections over these ports. For more information about outbound connections for devices with BlackBerry Dynamics apps, devices using CylancePROTECT, and for BlackBerry Analytics, see Mobile device configuration (Wi-Fi requirements).

To connect to the .bbsecure.com subdomain when activating the device

1. HTTP CONNECT to BlackBerry Infrastructure; creates tunnel from device to BlackBerry UEM
2. TLS session between device and BlackBerry UEM

To connect to the .bbsecure.com subdomain so that administration commands can be applied to the devices

1. HTTP CONNECT to BlackBerry Infrastructure; creates tunnel from device to BlackBerry UEM
2. TLS session between device and BlackBerry UEM

Intranet connections

Connections initiated by the BlackBerry UEM Core

To simplify administration and support certain device features, the BlackBerry UEM Core must be able to connect to your organization’s intranet applications. Examples of intranet applications include Microsoft Active Directory, an LDAP directory, Microsoft Exchange, or an SMTP server. Consult the documentation or support resources for your organization’s applications to identify the ports that BlackBerry UEM must be able to access.

Intranet port configurations for BlackBerry Proxy

On each computer that hosts BlackBerry Proxy, verify that the following inbound ports are open, available, and not used by other servers or processes: · 17080 · 17433 The computer that hosts BlackBerry Proxy should have at least 30,000 ports in the dynamic TCP port allocation for outbound connections to the BlackBerry Dynamics NOC (when Direct Connect is configured, these ports become inbound). To route connections from BlackBerry Dynamics apps through a web proxy server, the proxy server must support the HTTP Connect command and must not require authentication. Your organization’s internal firewall must allow connections over port 17533. If you do not configure a web proxy server for a BlackBerry Proxy instance, your organization’s internal and external firewalls must allow connections over port 17533. For more information about configuring BlackBerry Proxy, see the Configuration content.

How BlackBerry UEM selects listening ports during installation

When you install BlackBerry UEM for the first time, the setup application determines whether default listening ports are available for use. If a default port is not available, the setup application assigns a port value from the range of 12000 to 12999. The setup application stores the port values in the BlackBerry UEM database. When you install an additional BlackBerry UEM instance in the domain, the setup application retrieves the listening port values from the database and uses those values for the current installation. If a defined listening port is not available, you receive an error message stating that you cannot complete the installation until the port is available for use. The default values of some listening ports may have changed over the course of BlackBerry UEM releases. When you upgrade BlackBerry UEM to a new version, the upgrade process retains the listening port values that were defined by the original installation.

BlackBerry UEM listening ports

The following is a list of the default ports that the BlackBerry UEM setup application tries to use when you install the first BlackBerry UEM instance in your organization’s domain. If a default port is not available, the setup application assigns a port from the range of 12000 to 12999. Some listening ports require the default port and cannot be assigned a different port value (see notes in the table below). To check the minimum ports that must be open between BlackBerry UEM instances, or any assigned listening port, see Check the ports assigned by the BlackBerry UEM setup application.
| Port requirements | 41

Note: BlackBerry UEM uses port 8889 to handle SCEP requests for BlackBerry Secure Connect Plus. BlackBerry UEM must be able to access this port.

The BlackBerry UEM Core uses this port to obtain the status of the BlackBerry Secure Gateway. The status is displayed in the management console.
The BlackBerry UEM Core uses this port to obtain the status of the BlackBerry Collaboration Service.
The BlackBerry UEM Core and the management console and BlackBerry UEM Self- Service use this port for internal communication.
The BlackBerry UEM management console uses this port when an administrator or user logs in to the management console or BlackBerry UEM Self-Service using certificate-based authentication.
The BlackBerry UEM Core uses this port to receive enrolment requests for iOS, Android, and Windows Phone devices.

The BlackBerry UEM Core uses this port to receive management requests for iOS, Android, and Windows Phone devices. The connection uses mutual authentication with RSA certificates.
The BlackBerry UEM Core uses this additional port to receive management requests for iOS devices. The connection uses mutual authentication with RSA certificates.
The BlackBerry UEM Core and the management console use this port for authenticated connections to check the status of BlackBerry UEM instances.
The BlackBerry UEM Core uses this port to handle SCEP requests for BlackBerry Secure Connect Plus (the BlackBerry UEM Core acts as the CA).

Purpose

When BlackBerry Secure Connect Plus and the BlackBerry Gatekeeping Service are installed remotely as part of a BlackBerry Connectivity Node, these components use this port to obtain configuration and authorization data and certificates. The BlackBerry Gatekeeping Service also uses this port for gatekeeping operations.

Certain BlackBerry Infrastructure services use this mutually authenticated port to connect with BlackBerry UEM.
When BlackBerry Secure Connect Plus and the BlackBerry Gatekeeping Service are installed with the primary BlackBerry UEM components, they use this port to obtain configuration and authorization data and certificates. The BlackBerry Gatekeeping Service also uses this port for gatekeeping operations.

