BlackBerry integration guide

BlackBerry presently has two products that interact with Bitdefender Mobile Security:

  • Unified Endpoint Management Server (previously known as BES)

  • BlackBerry Dynamics (formerly known as Good Dynamics)

Prerequisites

For MDM device integration with UEM, the Bitdefender Mobile Security console must connect to the UEM API server. This connection uses SSL over TCP ports 17433 and 18084 across the Internet. In addition, for an on-premise UEM management server, the mobile console must be able to reach the API Server on port 17433 or 18084.

Item and specifics:

  • UEM MDM enrolled device: UEM V12.4. Note: iOS app configuration is only supported in UEM V12.6+.

  • API Administrator Account in UEM management console: discover how to set up the API administrator account here.

  • Access to certain TCP ports on the UEM Server: TCP 17433 and 18084.

  • MDM Password: do not use a colon (:) in the MDM access password field, and do not use `password` as the password value.

Note

The MDM integration does not support the UEM Cloud version (SaaS management server) because it does not support the APIs needed for MDM integration. MDM integration supports the on-premise UEM product.

MDM and the Security for Mobile console communication

The Mobile Security Console is set up with API access so that it can share information with the UEM console. When the GravityZone MTD detects an event, it references the device's existing threat policy and communicates any specified MDM action to the Mobile Security console server. The server then connects to the appropriate UEM API Server and transmits the commands needed to execute that action.

Console integration: BlackBerry UEM & the Mobile Security console

Full MDM synchronization

Following the first complete synchronization performed during the MDM integration configuration, a synchronization process is scheduled to run at regular intervals at a hardcoded frequency.

  • New Enrollments: new users in the User Group(s) used for synchronization are added, along with their devices, to the Mobile Security Console.

  • Unenrolled Users/Devices (removed via UEM MDM): users who are unenrolled are removed from the Mobile Security Console. This does not remove any of the events associated with that user or device.

On-Demand device synchronization

The Mobile Security Console performs an on-demand device synchronization when the app is pushed to a newly enrolled device and attempts to log in before the device has been synchronized with the MDM. The console takes the identification information that the GravityZone MTD uses for authentication and matches it to the proper UEM MDM. It then retrieves that device and user information from the configured MDM, allowing the app to authenticate and proceed. This type of synchronization adds devices over time as they are activated.

Prerequisites

For synchronization to work correctly, the GravityZone MTD must be deployed as follows:

  • iOS: This requires associating an app configuration with the application that pushes down the tenant ID and default channel for the on-demand device sync.

  • Android: This requires Android for Enterprise for auto-activation. Use the Mobile Security Console activation URLs for native Android.

Synchronization setup

To set up synchronization, perform the steps described in the following sections.

Setting up the UEM administrator user

To set up and create a UEM administrator with the proper role access, follow this procedure:

  1. In the navigation panel, select Settings.

  2. Select Administrators, and then select Roles.

  3. Click on the icon to add a role.

  4. Enter the name and description.

  5. Select the checkboxes for the following:

    • Group Management

      • All groups and users

    • User and Devices

      • View users and activated devices

      • Manage devices

      • Manage BlackBerry Dynamics apps

      • View group settings

Setting up User Groups in UEM

Create one or more User Groups containing the devices to protect, if a suitable group does not already exist. The Mobile Security Console uses User Groups to synchronize users and devices. Ensure TCP port 18084 is open and that the users are added to the User Group.

Set Up User and Device Synchronization in Bitdefender Mobile Security console

To set up the MDM integration in Mobile Security Console:

  1. Log in to Mobile Security console.

  2. Go to the Manage page.

  3. Select Integrations.

  4. Click on Add MDM and select the MDM integration you want to use.

    (Figure: Mobile Security dashboard, Add MDM, step 1)

  5. Enter the information pertinent to the UEM integration, as listed below, and click Next.

    Fields and their descriptions:

    • URL: URL of the UEM API Server. Append ‘:18084/SRP_ID’ to the end of the URL, where SRP_ID is the Server Routing Protocol Identifier (SRP ID). The SRP ID can be found under the user’s BlackBerry ‘My Account’ tab under servers. Each server has a different SRP ID; alternatively, contact the BlackBerry representative for assistance. For instance: https://se-lab-uem2.zdtmdc.com:18084/S62887113

    • Username: UEM Administrator created with the needed role access.

    • Password: the password of the UEM Administrator.

    • MDM Name: internal name used to represent this MDM Integration in the Mobile Security Console.

    • Background Sync: check this box to ensure users/devices are synchronized on a regular synchronization window with the UEM User Groups chosen on the next page.

    • Mask Imported User Information: check this box to mask personally identifiable information about the user, for instance, name and email address.

    • Send Device Activation email via Mobile Security Console for iOS Devices: check this box to send an email to the user for every iOS device synced with the MDM.

    • Send Device Activation email via Mobile Security Console for Android Devices: check this box to send an email to the user for every Android device synced with the MDM.

    (Figure: Mobile Security dashboard, Add MDM, step 2)
  6. Click Next and choose the User Group(s) to synchronize. The available groups show up in the Available Device Groups list and can be moved to the Selected Mobile Security Console Groups list by clicking on the plus sign (‘+’). This can be reversed by clicking on the minus sign (‘-’).

  7. Click Next.

  8. Specify the MDM alerts if you want to be notified when there are MDM sync errors. If you want more than one email address, separate them by a comma.

  9. Click Finish to save the configuration and start the first synchronization by clicking Sync Now.
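The Add MDM form above has a few constraints that are easy to get wrong (the API URL must use SSL on port 17433 or 18084 and end in the server's SRP ID, the MDM password must not contain a colon or be `password`, and alert addresses are comma-separated). The following is an added example, not part of the guide or the product, that checks those values before they are entered; the SRP ID shape (an "S" followed by digits, as in the page's S62887113) is an assumption and only yields an advisory message.

```python
import re
from urllib.parse import urlsplit

# Ports on which the UEM API server is reached (from the prerequisites section).
UEM_API_PORTS = {17433, 18084}


def check_uem_url(url):
    """Return a list of problems with the UEM API Server URL field."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL must use https (SSL is required on the API port)")
    if parts.port not in UEM_API_PORTS:
        problems.append("URL port must be 17433 or 18084")
    srp_id = parts.path.strip("/")
    if not srp_id:
        problems.append("URL must end with /SRP_ID (the server's SRP identifier)")
    elif not re.fullmatch(r"S\d+", srp_id):
        # Assumed shape, based only on the page's example S62887113.
        problems.append(f"path '{srp_id}' does not look like an SRP ID such as S62887113")
    return problems


def check_mdm_password(password):
    """Apply the two password rules stated in the prerequisites."""
    problems = []
    if ":" in password:
        problems.append("MDM password must not contain a colon (:)")
    if password == "password":
        problems.append("MDM password must not be the literal value 'password'")
    return problems


def parse_alert_emails(field):
    """Split the comma-separated MDM alert field; return (addresses, malformed)."""
    emails = [e.strip() for e in field.split(",") if e.strip()]
    bad = [e for e in emails if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", e)]
    return emails, bad


def validate_uem_integration(cfg):
    """cfg holds the form fields: url, username, password, mdm_name, alert_emails."""
    problems = check_uem_url(cfg.get("url", ""))
    problems += check_mdm_password(cfg.get("password", ""))
    for key in ("username", "mdm_name"):
        if not cfg.get(key, "").strip():
            problems.append(f"{key} must not be empty")
    _, bad = parse_alert_emails(cfg.get("alert_emails", ""))
    problems += [f"malformed alert address: {e}" for e in bad]
    return problems
```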

Application deployment and activation

For deploying the application via UEM, you can download the iOS and Android versions from their respective app stores.

To publish the app on the public store:

  1. Create a new app on the App Store or Google Play Store and search for the GravityZone Security for Mobile app.

  2. Add the apps as public applications and, if using auto-activation, configure the app using the values specified in the iOS and Android for Enterprise Activation sections.

  3. Assign the User Group to the app and publish it.

  4. The app is installed on the devices of the assigned User Group.

Zero-Touch Activation for iOS GravityZone MTD

This functionality enables an administrator to turn on threat protection on managed devices without requiring end-user interaction with the installed application. This figure gives an overview of the interactions.

Setup Overview

This describes the items that are set up for zero-touch activation and threat reporting:

  • The BlackBerry UEM has a user group for devices.

    • The device is registered with the MDM.

    • The VPN profile is initially pushed to the device.

    • The app is pushed to the device.

  • The Mobile Security Console has the MDM defined as an integration.

  • The Mobile Security Console has the MDM Action, and Mitigation Action set for the “App Pending Activation” threat.

These steps describe a sample flow once zero-touch activation is configured:

  1. The Mobile Security Console Policy page has the “App Pending Activation” threat with an MDM Action to put the device into the user group that is associated with the VPN profile, and this installs the VPN profile.

    The Mitigate Action field is set to Remove, and once the GravityZone MTD is activated, the VPN profile is removed from the device.

  2. The MDM pushes the app and the VPN profile to the device.

  3. There is an “Install app” notification on the device from the VPN Profile, but the end-user does not activate the app yet.

  4. A threat is generated on the device, such as a “Device Pin” threat.

  5. The VPN profile shows a notification of the threat on the device, and the Mobile Security is still not launched.

  6. The threat is visible on the Mobile Security Console Threat Log page and:

    • The App Name shows “VPN Extension.”

    • The Detection Status shows “Active” for the device.

    • The App Status shows “Pending Activation” for the device.

      Note

      This threat is logged after the dormancy period that is set for Allowed Inactivity Time on the Manage page of the Mobile Security Console.

  7. The user launches the GravityZone MTD and activates it.

    • The Detection Status shows “Active” for the device.

    • The App Status shows “Active” for the device.

Setting Up Zero-touch configuration

This set of instructions describes how to set up zero-touch app activation and the resulting workflow. This option allows threats to be detected without the GravityZone MTD being activated on the end user’s device, where the app is pushed from the MDM. The user is prompted to open GravityZone MTD, but this is not a required action. A VPN profile runs on the device until the user activates the app.

To configure zero-touch activation, perform these steps:

  1. Log in to the BlackBerry UEM console.

  2. Ensure that the following are configured, which are described here.

  3. Create the shared certificate profile on the BlackBerry UEM console by navigating to this location and clicking the plus icon.

    Policy and profiles > Certificates > Shared Certificates

    Note

    The certificate contents are flexible and simply need to exist, so any certificate with a .pfx or .p12 extension is acceptable.

  4. Navigate to this location Policy and profiles > Networks and Connections > VPN, click the plus icon, and add a VPN profile.

  5. Open the user group that you created in the initial steps. Make sure that your VPN profile is associated with the user group, your shared certificate is associated with the user group, and the appropriate app is a required assigned app.

Setting up Zero-Touch Activation on Mobile Security console

To integrate the Mobile Security Console with the BlackBerry UEM MDM for zero-touch activation, perform these steps:

  1. Log in to the Mobile Security Console.

  2. Navigate to the Manage page and the Integrations tab, and add the BlackBerry UEM MDM.

  3. Navigate to the threat policies on the Policy page and the Threat Policy tab.

  4. Select the group from the Selected Group field. This value is the original user group for devices.

  5. Update the App Pending Activation threat with MDM Action and Mitigation Action field values.

  6. Save and Deploy your changes.

iOS: GravityZone MTD Auto-Activation configuration

When the app is pushed down to the device, the GravityZone MTD takes advantage of the app configuration. This gives the best iOS user experience, because the user can launch GravityZone MTD for iOS without entering any passwords: the app configuration pre-loads the necessary information into the iOS app. To begin, make GravityZone MTD for iOS a public application. This configuration takes place within UEM. You can also define an app configuration during the add application step.

  1. If an app is currently defined, edit the app and scroll to the bottom.

  2. Click on the plus sign (+) to add an app configuration with the key and the value.

  3. Click Save.

  4. When assigning this app to a group, ensure to select the app configuration to be used.

Android: GravityZone MTD Auto-Activation configuration

Android Enterprise (Android for Work) users can use the managed app config for activations. The admin must verify that the correct device identifier value is being passed for the configuration parameter.

For native Android devices, activations require the use of activation URLs, which are sent to end-users via the Mobile Security Console or the MDM. Opening GravityZone MTD without the link does not activate the app on Android devices. When a user runs the app with the activation URL link, it activates and downloads the proper threat policy.

To access activation links, go to the Mobile Security Console Manage page, and select the Integrations tab. After the MDM is added, the activation link is provided for devices. This activation link is used along with appending the MDM device identifier. The Mobile Security Console page displays the expiration date and time, and if needed, the link can be regenerated.

The administrator sends the concatenated activation link by email or text to users, along with instructions to accept the app being pushed to them.

BlackBerry Dynamics (MAM / Containerization Option)

The Dynamics Secure Mobility Platform in UEM provides additional protection for company intellectual property. BlackBerry users are synchronized with the Mobile Security console, which communicates to BlackBerry Dynamics what actions to use to protect the device in different situations/threats. These actions are selected through the Threat Policy.

Prerequisite Requirements

Item and specifics:

  • Administrator Account in the BlackBerry Dynamics or UEM Management console: ensure the Administrator account has the role defined below.

  • Public SSL certificate on BlackBerry Dynamics Server: the public certificate is trusted externally (trusted CA).

  • Access to certain TCP ports on the BlackBerry Dynamics Server: TCP/18084 and TCP/17433.

  • Approval to run GravityZone MTD for BlackBerry Dynamics during a trial or POC: navigate to the request URL.

BlackBerry Dynamics and Mobile Security console communication

The Mobile Security Console is configured to share information with the BlackBerry Dynamics server through API access. When GravityZone MTD detects an event, it consults the current threat policy and if there is a specific compliance action defined, it is communicated to the Mobile Security Console server.

Console integration

Mobile Security console and BlackBerry Dynamics console

Devices are managed through a scheduled synchronization process: new users are added to the Mobile Security Console and removed users are deleted from it. Currently, all devices active on the BlackBerry Dynamics console are synchronized.

To set up synchronization:

  1. Create a BlackBerry Dynamics Administrator account with a role that has the required authorizations.

  2. Navigate to Settings and then select Administrators.

  3. Select Roles.

  4. Click the icon to add a role.

  5. This account is used for synchronization.

  6. Ensure the following ports are opened inbound to the UEM Dynamics server: TCP 18084 and TCP 17433 (as listed in the prerequisite requirements).

  7. In the Mobile Security Console, create the MDM integration by performing these steps:

    1. Click Manage in the navigation menu and select the Integrations tab.

    2. Click Add MDM.

    3. Choose the BlackBerry UEM icon.

    4. Enter the values specific to the integration.

    5. Click Next and choose which user groups to synchronize. The available user groups are shown in the Available Device Groups list and can be moved to the Selected Mobile Security Console Groups list by clicking on the plus sign (‘+’). This can be reversed by clicking on the minus sign (‘-’).

    6. Click Next.

    7. Specify the MDM alerts if you want to be notified when there are MDM sync errors. If you want more than one email address, separate them by a comma.

    8. Click Finish.