Blackberry Uem: Installation and Upgrade

BlackBerry UEM
Installation and Upgrade
12.10 Maintenance Release 1

2019-08-16Z
| | 2
Contents
Preinstallation and preupgrade checklist.......................................................... 5
Installation and upgrade....................................................................................7

Steps to install BlackBerry UEM........................................................................................................................... 7
Applications that are installed with BlackBerry UEM...............................................................................7
Supported upgrade environments.........................................................................................................................8
Steps to upgrade BlackBerry UEM version 12.8 or later to BlackBerry UEM version 12.10..............................8
Port requirements...................................................................................................................................................9
Configuring ports........................................................................................................................................ 9
How BlackBerry UEM selects listening ports during installation.......................................................... 14
Preinstallation and preupgrade tasks.................................................................................................................21
Configure permissions for the service account..................................................................................... 22
Set an environment variable for the Java location................................................................................ 22
Configuring connections for the BlackBerry UEM database................................................................. 23
Backing up the databases....................................................................................................................... 24
Creating or upgrading a BlackBerry UEM database using CreateDB....................................................24
Performing a test upgrade of the BlackBerry UEM and BlackBerry Control databases.......................27
BlackBerry UEM Readiness Tool............................................................................................................. 28
Configuring database high availability using Microsoft SQL Server AlwaysOn................................... 28
Prerequisites: Installing or upgrading the BlackBerry UEM software...............................................................31
Installing or upgrading the BlackBerry UEM software...................................................................................... 32
Install a new BlackBerry UEM instance.................................................................................................. 32
Upgrade BlackBerry UEM version 12.8 and later to BlackBerry UEM version 12.10............................ 34
Upgrade a domain that consists of multiple instances of BlackBerry UEM.........................................34
Install or upgrade BlackBerry UEM using the command prompt window............................................ 35
Install the BlackBerry UEM components on separate computers using the command prompt
window..................................................................................................................................................35
Installing BlackBerry UEM in a DMZ....................................................................................................... 38
Creating server groups and installing BlackBerry Connectivity Node instances............................................. 38
Create a server group...............................................................................................................................39
Change the default settings for BlackBerry Connectivity Node instances........................................... 40
Install a BlackBerry Connectivity Node instance....................................................................................40
Activate a BlackBerry Connectivity Node instance................................................................................ 41
Configure proxy settings for a BlackBerry Connectivity Node instance............................................... 42
Manage server groups..............................................................................................................................43
Installing a standalone BlackBerry Router......................................................................................................... 44
Install a standalone BlackBerry Router................................................................................................... 44
Logging in to BlackBerry UEM for the first time............................................................................................... 44
Log in to BlackBerry UEM for the first time........................................................................................... 44
Removing the BlackBerry UEM software........................................................................................................... 45
Remove the BlackBerry UEM software................................................................................................... 45
Remove a instance from the database................................................................................................. 46
Removing the BlackBerry Connectivity Node software.....................................................................................46
Remove the BlackBerry Connectivity Node software............................................................................ 47
Remove a BlackBerry Connectivity Node instance from the database................................................ 47
Troubleshooting BlackBerry UEM installation or upgrade................................................................................ 47
| | iii
Additional information......................................................................................................................................... 47
Best practice: Running BlackBerry UEM................................................................................................. 48
Installing the BlackBerry Collaboration Service......................................................................................48
BlackBerry UEM Configuration Tool........................................................................................................48
Glossary.......................................................................................................... 50
Legal notice.................................................................................................... 52
| | iv
Preinstallation and preupgrade checklist
Verify that the following requirements are met before you install BlackBerry UEM version 12.10.
Read Supported upgrade environments to review upgrade paths to BlackBerry UEM version 12.10.
You can download the BlackBerry UEM software after logging into myAccount.
For more information about configuring BlackBerry UEM, see the Configuration content.
When you verify requirements in this document, see the Compatibility matrix.
You can use the BlackBerry UEM Readiness Tool to check system requirements before you run the BlackBerry
UEM setup application. The BlackBerry UEM Readiness Tool is included with the BlackBerry UEM software. You
can also download the tool separately from myAccount.
Minimum requirements for installing BlackBerry UEM
The following requirements apply when you need to configure computers or devices to support BlackBerry UEM in
your organization.
Complete Requirement
• Verify that your computer is running an operating system that supports BlackBerry UEM.
• Verify that you have installed JRE 8 on the servers where you will install BlackBerry
UEM, and that you have an environment variable that points to its location. For more
information about supported JRE versions, see the Compatibility matrix.
• Verify that your computer is running Windows PowerShell 2.0 or later for the following:
• RRAS for BlackBerry Secure Connect Plus setup during the BlackBerry UEM installation
• Exchange ActiveSync gatekeeping (optional).
• Verify that your ports are configured. For more information, see Port requirements.
• Verify that you have a mail server that supports BlackBerry UEM.

• Verify that the Exchange ActiveSync version meets the minimum requirements.
• Verify that you have Microsoft Exchange Server 2010 or later if you plan to enable Exchange
ActiveSync gatekeeping on the mail server.
• Verify that you have one of the following company directories:

• Microsoft Active Directory and users with Microsoft Active Directory accounts
• LDAP with anonymous authentication or simple bind authentication, with or without SSL
• Verify that your database server has a supported database management system.
• Verify that the TCP/IP network protocols are turned on for your BlackBerry UEM database.
• Verify that you have DNS support for resolving IP addresses into host names.
| Preinstallation and preupgrade checklist | 5

Complete Requirement
• If you have VPN hardware in your environment, verify that you have one of the following:
• IPSec VPN hardware
• SSL VPN hardware
• If you have a remote BlackBerry Router instance or TCP proxy server in your organization,

verify that you have a supported operating system.
• Verify that you have a supported browser on the computers that host the BlackBerry
UEM management console.
• Verify that you configure the following settings to support browser access:
• Support for JavaScript
• Cookies turned on
• Support for TLS
• The SSL certificate is installed to permit trusted connections to the consoles
• Verify that you have supported mobile operating systems for BlackBerry

10, iOS, macOS, Android, and Windows devices.
• If you are upgrading to BlackBerry UEM, ensure that all instances are upgraded
to BlackBerry UEM version 12.8 or 12.9. If the instances are upgraded to 12.8, the
environment must be synchronized before the upgrade to 12.10.
| Preinstallation and preupgrade checklist | 6

Installation and upgrade
Steps to install BlackBerry UEM
The BlackBerry UEM setup application installs the BlackBerry UEM software and creates a BlackBerry
UEM database.
For a new installation of BlackBerry UEM, perform the following actions:
Step Action
Review the port requirements.
Complete the preinstallation tasks.
Verify the prerequisites.
Install a new BlackBerry UEM instance.
Log in to BlackBerry UEM.
Applications that are installed with BlackBerry UEM

You can use the BlackBerry UEM installation process to install the following third-party applications:
• Microsoft .NET Framework 4.5 (if it is available in the setup application to enable through the Windows
Server Manager)
Note: If a later version of Microsoft .NET Framework is already installed, the BlackBerry UEM setup application
does not install Microsoft .NET Framework 4.5.
• Microsoft Visual C++ 2008 SP1 Redistributable Package
• Microsoft Visual C++ 2010 Redistributable Package
• Microsoft SQL Server 2016 Express SP1 (if it is selected during the installation process)
• Microsoft SQL Server 2012 Native Client
• RRAS for Windows Server 2008 or 2012
Note: If the setup application cannot install RRAS on your computer you must stop the installation, install
it manually, and restart the installation. Windows PowerShell 2.0 or later is required to run RRAS when
installing BlackBerry UEM. For more information about installing RRAS manually, visit technet.microsoft.com.
Note: Uninstall the Microsoft SQL Server 2012 Native Client before installing BlackBerry UEM if you are
installing Microsoft SQL Server 2016 Express SP1.
If you want to install Microsoft SQL Server 2016 Express SP1 on a computer that does not host BlackBerry
UEM, you can copy the BlackBerry UEM installation files to the computer that you want to install Microsoft SQL
Server 2016 Express SP1 on. In the BlackBerry UEM installation files, navigate to the Tools > ext folders and run
the sqlexpress.exe file (64-bit).
| Installation and upgrade | 7

Supported upgrade environments
The following are the supported upgrade paths to BlackBerry UEM version 12.10:
• You can use the setup application to upgrade BlackBerry UEM version 12.8 or later to BlackBerry UEM version
12.10. If you have BES12 version 12.5 or earlier, you must first upgrade all instances to BlackBerry
UEM version 12.7 and synchronize the environment, then to BlackBerry UEM version 12.8 or 12.9 before you
can upgrade to BlackBerry UEM version 12.10.
• If you have Good Control version 4.0 and later and Good Proxy version 4.0 and later, you must first upgrade
all instances to BlackBerry UEM version 12.8 and synchronize the environment before you can upgrade
to BlackBerry UEM version 12.10.
• You can install BlackBerry UEM and migrate policy sets, connectivity profiles, app groups, app usage (for
certificates), and certificates from Good Control (standalone) version 5.0 to BlackBerry UEM.
• You can migrate IT policies, profiles, groups, users, and devices from BES10 to BlackBerry UEM version 12.8 or
12.9 and then upgrade or migrate from BlackBerry UEM version 12.8 or 12.9 to version 12.10.
Note: For information about synchronizing the environment for BlackBerry UEM version 12.8 and earlier, read
the Planning content and Installation content for BlackBerry UEM version 12.8.
When you upgrade to the latest version of BlackBerry UEM, you upgrade the management console and the
database.
Steps to upgrade BlackBerry UEM version 12.8 or later to BlackBerry

UEM version 12.10
The BlackBerry UEM version 12.10 setup application upgrades the BlackBerry UEM software and database
to BlackBerry UEM version 12.10.
For more information about upgrading a BlackBerry UEM domain that consists of multiple instances of BlackBerry
UEM, see Upgrade a domain that consists of multiple instances of BlackBerry UEM.
When you upgrade BlackBerry UEM version 12.8 or later to BlackBerry UEM version 12.10, you perform the
following actions:
Step Action
Review the port requirements.
Complete the preupgrade tasks.
Verify the prerequisites.
Upgrade the BlackBerry UEM software.

Port requirements
Before you install or upgrade BlackBerry UEM, familiarize yourself with how BlackBerry UEM uses ports.
Configuring ports
The BlackBerry UEM components use various ports to communicate with the BlackBerry Infrastructure,
the BlackBerry Dynamics NOC, and internal resources (for example, your organization's messaging software).
The topics in this section indicate the default ports that BlackBerry UEM uses for outbound connections, and also
describe the internal connections that you should verify. Note that these port connections are required whether or
not BlackBerry UEM is installed in a DMZ.
Outbound connections: BlackBerry UEM to the BlackBerry Infrastructure
BlackBerry UEM must connect with and receive data from the BlackBerry Infrastructure to perform
tasks. BlackBerry UEM connects with the BlackBerry Infrastructure over the outbound-initiated, two-way port 3101
(TCP).
Your organization's firewall must allow outbound two-way connections over port 3101
to <region>.srp.blackberry.com, <region>.bbsecure.com, and <region>.turnb.bbsecure.com. For more information
about domains and IP addresses to use in your firewall configuration, visit support.blackberry.com/community to
read article 36470.
Note: If you install the device connectivity components (the BlackBerry Connectivity Node) on a separate
computer, your organization's firewall must allow connections from that computer over port 443 through
the BlackBerry Infrastructure (<region>.bbsecure.com) to activate the BlackBerry Connectivity Node. All
other outbound connections from the BlackBerry Connectivity Node use port 3101 through the BlackBerry
Infrastructure (<region>.bbsecure.com). To add a BlackBerry Connectivity Node instance to an existing server
group when you activate it, your organization's firewall must allow connections from that server over port 443
through the BlackBerry Infrastructure (<region>.bbsecure.com) and to the same bbsecure.com region as the Core
server.
You have the option of routing data from BlackBerry UEM through your organization's TCP proxy server or
the BlackBerry Router to the BlackBerry Infrastructure. If you choose to send data through a proxy server,
configure the firewall to allow the following outbound two-way connections:
• Use port 3102 as the default listening port to connect the BlackBerry UEM components to the TCP proxy server
or the BlackBerry Router
• Use port 3101 as the default listening port to connect the components that manage BlackBerry OS devices to
the TCP proxy server or the BlackBerry Router
If you configure BlackBerry UEM to use a TCP proxy server or the BlackBerry Router, verify that the
proxy allows connections over port 3101 to <region>.srp.blackberry.com, <region>.bbsecure.com,
and <region>.turnb.bbsecure.com.

