BlackBerry Dynamics Apps User Guide
- July 26, 2024
- BlackBerry
BlackBerry Dynamics Apps
Specifications
- Product: BlackBerry UEM
- Version: 12.20
Product Information
Planning Tools
- BlackBerry UEM Performance Calculator:
- The Performance Calculator helps determine the minimum number of instances needed for your device configuration and workload.
- BlackBerry UEM Readiness Tool:
- This tool checks system requirements before you run the setup application. It performs a simple CONNECT to determine that ports are open, so it cannot detect issues related to traffic monitoring or SSL termination.
- BlackBerry UEM Configuration Tool:
- Calculate the number of SRP IDs required for over 500 users and import them into the database before adding or migrating users.
Installation Options
- Installing or Upgrading:
- Detailed instructions on how to install or upgrade to BlackBerry UEM are provided in the manual.
High Availability Planning
- AlwaysOn High Availability:
- Information on planning high availability for a BlackBerry UEM domain, including requirements and setup instructions.
Preinstallation and Preupgrade Requirements
- Hardware Requirements:
- Details on the hardware specifications needed for installing BlackBerry UEM.
- Port Requirements:
- Information on port configurations and minimum ports to open between BlackBerry UEM instances.
Product Usage Instructions
Step 1: Planning Your Deployment
- Before starting the installation, use the Planning Tools provided to ensure a smooth deployment.
Step 2: Installation or Upgrade
- Follow the detailed instructions for installing or upgrading BlackBerry UEM as per the manual.
Step 3: High Availability Setup
- If planning for high availability, refer to the AlwaysOn High Availability section for guidance.
Step 4: Hardware Setup
- Ensure that the hardware requirements are met before proceeding with the installation.
Step 5: Port Configuration
- Configure the necessary ports as per the Port Requirements section to enable communication between instances.
FAQ
- Q: What is the purpose of the BlackBerry UEM Configuration Tool?
- A: The BlackBerry UEM Configuration Tool helps calculate the number of SRP IDs required for organizations with over 500 users and facilitates their import into the database.
Planning a BlackBerry UEM deployment
Planning a BlackBerry UEM deployment to support MDM or BlackBerry Dynamics apps
When you prepare to deploy BlackBerry UEM, it is important to understand the server and network resources that UEM requires to support your user base. The requirements vary based on the number of users that you support and the features that your organization requires. If you are installing UEM to support mobile device management (MDM) only, your environment must be ready to support only UEM components. If you are installing UEM to support MDM and BlackBerry Dynamics apps such as BlackBerry Work or BlackBerry Access, your environment must also be ready to support the BlackBerry Enterprise Mobility Server (BEMS) and the BlackBerry Proxy server. For information about installing BEMS, see Installing the BlackBerry Enterprise Mobility Server.
Planning tools
In addition to all of your planning considerations, BlackBerry UEM has some tools that you can use to assist you in planning your BlackBerry UEM installation or upgrade:
· BlackBerry UEM Performance Calculator
· BlackBerry UEM Readiness Tool
· BlackBerry UEM Configuration Tool
BlackBerry UEM Performance Calculator
The BlackBerry UEM Performance Calculator contains BlackBerry UEM performance models and SPEC CPU conversions. You can use the Performance Calculator for BlackBerry UEM to determine the minimum number of BlackBerry UEM instances and BlackBerry Connectivity Node instances for your device configuration and workload.
BlackBerry UEM Readiness Tool
You can use the BlackBerry UEM Readiness Tool to check system requirements before you run the BlackBerry UEM setup application. The BlackBerry UEM Readiness Tool is included with the UEM software. You can also download the tool from myAccount.
The BlackBerry UEM Readiness Tool checks the following requirements:
· Proxy server setting validation
· Minimum operating system requirements
· JRE version
· Minimum hard disk space
· Secure connection
· SRP connection
· Connection to the BlackBerry Dynamics NOC
· Required ports
· Account permissions
· Database validation
Note:
· The BlackBerry UEM Readiness Tool does not check for Microsoft .NET Framework 4.8.
· The BlackBerry UEM Readiness Tool performs a simple CONNECT to determine that ports are open. It does not validate that traffic will flow properly. For example, the BlackBerry UEM Readiness Tool cannot detect issues related to traffic monitoring, SSL termination, or other systems that might reactively close sessions.
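The gap described in the note above can be narrowed with a probe that goes one step past the CONNECT: it also attempts a TLS handshake and compares the certificate issuer with one recorded from an uninspected network path. This is an added example, not BlackBerry's tool or code from the guide; the host name, port, issuer strings and the assumption that the endpoint speaks TLS directly on the probed port are placeholders to replace with values from your own environment.

```python
"""Added example: tell "port is open" apart from "TLS session actually works".

Assumptions (not from the guide): the endpoint speaks TLS directly on the
probed port, and EXPECTED_ISSUERS holds issuer names you recorded from a
network path known to be free of SSL inspection.
"""
import socket
import ssl
import time

# Placeholder issuer names; replace with the issuer seen on a clean path.
EXPECTED_ISSUERS = ["Example Public CA"]


def probe(host, port, timeout=5.0):
    """Connect, then try a TLS handshake, recording each stage separately."""
    result = {"tcp_open": False, "connect_ms": None,
              "tls_ok": False, "issuer": None, "error": None}
    started = time.perf_counter()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, DNS failure, timeout
        result["error"] = f"connect: {exc}"
        return result
    result["tcp_open"] = True  # this is all a plain CONNECT check can prove
    result["connect_ms"] = round((time.perf_counter() - started) * 1000, 2)

    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            # getpeercert()["issuer"] is a tuple of RDNs of (key, value) pairs.
            issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
            result["issuer"] = (issuer.get("organizationName")
                                or issuer.get("commonName"))
            result["tls_ok"] = True
    except (ssl.SSLError, OSError) as exc:  # reset, EOF, timeout, bad cert
        result["error"] = f"tls: {exc}"
        sock.close()
    return result


def assess(result, expected_issuers=EXPECTED_ISSUERS):
    """Turn a probe result into a verdict that can be quoted in a ticket."""
    if not result["tcp_open"]:
        return "BLOCKED"
    if not result["tls_ok"]:
        # The port answered but the session died: the case CONNECT cannot see.
        return "OPEN_BUT_SESSION_FAILED"
    issuer = (result["issuer"] or "").lower()
    if not any(name.lower() in issuer for name in expected_issuers):
        # Consistent with the certificate being re-signed by an inspecting device.
        return "UNEXPECTED_ISSUER"
    return "OK"


if __name__ == "__main__":
    # Constructed results (not real captures), one per verdict.
    samples = [
        {"tcp_open": True, "tls_ok": True, "issuer": "Example Public CA"},
        {"tcp_open": True, "tls_ok": True, "issuer": "Corp Inspection CA"},
        {"tcp_open": True, "tls_ok": False, "issuer": None},
        {"tcp_open": False, "tls_ok": False, "issuer": None},
    ]
    for sample in samples:
        print(assess(sample))
    # Live use, with a placeholder host and port:
    # print(assess(probe("uem-endpoint.example", 443)))
```

A verdict of OPEN_BUT_SESSION_FAILED or UNEXPECTED_ISSUER on a port that the Readiness Tool reports as open is the signal to review proxy and firewall inspection settings on that path.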
BlackBerry UEM Configuration Tool
If your organization plans to support more than 500 users, use the BlackBerry
UEM Configuration Tool to calculate the number of SRP IDs you require. After
you install BlackBerry UEM, run the BlackBerry UEM Configuration Tool to
import the SRPs into the BlackBerry UEM database before you add or migrate
users. The BlackBerry UEM Configuration Tool is included with the BlackBerry
UEM software. You can also download the tool from myAccount.
The BlackBerry UEM Configuration Tool allows you to:
· Update or change the following BlackBerry UEM database properties:
  · Microsoft SQL Server name
  · Database name
  · Port configuration
  · Database authentication
  · Windows username
  · Windows password
· Calculate the number of SRP IDs required for BlackBerry UEM based on the projected total number of users
· Import extra SRP IDs into the BlackBerry UEM database
For more details on the BlackBerry UEM Configuration Tool, visit support.blackberry.com/community to read article 36443. For more information about obtaining and importing SRP IDs, visit support.blackberry.com/community to read article 36435.
BlackBerry UEM installation options
You can install all BlackBerry UEM components on one server, or you can
install the components on separate servers. The setup application allows you
to install the primary BlackBerry UEM components, the management console, and
the device connectivity components separately. You can install BlackBerry UEM
components on separate servers for security reasons or if your server has
system resource limitations.
Note:
· You must install the BlackBerry UEM primary components on one server before
you install the management console or BlackBerry Connectivity Node on separate
servers.
· When the primary components and management console are installed on the same
server, the management console permanently binds to the local BlackBerry UEM
Core. The result is that the management console will not try to use any other
instances of the BlackBerry UEM Core unless the local BlackBerry UEM Core is
shut down.
· You cannot install only the management console and the device connectivity
components on the same server.
· For instructions on installing the components, and for instructions on
configuring the BlackBerry Connectivity Node, see the Installation and upgrade
content.
Installing or upgrading to BlackBerry UEM
You can use the UEM setup application to install the UEM software and database or to upgrade from up to two previous versions of UEM.
Considerations for upgrades from BlackBerry UEM
If you are upgrading from a previous version of BlackBerry UEM, make sure your servers meet the requirements for the BlackBerry UEM configuration you are upgrading to. Note: If you have any inactive BlackBerry Connectivity Nodes, either activate them or remove them from the environment. If you do not activate them before upgrading, any devices they manage will be removed.
Upgrading BlackBerry UEM with BlackBerry Dynamics devices
If you are upgrading an environment that has activated BlackBerry Dynamics applications on devices, connections to the application servers, including the mail server, will continue to be supported. For example, the BlackBerry Work application will continue to receive email during the upgrade. BlackBerry Dynamics applications cannot be activated during the upgrade. All servers in the environment must be upgraded before any BlackBerry Dynamics applications can be activated. Upgrade all servers in the environment within 24 hours of the first server upgrade.
Installing the BlackBerry Enterprise Mobility Server
To support BlackBerry Dynamics apps, you must install the BlackBerry
Enterprise Mobility Server (BEMS) in your BlackBerry UEM environment to
provide additional services for BlackBerry Dynamics apps. BEMS integrates the
following services: BlackBerry Push Notifications, BlackBerry Connect,
BlackBerry Presence, and BlackBerry Docs. For information about sizing your
environment for BEMS and determining whether you should install BEMS on a
separate server, see Hardware requirements: BEMS. For information about
installing BEMS, see the BlackBerry Enterprise Mobility Server Installation
and configuration content. Note: When you upgrade BlackBerry UEM, you may also
have to upgrade BEMS. See the BlackBerry UEM Compatibility Matrix for
information about which versions of BEMS are compatible with your version of
BlackBerry UEM.
Installing a BlackBerry Connectivity Node instance
You can install one or more instances of the BlackBerry Connectivity Node to add capacity for device connectivity, to regionalize device connectivity, or to provide high availability or disaster recovery. Each BlackBerry Connectivity Node instance contains the following BlackBerry UEM components:
· BlackBerry Secure Connect Plus
· BlackBerry Gatekeeping Service
· BlackBerry Secure Gateway
· BlackBerry Proxy
· BlackBerry Cloud Connector
Each BlackBerry Connectivity Node instance provides another active instance of these components to the BlackBerry UEM domain that can process and manage secure device connections (by default, the BlackBerry Gatekeeping Service in a BlackBerry Connectivity Node instance is disabled). Enterprise connectivity can be maintained by creating server groups for BlackBerry Secure Connect Plus connectivity or BlackBerry Proxy clusters for BlackBerry Dynamics connectivity.
A server group contains one or more instances of the BlackBerry Connectivity Node. When you create a server group, you specify the regional data path that you want the components to use to connect to the BlackBerry Infrastructure. You can associate email and enterprise connectivity profiles with a server group. Any device that is assigned those profiles uses that server group’s regional connection to the BlackBerry Infrastructure when it uses any of the components of the BlackBerry Connectivity Node. Optionally, you can designate each BlackBerry Connectivity Node in a server group to handle a single connection type: BlackBerry Secure Connect Plus only, BlackBerry Secure Gateway only, or BlackBerry Proxy only. This frees up server resources so that fewer servers are required for the same number of users or containers.
A BlackBerry Proxy cluster contains one or more instances of the BlackBerry Connectivity Node. When you create a BlackBerry Proxy cluster, you specify the BlackBerry Proxy servers included in the cluster, as well as whether that cluster will be used for BlackBerry Dynamics activation, or only for application server connectivity.
After you install a BlackBerry Connectivity Node, you must register it before it can be used.
High availability and disaster recovery
It is important to understand the difference between high availability and disaster recovery.
High availability means that each service has some form of redundancy within a BlackBerry UEM environment. For BlackBerry UEM, high availability is active-active. High availability could mean N+1 or N+N (where N is the number of servers for your environment as defined by the Performance Calculator), depending on how much fault tolerance is acceptable. All nodes in a high availability configuration exist within the same physical location and have minimal latency between nodes. In high availability, the database server is collocated (with low latency) to all online Core nodes. All running core nodes must be within 5ms of the database at all times (for more information, see Hardware requirements).
Disaster Recovery means servers located in an alternate physical site that can be failed over to in the event of a disaster in the primary site (complete site failure). Disaster recovery servers for BlackBerry UEM must remain offline and must have a mirrored/clustered copy of the database in the disaster recovery site. Failing over to the disaster recovery site is “all or nothing”. For example, if the database fails over, the BlackBerry UEM Core servers also need to be brought up in the disaster recovery site and brought down in the primary site.
For more information, see Planning high availability for a BlackBerry UEM domain, and Configuring UEM for disaster recovery in the Installation content.
Log files
The size of log files for BlackBerry UEM varies based on the number of devices in your organization’s environment, the level of user activity on devices, and the logging levels that BlackBerry UEM uses. It is a best practice to monitor and control the amount of disk space that the BlackBerry UEM log files take up. For more information about configuring logging, see the Logging content.
BlackBerry Secure Connect Plus
If your BlackBerry UEM domain will support more than 1000 devices per server
using BlackBerry Secure Connect Plus at the same time, you must install
Windows Server 2012 R2 or later on the computers that host BlackBerry UEM.
Third-party software requirements
For more information about which third-party software is compatible with
BlackBerry UEM, see the Compatibility matrixes.
Planning high availability for a BlackBerry UEM domain
BlackBerry UEM uses an active-active high availability model to minimize
service interruptions for device users. To configure high availability, you
install multiple instances of BlackBerry UEM, each on a separate computer.
Each instance connects to the BlackBerry UEM database and actively manages
user accounts and devices.
High availability in BlackBerry UEM includes the following features:
Description
Each BlackBerry UEM instance connects to the BlackBerry UEM database to access
user and device data.
You can use any management console to manage the domain’s user accounts and
devices. The BlackBerry UEM Core associated with that console carries out the
management tasks.
You can configure a round-robin DNS pool that connects to each console. If
there is a problem with a console, the pool connects to a working console.
High availability and the BlackBerry UEM Core
High availability is automatic when you set up a second BlackBerry UEM Core.
For a larger environment, install N+1 core nodes. All active core nodes need
to be local to the database. Configuration of failover is not required.
Configuring high availability for the management console
To configure high availability for the BlackBerry UEM management consoles, you
can use your organization’s hardware load balancer or DNS server to configure
a round-robin pool that connects to each management console in the domain. If
a management console is not available, the load balancer or DNS server
connects to one of the other available consoles. For more information about
setting up a round-robin pool, consult the documentation for your
organization’s hardware load balancer or DNS server. After you configure a
round-robin pool, it is a best practice to update the %AdminPortalURL% and
%UserSelfServicePortalURL% variables in the management console (Settings >
General settings > Default variables) with the pool name. If you do, email
messages that use these variables to link to the management console and
BlackBerry UEM Self-Service can use the round-robin pool. If you enabled
single sign-on, you must update the SPNs for the Microsoft Active Directory
account with the pool name and restart the BlackBerry UEM services on each
computer that hosts a BlackBerry UEM instance. A BlackBerry UEM management
console instance in the round-robin pool can disconnect from the BlackBerry
UEM domain if the DNS server assigns a different IP address to that instance.
The instance is disconnected because the new IP address doesn’t recognize the
user’s login information. If this happens, the user must log out and log back
in again.
High availability and the BlackBerry Connectivity Node
You can install one or more instances of the BlackBerry Connectivity Node to
add additional instances of the device connectivity components to your
organization’s domain. This includes BSCP traffic for enterprise connectivity
and BlackBerry Dynamics traffic for BlackBerry Dynamics devices. Each
BlackBerry Connectivity Node contains the following BlackBerry UEM components:
BlackBerry Secure Connect Plus, the BlackBerry Gatekeeping Service, the
BlackBerry Secure Gateway, BlackBerry Proxy, and the BlackBerry Cloud
Connector. Each BlackBerry Connectivity Node provides another active instance
of these components to the BlackBerry UEM domain that can process and manage
secure device connections. For information about installing a BlackBerry
Connectivity Node, see the Installation and upgrade content. You can also
create server groups. A server group contains one or more instances of the
BlackBerry Connectivity Node. When you create a server group, you specify the
regional data path that you want the components to use to connect to the
BlackBerry Infrastructure. For example, you can create a server group to
direct device connections for BlackBerry Secure Connect Plus and the
BlackBerry Secure Gateway to use the path for the United States to the
BlackBerry Infrastructure. You can associate email and enterprise connectivity
profiles with a server group. Any device that is assigned those profiles uses
that server group’s regional connection to the BlackBerry Infrastructure when
it uses any of the components of the BlackBerry Connectivity Node. Optionally,
you can designate each BlackBerry Connectivity Node in a server group to
handle a single connection type: BlackBerry Secure Connect Plus only,
BlackBerry Secure Gateway only, or BlackBerry Proxy only. This frees up server
resources so that fewer servers are required for the same number of users or
containers. If a server group contains multiple instances of the BlackBerry
Connectivity Node, devices can use any instance that is running. Device
connections are load balanced across the available instances in the group. If
no instances are available, devices cannot use those components for secure
connections. At least one of the instances must be available.
Configuring database high availability using Microsoft SQL Server AlwaysOn
Before you install BlackBerry UEM, decide if you want to configure high availability for the BlackBerry UEM database. Database high availability allows you to retain database service and data integrity if issues occur with the BlackBerry UEM database. You can use one of the following Microsoft SQL Server features for database high availability:
· AlwaysOn Failover Cluster Instances (FCI) for Microsoft SQL Server 2014 or 2016 (Standard Edition)
· AlwaysOn Availability Groups for Microsoft SQL Server 2014 or 2016 (Enterprise Edition)
· Database mirroring for Microsoft SQL Server 2014
If you want to use an AlwaysOn feature, you must complete configuration steps before you install BlackBerry UEM. This section gives you instructions for configuring database high availability using AlwaysOn. You can configure database mirroring any time after you install BlackBerry UEM. For instructions, see the Configuration content.
Note: Microsoft recommends using AlwaysOn because database mirroring will be deprecated in a future version of Microsoft SQL Server.
AlwaysOn high availability
BlackBerry UEM supports AlwaysOn using a Failover Cluster Instance (FCI) or
availability group. Both methods require a Windows Server Failover Clustering
(WSFC) cluster where independent servers interact to provide a high
availability solution for databases. For more information about WSFC, visit
the MSDN Library to see Windows Server Failover Clustering (WSFC) with SQL
Server.
Instance-level high availability using an AlwaysOn Failover Cluster Instance
An FCI is an instance of Microsoft SQL Server that is installed across
multiple computers (or “nodes”) in a WSFC cluster. The nodes are members of a
resource group, and all nodes have shared access to the BlackBerry UEM
database. One of the nodes has ownership of the resource group and gives the
BlackBerry UEM components access to the BlackBerry UEM database. If the node
that owns the resource group becomes unavailable (for example, a hardware or
OS failure), a different node takes ownership of the resource group. As a
result, BlackBerry UEM database service continues with minimal interruption.
For more information, visit the MSDN Library to see AlwaysOn Failover Cluster
Instances (SQL Server).
Database-level high availability using an AlwaysOn availability group
To use an availability group, you configure a WSFC cluster with multiple
nodes. Each node is a separate computer that has an instance of Microsoft SQL
Server. One of the nodes hosts the primary BlackBerry UEM database and gives
the BlackBerry UEM components read-write access. This node is the “primary
replica.” The WSFC cluster can have one to eight other nodes, each hosting a
secondary database. These nodes are “secondary replicas.” The primary database
synchronizes data with the secondary databases. Data is synchronized with each
secondary database independently. If one secondary database is unavailable, it
does not affect the other secondary databases. You can configure the data
synchronization to be asynchronous (delayed synchronization with minimal
transaction latency) or synchronous (faster synchronization with increased
transaction latency). BlackBerry recommends the synchronous configuration.
Automatic failover requires the primary replica and secondary replicas to use
synchronous-commit mode. If you configure an availability group for automatic
failover and the primary database becomes unavailable, one of the secondary
replicas becomes the primary replica. That replica’s secondary database
becomes the primary database. As a result, BlackBerry UEM database service
continues with minimal interruption. For more information, visit the MSDN
Library to see Overview of AlwaysOn Availability Groups (SQL Server) and
AlwaysOn Availability Groups (SQL Server).
AlwaysOn requirements
Review the following requirements for configuring AlwaysOn in a BlackBerry UEM environment:
· Create a WSFC cluster. It is recommended to use static port 1433 for the database server. For requirements and instructions, visit the Technet Library to see Create a Failover Cluster.
· If you want to use an AlwaysOn FCI:
  · Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Before Installing Failover Clustering.
  · Configure the FCI. Visit the MSDN Library to see Create a New SQL Server failover Cluster (Setup).
· If you want to use an AlwaysOn availability group:
  · Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Prerequisites, Restrictions, and Recommendations for AlwaysOn Availability Groups (SQL Server).
  · Enable the availability groups feature and complete the initial setup tasks, including creating an availability group listener. You will set up the primary replica and secondary replicas after you install BlackBerry UEM and create the BlackBerry UEM database. Visit the MSDN Library to see Getting Started with AlwaysOn Availability Groups.
Preinstallation and preupgrade requirements
Review the following checklists before you begin installing or upgrading BlackBerry UEM.
Hardware requirements
Review and complete the Performance Calculator for BlackBerry UEM. The performance calculator provides minimum recommendations based on the values you enter. If you require additional capacity, redundancy, or room for growth, enter values that reflect these needs to accommodate any near future large app and user deployment projects.
Ensure your environment meets the hardware requirements for your needs.
Ensure that database latency requirements are met. BlackBerry UEM Core servers must have less than 5ms latency to the database server.
Third-party software requirements
Verify that your computer is running an operating system that supports BlackBerry UEM.
Verify that you have a supported browser on the computers that host the UEM management console. The browser must support configuration of the following settings:
· Support for JavaScript
· Cookies turned on
· Support for TLS
· SSL certificate installed to permit trusted connections to the consoles
If you have a requirement to use a proxy server in your organization, verify that you have a supported proxy solution.
Ensure that Windows is up to date and that you perform any reboot required for the update.
Verify that your computer is running Windows PowerShell 2.0 or later for the following:
· RRAS for BlackBerry Secure Connect Plus setup during the UEM installation
· Exchange ActiveSync gatekeeping (optional)
Verify that you have installed JRE 17 on the servers where you will install UEM. Visit support.blackberry.com to review article 52117. For more information about supported JRE versions, see the Compatibility matrix.
Verify that you have a mail server that supports BlackBerry UEM.
Verify that the Exchange ActiveSync version meets the minimum requirements.
Environment configuration requirements
Verify that the BlackBerry UEM listening ports are configured.
Verify that you opened the necessary ports on your organization’s firewall.
For more information about port and firewall requirements, visit
support.blackberry.com/community to
read article 36470. Note: BlackBerry UEM services do not support SSL
Termination, SSL Offloading, SSL Packet Inspection or Deep Packet Inspection.
Ensure these endpoint services are not enabled on your proxy/firewall.
Verify that the TCP/IP network protocols are turned on for your UEM database.
Verify that you have DNS support for resolving IP addresses into host names.
If you perform the installation or upgrade process on a computer that has more
than one NIC, verify that the production NIC is first in the bind order in the
Windows network settings.
If a Windows host operating system is configured in a workgroup instead of a
domain, verify that you configured the primary DNS suffix. For information on
configuring the primary DNS suffix, visit the Microsoft support website.
Ensure that the no count setting for the Microsoft SQL Server is disabled.
Verify that the UEM service account has local administrator permissions on
each computer.
The Microsoft SQL Server account must have dbo as its default schema.
Ensure antivirus exclusions have been made for both the extracted installation
files and the target installation and logging directories. For more
information, visit
support.blackberry.com/community to
read article 36596.
If you previously upgraded from a legacy Good Control environment and modified
the Java Heap value, make note of the existing value. You will need to reapply
the change after upgrade. For more information, visit
support.blackberry.com/community to
read article 56641.
Additional considerations
If you plan to install BlackBerry UEM in a DMZ, read Installing BlackBerry UEM
in a DMZ.
Plan for an appropriate amount of downtime based on the number of servers in
your environment. Upgrading the first server may take 45-60 minutes.
Additional servers may take 15-45 minutes depending on which components are
installed and whether or not these components can be installed in parallel.
Consider adding additional time to account for rolling back servers if
troubleshooting is required.
Verify that you have the appropriate licenses.
Visit
support.blackberry.com/community to
review article 38980 about upgrades.
If your organization uses a proxy server for Internet access, verify that you
have the computer name, port number, and credentials for the proxy server.
If your organization uses Apple VPP accounts, after the upgrade you must
generate a new .vpp token file and edit your Apple VPP account information at
Apps > iOS App licenses.
If you are planning a multistage upgrade, review the upgrade documentation for
the versions you are upgrading to.
Decommission surplus nodes, if applicable. For more information, visit
support.blackberry.com/community to read article 46210 and see the
Installation and upgrade content for instructions on how to remove BlackBerry
UEM software.
Hardware requirements
BlackBerry UEM hardware requirements depend on the size of your environment.
BlackBerry UEM also has requirements for third-party software compatibility.
To determine the CPU and disk space requirements for BlackBerry UEM, you must
consider the number of devices that you plan to activate, the types of
connection that devices use, and the level and type of user activity on
devices. To calculate hardware requirements for a BlackBerry UEM environment,
use the Performance Calculator for BlackBerry UEM.
· Hardware requirements: BlackBerry UEM
· Hardware requirements: BEMS
Hardware requirements: BlackBerry UEM
The following sections list the hardware requirements for BlackBerry UEM.
Note: If you are installing BlackBerry UEM on virtual machines, the servers
require dedicated or reserved hardware resources.
Small deployments
A small BlackBerry UEM deployment consists of 2000 or fewer devices. All
BlackBerry UEM components are typically installed on one server; however, you
can install the BlackBerry Connectivity Node and Microsoft SQL Server on
separate servers.
Hardware requirements for up to 500 devices
For up to 500 devices, install the BlackBerry UEM primary components,
BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft
SQL Server or Microsoft SQL Server Express on one server. A domain with this
configuration can have a maximum of 500 devices.
Note: You may need to adjust the -Xmx values of the UI and Core services for
this configuration.
Server
Requirement
BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express
Database server Microsoft SQL Server
BlackBerry UEM server
Requirement
All BlackBerry UEM components on one server
BlackBerry UEM primary components, management console, and BlackBerry Connectivity Node (5000 devices per instance)
· 10 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 28 GB of available memory
· 64 GB of disk space
BlackBerry UEM components on separate servers
BlackBerry UEM primary components and BlackBerry UEM management console (25,000 devices per instance for MDM-only or
· 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
Large deployments
A large BlackBerry UEM deployment consists of between 25,000 and 150,000
devices. You can install all the BlackBerry UEM components on one server, or
have a separate server for the BlackBerry Connectivity Node. Microsoft SQL
Server is installed on a separate server. You can install multiple instances
of BlackBerry UEM and multiple instances of the BlackBerry Connectivity Node.
Hardware requirements for up to 150,000 devices
For a domain with up to 150,000 devices, you can install multiple instances of
all BlackBerry UEM components, or you can install multiple instances of the
BlackBerry UEM primary components and management console, and multiple
instances of the BlackBerry Connectivity Node.
In both types of deployment, install Microsoft SQL Server on a separate
server. The servers that host BlackBerry UEM must be physically located near
the server with the Microsoft SQL Server database (less than 5 ms latency). The
BlackBerry UEM servers do not need to be near the mail and messaging servers.
One instance of BlackBerry UEM can support:
· Up to 25,000 Android or Windows devices with MDM-only activation (no
BlackBerry Dynamics)
· Up to 25,000 Android, iOS, Windows 10, or macOS devices with BlackBerry
Dynamics-only activation (no MDM)
· Up to 20,000 Android devices with MDM and BlackBerry Dynamics
· Up to 10,000 iOS devices with MDM (with or without BlackBerry Dynamics)
Specific features may also limit the number of devices that one instance can
support. Use the Performance Calculator for BlackBerry UEM to determine the
number of instances required.
One instance of the BlackBerry Connectivity Node can support up to 5000 iOS,
macOS, Android, or Windows devices.
However, if you enable single-service performance mode, the BlackBerry
Connectivity Node can support up to 10,000 devices per instance.
BlackBerry UEM servers
Requirement
All BlackBerry UEM components on one server
BlackBerry UEM primary components, management console, and BlackBerry
Connectivity Node
(5000 devices per instance)
Install enough instances of BlackBerry UEM to support the number of devices.
· 10 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 28 GB of available memory
· 64 GB of disk space
BlackBerry UEM components on separate servers
BlackBerry UEM primary components and BlackBerry UEM management console
(25,000 devices per instance for MDM-only or BlackBerry Dynamics-only, 20,000
Android devices per instance for MDM and BlackBerry Dynamics, 10,000 iOS
devices per instance for MDM and BlackBerry Dynamics. Use the Performance
Calculator for BlackBerry UEM for details.)
Install enough instances of BlackBerry UEM to support the number of devices.
· 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 16 GB of available memory
· 64 GB of disk space
BlackBerry Connectivity Node (5000 devices per instance)
Install enough instances of BlackBerry Connectivity Node to support the number
of devices.
· 6 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory
· 64 GB of disk space
BlackBerry Connectivity Node with single-service performance mode enabled for
BlackBerry Proxy only
(10,000 devices per instance)
· 6 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory
· 64 GB of disk space
BlackBerry Connectivity Node with single-service performance mode enabled for
BlackBerry Secure Connect Plus only
(10,000 devices per instance)
· 4 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory
· 64 GB of disk space
BlackBerry Connectivity Node with single-service performance mode enabled for
BlackBerry Secure Gateway only
(10,000 devices per instance)
· 8 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 GB of available memory
· 64 GB of disk space
Database server
Requirement
Microsoft SQL Server
Note: Microsoft SQL Server has compute capacity limits on the number of
processor cores that specific editions support. Ensure that the edition of
Microsoft SQL Server you are using supports 24 processor cores.
· 24 processor cores, E5-2670 (2.6 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 30 GB of available memory
· 64 GB of disk space
Hardware requirements: BEMS
The following sections list the hardware requirements for BEMS.
Note:
· If you are installing BEMS on virtual machines, the servers require
dedicated or reserved hardware resources.
· You can compress the log files that are generated and saved in the default
log folder or folder you specified during the installation of BEMS. For more
information, see “Enabling log file compression” in the BEMS-Core
configuration content.
Small deployments
A small BEMS deployment consists of 2000 or fewer devices.
BEMS hardware requirements for up to 500 devices
For up to 500 devices, install BEMS (with BlackBerry Push Notifications and
BlackBerry Presence only) on the same server as the BlackBerry UEM primary
components, BlackBerry UEM management console, BlackBerry Connectivity Node,
and Microsoft SQL Server or Microsoft SQL Server Express. A domain with this
configuration can have a maximum of 500 devices. You may need to adjust the
-Xmx values of the UI and Core services for this configuration.
Note: To add BlackBerry Connect and BlackBerry Docs, you must meet the
hardware requirements for 2000 or 5000 devices, which require a separate
server for BEMS.
Server
Requirement
BEMS (with BlackBerry Push Notifications and BlackBerry Presence), BlackBerry UEM primary components, BlackBerry UEM management console, BlackBerry Connectivity Node, and Microsoft SQL Server or Microsoft SQL Server Express
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 22 GB of available memory
· 64 GB of disk space
BEMS hardware requirements for up to 1000 devices
For up to 1000 devices, install BlackBerry UEM and BEMS (with BlackBerry Push
Notifications and BlackBerry Presence) on one server and Microsoft SQL Server
on another server. The BlackBerry UEM and BEMS server must be physically
located near the server that hosts the Microsoft SQL Server database. You may
need to adjust the -Xmx values of the UI and Core services for this
configuration.
Note: To add BlackBerry Connect and BlackBerry Docs, you must meet the
hardware requirements for 2000 or 5000 devices, which require a separate
server for BEMS.
BlackBerry UEM and BEMS server
Requirement
BlackBerry UEM and BEMS (with BlackBerry Push Notifications and BlackBerry Presence)
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 26 GB of available memory
· 64 GB of disk space
Database server Microsoft SQL Server
Requirement
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 2 GB of available memory
· 64 GB of disk space
BEMS hardware requirements for up to 2000 devices
For up to 2000 devices, install BEMS on its own server. The BEMS server must
be physically located near the server that hosts the Microsoft SQL Server
database.
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS
with BlackBerry Connect, install BlackBerry Presence on only one of those two
servers.
BEMS servers
Requirement
BEMS with BlackBerry Push Notifications and optional BlackBerry Presence
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
BEMS with BlackBerry Connect and optional BlackBerry Presence
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
BEMS with BlackBerry Docs
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
Database servers
Requirement
Microsoft SQL Server for BEMS with BlackBerry Push Notifications
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 4 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Connect
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 4 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Docs
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 4 GB of available memory
· 64 GB of disk space
Medium deployments
A medium BEMS deployment consists of between 2000 and 25,000 devices. You must
install BEMS on its own server, and you can deploy multiple BEMS servers.
BEMS hardware requirements for up to 5000 devices
For up to 5000 devices, install BEMS on its own server. The BEMS server must
be physically located near the server that hosts the Microsoft SQL Server
database.
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS
with BlackBerry Connect, install BlackBerry Presence on only one of those two
servers.
BEMS servers
Requirement
BEMS with BlackBerry Push Notifications and optional BlackBerry Presence
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 128 GB of disk space
BEMS with BlackBerry Connect and optional BlackBerry Presence
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
BEMS with BlackBerry Docs
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Database servers
Requirement
Microsoft SQL Server for BEMS with BlackBerry Push Notifications
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Connect
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Docs
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 6 GB of available memory
· 64 GB of disk space
BEMS hardware requirements for up to 25,000 devices
For up to 25,000 devices, install BEMS on its own server. This configuration
requires multiple BEMS servers (not including high availability or disaster
recovery scenarios). One dedicated instance of BEMS can support approximately
10,000 devices. To support more devices, add more instances of BEMS.
Use the BEMS Performance Calculator to determine the minimum number of BEMS
instances for your device configuration and workload.
The servers that BEMS is installed on must be physically located near the
server that hosts the Microsoft SQL Server database (less than 5 ms latency).
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS
with BlackBerry Connect, install BlackBerry Presence on only one of those two
servers.
BEMS servers
Requirement
BEMS with BlackBerry Push Notifications and optionally BlackBerry Presence
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 250 GB of disk space
BEMS with BlackBerry Connect and optionally BlackBerry Presence
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
BEMS with BlackBerry Docs
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Database servers
Requirement
Microsoft SQL Server for BEMS with BlackBerry Push Notifications
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Connect
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Docs
· 2 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Large deployments
A large BEMS deployment consists of between 25,000 and 150,000 devices. You
must install BEMS on its own server, and you can deploy multiple BEMS servers.
BEMS hardware requirements for up to 150,000 devices
For up to 150,000 devices, install BEMS on its own server. This configuration
requires multiple BEMS servers (not including high availability or disaster
recovery scenarios). One dedicated instance of BEMS can support approximately
10,000 devices. To support more devices, add more instances of BEMS.
Use the BEMS Performance Calculator to determine the minimum number of BEMS
instances for your device configuration and workload.
The servers that BEMS is installed on must be physically located near the
server that hosts the Microsoft SQL Server database (less than 5 ms latency).
Note: If you install both BEMS with BlackBerry Push Notifications and BEMS
with BlackBerry Connect, install BlackBerry Presence on only one of those two
servers.
BEMS servers
Requirement
BEMS with BlackBerry Push Notifications and optionally BlackBerry Presence (one for every 10,000 devices)
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 250 GB of disk space
BEMS with BlackBerry Connect and optionally BlackBerry Presence
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
BEMS with BlackBerry Docs
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Database servers
Requirement
Microsoft SQL Server for BEMS with BlackBerry Push Notifications
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 12 to 24 GB of available memory, depending on the size of EWS SyncState, up
to 60 KB
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Connect
· 6 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Microsoft SQL Server for BEMS with BlackBerry Docs
· 4 processor cores, E5-2670 v2 (2.5 GHz), E5-2683 v4 (2.1 GHz), or equivalent
· 8 GB of available memory
· 64 GB of disk space
Before you install or upgrade BlackBerry UEM, you should familiarize yourself
with how BlackBerry UEM uses ports.
The BlackBerry UEM components use various ports to communicate with the
BlackBerry Infrastructure, the BlackBerry Dynamics NOC, and internal resources
(for example, your organization’s messaging software). The topics in this
section indicate the default ports that BlackBerry UEM uses for outbound
connections and also describe the internal connections that you should verify.
These port connections are required whether or not BlackBerry UEM is installed
in a DMZ.
BlackBerry Enterprise Mobility Server (BEMS) must be installed in BlackBerry
UEM environments that use BlackBerry Dynamics. BEMS has port requirements for
communication with BlackBerry UEM and the BlackBerry Dynamics NOC.
For more information about BlackBerry UEM and BEMS ports, visit
support.blackberry.com/kb to read article
36470.
Server configuration
The recommended and least restrictive firewall configuration is to enable the listed TCP ports to carry outbound initiated bidirectional communications to the blackberry.com and bbsecure.com subdomains.
Note:
Global IP ranges
BlackBerry may add new IP addresses to the Global IP ranges. BlackBerry has
reserved IP address ranges, identified below for this purpose. BlackBerry
recommends that you add these IP address ranges in the firewall rules to
ensure that future changes do not impact server connectivity. For information
about updating the IP ranges, visit support.blackberry.com to read article
36470.
EMEA
· 20.31.194.160/29
· 20.223.121.168/29
APAC
· 20.24.116.64/29
· 20.198.205.208/29
Canada/LATAM
· 20.116.139.104/29
· 52.229.69.64/29
USA
· 20.84.181.104/29
· 20.96.255.112/29
Mobile device configuration
Mobile device configuration (Wi-Fi requirements)
The port requirements in this section are for mobile devices to connect to the
BlackBerry Infrastructure. These addresses and ports may not be required by
the BlackBerry UEM server components. For example, in a typical Wi-Fi network
setup, connectivity to the internet on port 443 is allowed, but connectivity
to APNs may be blocked.
Mobile devices managed by UEM also have specific connectivity requirements.
Whether the device is attempting a connection over the mobile network or a
Wi-Fi network, the port requirements must be met.
Note:
Device OS iOS, Android
TCP port 443
1 In addition to standard HTTPS traffic, BlackBerry UEM components may also need to make an HTTP CONNECT and HTTP OPTIONS call on port 443. Because some firewalls are configured to block non-HTTPS traffic detected on port 443, this traffic may need to be explicitly allowed. Similarly, some firewalls incorrectly recognize TLS traffic on port 3101 as nonstandard and block the traffic. Ensure that necessary allow lists are in place on your firewall or other network appliances.
2 When using Samsung Knox with BlackBerry Secure Connect Plus, all device
traffic, including HTTP and TCP traffic, is redirected to the BlackBerry UEM
server. The device-side TCP ports must be allowed from the BlackBerry UEM
server. For more information, visit support.blackberry.com/community to read
article 46317.
3 To open the firewall to specific IP addresses, for analytics.blackberry.com
use 74.82.73.148, and for receiver.analytics.blackberry.com use 74.82.73.149.
Outbound connections: BlackBerry UEM to the BlackBerry Infrastructure
BlackBerry UEM must connect with and receive data from the BlackBerry
Infrastructure to perform tasks. BlackBerry UEM connects with the BlackBerry
Infrastructure over the outbound-initiated, two-way port 3101 (TCP).
Your organization’s firewall must allow outbound two-way connections over port
3101 to
Note: If you install the device connectivity components (the BlackBerry
Connectivity Node) on a separate computer, your organization’s firewall must
allow connections from that computer over port 443 through the BlackBerry
Infrastructure (
You have the option of routing data from BlackBerry UEM through your
organization’s TCP proxy server to the BlackBerry Infrastructure. If you
choose to send data through a proxy server, configure the firewall to allow
the following outbound two-way connections:
· Use port 3102 as the default listening port to connect the BlackBerry UEM
components to the TCP proxy server
· Use port 3101 as the default listening port to connect the components that
manage BlackBerry OS devices to the TCP proxy server
If you configure BlackBerry UEM to use a TCP proxy server, verify that the
proxy allows connections over port 3101 to
Description
Establish secure device connections to work resources
You can install one or more instances of the BlackBerry Connectivity Node to
add additional instances of the device connectivity components to your
organization’s domain. Each BlackBerry Connectivity Node contains the
following BlackBerry UEM components:
· BlackBerry Secure Connect Plus: Connects to the BlackBerry Infrastructure to
provide devices with a secure connection to work resources
· BlackBerry Secure Gateway: Connects to the BlackBerry Infrastructure to
provide iOS devices with the MDM controls activation type with a secure
connection to your organization’s mail server
· BlackBerry Gatekeeping Service: Connects through the BlackBerry
Infrastructure to the primary BlackBerry UEM components and the Microsoft
Exchange Server or Microsoft 365 for Exchange ActiveSync gatekeeping
· BlackBerry Cloud Connector: Connects to the BlackBerry Infrastructure to
allow the BlackBerry Connectivity Node components to communicate with the
primary BlackBerry UEM components
The BlackBerry Connectivity Node also includes the BlackBerry Proxy, which
maintains the secure connection between your organization and the BlackBerry
Dynamics NOC. The BlackBerry Proxy does not use the 3101 connection.
Outbound connections: BlackBerry UEM to the BlackBerry Dynamics NOC
Your organization’s firewall must allow TCP connections to the appropriate IP ranges so that the BlackBerry Proxy can connect to the BlackBerry Dynamics NOC. Alternatively, you can configure your organization’s firewall to allow connections to host names specifically for BlackBerry Dynamics apps, listed in Mobile device configuration (Wi-Fi requirements). If you do not configure a web proxy server for a BlackBerry Proxy instance, your organization’s internal and external firewalls must allow connections over port 17533. If you configure BlackBerry Proxy to use BlackBerry Dynamics Direct Connect, your organization’s external firewalls must allow connections over port 17533. For more information about configuring BlackBerry Proxy, see the Configuration content.
Outbound connections: Devices on a work Wi-Fi network
iOS, Android, and Windows devices that use your work Wi-Fi network use the following outbound ports to connect to the BlackBerry Infrastructure and external services. Configure your organization’s firewall to allow outbound two-way connections over these ports. For more information about outbound connections for devices with BlackBerry Dynamics apps, devices using CylancePROTECT, and for BlackBerry Analytics, see Mobile device configuration (Wi-Fi requirements).
To connect to the
1. HTTP CONNECT to BlackBerry Infrastructure; creates tunnel from device to
BlackBerry UEM
2. TLS session between device and BlackBerry UEM
To connect to the
1. HTTP CONNECT to BlackBerry Infrastructure; creates tunnel from device to
BlackBerry UEM
2. TLS session between device and BlackBerry UEM
Intranet connections
Connections initiated by the BlackBerry UEM Core
To simplify administration and support certain device features, the BlackBerry UEM Core must be able to connect to your organization’s intranet applications. Examples of intranet applications include Microsoft Active Directory, an LDAP directory, Microsoft Exchange, or an SMTP server. Consult the documentation or support resources for your organization’s applications to identify the ports that BlackBerry UEM must be able to access.
Intranet port configurations for BlackBerry Proxy
On each computer that hosts BlackBerry Proxy, verify that the following inbound ports are open, available, and not used by other servers or processes:
· 17080
· 17433
The computer that hosts BlackBerry Proxy should have at least 30,000 ports in the dynamic TCP port allocation for outbound connections to the BlackBerry Dynamics NOC (when Direct Connect is configured, these ports become inbound).
To route connections from BlackBerry Dynamics apps through a web proxy server, the proxy server must support the HTTP CONNECT command and must not require authentication. Your organization’s internal firewall must allow connections over port 17533. If you do not configure a web proxy server for a BlackBerry Proxy instance, your organization’s internal and external firewalls must allow connections over port 17533. For more information about configuring BlackBerry Proxy, see the Configuration content.
How BlackBerry UEM selects listening ports during installation
When you install BlackBerry UEM for the first time, the setup application determines whether default listening ports are available for use. If a default port is not available, the setup application assigns a port value from the range of 12000 to 12999. The setup application stores the port values in the BlackBerry UEM database. When you install an additional BlackBerry UEM instance in the domain, the setup application retrieves the listening port values from the database and uses those values for the current installation. If a defined listening port is not available, you receive an error message stating that you cannot complete the installation until the port is available for use. The default values of some listening ports may have changed over the course of BlackBerry UEM releases. When you upgrade BlackBerry UEM to a new version, the upgrade process retains the listening port values that were defined by the original installation.
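A preflight for the BlackBerry Proxy port checks and the listening-port behaviour described above, as an added PowerShell example that is not part of the BlackBerry guide. The function names and the `$RecordedListeningPorts` placeholder are assumptions; the port numbers, the 30,000-port threshold and the 12000 to 12999 range come from the text.

```powershell
# Added example (not BlackBerry code): preflight for a Windows server that will
# host BlackBerry UEM or BlackBerry Proxy. Function names are hypothetical.

# Values taken from the guide text above.
$ProxyInboundPorts = 17080, 17433   # must be free on a BlackBerry Proxy host
$MinDynamicPorts   = 30000          # recommended dynamic TCP port allocation
$FallbackFirst     = 12000          # range the setup application assigns from
$FallbackLast      = 12999          # when a default listening port is taken

# Placeholder: listening ports recorded from the first UEM instance. An
# additional instance reuses these values, so they must be free on this server.
$RecordedListeningPorts = @()

function Get-ListenerOwner {
    # One object per listening TCP port that is in $Port or inside First..Last,
    # with the process that holds it. No output means the ports are free.
    param(
        [int[]]$Port = @(),
        [int]$First = 0,
        [int]$Last = -1
    )
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object {
            $p = [int]$_.LocalPort
            ($Port -contains $p) -or ($p -ge $First -and $p -le $Last)
        } |
        Sort-Object -Property LocalPort, OwningProcess -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = [int]$_.LocalPort
                ProcessId = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}

function Get-DynamicTcpPortRange {
    # The range is reported per TCP setting template; templates that carry no
    # value are skipped.
    Get-NetTCPSetting |
        Where-Object { $_.DynamicPortRangeNumberOfPorts -gt 0 } |
        Select-Object -First 1 -Property DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts
}

function Test-UemHostPorts {
    $findings = @()

    # 1. Ports that BlackBerry Proxy listens on must not be held by anything else.
    foreach ($l in Get-ListenerOwner -Port $ProxyInboundPorts) {
        $findings += "IN USE: port $($l.Port) is held by $($l.Process) (PID $($l.ProcessId))"
    }

    # 2. Ports already defined for the domain must be free on an additional
    #    instance, or the setup application stops with an error.
    foreach ($l in Get-ListenerOwner -Port $RecordedListeningPorts) {
        $findings += "IN USE: recorded port $($l.Port) is held by $($l.Process) (PID $($l.ProcessId))"
    }

    # 3. Dynamic TCP port allocation for connections to the BlackBerry Dynamics NOC.
    $range = Get-DynamicTcpPortRange
    if (-not $range) {
        $findings += 'UNKNOWN: could not read the dynamic TCP port range'
    } elseif ($range.DynamicPortRangeNumberOfPorts -lt $MinDynamicPorts) {
        $findings += "LOW: dynamic TCP range is $($range.DynamicPortRangeNumberOfPorts) ports " +
                     "starting at $($range.DynamicPortRangeStartPort); need $MinDynamicPorts or more"
    }

    # 4. Informational: listeners already inside the fallback range. After the
    #    first install these may include ports the setup application assigned,
    #    which then belong on the firewall list between UEM instances.
    foreach ($l in Get-ListenerOwner -First $FallbackFirst -Last $FallbackLast) {
        $findings += "INFO: port $($l.Port) in ${FallbackFirst}-${FallbackLast} is held by $($l.Process)"
    }

    $findings
}

Test-UemHostPorts
```

On a default Windows Server installation the dynamic range is 16,384 ports starting at 49152, so the LOW finding is expected until the range is widened.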
BlackBerry UEM listening ports
The following is a list of the default ports that the BlackBerry UEM setup
application tries to use when you install the first BlackBerry UEM instance in
your organization’s domain. If a default port is not available, the setup
application assigns a port from the range of 12000 to 12999. Some listening
ports require the default port and cannot be assigned a different port value
(see notes in the table below). To check the minimum ports that must be open
between BlackBerry UEM instances, or any assigned listening port, see Check
the ports assigned by the BlackBerry UEM setup application.
Note: BlackBerry UEM uses port 8889 to handle SCEP requests for BlackBerry Secure Connect Plus. BlackBerry UEM must be able to access this port.
The BlackBerry UEM Core uses this port to obtain the status of the BlackBerry
Secure Gateway. The status is displayed in the management console.
The BlackBerry UEM Core uses this port to obtain the status of the BlackBerry
Collaboration Service.
The BlackBerry UEM Core and the management console and BlackBerry UEM
Self-Service use this port for internal communication.
The BlackBerry UEM management console uses this port when an administrator or
user logs in to the management console or BlackBerry UEM Self-Service using
certificate-based authentication.
The BlackBerry UEM Core uses this port to receive enrolment requests for iOS,
Android, and Windows Phone devices.
The BlackBerry UEM Core uses this port to receive management requests for iOS,
Android, and Windows Phone devices. The connection uses mutual authentication
with RSA certificates.
The BlackBerry UEM Core uses this additional port to receive management
requests for iOS devices. The connection uses mutual authentication with RSA
certificates.
The BlackBerry UEM Core and the management console use this port for
authenticated connections to check the status of BlackBerry UEM instances.
The BlackBerry UEM Core uses this port to handle SCEP requests for BlackBerry
Secure Connect Plus (the BlackBerry UEM Core acts as the CA).
Purpose
When BlackBerry Secure Connect Plus and the BlackBerry Gatekeeping Service are installed remotely as part of a BlackBerry Connectivity Node, these components use this port to obtain configuration and authorization data and certificates. The BlackBerry Gatekeeping Service also uses this port for gatekeeping operations.
Certain BlackBerry Infrastructure services use this mutually authenticated
port to connect with BlackBerry UEM.
When BlackBerry Secure Connect Plus and the BlackBerry Gatekeeping Service are
installed with the primary BlackBerry UEM components, they use this port to
obtain configuration and authorization data and certificates. The BlackBerry
Gatekeeping Service also uses this port for gatekeeping operations.
The BlackBerry UEM Core health can be collected on this port. This
functionality is available only for deployments of BlackBerry UEM Cloud.
The BlackBerry UEM Core uses this port to receive requests from external
services such as BEMS, BlackBerry Connect, and BlackBerry Workspaces.
BlackBerry UEM listens on this port for REST requests from BlackBerry Dynamics
apps. This port uses GDAuthToken-based authentication.
The BlackBerry Gatekeeping Service listens on this secure SSL port.
BlackBerry Secure Connect Plus uses this port to listen for signaling requests
from the BlackBerry Infrastructure.
Purpose
BlackBerry Proxy listens on this port for connections from application servers.
Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.
BlackBerry UEM listens on this port for BlackBerry Dynamics container management data.
Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.
BlackBerry Proxy listens on this port for SSL connections from application servers.
Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.
BlackBerry Proxy listens on this port for SSL connections.
Note: The default port must be used. The setup application does not assign an alternate port if the default port is not available.
The BlackBerry UEM Core listens on this port to route traffic for BlackBerry Enterprise Identity through the BlackBerry Infrastructure.
Minimum ports to open between BlackBerry UEM instances
If your organization’s domain has more than one BlackBerry UEM instance, note the following requirements:
· If you install the device connectivity components (the BlackBerry
Connectivity Node) on a separate computer, your organization’s firewall must
allow connections from that computer over port 443 through the BlackBerry
Infrastructure to activate the BlackBerry Connectivity Node. All other
outbound connections from the BlackBerry Connectivity Node use port 3101
through the BlackBerry Infrastructure
(
· If you are migrating data from one BlackBerry UEM instance to another, the
ports that must be open between the source and destination servers are 8887
(TCP) and 35844 (TCP) for BlackBerry UEM and static ports 1433 (TCP) and 1434
(UDP) for Microsoft SQL Server.
· The following listening ports must be open between each instance. The
default port values are listed. After you install the first instance, you can
verify the listening port values that the setup application defined. For
instructions, see Check the ports assigned by the BlackBerry UEM setup
application.
Problems Issues
Many of the items to consider when planning the support of your BlackBerry UEM deployment are similar to items you looked at when you assessed your organization’s environment.
Hardware issues
Possible issues
· The hardware does not work or does not meet UEM requirements
· Not all hardware is available
Mitigation options
Before the planned installation date:
· Check all hardware before the planned installation date to verify that it is
in working order and that it meets all hardware requirements.
· Prepare one or two extra computers in case a computer stops working on the
planned installation date.
During installation, if you must install multiple instances of UEM, stage the
deployment so that you complete a full installation on one computer first to
make sure that all hardware is working.
Software issues
Possible issues
· Port conflicts
· The computer’s operating system does not meet UEM requirements
· The UEM setup application does not work
Mitigation options
Before the planned installation date:
· Run the UEM Readiness Tool on the computers you plan to install UEM on. The
Readiness Tool helps you determine whether or not the computers meet the
minimum requirements for installing UEM.
· Make sure all application servers, such as Exchange ActiveSync and the mail
servers, are active, running, and tested.
Network issues
Possible issues
Required firewall ports are not open
· UEM instances cannot communicate with each other
· UEM cannot communicate with the BlackBerry Infrastructure
· UEM cannot communicate with application or content servers
Mitigation options
Before the planned installation date:
· Run the UEM Readiness Tool on the computers that you plan to install UEM on.
The Readiness Tool helps you determine whether or not the computers meet the
minimum requirements for installing UEM.
· Create a detailed list of the ports that are required. Confirm with your
networking team that the ports are open.
· UEM services do not support SSL Termination, SSL Offloading, SSL Packet
Inspection or Deep Packet Inspection. Ensure these endpoint services are not
enabled on your proxy/firewall. For more information, see KB 36470.
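To support the port list that you confirm with the networking team, the following added example (not part of the BlackBerry documentation) probes each entry of a checklist from the computer that will host UEM and separates refused connections from silently dropped ones. The checklist format, host names and ports are constructed placeholders; substitute the entries from your own required-ports list.

```python
import socket

def parse_checklist(text):
    """Parse 'label,host,port' lines; blank lines and '#' comments are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            label, host, port = (f.strip() for f in line.split(","))
            port = int(port)
        except ValueError:
            raise ValueError(f"line {n}: expected 'label,host,port'") from None
        if not 0 < port < 65536:
            raise ValueError(f"line {n}: port {port} out of range")
        entries.append((label, host, port))
    return entries

def probe(host, port, timeout=3.0):
    """Classify one TCP target as seen from this computer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"   # name does not resolve from this host
    except ConnectionRefusedError:
        return "refused"      # RST came back: no listener, or a rejecting firewall
    except socket.timeout:
        return "filtered"     # no answer at all: usually a silent firewall drop
    except OSError:
        return "unreachable"  # no route, host unreachable, and similar

def run_checklist(entries, timeout=3.0):
    """Return (label, host, port, state) for every entry that is not open."""
    results = [(l, h, p, probe(h, p, timeout)) for l, h, p in entries]
    return [r for r in results if r[3] != "open"]

# Constructed sample: placeholder names and ports, not UEM's documented values.
SAMPLE = """
# label, host, port
UEM core to second instance, uem02.corp.example, 8443
UEM to database,             sql01.corp.example, 1433
"""

if __name__ == "__main__":
    for label, host, port, state in run_checklist(parse_checklist(SAMPLE)):
        print(f"{state:<11} {host}:{port}  ({label})")
```

An "open" result only shows that the TCP handshake completed; it does not show whether a proxy or firewall on the path is terminating or inspecting SSL.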
The UEM database does not install
Before the planned installation date:
· Check all hardware before the planned installation date to verify that it is
in working order and that it meets all UEM hardware requirements.
· Verify that SQL Server permissions are set to allow the creation of the
database.
· Install and test the database using createdb. For instructions, see the
Installation and upgrade content.
· Test all connectivity between the computer that will host UEM and the
database.
Returning to a previous environment
Most organizations cannot afford a long service interruption while
troubleshooting. Before a database upgrade, you should plan for the ability to
return to the previous environment, in case any issues arise.
Returning to the previous environment is not as simple as stopping the
upgrade, especially if data was being migrated when an issue occurred. To
prepare to return to your previous environment, before the planned
installation date:
· Back up the existing databases. (By default, the UEM setup application backs
up the existing database.)
· If you use a virtual environment, take a snapshot of it.
If you encounter an issue during or after installing UEM, collect data about
the issue before you return to your previous environment so that you can
determine the root cause.
For more information about backing up the UEM database, see the Installation
and upgrade content.
Legal notice
©2024 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY,
BBM, BES, EMBLEM Design, ATHOC, CYLANCE and SECUSMART are the trademarks or
registered trademarks of BlackBerry Limited, its subsidiaries and/or
affiliates, used under license, and the exclusive rights to such trademarks
are expressly reserved. All other trademarks are the property of their
respective owners.
Patents, as applicable, identified at:
www.blackberry.com/patents.
This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible “AS IS” and “AS AVAILABLE” and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies (“BlackBerry”) and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the “Third Party Products and Services”). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES
WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION,
BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN
CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR
STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A)
IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU
INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT
LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR
BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY
REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES,
THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE
PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE
PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT
CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL
ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR
OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM
OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry’s products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so.
If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry’s products and services are provided as a convenience to you and are provided “AS IS” with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.
BlackBerry Limited 2200 University Avenue East Waterloo, Ontario Canada N2K
0A7
BlackBerry UK Limited Ground Floor, The Pearce Building, West Street,
Maidenhead, Berkshire SL6 1RL United Kingdom