The BlackBerry UEM Core health can be collected on this port. This functionality is available only for deployments of BlackBerry UEM Cloud.
The BlackBerry UEM Core uses this port is to receive requests from external services such as BEMS, BlackBerry Connect, and BlackBerry Workspaces.
BlackBerry UEM listens on this port for REST requests from BlackBerry Dynamics apps. This port uses GDAuthToken-based authentication.
The BlackBerry Gatekeeping Service listens on this secure SSL port.
BlackBerry Secure Connect Plus uses this port to listen for signaling requests from the BlackBerry Infrastructure.

Purpose

BlackBerry Proxy listens on this port for connections from application servers.

Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.

BlackBerry UEM listens on this port for BlackBerry Dynamics container management data.

Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.

BlackBerry Proxy listens on this port for SSL connections from application servers.

Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.

BlackBerry Proxy listens on this port for SSL connections.

Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.

The BlackBerry UEM Core listens on this port to route traffic for BlackBerry Enterprise Identity through the BlackBerry Infrastructure.

Minimum ports to open between BlackBerry UEM instances

If your organization’s domain has more than one BlackBerry UEM instance, note the following requirements:

· If you install the device connectivity components (the BlackBerry Connectivity Node) on a separate computer, your organization’s firewall must allow connections from that computer over port 443 through the BlackBerry Infrastructure to activate the BlackBerry Connectivity Node. All other outbound connections from the BlackBerry Connectivity Node use port 3101 through the BlackBerry Infrastructure (.bbsecure.com).
· If you are migrating data from one BlackBerry UEM instance to another, the ports that must be open between the source and destination servers are 8887 (TCP) and 35844 (TCP) for BlackBerry UEM and static ports 1433 (TCP) and 1434 (UDP) for Microsoft SQL Server.
· The following listening ports must be open between each instance. The default port values are listed. After you install the first instance, you can verify the listening port values that the setup application defined. For instructions, see Check the ports assigned by the BlackBerry UEM setup application.

Problems Issues

Many of the items to consider when planning the support of your BlackBerry UEM deployment are similar to items you looked at when you assessed your organization’s environment.

Hardware issues

Possible issues
· The hardware does not work or does not meet UEM requirements
· Not all hardware is available

Mitigation options
Before the planned installation date:
· Check all hardware before the planned installation date to verify that it is in working order and that it meets all hardware requirements.
· Prepare one or two extra computers in case a computer stops working on the planned installation date.
During installation, if you must install multiple instances of UEM, stage the deployment so that you complete a full installation on one computer first to make sure that all hardware is working.

Software issues

Possible issues
· Port conflicts · The computers operating
system does not meet UEM requirements · The UEM setup application does not work

Mitigation options
Before the planned installation date:
· Run the UEM Readiness Tool on the computers you plan to install UEM on. The Readiness Tool helps you determine whether or not the computers meet the minimum requirements for installing UEM.
· Make sure all application servers, such as Exchange ActiveSync and the mail servers, are active, running, and tested.

Network issues

Possible issues

Mitigation options

Required firewall ports are not open

· UEM instances cannot communicate with each other
· UEM cannot communicate with the BlackBerry Infrastructure
· UEM cannot communicate with application or content servers

Before the planned installation date:

· Run the UEM Readiness Tool on the computers that you plan to install UEM on. The Readiness Tool helps you determine whether or not the computers meet the minimum requirements for installing UEM.
· Create a detailed list of the ports that are required. Confirm with your networking team that the ports are open.
· UEM services do not support SSL Termination, SSL Offloading, SSL Packet Inspection or Deep Packet Inspection. Ensure these endpoint services are not enabled on your proxy/firewall. For more information, see KB 36470.

The UEM database does not install

Before the planned installation date:

· Check all hardware before the planned installation date to verify that it is in working order and that it meets all UEM hardware requirements.
· Verify that SQL Server permissions are set to allow the creation of the database.
· Install and test the database using createdb. For instructions, see the Installation and upgrade content.
· Test all connectivity between the computer that will host UEM and the database.

Returning to a previous environment

Most organizations cannot afford a long service interruption while troubleshooting. Before a database upgrade, you should plan for the ability to return to the previous environment, in case any issues arise.
Returning to the previous environment is not as simple as stopping the upgrade, especially if data was being migrated when an issue occurred. To prepare to return to your previous environment, before the planned installation date:
· Back up the existing databases. (By default, the UEM setup application backs up the existing database.) · If you use a virtual environment, take a snapshot of it.

If you encounter an issue during or after installing UEM, collect data about the issue before you return to your previous environment so that you can determine the root cause.
For more information about backing up the UEM database, see the Installation and upgrade content.

Legal notice

©2024 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design, ATHOC, CYLANCE and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners.
Patents, as applicable, identified at: www.blackberry.com/patents.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible “AS IS” and “AS AVAILABLE” and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies (“BlackBerry”) and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or thirdparty websites (collectively the “Third Party Products and Services”). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES

WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry’s products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so.

If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry’s products and services are provided as a convenience to you and are provided “AS IS” with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K 0A7
BlackBerry UK Limited Ground Floor, The Pearce Building, West Street, Maidenhead, Berkshire SL6 1RL United Kingdom

References

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>

Related Manuals