Activities initiated by the BlackBerry UEM Core over the port 3101 connection to the BlackBerry Infrastructure

Purpose Description
Authenticate BlackBerry
Connect to the authentication service to authenticate the BlackBerry UEM installation
UEM and allow the components to use the BlackBerry Infrastructure services.
Enable licenses Connect to the licensing infrastructure to activate your organization’s server licenses
and to enable BlackBerry 10, iOS, Android, and Windows devices to use SIM licenses
obtained from your service provider.
Request a signed Connect to the signing infrastructure so you can request a certificate signing request
CSR (CSR) from BlackBerry. You use the signed CSR to obtain and register an Apple Push
Notification Service (APNs) certificate, which you require to manage iOS devices.
Activate and Connect to the BlackBerry Infrastructure to:

manage BlackBerry
• Activate and manage BlackBerry 10 devices
10 devices
• Enable the work space on BlackBerry 10 devices
Communicate Connect to the BlackBerry Infrastructure to send data to the appropriate notification

with notification service for supported device types (APNs, FCM, or WNS).
services
Communicate with Connect to the BlackBerry push data service so that you can manage and configure
the BlackBerry push settings for BlackBerry 10 devices.
data service
Discover server Connect to the discovery service so that BlackBerry UEM can find and use the server
connection during connection automatically when users activate devices. If you turn off this connection,
activation users must specify the server manually when they activate devices.
Update device OS Connect to the BlackBerry Infrastructure each day at midnight to check a hosted

data metadata file for new device or OS data. Updates are downloaded to the BlackBerry
UEM database.
Search for apps Connect to the BlackBerry Infrastructure and then to the App Store or BlackBerry

World so that you can search for apps to add to the available app list.
Purchase and push Connect to the BlackBerry Infrastructure and then to the App Store to allow you to buy
apps to iOS devices and push apps to iOS devices.
Activities initiated by the BlackBerry Affinity Manager over the port 3101 connection to the BlackBerry
Infrastructure

Purpose Description
Send and receive Connect to the BlackBerry Infrastructure to send and receive data for BlackBerry
data for BlackBerry 10 devices, including Exchange ActiveSync data and enterprise connectivity data (for
10 devices example, intranet browsing and third-party app data).
Activities initiated by BlackBerry Secure Connect Plus over the port 3101 connection to the BlackBerry
Infrastructure

Purpose Description
Secure connection Connect to the BlackBerry Infrastructure to provide BlackBerry 10, Android Enterprise,

from work apps to and KNOX Workspace devices with a secure connection to work resources
work resources using BlackBerry Secure Connect Plus.
Activities initiated by the components of the BlackBerry Connectivity Node over the port 3101 connection to
the BlackBerry Infrastructure

Purpose Description
Establish secure You can install one or more instances of the BlackBerry Connectivity Node to add
device connections additional instances of the device connectivity components to your organization’s
to work resources domain. Each BlackBerry Connectivity Node contains the following BlackBerry
UEM components:
• BlackBerry Secure Connect Plus: Connects to the BlackBerry Infrastructure to provide
devices with a secure connection to work resources
• BlackBerry Secure Gateway: connects to the BlackBerry Infrastructure to
provide iOS devices with the MDM controls activation type with a secure connection
to your organization’s mail server
• BlackBerry Gatekeeping Service: Connects through the BlackBerry Infrastructure to
the primary BlackBerry UEM components and the Microsoft Exchange
Server or Microsoft Office 365 for Exchange ActiveSync gatekeeping
• BlackBerry Cloud Connector: Connects to the BlackBerry Infrastructure to
allow the BlackBerry Connectivity Node components to communicate with the
primary BlackBerry UEM components
The BlackBerry Connectivity Node also includes the BlackBerry Proxy, which maintains
the secure connection between your organization and the BlackBerry Dynamics NOC.
The BlackBerry Proxy does not use the 3101 connection.
Outbound connections: BlackBerry UEM to the BlackBerry Dynamics NOC
Your organization's firewall must allow TCP connections to the following IP ranges so that theBlackBerry
Proxy can connect to the BlackBerry Dynamics NOC:
• 206.124.114.1 to 206.124.114.254 (206.124.114.0/24) on port 443
• 206.124.121.1 to 206.124.121.254 (206.124.121.0/24) on port 443
• 206.124.122.1 to 206.124.122.254 (206.124.122.0/24) on port 443
Alternatively, you can configure your organization's firewall to allow connections to the following host names:
• gdentgw.good.com on port 443
• gdrelay.good.com on port 443
• gdweb.good.com on port 443
• gdmdc.good.com on port 443
If you do not configure a web proxy server for a BlackBerry Proxy instance, your organization’s internal and
external firewalls must allow connections over port 17533. If you configure BlackBerry Proxy to use BlackBerry

Dynamics Direct Connect, your organization’s external firewalls must allow connections over port 17533. For
more information about configuring BlackBerry Proxy, see the Configuration content.
Note: If you are using Samsung KNOX with BlackBerry Secure Connect Plus, all the device traffic, including
HTTP and TCP traffic, is redirected to BlackBerry UEM. For information on which ports must be open, visit
support.blackberry.com/community to read article 36470.
Outbound connections: Devices on a work Wi-Fi network
BlackBerry 10, iOS, Android, and Windows devices that use your work Wi-Fi network use the following outbound
ports to connect to the BlackBerry Infrastructure and external services. Configure your organization's firewall to
allow outbound two-way connections over these ports.
From To Purpose Protocol Port
BlackBerry 10 BlackBerry To connect to 1. HTTP CONNECT 443

Infrastructure *.rdns.blackberry.net to BlackBerry
and primary DNS host Infrastructure;
iceberg.blackberry.com if "Use creates tunnel from
cloud services to find more info device to BlackBerry
about the contacts that you add UEM outbound
to the Contacts app" is enabled to BlackBerry
in the Contacts settings. Infrastructure
2. TLS session between
device and BlackBerry
UEM

Infrastructure the <region>.bbsecure.com to BlackBerry
iOS
subdomain when activating the Infrastructure; creates
Android device. tunnel from device
to BlackBerry UEM
Windows devices
UEM

Infrastructure the <region>.bbsecure.com to BlackBerry
Android
subdomain so that Infrastructure; creates
administration commands can tunnel from device
be applied to the devices. to BlackBerry UEM
UEM
iOS BlackBerry To connect to TLS 443

Infrastructure the <region>.bbsecure.com
subdomain so that
administration commands can
be applied to the devices.

From To Purpose Protocol Port
Windows devices BlackBerry To connect to HTTPS; includes TLS 443

Infrastructure the <region>.bbsecure.com handshake using SNI
subdomain so that
administration commands can
be applied to the devices.
iOS APNs To connect to TCP 5223

gateway.push.apple.com to
receive notifications from
APNs.
Android FCM To connect to TCP 5228

android.apis.google.com
5229
(ports 5228 and 5229) and
android.googleapis.com (port 5230
5230) to receive notifications
from FCM.
Devices with BlackBerry Dynamics apps require outbound connections over the following ports:
• bxcheckin.good.com:443
• gdentgw.good.com:443
• gdmdc.good.com:49152
• gdmdc.good.com:443
• gdrelay.good.com:15000
• gdrelay.good.com:443
• gdweb.good.com:443
Intranet connections
Connections initiated by the BlackBerry UEM Core
To simplify administration and support certain device features, the BlackBerry UEM Core must be able to connect
to your organization's intranet applications. Examples of intranet applications include Microsoft Active Directory,
an LDAP directory, Microsoft Exchange, or an SMTP server.
Consult the documentation or support resources for your organization’s applications to identify the ports
that BlackBerry UEM must be able to access.
Intranet port configurations for BlackBerry Proxy
On each computer that hosts BlackBerry Proxy, verify that the following inbound ports are open, available, and not
used by other servers or processes:
• 17080
• 17433
The computer that hosts BlackBerry Proxy should have at least 30,000 ports in the dynamic TCP port allocation
for outbound connections to the BlackBerry Dynamics NOC (when Direct Connect is configured, these ports
become inbound).

To route connections from BlackBerry Dynamics apps through a web proxy server, the proxy server must support
the HTTP Connect command and must not require authentication. Your organization’s internal firewall must allow
connections over port 17533. If you do not configure a web proxy server for a BlackBerry Proxy instance, your
organization’s internal and external firewalls must allow connections over port 17533. For more information about
configuring BlackBerry Proxy, see the Configuration content.
Connections initiated by BlackBerry 10 devices
BlackBerry 10 devices can access your organization's internal applications through BlackBerry UEM using the
outbound-initiated port 3101 connection. Examples of internal applications include your organization's messaging
software, or work browser access to intranet sites (HTTP/HTTPS).
Consult the documentation or support resources for your organization’s applications to identify additional ports
that BlackBerry UEM must be able to access.
Access to internal data from devices
For iOS, Android, and Windows devices, BlackBerry UEM sends and receives only activation and management

data through the outbound-initiated port 3101 connection to the BlackBerry Infrastructure and the 443 connection
to the BlackBerry Dynamics NOC.
All other data, such as messaging data and data from third-party applications, require alternate inbound
connections from devices directly to the application. Consult the documentation or support resources for your
organization's messaging software and third-party applications to identify the ports that you must open, or
investigate alternate access methods such as VPN.
How BlackBerry UEM selects listening ports during installation

When you install BlackBerry UEM for the first time, the setup application determines whether default listening
ports are available for use. If a default port is not available, the setup application assigns a port value from the
range of 12000 to 12999. The setup application stores the port values in the BlackBerry UEM database.
When you install an additional BlackBerry UEM instance in the domain, the setup application retrieves the listening
port values from the database and uses those values for the current installation. If a defined listening port is not
available, you receive an error message stating that you cannot complete the installation until the port is available
for use.
The default values of some listening ports may have changed over the course of BlackBerry UEM releases. When
you upgrade BlackBerry UEM to a new version, the upgrade process retains the listening port values that were
defined by the original installation.
BlackBerry UEM listening ports
The following is a list of the default ports that the BlackBerry UEM setup application tries to use when you install
the first BlackBerry UEM instance in your organization’s domain. If a default port is not available, the setup
application assigns a port from the range of 12000 to 12999. Some listening ports require the default port and
cannot be assigned a different port value (see notes in the table below).
To check the minimum ports that must be open between BlackBerry UEM instances, or any assigned listening
port, see Check the ports assigned by the BlackBerry UEM setup application.
Note: BlackBerry UEM uses port 8889 for identity management for BlackBerry 10 devices and to handle SCEP
requests for BlackBerry Secure Connect Plus. BlackBerry UEM must be able to access this port to support devices
running BlackBerry 10 OS version 10.3 or later.

Default Name in database Purpose
port
1610 mdm.snmp.monitoring.udpport The BlackBerry UEM Core uses this port to provide

SNMP monitoring data.
1611 com.rim.p2e.snmp.monitoring.udpport SNMP clients can use this port to query monitoring
data for BlackBerry Secure Connect Plus.
1612 com.rim.asp.snmp.monitoring.udpport This is the default port that is used for SNMP
monitoring for the BlackBerry Secure Gateway. This
port can be changed in the management console.
1613 com.rim.platform.mdm.zed.snmp.monitoring.udpport
This is the default port that is used for SNMP
monitoring for the BlackBerry Cloud Connector.
1620 mdm.snmp.eventing.ipv4.udpport The BlackBerry UEM Core uses this port to send

SNMP notifications in an IPv4 environment.
3202 ec.gme.common.rcp.internal.port The active BlackBerry Affinity Manager listens

for RCP connections from the BlackBerry
Dispatcher on this port.
3203 ec.gme.common.bipp.bippe.port The BlackBerry Dispatcher listens for BIPPe

connections from the BlackBerry MDS Connection
Service on this port.
8000 ui.port.ssp BlackBerry UEM Self-Service and the management

console listen for HTTPS connections on this port.
443 ui.port.admin
If 443 is not available, the setup application tries
to use port 8008. If port 8008 is not available, the
setup application assigns a port from the range of
12000 to 12999.
8085 ec.gme.affinityManager.notification.port The active BlackBerry Affinity Manager listens on

for REST notifications on this port.
8087 com.rim.asp.proxy.listenPort The primary BlackBerry UEM components and

any BlackBerry Connectivity Node instances
send BlackBerry Secure Gateway traffic to this port.
8091 tomcat.bwcn.https.port The BlackBerry Work Connect Notification

Service listens on this secure SSL port.
8095 tomcat.public.https.port This port is reserved for secure REST

communication between external systems
and BlackBerry UEM plug-ins.
8100 ui.port.healthcheck The BlackBerry UEM Core uses this port to check

the status of the UEM management console.

port
8102 com.rim.p2e.monitoringservice.listenerPort The BlackBerry UEM Core uses this port to check

the status of BlackBerry Secure Connect Plus.
8103 com.rim.asp.monitoringservice.listenPort The BlackBerry UEM Core uses this port to obtain

the status of the BlackBerry Secure Gateway. The
status is displayed in the management console.
8182 bcs.mgmt.port The BlackBerry UEM Core uses this port to obtain

the status of the BlackBerry Collaboration Service.
8448 ui.port.internal-api The BlackBerry UEM Core and the management

console and BlackBerry UEM Self-Service use this
port for internal communication.
8543 The BlackBerry UEM management console uses

this port when an administrator or user logs in to
the management console or BlackBerry UEM Self-
Service using certificate-based authentication.
8881 tomcat.bdmi.certicom.https.port The BlackBerry UEM Core uses this port to receive

management requests for BlackBerry 10 devices.
The connection uses mutual authentication with
ECC certificates.
8882 tomcat.enrol.http.port The BlackBerry UEM Core uses this port to receive

enrolment requests for BlackBerry 10 devices.
8883 tomcat.enrol.https.port The BlackBerry UEM Core uses this port to receive

enrolment requests for iOS, Android, and Windows
Phone devices.
8884 tomcat.bdmi.bouncycastle.https.port The BlackBerry UEM Core uses this port to

receive management requests for iOS, Android,
and Windows Phone devices. The connection uses
mutual authentication with RSA certificates.
8885 tomcat.applemdm.https.port The BlackBerry UEM Core uses this additional port

to receive management requests for iOS devices.
The connection uses mutual authentication
with RSA certificates.
8887 tomcat.ipc.https.port The BlackBerry UEM Core and the management

console use this port for authenticated connections
to check the status of BlackBerry UEM instances.

port
8889 tomcat.scep.https.port The BlackBerry UEM Core uses this port for identity

management for BlackBerry 10 devices and to
handle SCEP requests for BlackBerry Secure
Connect Plus (the BlackBerry UEM Core acts as the
CA).
Note: BlackBerry UEM must be able to access port
8889 to support devices running BlackBerry 10 OS
version 10.3 or later.
8890 tomcat.e2c.https.port When BlackBerry Secure Connect Plus and

the BlackBerry Gatekeeping Service are installed
remotely as part of a BlackBerry Connectivity
Node, these components use this port to
obtain configuration and authorization data
and certificates. The BlackBerry Gatekeeping
Service also uses this port for gatekeeping
operations.
8891 tomcat.i2c.https.port Certain BlackBerry Infrastructure services use

this mutually authenticated port to connect
with BlackBerry UEM.
8892 tomcat.e2c.local.https.port When BlackBerry Secure Connect Plus and

the BlackBerry Gatekeeping Service are installed
with the primary BlackBerry UEM components,
they use this port to obtain configuration and
authorization data and certificates. The BlackBerry
Gatekeeping Service also uses this port for
gatekeeping operations.
8893 tomcat.bb2fa.local.http.port This port supports connections to the BlackBerry

UEM Core from the BlackBerry 2FA app
on BlackBerry 10 devices (10.3.2 or earlier).
8894 tomcat.core.health.check.http.port The BlackBerry UEM Core health can be collected

on this port. This functionality is available only for
deployments of BlackBerry UEM Cloud.
8895 tomcat.i2c.basic.https.port The BlackBerry UEM Core uses this port is to

receive requests from external services such
as BEMS, BlackBerry Connect, and BlackBerry
Workspaces.
8896 tomcat.dynamics.apps.https.port BlackBerry UEM listens on this port for REST

requests from BlackBerry Dynamics apps. This port
uses GDAuthToken-based authentication.

port
8897 tomcat.bdmi.wp8.https.port BlackBerry UEM listens on this port when you

are upgrading BlackBerry UEM so that it can
communicate with Windows Phone 8 devices. For
more information, visit support.blackberry.com/
community to read article 48098.
8900 winservice.bgs.https.port The BlackBerry Gatekeeping Service listens on this

secure SSL port.
10080 ec.gme.mdscs.web.server.listenport The BlackBerry MDS Connection Service listens for

enterprise push data on this HTTP port.
10443 ec.gme.mdscs.web.server.listensslport The BlackBerry MDS Connection Service listens for

enterprise push data on this HTTPS port. This port
is used when you turn on push encryption.
11001 com.rim.p2e.endpoint.listenerPort BlackBerry Secure Connect Plus uses this port to

listen for signaling requests from the BlackBerry
Infrastructure.
17080 good.proxy.appservers.http.listening.port BlackBerry Proxy listens on this port for

connections from application servers.
Note: The default port must be used. The setup
application does not assign an alternate port if the
default port is not available.
17317 good.control.container.management.listening.port
BlackBerry UEM listens on this port for BlackBerry
Dynamics container management data.
17433 good.proxy.appservers.ssl.listening.port BlackBerry Proxy listens on this port for SSL

17533 good.proxy.container.ssl.listening.port BlackBerry Proxy listens on this port for SSL

connections.
18084 tomcat.bws.port Applications can use this port to send data to

the BlackBerry Web Services.

port
38082 com.rim.platform.mdm.core.proxy.adam.endpoint.port
The BlackBerry UEM Core listens on this port
to route email notification traffic through
the BlackBerry Infrastructure to the APNs
for iOS devices.
38083 com.rim.platform.mdm.core.proxy.direct.endpoint.port
The BlackBerry UEM Core listens on this port
for migration requests when you move devices
from BES10 to BlackBerry UEM.
38086 com.rim.platform.mdm.core.proxy.apns.endpoint.port
Your organization’s TCP proxy server or
the BlackBerry Router listens on this port for data
that BlackBerry UEM sends to the APNs.
38087 com.rim.platform.mdm.core.proxy.cirr.endpoint.port
The BlackBerry UEM Core listens on this
port to route traffic for BlackBerry Enterprise
Identity through the BlackBerry Infrastructure.
Minimum ports to open between BlackBerry UEM instances
If your organization’s domain has more than one BlackBerry UEM instance, note the following requirements:
• The active BlackBerry Affinity Manager must be able to connect to and poll the health of each instance
of the BlackBerry Dispatcher in the domain. For this purpose, ports 139 and 445 must be open between
each BlackBerry UEM instance.
• If you install the device connectivity components (the BlackBerry Connectivity Node) on a separate
computer, your organization's firewall must allow connections from that computer over port 443 through
the BlackBerry Infrastructure (<region>.bbsecure.com) to activate the BlackBerry Connectivity Node. All
other outbound connections from the BlackBerry Connectivity Node use port 3101 through the BlackBerry
Infrastructure (<region>.bbsecure.com).
• If you are migrating data from one BlackBerry UEM instance to another, the ports that must be open between
the source and destination servers are 8887 (TCP) and 35844 (TCP) for BlackBerry UEM and static ports 1433
(TCP) and 1434 (UDP) for Microsoft SQL Server.
• The following listening ports must be open between each instance. The default port values are listed. After
you install the first instance, you can verify the listening port values that the setup application defined. For
instructions, see Check the ports assigned by the BlackBerry UEM setup application.

port
3202 ec.gme.common.rcp.internal.port The active BlackBerry Affinity Manager listens

for RCP connections from the BlackBerry
Dispatcher on this port.

port
8000 ui.port.ssp BlackBerry UEM Self-Service and the management

console listen for HTTPS connections on this port.
443 ui.port.admin
If 443 is not available, the setup application tries
to use port 8008. If port 8008 is not available, the
setup application assigns a port from the range of
12000 to 12999.
8085 ec.gme.affinityManager.notification.port The active BlackBerry Affinity Manager listens for

REST notifications on this port.
8448 ui.port.internal-api The BlackBerry UEM Core, the management

console, and BlackBerry UEM Self-Service use this
port for internal communication.
8887 tomcat.ipc.https.port BlackBerry UEM uses this port for authenticated

connections to check the status of BlackBerry
UEM instances.
8896 tomcat.dynamics.apps.https.port BlackBerry UEM listens on this port for REST

requests from BlackBerry Dynamics apps. This port
uses GDAuthToken-based authentication.
17080 good.proxy.appservers.http.listening.port BlackBerry Proxy listens on this port for

Note: The default port value must be used. The
setup application does not assign an alternate port
value if the default port is not available.
17317 good.control.container.management.listening.port
BlackBerry Control listens on this port
for BlackBerry Dynamics container management
data.
17433 good.proxy.appservers.ssl.listening.port BlackBerry Proxy listens on this port for SSL

17533 good.proxy.container.ssl.listening.port BlackBerry Proxy listens on this port for SSL

connections.

Check the ports assigned by the BlackBerry UEM setup application
When you install the first instance of BlackBerry UEM, the setup application assigns the listening ports and stores
them in the BlackBerry UEM database. You can run the following script on the BlackBerry UEM database to check
the minimum ports that must be open between each BlackBerry UEM instance.
You can change the "WHERE name in" portion of this script to retrieve the port value for any listening port by
adding the database name of the port. See BlackBerry UEM listening ports for the database name associated with
each listening port.
SELECT vgcs.name, vgcs.value

FROM v_global_cfg_setting vgcs WHERE name in
('ec.gme.common.rcp.internal.port',
'ui.port.ssp',
'ui.port.admin',
'ec.gme.affinityManager.notification.port',
'tomcat.udui.http.port',
'tomcat.dynamics.apps.https.port',
'ui.port.internal-api',
'tomcat.ipc.https.port',
'good.proxy.appservers.http.listening.port',
'good.control.container.management.listening.port',
'good.proxy.appservers.ssl.listening.port',
'good.proxy.container.ssl.listening.port')
ORDER BY name;
Preinstallation and preupgrade tasks

Complete the following tasks, if required, before you install or upgrade to BlackBerry UEM.
Task Install BlackBerry Upgrade

UEM to BlackBerry UEM
Log into myAccount and download the BlackBerry UEM software Yes Yes

under Product Resources > Server Software Download.
Configure permissions for the service account Yes Yes
Set an environment variable to point to the Java location on each Yes Yes

server where you will install BlackBerry UEM.
Configuring connections for the BlackBerry UEM database Yes Yes
Backing up the databases No Optional
Creating or upgrading a BlackBerry UEM database using Optional Optional

CreateDB
Performing a test upgrade of the BlackBerry UEM and BlackBerry No Optional

Control databases
BlackBerry UEM Readiness Tool Optional Optional

Task Install BlackBerry Upgrade
UEM to BlackBerry UEM
Activate all BlackBerry Connectivity Nodes No Yes
Configuring database high availability Optional Optional
Make sure that your perpetual licenses are supported. See the Yes Yes
Licensing content or visit support.blackberry.com/community to
read article 36537.
Configure permissions for the service account

A service account is a Windows account that runs the services for BlackBerry UEM. The service account
must be a member of the local Administrators group with default policy settings on the computer that you
install BlackBerry UEM on, and must have the Log on as a service permission. The service account must also have
permission to access the Microsoft SQL Server.
If your organization's environment includes another EMM solution from BlackBerry, you can use the same
service account to install BlackBerry UEM. Otherwise, create a service account in your company directory or a
local Windows account on the computer that you want to install BlackBerry UEM on.
Note: If you use Microsoft SQL Server authentication to connect to the BlackBerry UEM database, the BlackBerry
UEM services run under the Local System account.
1. On the taskbar, click Start > Administrative Tools > Computer Management.
2. In the left pane, expand Local Users and Groups.
3. Navigate to the Groups folder.
4. In the right pane, double-click Administrators.
5. Click Add.
6. In the Enter the object names to select field, type the name of the service account (for example, BESAdmin).
7. Click OK.
8. Click Apply.
9. Click OK.
10.On the taskbar, click Start > Administrative Tools > Local Security Policy.
11.In the left pane, expand Local policies.
12.Click User Rights Assignment.
13.Configure Log on as a service permission for the service account.
Set an environment variable for the Java location

BlackBerry UEM requires you to install a JRE 8 implementation on the servers where you will install BlackBerry
UEM, and that you have an environment variable that points to the Java home location. For more information
about supported JRE versions, see the Compatibility matrix. When you begin the installation, BlackBerry
UEM verifies that it can find Java. If you have installed the Oracle Java SE Runtime Environment in the default
location, BlackBerry UEM will find it and automatically set the environment variable. If BlackBerry UEM can't find
Java, the setup application will stop and you must set an environment variable for the Java location and ensure
that the Java bin folder is included in the Path system variable.
Before you begin: Verify that you have installed a supported JDK on the server where you will be
installing BlackBerry UEM.

1. Open the Windows Advanced system settings dialog box.
2. Click Environment Variables.
3. Under the System variables list, click New.
4. In the Variable name field, type BB_JAVA_HOME.
5. In the Variable value field, type the path to the Java installation folder and click OK.
6. In the System variables list, select Path and click Edit.
7. If the Path doesn't include the Java bin folder, click New and add %BB_JAVA_HOME%\bin to the Path.
8. Move the %BB_JAVA_HOME%\bin entry high enough in the list that it won't be superseded by another
entry and click OK.
Configuring connections for the BlackBerry UEM database

The BlackBerry UEM database is created using the BlackBerry UEM setup application or by running CreateDB
using the command prompt window. BlackBerry UEM can connect to the BlackBerry UEM database
using Windows authentication or Microsoft SQL Server authentication.
You can connect to the BlackBerry UEM database using one of the following:
• Service account that you use to complete the installation process
• Windows administrator account that has create_db role permissions
• Microsoft SQL Server account that you specify during the installation process
Specifying database permissions to create the BlackBerry UEM database
Depending on the database option and the type of authentication that you select, you might need to assign
database creator permissions to one of the following:
• Service account that you use to complete the installation process
• Microsoft SQL Server account that you specify during the installation process
Database option Database permission
Install Microsoft SQL If you choose Windows authentication, the setup application

Server Express during automatically assigns the required database permissions to the service
the BlackBerry UEM installation account
Use an existing Microsoft SQL You must add the service account or Microsoft SQL Server account to
Server in your organization's the dbcreator server role
environment
Verifying database permissions to upgrade the BlackBerry UEM database
BlackBerry UEM connects to the BlackBerry UEM database on the database server using the login information that
you specified during the installation process (Windows authentication or Microsoft SQL Server authentication).
If you want to use the setup application to upgrade BlackBerry UEM, the service account or Microsoft SQL
Server account must have permissions on the database server.
You can configure database permissions using Microsoft SQL Server roles. You must verify that the service
account or Microsoft SQL Server account is a member of the dbcreator server role.
The Microsoft SQL Server account must have dbo as its default schema. For more information, visit http://
support.blackberry.com/kb to read article 39316.

Configuring database permissions using Microsoft SQL Server roles
The setup application requires the service account or Microsoft SQL Server account that it uses during the
installation or upgrade process to have permissions on the database server to create or upgrade the BlackBerry
UEM database. After the installation or upgrade process completes, you can change the database permissions for
the service account or Microsoft SQL Server account to the minimum permissions that BlackBerry UEM requires
to run.
When you change the database permissions, you can use Microsoft SQL Server security to minimize
the operations that the service account or Microsoft SQL Server account can perform on the BlackBerry
UEM database. The Microsoft SQL Server roles that are required by the setup application and BlackBerry UEM are
as follows:
Database role Description
db_owner The setup application or CreateDB automatically adds the account that
you use to create the BlackBerry UEM database to this role.
This role contains the minimum permissions that the setup application
or CreateDB requires to upgrade the BlackBerry UEM database.
Configure minimum database permissions for the service account or Microsoft SQL Server account
You can configure minimum database permissions for the service account or Microsoft SQL Server account
that BlackBerry UEM uses to connect to the BlackBerry UEM database.
Before you begin: Add a different Windows account or Microsoft SQL Server account to the db_owner database
role for the BlackBerry UEM database.
1. Open the Microsoft SQL Server Management Studio.
2. Expand Microsoft SQL Server > Security > Logins.
3. Right-click the service account or Microsoft SQL Server account. Click Properties.
4. Click User Mapping. Select the BlackBerry UEM database.
5. In the Users mapped to this login section, select bes.
6. In the Database role membership for section, select rim_db_bes_server.
7. Remove all other database role memberships except for rim_db_bes_server and public.
8. Click OK.
Backing up the databases

The setup application automatically backs up the databases as part of the upgrade process.
You can also use the backup tool that is a part of Microsoft SQL Server to back up the BlackBerry
UEM and BlackBerry Control databases. For more information, see the Microsoft documentation for Microsoft
SQL Server.
Creating or upgrading a BlackBerry UEM database using CreateDB

Note: You cannot upgrade a BES10 database to a BlackBerry UEM database.
If your organization's security policies do not allow applications to have permissions to create or upgrade
databases, you can run CreateDB on the database server to create a BlackBerry UEM database or upgrade to
a BlackBerry UEM database instead of using the setup application. After you create or upgrade to the BlackBerry

UEM database using CreateDB, you can run the setup application using a service account that has minimum
permissions on the database server.
Create a BlackBerry UEM database using CreateDB
Before you begin: Verify that you configured the correct permissions on the database server.
Note: If you do not want to run CreateDB on the database server, you must run it on a computer where BlackBerry
UEM is installed. The computer must be able to connect to the computer that hosts the database server that you
want to create or upgrade the BlackBerry UEM database on.
1. If you use a Windows account to create the BlackBerry UEM database, log in to the computer using
a Windows account that has database creator permissions.
2. Copy the BlackBerry UEM installation files to the computer and extract the contents to a folder.
Do not copy used installation files from another computer. You must re-extract the installation files on each
computer.
3. Navigate to <extracted_folder>\tools\ext.
4. Double-click the jre.exe file.
5. In the Java Setup screen, click Install.
6. Click Close.
7. Navigate to <extracted_folder>\tools\ext\UnlimitedJCEPolicyJDK8.
8. Copy all of the files from the UnlimitedJCEPolicyJDK8 folder.
9. Navigate to <java_install_dir>\lib\security.
10.Paste the files that you copied from the UnlimitedJCEPolicyJDK8 folder in the security folder.
11.Navigate to <extracted_folder>\db.
12.Open the CreateDB.properties file in a text editor.
13.Change the file to include information that is specific to your organization's environment.
For more information on the contents of the createDB. properties file, see CreateDB.properties file .
14.Save and close the file.
15.Open a command prompt window.
16.Change the directory to <extracted_folder>\db.
17.Type one of the following commands to create or upgrade to a BlackBerry UEM database:
Database configuration Steps
Create a BlackBerry Type CreateDB.bat install CreateDB.properties.

UEM database Press ENTER.
Upgrade to a BlackBerry Type CreateDB.bat upgrade CreateDB.properties.

UEM database Press ENTER.
After you finish: Delete the CreateDB.properties file after you create or upgrade the BlackBerry UEM database.
CreateDB.properties file
The following properties apply to the CreateDB.properties file, which contains configuration information for
CreateDB.

Property Description
Database type (BlackBerry UEM) This property specifies the type of database for BlackBerry UEM.
By default, the database type property is
"configuration.database.ng.type=SQL_SERVER".
You should not modify this property as it is a default setting.
Database server name (BlackBerry This property specifies the database server name that hosts the
UEM) database to create or upgrade to BlackBerry UEM.
By default, the database server name property is
"configuration.database.ng.server=localhost".
Database instance name This property specifies the database instance name to create or upgrade
(BlackBerry UEM) to BlackBerry UEM.
If you use a Microsoft SQL Server instance name;
by default, the database instance name property is
"configuration.database.ng.instance=Microsoft_SQL_Server_instance
name".
Note: The default Microsoft SQL Server instance name in the
CreateDB.properties file is UEM.
If you use another Microsoft SQL Server instance name than UEM,
configure the database instance name property to change UEM to your
Microsoft SQL Server instance name.
If you do not use a Microsoft SQL Server named instance, verify that
the Microsoft_SQL_Server_instance name value is deleted.
Database port (BlackBerry UEM) This property specifies the port that the database server uses.
If you use a dynamic port configuration, verify that you have no ports
listed for this property.
By default, the database port property uses a dynamic port configuration
and you do not need to configure this property.
If you use a static port configuration, configure your database port as
"configuration.database.ng.port=static_port_number".
Note: If you specify a static port, leave the database instance name
property blank.
Database name (BlackBerry UEM) This property specifies the name of the Microsoft SQL Server database
for BlackBerry UEM.
By default, the database name property is
"configuration.database.ng.name=UEM".

Authentication type (BlackBerry This property specifies the authentication type as follows:
UEM)
• Windows authentication - by default, configured as INTEGRATED in
this properties file
• Microsoft SQL Server authentication - can be configured as USER in
this properties file
If you use Windows authentication, by default your authentication type is
"configuration.database.ng.authenticationtype=INTEGRATED".
Note: If you use Windows authentication, you do not need to configure a
user and password in the createdb.properties file.
If you use Microsoft SQL Server authentication,
configure your authentication type as
"configuration.database.ng.authenticationtype=USER".
Username and Password If you use Microsoft SQL Server database authentication, these

- Microsoft SQL properties specify the username and password for the database account
Server authentication (USER) that has database creator permissions.
(BlackBerry UEM)
By default, the username property you configure
for Microsoft SQL Server authentication (USER) is
"configuration.database.ng.user=user_name".
By default, the password property you configure
for Microsoft SQL Server authentication (USER) is
"configuration.database.ng.password=password".
Performing a test upgrade of the BlackBerry UEM and BlackBerry Control databases

You can perform a test upgrade of the BlackBerry UEM and BlackBerry Control databases to help you identify and
address issues that might occur during the database upgrade without affecting your production environment. You
can also find out how long it takes to upgrade the BlackBerry UEM and BlackBerry Control databases.
To perform a test upgrade of the BlackBerry UEM and BlackBerry Control databases, complete the following
steps:
1. Back up the BlackBerry UEM database.
2. Back up the BlackBerry Control database.
3. Restore the backup versions of the BlackBerry UEM and BlackBerry Control databases to a database server
that does not host the BlackBerry UEM and BlackBerry Control databases.
4. Run CreateDB using the command prompt window.
Perform a test upgrade of the BlackBerry UEM and BlackBerry Control databases
This task should be performed by a database administrator with the appropriate permissions to back up, restore,
and upgrade the BlackBerry UEM and BlackBerry Control databases.
Note: If you do not want to run CreateDB on the database server, you must run it on a computer where BlackBerry
UEM is installed. The computer must be able to connect to the computer that hosts the database server that you
want to perform a test upgrade of the BlackBerry UEM and BlackBerry Control databases on.
Before you begin: Verify that you configured the correct permissions on the database server that you want to
perform a test upgrade of the BlackBerry UEM and BlackBerry Control databases on.

1. Log in to the computer that hosts the database server for the BlackBerry UEM and BlackBerry
Control databases.
2. Back up the BlackBerry UEM database.
3. Back up the BlackBerry Control database.
4. Log in to a computer that hosts a database server that you want to perform a test upgrade of the BlackBerry
UEM database on.
5. Restore the backup version of the BlackBerry UEM and BlackBerry Control databases.
6. Copy the BlackBerry UEM installation files to the computer.
computer.
7. Extract the contents to a folder on the computer.
8. Navigate to <extracted_folder>\tools\ext\UnlimitedJCEPolicyJDK8.
9. Copy all of the files from the UnlimitedJCEPPolicyJDK8 folder.
10.Navigate to <java_install_dir>\lib\security.
11.Paste all of the files that you copied from the UnlimitedJCEPPolicyJDK8 folder into the security folder.
12.Navigate to <extracted_folder>\db.
13.Open the CreateDB.properties file in a text editor.
14.Change the file to include information that is specific to your organization's environment.
For more information on the contents of the createDB. properties file, see CreateDB.properties file .
15.Save and close the file.
16.Open a command prompt window.
17.Change the directory to <extracted_folder>\db.
18.Type CreateDB.bat upgrade CreateDB.properties and press ENTER.
BlackBerry UEM Readiness Tool

You can use the BlackBerry UEM Readiness Tool to check system requirements before you run the BlackBerry
UEM setup application. The BlackBerry UEM Readiness Tool is included with the BlackBerry UEM software. You
can also download the tool from myAccount
The BlackBerry UEM Readiness Tool checks the following requirements:
• Proxy server setting validation
• Minimum operating system requirements
• Minimum hard disk space
• Secure connection
• SRP connection
• Connection to the BlackBerry Dynamics NOC
• Required ports
• Account permissions
• Database validation
The BlackBerry UEM Readiness Tool does not check for Microsoft .NET Framework 4.5.
Configuring database high availability using Microsoft SQL Server AlwaysOn

Before you install BlackBerry UEM, decide if you want to configure high availability for the BlackBerry
UEM database. Database high availability allows you to retain database service and data integrity if issues occur
with the BlackBerry UEM database.

You can use one of the following Microsoft SQL Server features for database high availability:
• AlwaysOn Failover Cluster Instances (FCI) for Microsoft SQL Server 2012, 2014, or 2016 (Standard Edition)
• AlwaysOn Availability Groups for Microsoft SQL Server 2012, 2014, or 2016 (Enterprise Edition)
• Database mirroring for Microsoft SQL Server 2012 or 2014
If you want to use an AlwaysOn feature, you must complete configuration steps before you install BlackBerry
UEM. This section gives you instructions for configuring database high availability using AlwaysOn.
You can configure database mirroring any time after you install BlackBerry UEM. For instructions, see the
Configuration content.
Note: Microsoft recommends using AlwaysOn because database mirroring will be deprecated in a future version
of Microsoft SQL Server.
AlwaysOn high availability
BlackBerry UEM supports AlwaysOn using a Failover Cluster Instance (FCI) or availability group. Both methods
require a Windows Server Failover Clustering (WSFC) cluster where independent servers interact to provide a high
availability solution for databases. For more information about WSFC, visit the MSDN Library to see Windows
Server Failover Clustering (WSFC) with SQL Server.
Instance-level high availability using an AlwaysOn Failover Cluster Instance

An FCI is an instance of Microsoft SQL Server that is installed across multiple computers (or “nodes”) in a
WSFC cluster. The nodes are members of a resource group, and all nodes have shared access to the BlackBerry
UEM database. One of the nodes has ownership of the resource group and gives the BlackBerry UEM components
access to the BlackBerry UEM database. If the node that owns the resource group becomes unavailable (for
example, a hardware or OS failure), a different node takes ownership of the resource group. As a result, BlackBerry
UEM database service continues with minimal interruption.
For more information, visit the MSDN Library to see AlwaysOn Failover Cluster Instances (SQL Server).
Database-level high availability using an AlwaysOn availability group

To use an availability group, you configure a WSFC cluster with multiple nodes. Each node is a separate computer
that has an instance of Microsoft SQL Server. One of the nodes hosts the primary BlackBerry UEM database
and gives the BlackBerry UEM components read-write access. This node is the “primary replica.” The WSFC
cluster can have one to eight other nodes, each hosting a secondary database (a read-only copy of the BlackBerry
UEM database). These nodes are “secondary replicas.”
The primary database synchronizes data with the secondary databases. Data is synchronized with each
secondary database independently. If one secondary database is unavailable, it does not affect the other
secondary databases. You can configure the data synchronization to be asynchronous (delayed synchronization
with minimal transaction latency) or synchronous (faster synchronization with increased transaction latency).
Automatic failover requires the primary replica and secondary replicas to use synchronous-commit mode.
If you configure an availability group for automatic failover and the primary database becomes unavailable, one
of the secondary replicas becomes the primary replica. That replica’s secondary database becomes the primary
database. As a result, BlackBerry UEM database service continues with minimal interruption.
For more information, visit the MSDN Library to see Overview of AlwaysOn Availability Groups (SQL
Server) and AlwaysOn Availability Groups (SQL Server).
Preinstallation tasks
Before you install BlackBerry UEM, perform the following actions:

• Create a WSFC cluster. It is recommended to use static port 1433 for the database server. For requirements
and instructions, visit the Technet Library to see Create a Failover Cluster.
• If you want to use an AlwaysOn FCI:
• Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Before Installing
Failover Clustering.
• Configure the FCI. Visit the MSDN Library to see Create a New SQL Server failover Cluster (Setup).
• If you want to use an AlwaysOn availability group:
• Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Prerequisites,
Restrictions, and Recommendations for AlwaysOn Availability Groups (SQL Server).

• Enable the availability groups feature and complete the initial setup tasks, including creating an availability
group listener. You will set up the primary replica and secondary replicas after you install BlackBerry
UEM and create the BlackBerry UEM database. Visit the MSDN Library to see Getting Started with AlwaysOn
Availability Groups.
Install BlackBerry UEM and configure support for database high availability
1. Verify that your environment meets the requirements for installing BlackBerry UEM.
2. Follow the instructions in Installing or upgrading the BlackBerry UEM software. When you run the setup
application:
• On the Database information screen, when you specify the Microsoft SQL Server name, type one of the
following:
•
If you are using an AlwaysOn FCI, type the SQL Virtual Server Network Name for the WSFC cluster (for
example, CompanySQLCluster).
• If you are using an AlwaysOn availability group, type the Availability Group Listener Virtual Network
Name (for example, CompanyListener).
• On the Database information screen, it is recommended that you use the Static port option and use the
default port 1433.
3. Complete any postinstallation tasks described in this guide.
After you finish:
• If you want to install another BlackBerry UEM instance connecting to the same BlackBerry UEM database,
repeat these steps.
• If you are using an FCI, use the Failover Cluster Manager tool to manage the FCI and failover settings.
• If you are using an availability group, use Microsoft SQL Server Management Studio to set up the primary
replica and secondary replicas and to configure failover settings. Visit the MSDN Library to see Getting Started
with AlwaysOn Availability Groups and Use the Availability Group Wizard (SQL Server Management Studio).
Choose the option to create a full backup for the secondary databases and specify a shared network location
that all replicas can access.
Prerequisites: Installing or upgrading the BlackBerry UEM software

For installation and upgrade:
• Verify that you opened the necessary ports on your organization's firewall.
• Verify that you installed all required third-party applications. As of version 12.10, JRE is not installed
with BlackBerry UEM.
• Ensure that Windows is up to date and that you perform any reboot required for the update.
• If you perform the installation or upgrade process on a computer that has more than one NIC, verify that the
production NIC is first in the bind order in the Windows network settings.
• If your organization uses a proxy server for Internet access, verify that you have the computer name, port
number, and credentials for the proxy server.
• When you run the setup application, use only standard characters to specify values. Unicode characters are
not supported.
• If a Windows host operating system is configured in a workgroup instead of a domain, verify that you
configured the primary DNS suffix. For information on configuring the primary DNS suffix, visit the Microsoft
support website.
• If you plan to install BlackBerry UEM in a DMZ, read Installing BlackBerry UEM in a DMZ.

• If you plan to use an existing Microsoft SQL Server to host the BlackBerry UEM database, ensure that the no
count setting for the SQL Server is disabled.
For upgrade only:
• Review Supported upgrade environments.
• Verify that the BlackBerry UEM service account has local administrator permissions on each computer.
• Do not add any files to the folder that contains the BlackBerry UEM installation files. The setup application
removes these files during the upgrade.
• Perpetual licenses are issued for specific versions of BlackBerry UEM and are not compatible with later
versions. If perpetual licenses are covered by a valid support contract, automatic version updates are
supported.
• The Microsoft SQL Server account must have dbo as its default schema.
• If your organization uses Apple VPP accounts, after you upgrade you must generate a new .vpp token file and
edit your Apple VPP account information at Apps > iOS App licenses.
Installing or upgrading the BlackBerry UEM software

Install a new BlackBerry UEM instance
When you run the setup application, use only standard characters to specify values. Unicode characters are not
supported.
If you want to install the device connectivity components only (also known as the BlackBerry Connectivity Node),
see Creating server groups and installing BlackBerry Connectivity Node instances.
Before you begin:
• If you install BlackBerry UEM behind a firewall, it cannot connect to the BlackBerry Infrastructure until
you configure the proxy server. BlackBerry UEM prompts you the first time you log in to the BlackBerry
UEM management console.
• Installing BlackBerry UEM to a mapped network drive is not supported.
Note: Do not add any files to the folder that contains the BlackBerry UEM installation files. The setup application
deletes these files when you reinstall or upgrade BlackBerry UEM.
1. Log in to the computer that you want to install BlackBerry UEM on using the service account.
computer.
3. In the BlackBerry UEM installation folder, double-click Setup.exe. If a Windows message appears and requests
permission for Setup.exe to make changes to the computer, click Yes.
4. In the Language selection dialog box, select your language.
5. Click OK.
6. In the BlackBerry UEM setup application screen, click Next.
7. In the License agreement dialog box, perform the following actions:
a) Select your country or region.
b) Read the license agreement. To accept the license agreement, select I accept the terms of the license
agreement.
c) Click Next.
8. In the Component selection dialog box, check the boxes for the components you want to install on the
computer. Click Next.

For information about the components, see the Planning content. If you want to install the device connectivity
components only (also known as the BlackBerry Connectivity Node), see Creating server groups and
installing BlackBerry Connectivity Node instances.
9. In the Installation requirements dialog box, you can check to see if your computer has met the requirements to
install BlackBerry UEM. Click Next.
The setup application may display a warning that indicates that Microsoft .NET Framework 4.5 is not
installed. You can ignore this warning and proceed with the installation. The setup application will
automatically install Microsoft .NET Framework 4.5 for you if it is not detected on your computer. If a later
version of Microsoft .NET Framework is already installed, the BlackBerry UEM setup application does not
install Microsoft .NET Framework 4.5.
10.In the Setup type dialog box, select Create a BlackBerry UEM database, and then perform one of the following
actions:
• Select Install and use Microsoft SQL Server 2016 Express SP1 on this computer if you do not
have Microsoft SQL Server installed.
• If you already have a supported version of Microsoft SQL Server installed, select Use an existing Microsoft
SQL Server instance in your organization's environment.
You can install the database server on the same computer or use an existing database server in your
organization's environment (local or remote).
11.Click Next.
12.If you selected Use an existing Microsoft SQL Server instance in your organization's environment, in
the BlackBerry UEM database dialog box, fill out the fields:
a) In the Microsoft SQL Server name field, type the name of the computer that hosts the database server.
b) In the Database name field, type a name for the new database.
c) If you configured the database server to use static ports, select the Static option. If the static port number
is not 1433, in the Port field, type the port number.
d) By default, the setup application uses Windows authentication to connect to the existing database. If you
select Microsoft SQL Server authentication, specify a Windows account that has access to the Microsoft
SQL Server.
e) Click Next.
13.In the BlackBerry UEM configuration dialog box, click Next to confirm the BlackBerry UEM host and domain
names.
14.In the Folder locations dialog box, perform the following actions:
a) Specify the location of the installation folder and log file folder.
b) If you receive a message saying there is not enough space remaining, create extra space to
install BlackBerry UEM on your computer.
c) If you receive a message asking you to create the installation and log file folder locations, click Yes.
15.Click Next.
16.In the Service account dialog box, type the Windows password and click Next.
17.In the Installation summary dialog box, click Install to install BlackBerry UEM.
18.In the Installing dialog box, click Next when the installation is complete.
19.In the Console addresses dialog box, perform one of the following actions:
• Click Close if you do not want to export your console addresses to a file.
• Select the Export the console addresses to a file check box and save the file on your computer. Click Close.
After you finish:

• You can install more than one BlackBerry UEM instance in the domain to create a high availability
configuration that minimizes service interruptions for device users. For more information about high
availability, see the Configuration content.
• If you want to configure BlackBerry UEM to use a proxy server, see the Configuration content.
• Do not create a shared folder within the installation folder after you install BlackBerry UEM. If you reinstall or
upgrade BlackBerry UEM, all of the files and folders in the installation folder are deleted, including the shared
folder.
• If an error message for RRAS appears in the Server Manager window, you can disregard it.
Upgrade BlackBerry UEM version 12.8 and later to BlackBerry UEM version 12.10

Before you begin: If you are upgrading multiple instances of BlackBerry UEM, see Upgrade a domain that consists
of multiple instances of BlackBerry UEM.
1. Log in to the computer using the service account that runs the BlackBerry UEM services.
computer.
3. Navigate to <extracted_folder>.
4. In the BlackBerry UEM installation files, double-click setup.exe.
If a Windows message appears and requests permission for setup.exe to make changes to the computer,
click Yes.
6. Click OK.
7. In the BlackBerry UEM setup application screen, click Next to start the upgrade process.
8. In the License agreement dialog box, perform the following actions:
a) Select your country or region.
b) Read the license agreement. To accept the license agreement, select I accept the terms of the license
agreement.
c) Click Next.
9. In the Installation requirements dialog box, you can check to see if your computer has met the requirements to
install BlackBerry UEM. Click Next.
10.In the Service account dialog box, type the Windows password and click Next.
11.In the Installation summary dialog box, click Install.
12.When the upgrade process completes, click Next, then Close.
Upgrade a domain that consists of multiple instances of BlackBerry UEM

Tip: During the first stage of the upgrade, you can set the start.windows.services parameter in the
deployer.properties file to false when you upgrade each instance so that the services do not start automatically
and you can proceed to the second stage.
CAUTION: If the recommended upgrade path is to upgrade BlackBerry UEM versions in stages, then you
must upgrade all instances to the first stage, restart them and upgrade them all to the second stage. For
example, if you are running BES12 version 12.5, you must upgrade all instances to BlackBerry UEM version
12.7 before you upgrade them to BlackBerry UEM version 12.9. After you upgrade the instances to version

12.7, synchronize the environment, restart the instances and upgrade them to BlackBerry UEM version
12.9.
1. Shut down all instances of BlackBerry UEM in the domain.
If you are upgrading from BlackBerry UEM version 12.8.1 or version 12.9.1, you do not have to shut down any
instances of BlackBerry UEM to upgrade them.
2. Upgrade one BlackBerry UEM core instance to BlackBerry UEM version 12.10.
The setup application also backs up and upgrades the BlackBerry UEM database. After the upgrade,
the BlackBerry UEM instance starts automatically.
3. Upgrade the other BlackBerry UEM core or management console instances.
4. Upgrade any BlackBerry Connectivity Node-only instances (that contain only the device connectivity
components) last.
Install or upgrade BlackBerry UEM using the command prompt window

You can install BlackBerry UEM server software using the command prompt window. Prior to installing the
software using this method, you as an individual or on behalf of your company or other entity on whose behalf
you are authorized to act must acknowledge your acceptance of the terms and conditions of the BlackBerry
Solution License Agreement for your jurisdiction in the manner provided below. Please review the BlackBerry
Solution License Agreement for your jurisdiction (“BBSLA”) at the following link: http://us.blackberry.com/legal/
blackberry-solution-license-agreement.html prior to installing or using the BlackBerry UEM server software. By
acknowledging your acceptance of the BBSLA in the manner provided below or by installing or using the software,
you are agreeing to be bound by the terms and conditions of the BBSLA.
You can install or upgrade to BlackBerry UEM using the command prompt window.
1. Download the BlackBerry UEM software.
2. Extract the BlackBerry UEM installation files.
3. Open a text editor in administrator mode.
4. Use the text editor to open the deployer.properties file.
5. Change the deployer.properties file to include information that is specific to your organization's environment.
6. In a command prompt window, in the directory where you extracted the BlackBerry UEM installation files,
type setup.exe --script --iAcceptBESEULA.
• Add the parameter --installSQL if you want to install a local Microsoft SQL Server database.
• Add the parameter --showlog if you want to see the progress of the installation on the computer screen.
Install the BlackBerry UEM components on separate computers using the command prompt window
You can install BlackBerry UEM server software using the command prompt window. Prior to installing the
software using this method, you as an individual or on behalf of your company or other entity on whose behalf
you are authorized to act must acknowledge your acceptance of the terms and conditions of the BlackBerry
Solution License Agreement for your jurisdiction in the manner provided below. Please review the BlackBerry
Solution License Agreement for your jurisdiction (“BBSLA”) at the following link: http://us.blackberry.com/legal/
blackberry-solution-license-agreement.html prior to installing or using the BlackBerry UEM server software. By
acknowledging your acceptance of the BBSLA in the manner provided below or by installing or using the software,
you are agreeing to be bound by the terms and conditions of the BBSLA.
After you install BlackBerry UEM on a computer, you can install the BlackBerry UEM management console, the
primary BlackBerry UEM components, and the BlackBerry Connectivity Node on separate computers using the
command prompt window. For more information about the BlackBerry Connectivity Node, see Creating server
groups and installing BlackBerry Connectivity Node instances.
1. Download the BlackBerry UEM software.

2. Extract the BlackBerry UEM installation files.
3. Open a text editor in administrator mode.
4. Use the text editor to open the deployer.properties file.
5. Change the following properties in the deployer.properties file:
• Add or change information that is specific to your organization's environment.
• If you want to install the BlackBerry UEM management console, set the deploy.ui property to True, and set
the deploy.mdm.ec and deploy.bcn properties to False.
• If you want to install the primary BlackBerry UEM components, set the deploy.mdm.ec property to True,
and set the deploy.ui and deploy.bcn properties to False.
• If you want to install the BlackBerry Connectivity Node, set the deploy.bcn property to True, and set
the deploy.ui and deploy.mdm.ec properties to False.
6. In a command prompt window set to the folder where you extracted the BlackBerry UEM installation files,
type setup.exe --script --iAcceptBESEULA.
Add the parameter --showlog if you want to see the progress of the installation on the computer screen
when you use the command prompt window.
deployer.properties file
The following properties apply to the deployer.properties file.
db.authentication.type For Microsoft SQL Server authentication, type USER. For Windows

authentication, type INTEGRATED.
The default entry is INTEGRATED.
db.backup.folder Specify a location for the database backup file. To use the default
backup folder, enter a period (.). To skip a database backup, leave this
field blank.
The default entry is a period (.).
db.host1 Specify the name of the database server that hosts the BlackBerry
UEM database.
The default entry is localhost.
db.instance If your environment uses named instances, specify the name of the
database instance. If your environment does not use named instances,
leave it blank.
The default entry is UEM.
db.name Specify the name of the BlackBerry UEM database.

The default BlackBerry UEM database name is UEM.
db.pass This field is required if you are using Microsoft SQL

Server authentication. Specify the password for the Microsoft
SQL Server database. Leave this blank if you are
using Windows authentication.

db.port Specify the port that the database server uses to connect to BlackBerry
UEM. For a dynamic port, leave this field blank. For a static port, type the
port number.
The default entry is blank.
Note: If you specify a static port, leave the db.instance field blank.
db.static.port.enablement For a dynamic port, set this field to #. For a static port, leave this field
blank.
The default entry is #.
db.user This field is required if you are using Microsoft SQL

Server authentication. Specify the username for the Microsoft
SQL Server database. Leave this blank if you are
using Windows authentication.
deploy.bcn Set to true to install the device connectivity components.

The default entry is true.
deploy.mdm.ec Set to true to install the primary BlackBerry UEM components.

deploy.ui Set to true to install the BlackBerry UEM management console.

install.path Specify the location for the installation files.

The default location for the installation files is C:/Program Files/
BlackBerry/UEM.
logging.common.path Specify the location for the log files.

The default location for the log files is C:/Program Files/
BlackBerry/UEM/Logs.
service.account.password This field is required. Specify the password for the Windows service

account.
service.account.name This field is automatically populated.
start.windows.services Set to true to start the BlackBerry UEM services after the installation is

complete.
Set to false if you do not want the BlackBerry UEM services to start after
the upgrade is complete.
ui.port Specify the port used by the BlackBerry UEM management console.

The default port is 443.

Installing BlackBerry UEM in a DMZ
You can install BlackBerry UEM in a DMZ, outside of your organization's firewall.
If you install BlackBerry UEM in a DMZ:
• Verify that you open the required ports on your organization's firewall. For more information, see Port
requirements.
• Manually stop the BlackBerry Proxy service.
Creating server groups and installing BlackBerry Connectivity

Node instances
You can install one or more instances of the BlackBerry Connectivity Node to add additional instances of the
device connectivity components to your organization’s domain. Each BlackBerry Connectivity Node instance
contains the following BlackBerry UEM components: BlackBerry Secure Connect Plus, the BlackBerry Gatekeeping
Service, the BlackBerry Secure Gateway, BlackBerry Proxy, and the BlackBerry Cloud Connector.
You can also create server groups. A server group contains one or more instances of the BlackBerry Connectivity
Node. When you create a server group, you specify the regional data path that you want the components to
use to connect to the BlackBerry Infrastructure. You can associate email and enterprise connectivity profiles
with a server group. Any device that is assigned those profiles uses that server group’s regional connection to
the BlackBerry Infrastructure when it uses any of the components of the BlackBerry Connectivity Node.
For more information about planning for server groups and BlackBerry Connectivity Node instances, see the
Planning content.
To create server groups and install one or more instances of the BlackBerry Connectivity Node, perform the
following actions:
Step Action
Create server groups (optional).
Change the default settings for BlackBerry Connectivity Node instances (optional).
Install a BlackBerry Connectivity Node instance.
Activate a BlackBerry Connectivity Node instance.
Configure proxy settings for a BlackBerry Connectivity Node instance (optional).
Add a BlackBerry Connectivity Node instance to a server group (optional).

Create a server group
Before you begin: Install an additional BlackBerry Connectivity Node
1. On the menu bar, click Settings > External integration > BlackBerry Connectivity Node setup.
2.
Click .
3. Type a name and description for the server group.
4. In the Country drop-down list, select the country where one or more instances of the BlackBerry Connectivity
Node will be installed. The BlackBerry Connectivity Node instances that are added to the server group will use
the selected country's regional connection to the BlackBerry Infrastructure.
Note: You cannot change this setting after the server group is created.
5. By default, the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node instance is active. If you
want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the
primary BlackBerry UEM components, select the Override BlackBerry Gatekeeping Service settings check box
to disable each BlackBerry Gatekeeping Service in the server group.
6. If you want to use DNS settings for BlackBerry Secure Connect Plus that are different from the default settings
that are configured at Settings > Infrastructure > BlackBerry Secure Connect Plus, select the Override DNS
servers check box. Perform the following tasks:
a) In the DNS servers section, click . Type the DNS server address in dot-decimal notation (for example,
192.0.2.0). Click Add. Repeat as necessary.
b) In the DNS search suffix section, click . Type the DNS search suffix (for example, domain.com).
Click Add. Repeat as necessary.
For more information, see “Enabling and configuring enterprise connectivity and BlackBerry Secure Connect
Plus” in the Administration content.
7. If you want to configure logging settings for the BlackBerry Connectivity Node instances in the server group,
select the Override logging settings check box. Perform any of the following tasks:
• In the Server log debug levels drop-down list, select the appropriate log level.
• If you want to route log events to a syslog server, select the Syslog check box and specify the host name
and port of the syslog server.
• If you want to specify maximum limits for log file size and age, select the Enable local file
destination check box. Specify the size limit (in MB) and the age limit (in days).
8. Click Save.
After you finish:
• If you disabled the BlackBerry Gatekeeping Service instances in a server group and you want to enable them
again, in Settings > External integration > BlackBerry Connectivity Node setup, select the server group and
select the Enable the BlackBerry Gatekeeping Service check box. Each instance must be able to access your
organization’s gatekeeping server.
• Install a BlackBerry Connectivity node instance. You can add an instance to a server group when you activate
a BlackBerry Connectivity Node instance or manually in the management console (see Manage server
groups).
• For more information about associating an email profile with a server group, see “Create an email profile” in
the Administration content.
• For more information about associating an enterprise connectivity profile with a server group, see “Enabling
and configuring enterprise connectivity and BlackBerry Secure Connect Plus” in the Administration content.

Change the default settings for BlackBerry Connectivity Node instances
By default, the BlackBerry Gatekeeping Service in each BlackBerry Connectivity Node instance is active. If you
want gatekeeping data to be managed only by the BlackBerry Gatekeeping Service that is installed with the
primary BlackBerry UEM components, you can change the default behavior to disable the BlackBerry Gatekeeping
Service in each instance. You can also specify the default logging settings for all BlackBerry Connectivity
Node instances.
The default settings apply to each BlackBerry Connectivity Node instance that is not in a server group. When an
instance is part of a server group, it uses the default settings configured for that server group.
1. In the BlackBerry UEM management console, on the menu bar, click Settings > External integration >
BlackBerry Connectivity Node setup.
2.
Click .
3. If you want to disable the BlackBerry Gatekeeping Service in each instance, select the Override BlackBerry
Gatekeeping Service settings check box.
4. If you want to configure logging settings, select the Override logging settings check box. Perform any of the
following tasks:
• In the Server log debug levels drop-down list, select the appropriate log level.
• If you want to route log events to a syslog server, select the Syslog check box and specify the host name
and port of the syslog server.
• If you want to specify maximum limits for log file size and age, select the Enable local file
destination check box. Specify the size limit (in MB) and the age limit (in days).
5. Click Save.
After you finish: If you disabled the BlackBerry Gatekeeping Service instances and you want to enable them again,
select the Enable the BlackBerry Gatekeeping Service check box. Each instance must be able to access your
organization’s gatekeeping server.
Install a BlackBerry Connectivity Node instance

You must install each BlackBerry Connectivity Node instance on a separate computer. Perform the following
steps for each instance you want to install.
1. Log in to the computer that you want to install the BlackBerry Connectivity Node instance on.
Unless you are installing the BlackBerry Connectivity Node instance in a DMZ, it is a best practice to use the
same service account that was used to install the primary BlackBerry UEM components.
2. Copy the BlackBerry UEM installation files to the computer.
computer.
3. In the BlackBerry UEM installation folder, double-click Setup.exe. If a Windows message appears and requests
permission for Setup.exe to make changes to the computer, click Yes.
5. Click OK.
6. In the BlackBerry UEM setup application screen, click Next.
7. In the License agreement dialog box, select your country or region, then review and accept the license
agreement.
8. Click Next.
9. In the Component selection dialog box, clear the Management console and Primary components check boxes,
and select the Device connectivity components check box.

For information about the components that will be installed, see the Architecture content and the Planning
content.
10.Click Next.
11.In the Installation requirements dialog box, you can check to see if your computer has met the requirements to
install the BlackBerry Connectivity Node. Click Next.
12.In the BlackBerry UEM configuration dialog box, confirm the host name. Click Next.
13.In the Folder locations dialog box, perform the following actions:
a) Specify the location of the installation folder and log file folder.
b) If you receive a message saying there is not enough space remaining, create extra space to install
the BlackBerry Connectivity Node.
c) If you receive a message asking you to create the installation and logs folder locations, click Yes.
14.Click Next.
15.In the Service account dialog box, type the password for the service account. Click Next.
16.In the Installation summary dialog box, click Install.
17.In the Installing dialog box, click Next when the installation is complete.
18.In the Console addresses dialog box, you can select the Export the console addresses to a file check box to
save the address of the BlackBerry Connectivity Node console (http://localhost:8088) to a text file on your
computer.
You can open the BlackBerry Connectivity Node console at any time from the Start menu.
19.Click Close. If you chose to save the address of the console, specify the location.
After you finish: Activate a BlackBerry Connectivity Node instance.
Activate a BlackBerry Connectivity Node instance

To activate a BlackBerry Connectivity Node instance, you must generate and download an activation file from
the BlackBerry UEM management console and upload it to the BlackBerry Connectivity Node console. The
activation process connects that instance to the primary BlackBerry UEM components.
The activation file is valid for 60 minutes only after you download it. If you generate and download multiple
activation files, only the latest file is valid. If you need to activate multiple instances of the BlackBerry Connectivity
Node, complete the steps below for each instance.
Note: When a new BlackBerry Connectivity Node is configured, the first packet is not encrypted (non-SSL)
and is used to establish encrypted (SSL) communications. All subsequent packets are encrypted (SSL). If your
organization has a firewall rule for port 443 that allows only SSL packets, you must set a firewall exception for the
initial activation of the BlackBerry Connectivity Node. You can remove the exception after activation.
2.
Click .
3. If you want to add the BlackBerry Connectivity Node instance to an existing server group when you activate it,
in the Server group drop-down list, click the appropriate server group.
4. Click Generate.
5. Save the activation file to the computer that hosts the BlackBerry Connectivity Node.

6. On the computer that hosts the BlackBerry Connectivity Node, open the BlackBerry Connectivity Node console
from the Start menu or open a browser window and navigate to http://localhost:8088.
7. Select a language from the drop-down list. Click Next.
8. Optionally, you can do any of the following:
• If you want to use a proxy setting other than the default (port 443) to connect to the BlackBerry
Infrastructure (<region>.bbsecure.com) to activate the BlackBerry Connectivity Node, click the "here" link to
configure the proxy settings and enter the information for the enrollment proxy.
Note: The proxy must be able to access port 443 to the BlackBerry Infrastructure. You cannot change the
enrollment proxy setting after you activate the BlackBerry Connectivity Node.
• If you want to send data through an HTTP proxy before it reaches the BlackBerry Dynamics NOC, click
the "here" link. Click Enable HTTP proxy and configure the proxy settings. You cannot change the proxy
settings once they are saved.
Note: The proxy must be able to access port 443 to the BlackBerry Dynamics NOC. For more information
about port requirements, see Outbound connections: BlackBerry UEM to the BlackBerry Dynamics NOC.
• You have the option of configuring other proxy settings at this point as well. For more information about the
available proxy options, see Configure proxy settings for a BlackBerry Connectivity Node instance.
9. Type a name for the BlackBerry Connectivity Node. Click Next.
10.Click Browse. Navigate to and select the activation file.
11.Click Activate.
If you want to add a BlackBerry Connectivity Node instance to an existing server group when you activate it,
your organization's firewall must allow connections from that server over port 443 through the BlackBerry
Infrastructure (<region>.bbsecure.com) to activate the BlackBerry Connectivity Node and to the same
bbsecure.com region as the main BlackBerry Connectivity Node instance.
To view the status of a BlackBerry Connectivity Node instance, in the BlackBerry UEM management console, on
the menu bar, click Settings > External integration > BlackBerry Connectivity Node setup.
After you finish:
• Optionally, Configure proxy settings for a BlackBerry Connectivity Node instance.
• To add a BlackBerry Connectivity Node instance to a server group, or remove an instance from a server group,
see Manage server groups.
• For instructions for configuring the BlackBerry Gatekeeping Service, see the Configuration content.
• For instructions for configuring BlackBerry Proxy and creating clusters, see the Configuration content. For
more information about configuring connectivity for BlackBerry Dynamics apps, see the Administration
content.
• For instructions for enabling BlackBerry Secure Connect Plus, see the Administration content.
• For more information about enabling the BlackBerry Secure Gateway, see the Administration content.
Configure proxy settings for a BlackBerry Connectivity Node instance

You can configure the components of the BlackBerry Connectivity Node to send data through a TCP proxy server
(transparent or SOCKS v5) or an instance of the BlackBerry Router before it reaches the BlackBerry Infrastructure.
For more information about installing the BlackBerry Router, see Installing a standalone BlackBerry Router.
1. On the computer that hosts the BlackBerry Connectivity Node, open the BlackBerry Connectivity Node console
from the Start menu or open a browser and navigate to http://localhost:8088.
2. Click General settings > Proxy.
3. Perform any of the following tasks:

Task Steps
Send data through a. Select the BlackBerry Router option.

a BlackBerry Router b. Click +.
to the BlackBerry c. Type the FQDN or IP address of the BlackBerry Router. Click Add.
Infrastructure d. In the Port field, type the port number that the BlackBerry Connectivity Node
can use to connect to any BlackBerry Router you added. The default port is
3102.
e. Click Save.
Send data through a a. Select the Proxy server option.

SOCKS v5 proxy server b. Select the Enable SOCKS v5 check box.
(no authentication) c. Click +.
to the BlackBerry d. Type the IP address or host name of the SOCKS v5 proxy server. Click Add.
Infrastructure
e. Repeat steps 3 and 4 for each SOCKS v5 proxy server that you want to
configure.
f. In the Port field, type the port number.
g. Click Save.
Send data through Perform any of the following tasks:

a transparent proxy
• In the BlackBerry Connectivity Node fields, type the FQDN or IP address and
server to the BlackBerry
port number of the proxy server.
Infrastructure
• In the Device connectivity components fields, type the FQDN or IP address
and port number of the proxy server. This setting applies to the BlackBerry
Gatekeeping Service and the BlackBerry Secure Gateway.
• In the BlackBerry Secure Connect Plus fields, type the FQDN or IP address
and port number of the proxy server.
4. Click Save.
Manage server groups

You can add a BlackBerry Connectivity Node instance to a server group at any time, or remove an instance from a
server group at any time. If you add an instance to a server group, that instance uses the settings that have been
configured for that server group (for example, the components of that instance will use the specified regional
connection to the BlackBerry Infrastructure). If you remove an instance from a server group, that instance uses
the default settings that are configured on the BlackBerry Connectivity Node setup screen (see Change the default
settings for BlackBerry Connectivity Node instances).
2. Select a BlackBerry Connectivity Node instance.
3. Perform one of the following tasks:
a)
To add an instance to a server group, click . Select the appropriate server group. Click OK.
b)
To remove an instance from a server group, click . In the confirmation dialog box, click OK.

Installing a standalone BlackBerry Router
The BlackBerry Router is an optional component that you can install in a DMZ outside your organization's firewall.
The BlackBerry Router connects to the Internet to send data between BlackBerry UEM and devices that use
the BlackBerry Infrastructure.
The BlackBerry Router functions as a proxy server and can support SOCKS v5 (no authentication).
If you want to configure BlackBerry UEM to use a TCP proxy server, see the Configuration content.
Note: If your current environment contains a TCP proxy server, you do not need to install the BlackBerry Router.
Upgrading a standalone BlackBerry Router
If you want to upgrade your router from BlackBerry UEM version 12.8 or 12.9 to version 12.10, you cannot directly
upgrade it. You must first uninstall the existing router and then install a new one.
Install a standalone BlackBerry Router

Before you begin:
• You must install a standalone BlackBerry Router on a computer that does not host any other BlackBerry
UEM components. You cannot install the BlackBerry Router on a computer that hosts any components that
manage BlackBerry OS (version 5.0 to 7.1) devices.
• Verify that you have the name of the SRP host. The SRP host name is usually <country
code>.srp.blackberry.com (for example, us.srp.blackberry.com). To verify the SRP host name for
your country, visit the SRP Address Lookup page.
1. Download and extract the BlackBerry UEM Installation file (.zip) on your computer.
2. In the router folder, extract the mdm.deployment.router.zip file. This .zip file contains an Installer folder with
the Setup.exe file that you use to install the BlackBerry Router.
3. Double-click the Setup.exe file.
The installation runs in the background and displays no dialog boxes. Once the installation completes, the
BlackBerry Router service appears in the Services window.
Logging in to BlackBerry UEM for the first time

The first time that you log in to the management console after you install BlackBerry UEM, you must enter your
organization name, SRP ID, and SRP authentication key.
CAUTION: Do not reuse the SRP ID from previous BES5, BES10, BES12, or BlackBerry UEM instances
when you install a new instance of BlackBerry UEM. You can view the SRP ID and authentication key for
your BES10 and BlackBerry UEM instances in myAccount, under My Organization > Servers.
Log in to BlackBerry UEM for the first time

Before you begin: Verify that you have the BlackBerry UEM SRP identifier and SRP authentication key available.
If the setup application is still open, you can access the management console directly from the Console
addresses dialog box.
Note: You may be prompted to provide the IP address and port number of the BlackBerry Router or a TCP proxy
server.

Note: If you receive an error message that your SRP ID cannot be used with the BlackBerry UEM instance you
installed, visit support.blackberry.com/community. to read article 37117.
1. In the browser, type https://<server_name>:<port>/admin, where <server_name> is the FQDN of the computer
that hosts the management console. The default port for the management console is port 443.
2. In the Username field, type admin.
3. In the Password field, type password.
4. Click Sign in.
5. In the Server location drop-down selection, select the country of the computer that has BlackBerry
UEM installed on it, and click Next.
6. Type the name of your organization, the SRP identifier, and the SRP authentication key.
7. Click Submit.
8. Change the temporary password to a permanent password.
9. Click Submit.
After you finish:
• When you log in to the management console, you can choose to complete or close the Welcome to BlackBerry
UEM dialog box. If you close the dialog box, it will not appear during subsequent login attempts.
Removing the BlackBerry UEM software

You can use the uninstall application to remove the BlackBerry UEM software from a server. The uninstall
application can also remove the log files for the existing installation.
The uninstall application removes the software from the local server, but it does not do the following:
• Remove the BlackBerry UEM server from the BlackBerry UEM database
• Remove the database instance that hosts the BlackBerry UEM database
• Remove the BlackBerry UEM database
• Deregister the components from the BlackBerry Dynamics NOC
Therefore, before you reinstall the BlackBerry UEM software, you must remove the BlackBerry UEM instance
from the management console. When you remove a BlackBerry UEM instance from the management console,
the BlackBerry Control and BlackBerry Proxy instances are deregistered from the BlackBerry Dynamics NOC. This
is a necessary step for decommissioning.
Note: If this installation was originally BES12 version 12.5 or earlier, before you reinstall, visit visit
support.blackberry.com/community to read article 45102.
Note: If the BlackBerry UEM instance is connected to your Google Cloud or G Suite domain, you must remove
the Google domain connection before you uninstall BlackBerry UEM.
CAUTION: You cannot uninstall BlackBerry UEM and continue to use BES5 after you have upgraded
from BES5 to BlackBerry UEM. If you uninstall BlackBerry UEM after the upgrade, BES5 will not function
correctly.
Remove the BlackBerry UEM software

Important: When you decommission a BlackBerry UEM node or legacy BlackBerry Dynamics server, make sure
that active containers have contacted the new nodes to obtain an updated connectivity profile before the old
nodes are removed. Bring up the new nodes and keep the old nodes running for a transitional period. For example,
if you set the connectivity verification period to 30 days and the inactivity threshold to 60 days, allow 60 days for
the transition to complete.

Before you begin:
• If you have it configured, remove the Google domain connection. For more information, see the Administration
content.
• If you are troubleshooting, back up the following data before decommissioning:
• \Program Files\BlackBerry\UEM\Logs
• BlackBerry UEM database
1. On the taskbar, click Start > Control Panel.
2. Click Uninstall a program.
3. Click BlackBerry UEM.
4. Click Uninstall.
5. If the uninstall application prompts you to restart the computer to finish removing the BlackBerry
UEM software, click OK.
After you finish: You can remove third-party software that the setup application installed during the BlackBerry
UEM installation process (for example, you can remove the JRE software from the computer).
Remove a instance from the database

If you uninstall a BlackBerry UEM instance, you must complete the following steps to remove the data for that
instance from the BlackBerry UEM database. If you do not, the BlackBerry UEM log files indicate that the instance
that you removed is not available.
Before you begin: Uninstall a BlackBerry UEM instance.
1. On the menu bar, click Settings > Infrastructure > Instances.
2.
For the BlackBerry UEM instance that you removed, click .
3. Click Delete.
Removing the BlackBerry Connectivity Node software

You can use the uninstall application to remove the BlackBerry UEM connectivity software from a server. The
uninstall application can also remove the log files for the existing installation.
The uninstall application removes the software from the local server, but it does not do the following:
• Remove the BlackBerry Connectivity Node instance from the BlackBerry UEM database
• Remove the database instance that hosts the BlackBerry UEM database
• Remove the BlackBerry UEM database
• Deregister the components from the BlackBerry Dynamics NOC
Therefore, before you reinstall the BlackBerry UEM connectivity software, you must remove the BlackBerry
Connectivity Node instance from the management console. When you remove a BlackBerry Connectivity
Node instance from the management console, the BlackBerry Proxy instance is deregistered from the BlackBerry
Dynamics NOC. This is a necessary step for decommissioning.
Note: If you upgraded a Good Proxy server to a BlackBerry Connectivity Node instance, the BlackBerry
Proxy service will be registered with the BlackBerry Dynamics NOC. Before you can properly remove
the BlackBerry Connectivity Node, you must activate it, then remove it. See Activate a BlackBerry Connectivity
Node instance.

Remove the BlackBerry Connectivity Node software
Before you begin: If you are troubleshooting, back up \Program Files\BlackBerry\UEM\Logs before
decommissioning.
1. On the taskbar, click Start > Control Panel.
2. Click Uninstall a program.
3. Click BlackBerry UEM.
4. Click Uninstall.
5. If the uninstall application prompts you to restart the computer to finish removing the BlackBerry
UEM software, click OK.
After you finish: You can remove third-party software that the setup application installed during the BlackBerry
UEM installation process (for example, you can remove the JRE software from the computer).
Remove a BlackBerry Connectivity Node instance from the database

If you uninstall a BlackBerry Connectivity Node instance, you must complete the following steps to remove the
data for that instance from the BlackBerry UEM database. If you do not, the BlackBerry UEM log files indicate that
the instance that you removed is not available.
Before you begin: Uninstall the BlackBerry UEM connectivity software.
1. On the menu bar, click Settings > External integration > BlackBerry Connectivity Node setup.
2. Select the checkbox beside the BlackBerry Connectivity Node that you want to remove.
3.
Click .
4. Click Delete.
Troubleshooting BlackBerry UEM installation or upgrade

In some cases you might need to troubleshoot a BlackBerry UEM installation or upgrade issue. Some isolated
cases may require you to return to the previous version of the software and then retry the upgrade. The approach
to take depends on the current state of your environment and the BlackBerry UEM software versions involved in
the upgrade.

For detailed information about troubleshooting BlackBerry UEM installation and upgrade,
visit support.blackberry.com/kb to read article 49655.
Additional information

Best practice: Running BlackBerry UEM
Best practice Description
Do not change the startup type for When you install or upgrade to BlackBerry UEM, the setup application
the BlackBerry UEM services. configures the startup type for the BlackBerry UEM services as either
automatic or manual.
To avoid errors in BlackBerry UEM, do not change the startup type for
the BlackBerry UEM services.
Do not change the account When you install or upgrade BlackBerry UEM, the setup application
information for the BlackBerry configures the account information for the BlackBerry UEM services.
UEM services.
Do not change the account information for BlackBerry UEM unless
the BlackBerry UEM documentation specifies that you can.
Do not manually restart You can manually restart the BlackBerry Affinity Manager service, which
the BlackBerry Work Connect controls the restart of the BlackBerry Work Connect Notification Service.
Notification Service.
Installing the BlackBerry Collaboration Service

The BlackBerry Collaboration Service is an optional service that you can install in your BlackBerry
UEM environment. The BlackBerry Collaboration Service provides an encrypted connection between your
organization's instant messaging server and the BlackBerry Enterprise IM app on BlackBerry 10 devices so that
users can start and manage instant messaging conversations on their devices.
You can install the BlackBerry Collaboration Service any time after you install BlackBerry UEM. For
instructions, see the Installation and configuration content.
Note: You cannot install BlackBerry Collaboration Service 12 until you log in to BlackBerry UEM for the first time
to register your SRP ID and SRP authentication key.
BlackBerry UEM Configuration Tool

If your organization plans to support more than 500 users, use the BlackBerry UEM Configuration Tool to calculate
the number of SRP IDs you require. After you install BlackBerry UEM, run the BlackBerry UEM Configuration
Tool to import the SRPs into the BlackBerry UEM database before you add or migrate users. The BlackBerry
UEM Configuration Tool is included with the BlackBerry UEM software. You can also download the tool
from myAccount.
The BlackBerry UEM Configuration Tool allows you to:
• Update or change the following BlackBerry UEM database properties:
• Microsoft SQL Server name
• Database name
• Port configuration
• Database authentication
• Windows username
• Windows password
• Calculate the number of SRP IDs required for BlackBerry UEM based on the projected total number of users
• Import extra SRP IDs into the BlackBerry UEM database

For more details on the BlackBerry UEM Configuration Tool, visit support.blackberry.com/community to read
article 36443.
For more information about obtaining and importing SRP IDs, visit support.blackberry.com/community to read
article 36435.

Glossary
BES5 BlackBerry Enterprise Server 5
BES10 BlackBerry Enterprise Service 10
BES12 BlackBerry Enterprise Service 12
BlackBerry UEM domain A BlackBerry UEM domain consists of a BlackBerry

UEM database and a BlackBerry Control database and
any BlackBerry UEM instances that connect to them.
BlackBerry UEM instance A BlackBerry UEM instance refers to one installation

of the BlackBerry UEM Core and all associated
BlackBerry UEM components that communicate with
it. The components can be installed on the same
server or multiple servers. There can be more than
one BlackBerry UEM instance in a BlackBerry UEM
domain.
DMZ A demilitarized zone (DMZ) is a neutral subnetwork

outside of an organization's firewall. It exists between
the trusted LAN of the organization and the untrusted
external wireless network and public Internet.
DNS Domain Name System
EMM Enterprise Mobility Management
FQDN fully qualified domain name
HTTPS Hypertext Transfer Protocol over Secure Sockets

Layer
IOPS input/output operations per second
IP Internet Protocol
IP address An Internet Protocol (IP) address is an identification

number that each computer or mobile device uses
when it sends or receives information over a network,
such as the Internet. This identification number
identifies the specific computer or mobile device on
the network.
IT policy An IT policy consists of various IT policy rules

that control the security features and behavior of
BlackBerry smartphones, BlackBerry PlayBook tablets,
the BlackBerry Desktop Software, and the BlackBerry
Web Desktop Manager.
| Glossary | 50
IPsec Internet Protocol Security
JRE Java Runtime Environment
LAN local area network
NIC network interface card
RRAS Routing and Remote Access service
SRP Server Routing Protocol
SRP ID The SRP ID is a unique identifier that an EMM

solution from BlackBerry uses to identify itself to the
BlackBerry Infrastructure during SRP authentication.
TCP Transmission Control Protocol
UEM Unified Endpoint Manager
| Glossary | 51
Legal notice
©2019 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design,
ATHOC, MOVIRTU and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its
subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly
reserved. All other trademarks are the property of their respective owners.
Android is a trademark of Google Inc. Apple and OS X are trademarks of Apple Inc. iOS is a trademark of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc.
Microsoft, ActiveSync, SQL Server, and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Wi-Fi is a trademark of the Wi-Fi Alliance. All other
trademarks are the property of their respective owners.
This documentation including all documentation incorporated by reference herein such as documentation
provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE"
and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and
its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical,
or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and
confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry
technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained
in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates,
enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software,
products or services including components and content such as content protected by copyright and/or third-party
web sites (collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for,
any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance,
compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products
and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not
imply endorsement by RIM of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL
CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES,
REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE,
MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR
ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE
DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE,
SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED.
YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY
NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT
PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO
THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO
NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE
SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM
BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE
OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND
SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES:
DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED
DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS,
BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR
CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED
WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS,
| Legal notice | 52
LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES,
COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER
SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND
EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE
NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU
INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE
NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO
BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL
SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS
AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES,
THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED
RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS,
EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR,
EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM
HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to
ensure that your airtime service provider has agreed to support all of their features. Some airtime service
providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service.
Check with your service provider for availability, roaming arrangements, service plans and features. Installation
or use of Third Party Products and Services with RIM's products and services may require one or more patent,
trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are
solely responsible for determining whether to use Third Party Products and Services and if any third party licenses
are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party
Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that
are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with
no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM
and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall
be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable
thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM.
Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server,
BlackBerry® Desktop Software, and/or BlackBerry® Device Software.
The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM
applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN
AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER
THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information
associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
| Legal notice | 53
United Kingdom
Published in Canada
| Legal notice | 54

Blackberry Uem: Installation and Upgrade

Uploaded by

Copyright:

Available Formats

Blackberry Uem: Installation and Upgrade

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Blackberry Uem: Installation and Upgrade

Uploaded by

Copyright:

Available Formats

BlackBerry UEM

Installation and Upgrade

12.10 Maintenance Release 1

Preinstallation and preupgrade checklist.......................................................... 5

Installation and upgrade....................................................................................7

Minimum requirements for installing BlackBerry UEM

• Verify that you have a mail server that supports BlackBerry UEM.

• Verify that you have one of the following company directories:

| Preinstallation and preupgrade checklist | 5

• If you have a remote BlackBerry Router instance or TCP proxy server in your organization,

• Verify that you have supported mobile operating systems for BlackBerry

| Preinstallation and preupgrade checklist | 6

Review the port requirements.

Complete the preinstallation tasks.

Verify the prerequisites.

Install a new BlackBerry UEM instance.

Log in to BlackBerry UEM.

Applications that are installed with BlackBerry UEM

| Installation and upgrade | 7

Steps to upgrade BlackBerry UEM version 12.8 or later to BlackBerry

Review the port requirements.

Complete the preupgrade tasks.

Verify the prerequisites.

Upgrade the BlackBerry UEM software.

| Installation and upgrade | 8

Outbound connections: BlackBerry UEM to the BlackBerry Infrastructure

| Installation and upgrade | 9

Activate and Connect to the BlackBerry Infrastructure to:

Communicate Connect to the BlackBerry Infrastructure to send data to the appropriate notification

Update device OS Connect to the BlackBerry Infrastructure each day at midnight to check a hosted

Search for apps Connect to the BlackBerry Infrastructure and then to the App Store or BlackBerry

| Installation and upgrade | 10

Secure connection Connect to the BlackBerry Infrastructure to provide BlackBerry 10, Android Enterprise,

Outbound connections: BlackBerry UEM to the BlackBerry Dynamics NOC

| Installation and upgrade | 11

Outbound connections: Devices on a work Wi-Fi network

From To Purpose Protocol Port

BlackBerry 10 BlackBerry To connect to 1. HTTP CONNECT 443

BlackBerry 10 BlackBerry To connect to 1. HTTP CONNECT 443

BlackBerry 10 BlackBerry To connect to 1. HTTP CONNECT 443

iOS BlackBerry To connect to TLS 443

| Installation and upgrade | 12

Windows devices BlackBerry To connect to HTTPS; includes TLS 443

iOS APNs To connect to TCP 5223

Android FCM To connect to TCP 5228

Connections initiated by the BlackBerry UEM Core

Intranet port configurations for BlackBerry Proxy

| Installation and upgrade | 13

Connections initiated by BlackBerry 10 devices

Access to internal data from devices

For iOS, Android, and Windows devices, BlackBerry UEM sends and receives only activation and management

How BlackBerry UEM selects listening ports during installation

BlackBerry UEM listening ports

| Installation and upgrade | 14

1610 mdm.snmp.monitoring.udpport The BlackBerry UEM Core uses this port to provide

1620 mdm.snmp.eventing.ipv4.udpport The BlackBerry UEM Core uses this port to send

3202 ec.gme.common.rcp.internal.port The active BlackBerry Affinity Manager listens

3203 ec.gme.common.bipp.bippe.port The BlackBerry Dispatcher listens for BIPPe

8000 ui.port.ssp BlackBerry UEM Self-Service and the management