Universal Device Service Administration Guide 1320166294125 6.0 En


  • 7/30/2019 Universal Device Service Administration Guide 1320166294125 6.0 En


    Universal Device Service Administration Guide
    Version: 6.0


    Published: 2012-03-23
    SWD-20120323132801312


    Contents

    1 Related resources

    2 About the Universal Device Service
        Using the Universal Device Service
        Log in to the Administration Console

    3 Creating administrator accounts
        Create an administrator account
        Administrative roles and permissions
            Administrator permissions

    4 Creating and managing user accounts
        Add a user account
        View a user account
        Edit user account information
        Change the user's device activation password
        Delete a user account

    5 Understanding and installing APNs certificates
        About APNs
        Determine the status of the APNs certificate
        Request a signed CSR from RIM
        Request an APNs certificate from Apple
        Upload an APNs certificate
        Import the .pfx file into the certificate store
        Change the private key access permissions of the certificate
        Troubleshooting APNs

    6 Activating devices
        Sending an activation email message
        Activate an iOS device
        Activate an Android device

    7 Managing devices
        Protecting lost or stolen devices
        Users with multiple devices
        Jailbroken or rooted status
        View and save a device report
        View device communication logs

    8 Using groups to manage similar accounts
        Create a group
        Change the properties of a group
        Assign an account to a group
        Remove an account from a group
        Active directory group synchronization
        Delete a group

    9 Managing IT policies
        Add an IT policy
        Assign an IT policy to a user account
        Assign an IT policy to a group
        Change an IT policy
        Delete an IT policy
        Policy groups in the Universal Device Service
        IT policy rules in the Password policy group

    10 Creating and assigning profiles
        Create a SCEP profile
        Create a certification authority certificate profile
        Create a shared certificate profile
        Create a Microsoft ActiveSync profile
        Create a user certificate profile and assign it to a user account
        Create a Wi-Fi profile
        Create a VPN profile
        Assign a profile to a user account
        Assign a profile to a group
        Use custom variables

    11 Managing applications
        Create an application definition
        Create a software configuration
        Assign a software configuration to a user account
        Assign a software configuration to a group

    12 Managing the Universal Device Service settings
        Configure SMTP server settings
        Configure the default settings to activate a device
        Update the template for the activation email message
        Configure the Microsoft Active Directory settings
        Configure the external SCEP settings
        Configure the push server settings
        Add a Universal Device Service CAL key
        Configuring device compliance settings
            Configure device compliance settings
            Update the template for the device compliance notification
        Configuring device communication settings
            Polling intervals for device communication settings
            Configure the device communication settings

    13 Logging
        Log files
        Audit logs

    14 Glossary

    15 Legal notice


    Related resources

    To read the following resources, visit www.blackberry.com/go/serverdocs

    Resource: Universal Device Service Release Notes
    Information: Description of known issues and potential workarounds

    Resource: Universal Device Service Installation and Configuration Guide
    Information: System requirements; Installation instructions

    Resource: Universal Device Service Feature and Technical Overview
    Information: Architecture diagrams; Description of features and components; Data flows

    Resource: Universal Device Service Administration Guide
    Information: Instructions for creating user accounts, groups, and administrator accounts; Instructions for activating devices; Instructions for creating and assigning IT policies and profiles; Instructions for managing applications on devices


    About the Universal Device Service

    The Universal Device Service is designed to permit you to manage devices that run iOS or Android OS in your organization's environment.

    If you activate devices using the Universal Device Service, you can use the Universal Device Service to:

    • Manage devices using the IT policies and IT administration commands that the devices support
    • Configure profiles for devices so that you can control the connections to your organization's environment (Wi-Fi profiles and certificate profiles for iOS devices and Android devices, VPN profiles and email profiles for iOS devices)
    • Provision and manage work applications on devices
    • View the device inventory for your organization

    To provide a single interface for helpdesk administrators to manage all the devices in your organization's environment, you can connect BlackBerry Mobile Fusion Studio to the Universal Device Service.

    You can purchase and download the Universal Device Service from www.blackberry.com/support/downloads.

    Using the Universal Device Service

    Feature: Drag and drop functionality
    Description: When viewing a group or user account, you can quickly apply IT policies, profiles and software configurations using drag and drop functionality.

    Feature: User list
    Description: In the user list, each row is a link that you can click to view the properties of the user account. You can sort and reverse sort the information in the user list by clicking any of the column headers. To display user accounts with multiple devices, sort by user.

    Feature: Required fields
    Description: Fields that have a red asterisk (*) beside them are required. You must submit a value in all required fields to complete a task. Default values, which you can customize, are often displayed in the fields.

    Feature: Available settings
    Description: In the Available Settings pane, you can view the number of users that are assigned to an IT policy, profile, or software configuration. The value shown represents the number of unique users that are assigned to a particular policy, profile, or software configuration. The user is not counted twice if they are assigned directly and by group assignment.

    Feature: Online help
    Description: Click the Help link in the upper-right corner of the screen to access online help. The online help is updated regularly to provide the most recent information.


    Log in to the Administration Console

    To open the Administration Console, you can use a browser on any computer that has access to the computer that hosts the Administration Console. When you install the Universal Device Service, you specify the login information that you use to log in to the Administration Console for the first time.

    1. In the browser, type https://:, where is the fully qualified domain name of the computer that hosts the Administration Console. The default port for the Administration Console is port 8443.

    2. In the User name field, type your username.

    3. In the Password field, type your password.

    4. Click Log in.


    Creating administrator accounts

    You can create administrator accounts to allow administrators in your organization to create and manage user accounts and devices associated with those user accounts. When you create an administrator account, you assign the account one or more administrator roles. Administrator roles define what information administrators can view and the tasks they can perform in the Administration Console.

    Create an administrator account

    Before you begin: If you have configured Microsoft Active Directory settings for the Universal Device Service, you can add a user account directly from Microsoft Active Directory. If you have not configured these settings, you can create an administrator account in your local directory.

    1. In the left pane, click the + icon.

    2. Select User.

    3. In the Add a user window, perform one of the following tasks:

    Option: Add an administrator account from Microsoft Active Directory
    Step:
        1. Select the Directory tab.
        2. Search for an administrator account.
        3. In the Name drop-down list, select the administrator account.
        4. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.
        5. To specify if this administrator will be using a corporate or personal device, in the Device ownership drop-down list, select an option.
        6. Select Administrator account.
        7. In the Administrator role drop-down list, select a role for the administrator.

    Option: Create an administrator account in your local directory
    Step:
        1. Select the Local tab.
        2. Specify the administrator details.
        3. If you want to add the administrator account to a group, in the Group membership drop-down list, select a group.
        4. To specify if this administrator will be using a corporate or personal device, in the Device ownership drop-down list, select an option.
        5. Select Administrator account.
        6. Type a password.
        7. In the Administrator role drop-down list, select a role for the administrator.

    4. To specify device activation settings for this administrator account, in the Device Activation settings section, select Set device activation.

    5. Specify an activation password for the administrator account and when the password expires.
       The administrator will require this user name and password to activate their device.

    6. To specify a maximum number of activation attempts the administrator is allowed to make before their device is locked, in the Maximum number of activations per device field, type a value.

    7. To specify a maximum number of devices the administrator is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value.

    8. To specify a supported platform for the device, in the Platform field, select one or more platforms.

    9. To specify a supported platform version for the device, in the Versions field, select one or more platforms.

    10. To send an email message that contains the information that the user requires to activate their device, select Send activation email.

    11. If you are using custom variables, click on the arrow beside Custom Variables and fill in the fields.

    12. Do one of the following:

        • To save this administrator account and create another, click Save & New.
        • To save this administrator account, click Save.

    Administrative roles and permissions

    When you create administrator accounts, you assign roles to the accounts so that you can control who can perform tasks in the Universal Device Service.

    Each role has a set of associated permissions. Permissions specify the information that administrators can view and the tasks that they can perform using the Administration Console. Each action that you perform in the Administration Console is associated with a specific permission.

    Administrator permissions

    Each role contains multiple permissions that are turned on. The roles make sure that administrators who do not have specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk administrator roles.

    Permission | Security role | Enterprise role | Senior Helpdesk role | Junior Helpdesk role

    Create a group
    Delete a group
    View a group
    Edit a group
    Create a user
    Delete a user
    View a user
    Edit a user
    Assign an administrative role
    View a device
    Edit a device
    Specify device ownership
    Specify an activation password
    Generate an activation email
    View device activation settings
    Edit device activation settings
    Create an IT policy
    Delete an IT policy
    View an IT policy
    Edit an IT policy
    Assign an IT policy or a profile to a user
    Create a software configuration
    View a software configuration
    Edit a software configuration
    Delete a software configuration
    Create an application
    View an application
    Edit an application
    Delete an application
    Assign a software configuration to a user
    Delete all device data and remove device
    Delete only the organization data and remove device


    Creating and managing user accounts

    You can create user accounts and manage user accounts and their associated devices.

    You can manage user accounts by adding user accounts to a group so that the properties of the group are assigned to the user accounts automatically. A group can contain user accounts that you want to manage collectively. Options that you configure at the user level take priority over options that you configure at the group level. You can also assign an IT policy to a user account to control the actions users can perform using their devices.

    Add a user account

    Before you begin:

    • If you have configured Microsoft Active Directory settings for the Universal Device Service, you can add a user account directly from Microsoft Active Directory. If you have not configured these settings, you can create a user account in your local directory.
    • Edit the template for the activation email that you send to users when you add them to the Universal Device Service. You can send the activation email when you add the user, or at any time after adding a user.

    1. In the left pane, click the + icon.

    2. Select User.

    3. In the Add a user window, perform one of the following tasks:

    Option: Add a user account from Microsoft Active Directory
    Step:
        1. Select the Directory tab.
        2. Search for a user account.
        3. In the Name drop-down list, select the user account.
        4. If you want to add the user account to a group, in the Group membership drop-down list, select a group.
        5. To specify if this user will be using a corporate or personal device, in the Device ownership drop-down list, select an option.
        6. Leave the Administrator account check box blank.

    Option: Create a user account in your local directory
    Step:
        1. Select the Local tab.
        2. Specify the user details.
        3. If you want to add the user account to a group, in the Group membership drop-down list, select a group.
        4. To specify if this user will be using a corporate or personal device, in the Device ownership drop-down list, select an option.
        5. Leave the Administrator account check box blank.

    4. To specify device activation settings for this user account, in the Device Activation settings section, select Set device activation.

    5. Specify an activation password for the user account.

    6. To specify when the activation password expires, select a time and date in the Activation expiry (date) and Activation expiry (time) fields.
       The user will require this user name and password to activate their device.

    7. To specify a maximum number of activation attempts the user is allowed to make before their device is locked, in the Maximum number of activations per device field, type a value.

    8. To specify a maximum number of devices the user is allowed to have associated with this user account, in the Maximum number of devices to activate field, type a value.

    9. To specify a supported platform for the device, in the Platform field, select one or more platforms.

    10. To specify a supported platform version for the device, in the Versions field, select one or more platforms.

    11. To send an email message that contains the information that the user requires to activate their device, select Send activation email.

    12. If you are using custom variables, click on the arrow beside Custom Variables and fill in the fields.

    13. Do one of the following:

        • To save this user account and create another, click Save & New.
        • To save this user, click Save.

    View a user account

    You can view information about a user account by accessing the user account in the Universal Device Service. For example, you can view the following information:

    • User information such as email address and display name
    • Smartphone model number or tablet model number, operating system, wireless service provider, phone number, software version, and current state
    • Assigned IT policies, profiles, and software configurations
    • Groups the user account is assigned to

    1. Search for a user account.

    2. In the search results, click the name of a user account.


    Edit user account information

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. Click the edit icon.

    4. Edit the user account information.

    5. Click Save.

    Change the user's device activation password

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. Click Device activation settings.

    4. In the Device activations settings window, click Set device activation.

    5. Select either Use directory password or Specify activation password.

    6. If you selected Specify activation password, in the Activation password field, type an activation password.

    7. To specify when the activation password expires, select a time and date in the Activation expiry (date) and Activation expiry (time) fields.

    8. To send an email message that contains the activation password and a link to activate the device that you assigned to a user account, select Send activation email.

    9. Click Save.

    Delete a user account

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. Click the delete icon.

    4. Click Delete.


    Understanding and installing APNs certificates

    About APNs

    You must use the APNs to manage iOS devices in MDM domains. The Universal Device Service requires the APNs to manage iOS devices and send push notifications to iOS devices. When the Universal Device Service needs to send information to an iOS device, it sends a notification to the APNs. The APNs authenticates the Universal Device Service server and then sends the notification to the iOS device. The iOS device receives the notification from the APNs and retrieves the information from the Universal Device Service.

    To use APNs, your organization must obtain an APNs certificate for each Universal Device Service deployment. For example, if your organization includes a production deployment and a testing deployment, you need two APNs certificates.

    You must obtain the APNs certificate through the Universal Device Service interface.

    When you renew the APNs certificate, you must use the same Apple ID that you used when the certificate was created.

    The Google Chrome browser and Safari browser provide optimal support for displaying functionality.

    CAUTION: You must renew the APNs certificate before it expires (each certificate expires after one year). If the certificate expires, or if you insert a new APNs certificate instead of renewing the old one, iOS devices do not receive MDM commands, and users must reactivate their devices.

    Determine the status of the APNs certificate

    The APNs certificate status window shows the status of the APNs certificate (Not Installed, Installed, or Expired). If the APNs certificate is installed, the window also shows the certificate's expiry date.

    1. On the Settings tab, on the left menu, click APNs Certificate.

    2. In the APNs certificate status window, click Get APNs Certificate or Renew Certificate. The Get an APNs certificate window appears.

    Request a signed CSR from RIM

    1. In the Step 1 | Request a signed CSR from RIM section, in the Common name field, type a name for the certificate.

    2. In the Company name field, type the name of your organization.

    3. In the Organizational unit field, type the name of the department that you work in.

    4. In the City field, type the name of the city that your organization is located in.

    5. In the State or province field, type the state or province that your organization is located in.

    6. In the Country or region drop-down list, select the country or region your organization is located in.


    7. In the Contact email address field, type the email address for the Universal Device Service administrator for your organization.

    8. Select the I agree to sharing the data with Apple check box.

    9. Click Send Request to RIM. You receive a prompt to download the resulting signed CSR file (.scsr file).

    10. Save the signed CSR file (.scsr file) to your computer.

    Request an APNs certificate from Apple

    1. In the Step 2 | Request an APNs certificate from Apple section, click the link to the Apple Push Certificate Portal. Follow the instructions to obtain an APNs certificate.

    If you want to renew the APNs certificate, ensure that you select Renew in the Apple Push Certificate Portal.

    2. In the Apple Push Certificate Portal, upload the most recent signed CSR file (.scsr file) from Research In Motion when you receive a prompt.

    3. Download the APNs certificate file (.pem file) when you receive a prompt.

    4. Save the .pem file to your computer.

    Upload an APNs certificate

    1. In the Step 3 | Upload an APNs certificate section, browse to the APNs certificate file (.pem file).

    2. In the Private key password field and Confirm password field, type a password for the certificate's private key.

    3. Click Install APNs Certificate to upload the APNs certificate (.pem file).

    4. Download the .pfx file when you receive a prompt.

    5. Whether you want to obtain a new certificate or renew an existing certificate, save the .pfx file to your computer.

    Import the .pfx file into the certificate store

    In the Step 4 | Import the .pfx file into the certificate store section, you can use the Certificate Import Wizard in the Microsoft Management Console to import the .pfx file into the certificate store of the computer that hosts the Console services.

    1. To open the Microsoft Management Console, on the Start menu, select Run.

    2. In the Open field, type mmc. Click OK.

    3. On the File menu, select Add/Remove Snap-in.

    4. In the Add or Remove Snap-ins window, in the Available snap-ins list, select Certificates.

    5. Click Add.

    6. In the Certificates snap-in dialog box, select Computer account.

    7. Click Next.


    8. Select Local computer.

    9. Click Finish.

    10. In the Add or Remove Snap-ins window, click OK.

    11. In the Microsoft Management Console, expand Certificates (Local Computer) > Personal.

    12. Right-click Certificates. Select All Tasks.

    13. Click Import.

    14. In the Certificate Import Wizard, click Next.

    15. Browse to the .pfx file.

    In the file type drop-down list, at the bottom-right of the Open window, select Personal Information Exchange (*.pfx, *.p12) so that .pfx files appear.

    16. Click Next.

    17. Type the password for the certificate.

    18. Click Next.

    19. Select Place all certificates in the following store.

    20. Browse to the Personal certificate store.

    21. Click Next.

    22. Click Finish.

    Change the private key access permissions of the certificate

    1. In the right pane, right-click the certificate you just installed.

    2. Select All Tasks.

    3. Select Manage Private Keys.

    4. In the Permissions window, click Add.

    5. In the Select Users or Groups window, in the Enter the object names to select field, type Authenticated Users.

    6. Click Check Names. Click OK.

    7. In the Permissions window, click Authenticated Users.

    8. Select the check box to allow read permission. Click OK.

    Troubleshooting APNs

    Error message that you receive when you request the signed CSR from RIM

    If you receive an error message when you request a signed CSR from Research In Motion, you should make sure that the Administration Console can communicate with RIM.

    In your browser, navigate to http://www.rim.com. If the website does not open, make sure that the firewall is configured correctly. For more information about firewalls, see the Universal Device Service Installation and Configuration Guide.


    Error message that you receive when you upload an APNs certificate

    You may receive an error message when you upload an APNs certificate to the Universal Device Service if you did not upload the most recent signed CSR file from Research In Motion to the Apple Push Certificate Portal. If you downloaded multiple CSRs from RIM, only the last one that you downloaded is valid.

    I cannot set the access permissions for the certificate's private key

    If you do not see the option to set the access permissions for the certificate's private key, make sure you imported the .pfx file, not the .pem file.

    I cannot activate iOS devices

    If you are unable to activate iOS devices, the APNs certificate may not be correctly installed. Perform one or more of the following actions:

    Make sure that the APNs certificate status window shows that the certificate is installed.

    Make sure that you installed the .pfx file into the certificate store, and not the .pem file.

    Make sure that you set the private key access permissions of the certificate to Authenticated Users.

    Restart Microsoft IIS.
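
    The checks in this troubleshooting list, together with the one-year expiry rule from the CAUTION earlier in this chapter, can also be run from PowerShell on the computer that hosts the Console services. This is an added example, not part of the Universal Device Service or its documentation; the function name, the -Thumbprint and -WarnDays parameters, and the 30-day warning window are assumptions of the example.

```powershell
# Added example (not part of the Universal Device Service). Run it in an elevated
# PowerShell session on the computer that hosts the Console services.
function Test-ApnsCertificate {
    param(
        [string]$Thumbprint,   # optional: check only this certificate (example parameter)
        [int]$WarnDays = 30    # assumed warning window before expiry (example parameter)
    )

    $authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
    $readRight    = [int][System.Security.AccessControl.FileSystemRights]::Read
    $keyDirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # CryptoAPI machine keys
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')              # CNG machine keys
    )

    # "Certificates (Local Computer) > Personal" in the MMC is the LocalMachine\My store.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        $findings = @()
        $readers = @()
        $authUsersCanRead = $false

        # 1. Expiry: an expired certificate stops MDM commands to iOS devices.
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if ($daysLeft -lt 0) {
            $findings += 'Certificate has expired'
        } elseif ($daysLeft -le $WarnDays) {
            $findings += "Certificate expires in $daysLeft day(s)"
        }

        # 2. Private key present: a certificate without one was not imported from the .pfx file.
        if (-not $cert.HasPrivateKey) {
            $findings += 'No private key in the store (the .pem file may have been imported instead of the .pfx file)'
        } else {
            # 3. Locate the key file and read its access control list.
            $keyFile = $null
            $name = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $name = $rsa.Key.UniqueName
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                }
                if ($name) {
                    $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $name } |
                        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
                }
            } catch {
                $findings += "Private key could not be opened: $($_.Exception.Message)"
            }

            if ($keyFile) {
                $acl = Get-Acl -LiteralPath $keyFile
                $sidType = [System.Security.Principal.SecurityIdentifier]
                foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                    if ($rule.AccessControlType -ne 'Allow') { continue }
                    if (([int]$rule.FileSystemRights -band $readRight) -ne $readRight) { continue }
                    $sid = $rule.IdentityReference
                    if ($sid.Value -eq $authUsersSid) { $authUsersCanRead = $true }
                    # Show a readable account name where the SID resolves.
                    try { $readers += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $readers += $sid.Value }
                }
                if (-not $authUsersCanRead) {
                    $findings += 'Authenticated Users does not have read permission on the private key'
                }
            } elseif ($name) {
                $findings += "Private key file '$name' was not found in the machine key folders"
            }
        }

        [pscustomobject]@{
            Subject                   = $cert.Subject
            Thumbprint                = $cert.Thumbprint
            NotAfter                  = $cert.NotAfter
            DaysLeft                  = $daysLeft
            HasPrivateKey             = $cert.HasPrivateKey
            AuthenticatedUsersCanRead = $authUsersCanRead
            KeyReaders                = ($readers | Sort-Object -Unique) -join '; '
            Findings                  = $findings -join '; '
        }
    }
}

# Check every certificate in the Personal store of the local computer.
Test-ApnsCertificate | Format-List
```

    The KeyReaders column lists every account that is allowed to read the private key file, which makes it easy to review the effect of the Manage Private Keys step after each renewal.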


    Activating devices

    If you add a user account to the Universal Device Service, and assign the appropriate profiles and software configurations to the user account, you can send an activation email message to the user that contains the information the user needs to activate the device.

    After a user activates the device, the device is associated with the user account in the Universal Device Service so that you can view and manage the device. You can view information about the device such as the device model, software version, and whether the device is jailbroken or rooted. You can use IT administration commands to protect a lost or stolen device, for example, to lock the device, change the password, or delete data.

    During the activation process, a user must provide a username and password. If the user account is associated with a Microsoft Active Directory account, you can ask the user to provide their Microsoft Active Directory username and password, or you can create an activation password.

    If the user account is not associated with a Microsoft Active Directory account, you must create a username and password for the user.

    Sending an activation email message

    When you add a user account to the Universal Device Service you can select the Send activation email check box to automatically send an activation email message to a user. The text in the email message that you send to the user is created using a template that you can customize in the Device Activation Email option in the Settings menu. In the email message, you can advise the user that the user account was created in the Universal Device Service and you can provide the instructions that the user needs to activate the device.

    Activate an iOS device

    Before you begin:

    Create a user account and assign profiles (for example, Wi-Fi profile, email profile, VPN profile, or certificate profile) and software configurations to the user account, if required.

    Send an activation email message to the user.

    You or a user must perform the following actions on the device.

    1. If you used an SSL certificate during installation that is not trusted by default on iOS devices, you or the user needs to perform the following actions. Otherwise, start at step 2.

    a. On the device, open the browser and navigate to your organization's certification authority website. You need to provide the location of the website to your users.

    b. Tap Install CA Certificate.

    c. Tap Install and tap Install Now.

    d. Tap Done.


    2. On the device, install the Mobile Fusion Client. You can download the Mobile Fusion Client from the App Store.

    3. On the device, tap the Mobile Fusion icon to open the application and tap Continue.

    4. If you are prompted to turn on location services, complete the following steps:

    a. Tap Settings.

    b. Make sure Location Services is turned on.

    c. Make sure Mobile Fusion is turned on.

    d. Close Settings.

    5. Read the end user agreement and tap I Agree.

    6. Type your organization's server name and tap Go. Users can find the server name for your organization in the activation email message that you send to them.

    7. Type the username and password and tap Activate My Device. If you created the user account using Microsoft Active Directory, the user types the Microsoft Active Directory username and password. If you created a local user account, the user types the username and password that you created.

    8. Click OK to install the required certificate.

    9. Follow the instructions on the screen to complete the activation.

    10. If you are prompted to enter the password for your email account or the passcode for your device, follow the instructions on the screen.

    After you finish: To verify that the activation process completed successfully, perform one of the following actions:

    On the device, open the Mobile Fusion app and tap About. In the Activated Device section, verify that the device information and the activation time stamp are present.

    In the Universal Device Service console, in the user list, verify that the device is showing in the Model column. It can take up to two minutes for the status to update after the user activates the device.

    Activate an Android device

    Before you begin:

    Create a user account and assign profiles (for example, Wi-Fi profiles or certificate profiles) and software configurations to the user account if required.

    Send an activation email message to the user.

    You or a user must perform the following actions on the device.

    1. On the device, install the Mobile Fusion Client. You or the user can download the Mobile Fusion Client from Google Play.

    2. On the device, tap the Mobile Fusion icon to open the application.

    3. Read the end user agreement and tap I Agree.

    4. Type your organization's server name and tap Next. Users can find the server name for your organization in the activation email message that you send to them.


    5. Type the username and password and tap Activate My Device. If you created the user account using Microsoft Active Directory, type the Microsoft Active Directory username and password. If you created a local user account, type the username and password that you created.

    6. Tap Activate to activate the security policies.

    After you finish: To verify that the activation process completed successfully, perform one of the following actions:

    On the device, open the Mobile Fusion app and tap About. In the Activated Device section, verify that the device information and the activation time stamp are present.

    In the Universal Device Service console, in the user list, verify that the device is showing in the Model column. It can take up to two minutes for the status to update after the user activates the device.


    Managing devices

    The Universal Device Service includes IT administration commands that you can send to devices over the wireless network to protect data on devices. You can view detailed information about individual devices in device reports and view a history of all communication that occurs between devices and the Universal Device Service in the communication logs. If devices are jailbroken or rooted, the Universal Device Service displays an indicator beside the name of the user account that is associated with the jailbroken device or rooted device in the list of user accounts.

    Protecting lost or stolen devices

    The Universal Device Service includes IT administration commands that you can send over the wireless network to help protect your organization's data on a device. If the device supports the commands, you can use them to lock the device, reset device passwords, permanently delete work data, and return the device settings to the default values.

    | IT administration command | Description |
    | --- | --- |
    | Specify device password and lock | For Android devices, this command allows you to create a new password and lock the device. When the user unlocks the device, the device prompts the user to accept or reject the new password. You can use this command if the device is lost or stolen. |
    | Lock device | This command locks a device. When the user unlocks the device, the device prompts the user to type the password, if a password is set for the device. You can use this command if the device is lost or stolen. |
    | Delete only work data | This command deletes the work email account, calendar, contacts, VPN profile, Wi-Fi profile, and certificates, and removes the device from the Universal Device Service. Work apps that are installed on the device are not deleted. You can send this command to a personal device when a user no longer works at your organization and you want to delete work data from the device. The user account is not deleted when you send this command. |
    | Delete all device data | This command deletes all user information and application data that the device stores and removes the device from the Universal Device Service. You can send this command to a device that you want to distribute to another user in your organization, or to a device that is lost and that the user might not recover. You can also specify whether you want to delete or disable a user account from the Universal Device Service after the device deletes all user information and application data. The user account is not deleted when you send this command. |


    Users with multiple devices

    Users can activate multiple devices with the Universal Device Service. If a user activates multiple devices, you can view the list of device models that are associated with the user account in the user list, beside the user account name. To see details about each device, you can click on the user account name and select the tab for a specific device.

    Jailbroken or rooted status

    If a device is jailbroken or rooted, someone ran software or performed an action on the device that allows the user to have root access to the operating system of the device.

    The Universal Device Service is designed to detect if a device is jailbroken or rooted and displays an indicator beside the name of the user account in the list of user accounts.

    If you configure device compliance settings, users can be notified or required to remove jailbreaking software or rooting software from their devices.

    You might have to assist a user when the user removes the jailbreaking software or rooting software from the device or perform an action on the device to restore the device to the default state.

    View and save a device report

    You can view detailed information about each device that is associated with the Universal Device Service by generating a device report.

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. In the Manage Device window, click the View device report icon.

    4. Click File > Save As... to save the device report to a file on the computer, if required.

    View device communication logs

    You can view the device communication logs to find out the history of all communication between a device and the Universal Device Service. Each device has its own communications log.

    1. Search for a user account.

    2. In the search results, click the name of a user account.

    3. In the Manage Device window, click the Device communications icon.


    Using groups to manage similar accounts

    You can manage user and administrator accounts by adding similar accounts to a group based on custom criteria, such as user location, organizational group, or device type.

    You can assign group properties, such as software configurations or IT policies, to manage the accounts. Properties that you assign to a group are assigned to all user accounts in the group. You can create and assign properties to user accounts using the Administration Console.

    If you remove a user account from a group, the account name remains in the global list of user accounts but it does not appear in the group list.

    Create a group

    1. In the left pane, click the + icon.

    2. Select Group.

    3. In the Group name field, type a name for the group.

    4. To add an IT policy, certificate, or profile to the group, in the IT policies and profiles section, click the + icon.

    a. Select an IT policy, certificate, or profile in the drop-down list.

    b. Select the specific IT policy, certificate, or profile in the drop-down list.

    c. Click Apply.

    5. When you are finished specifying the group properties, click Add.

    Change the properties of a group

    After you create a group, you can change the properties for the group. When you add user and administrator accounts to a group, the accounts inherit the properties of the group.

    1. In the left pane, click the name of the group you want to change.

    2. To change the name of the group, click the edit icon, type a new name for the group, and click Save.

    3. To change the properties of the group, click the Settings tab and do the following:

    | Option | Step |
    | --- | --- |
    | Change the IT policies and profiles applied to the group | 1. In the IT policies and profiles section, click the + icon. 2. Select an IT policy, certificate or profile in the drop-down list. 3. Select the specific IT policy, certificate or profile in the drop-down list. 4. Click Apply. |
    | Change the software configurations applied to the group | 1. In the Software configurations section, click the + icon. 2. Select the software configuration in the drop-down list. 3. Click Apply. |
    | Delete a group property | Click the delete icon beside the group property you would like to remove from the group. |

    Assign an account to a group

    A user or administrator account can only be in one group at a time. If you assign an account to a new group, the account is removed from its current group.

    1. In the left pane, click All Users.

    2. Click the selection box beside the names of the accounts you want to add to a group.

    3. Click Assign To Group.

    4. In the New group drop-down list, select a group.

    5. Click Assign.

    Remove an account from a group

    User or administrator accounts that are removed from a group are not deleted.

    1. In the left pane, click the name of a group.

    2. Click the selection box beside the names of the accounts you want to delete from the group.

    3. Click Remove From Group.

    4. Click Remove.

    Active directory group synchronization

    You can use the BlackBerry Directory Sync Tool to synchronize the membership of security groups and distribution groups in Microsoft Active Directory with groups in the Universal Device Service. After you map one-to-one relationships between Microsoft Active Directory groups and Universal Device Service groups, you can start the synchronization process manually, or you can use a task scheduling application to run the synchronization at a set interval.

    When you run a synchronization process using the BlackBerry Directory Sync Tool, it compares the Microsoft Active Directory group to the Universal Device Service group that you mapped it to. If the tool finds any differences in group membership, it assigns user accounts to, or removes user accounts from, the Universal Device Service group until the membership matches the Microsoft Active Directory group.

    The tool can synchronize groups only if the user accounts in Microsoft Active Directory have matching user accounts in the Universal Device Service. If matching user accounts do not exist in the Universal Device Service, you can add the user accounts manually using the Administration Console, or you can enable the provisioning feature so that the tool can add user accounts during the synchronization process.

    Delete a group

    If you delete a group, the user accounts in the group are not deleted.

    1. In the left pane, click the name of the group you want to delete.

    2. Click the delete icon beside the name of the group.

    3. Click Delete.


    Managing IT policies

    IT policy rules permit your organization to control features and behaviors on a device. You can view and edit IT policy rules when you manage IT policies in the Administration Console. If you do not apply an IT policy to a user account or group, the Default IT policy is applied by default. You cannot apply the Default IT policy directly to a user account or group.

    Add an IT policy

    The Default IT policy includes the default settings for IT policy rules. You can edit the Default IT policy but you cannot delete it.

    1. In the IT Policies pane, click the + icon.

    2. Type a name and description for the IT policy.

    3. Configure the appropriate values for the IT policy rules.

    4. Click Add.

    Assign an IT policy to a user account

    When you assign an IT policy to a user account, it replaces the IT policy that is currently applied.

    1. In the Administration Console, search for a user account.

    2. In the search results, click the name of a user account.

    3. In the IT policies and profiles section, click the + icon.

    4. Click IT policy.

    5. In the drop-down list, select the IT policy that you want to assign to the user account.

    6. If no IT policy is applied to the group, click Apply. If an IT policy is already assigned to the group, click Replace.

    Assign an IT policy to a group

    When you assign an IT policy to a group, it replaces the IT policy that is currently applied to the group.

    1. On the menu bar, click Home.

    2. In the left pane, click the name of a group.

    3. On the Settings tab, in the IT policies and profiles section, click the + icon.

    4. Click IT policy.

    5. In the drop-down list, select the IT policy that you want to assign to the group.


    6. If no IT policy is applied to the group, click Apply. If an IT policy is already assigned to the group, click Replace.

    Change an IT policy

    1. In the IT Policies pane, click the IT policy name.

    2. Click the edit icon.

    3. Make changes to the appropriate IT policy rules.

    4. Click Save.

    Delete an IT policy

    When you delete an IT policy, you delete the IT policy from any user accounts that use it and the Default IT policy is applied to the user accounts instead.

    1. In the IT Policies pane, click the IT policy name.

    2. Click the delete icon.

    3. Click Delete.

    Policy groups in the Universal Device Service

    The mobile operating system defines the rules that the device supports. For more information, visit www.apple.com for iOS devices and developer.android.com for Android devices.

    | Policy | OS supported | Description |
    | --- | --- | --- |
    | Browser | iOS 4.0 and later | The IT policy rules in this policy group specify restrictions for the default browser on the device. |
    | Camera and video | iOS 4.0 and later (Hide the default camera application available for Android OS 4.0) | The rules in this policy group specify restrictions for camera features, and if available, video features. |
    | Certificates | iOS 5.0 and later | The rules in this policy group specify whether to allow users to accept untrusted certificates. |
    | Cloud service | iOS 5.0 and later | The rules in this policy group specify restrictions for cloud services. |
    | Connectivity | iOS 4.0 and later (except Disable data service when roaming for iOS 5.0 and later) | The rules in this policy group specify restrictions for network connectivity. |
    | Content | iOS 4.0 and later | The rules in this policy group specify restrictions for content on iOS devices. This includes hiding explicit content and setting the maximum allowed rating for applications, movies, and TV shows. |
    | Encryption | iOS 4.0 and later (Apply encryption rules available for Android OS 3.0 and later) | The rules in this policy group specify whether to encrypt internal device storage, and if available, external device storage. |
    | Online store | iOS 4.0 and later | The rules in this policy group specify restrictions for online stores available on iOS devices. |
    | Phone and messaging | iOS 4.0 and later | The rules in this policy group specify restrictions for the default phone application. |
    | Social | iOS 4.0 and later | The rules in this policy group specify restrictions for social applications. |
    | Storage and backup | iOS 4.0 and later | The rules in this policy group specify restrictions for device backup. |

    IT policy rules in the Password policy group

    | IT policy rules in the Password group | OS supported | Description |
    | --- | --- | --- |
    | Define password properties | iOS 4.0 and later; Android OS 3.0 and later | The Define Password properties specify if a device password requires a minimum number of letters, numbers, special characters, lowercase letters, or uppercase letters. For iOS devices, you can also specify if passwords should avoid repetition and simple patterns. |
    | Delete data and applications from the device after incorrect password attempts | iOS 4.0 and later; Android OS 2.2 and later | For Android devices, this IT policy rule specifies the maximum number of incorrect password attempts before all user information and application data on the device is permanently deleted. |
    | Device password | iOS 4.0 and later; Android OS 2.2 and later | This rule specifies the auto-lock period for Android devices or the lock grace period for iOS devices. |
    | Limit password age | iOS 4.0 and later; Android OS 3.0 and later | This rule specifies when a device password expires and the user must set a new password. |
    | Limit password history | iOS 4.0 and later; Android OS 3.0 and later | This rule specifies the number of previous passwords that the device checks to prevent a user from reusing previous passwords. |
    | Restrict password length | iOS 4.0 and later; Android OS 2.2 and later | This rule specifies the number of characters that are allowed in a device password. You can specify the maximum number of characters, and for Android devices, you can also specify the minimum number of characters. |


    Creating and assigning profiles

    The profiles that you create are available in the Profiles pane. You can use profiles to manage device settings. You can set up and assign profiles to a user account or a group of user accounts.

    Create a SCEP profile

    You can create a SCEP profile to specify the settings that allow devices that support SCEP to obtain certificates from your organization's certification authority using SCEP. SCEP is a protocol that facilitates the roll out of certificates by automating the process of submitting SCEP requests to a SCEP service and issuing certificates to authenticate devices.

    SCEP profiles are not supported on Android devices.

    Before you begin: To configure the Universal Device Service to use a dynamic password obtained from an external SCEP service, set up the external SCEP settings. For information about external SCEP settings, see Configure the external SCEP settings.

    1. In the Profiles pane, click the + icon.

    2. Click SCEP.

    3. In the Profile name field, type a name for the SCEP profile.

    4. In the Key size for certificate generation field, type the key size. The default value is 1024.

    5. In the Subject field, if necessary for your organization's SCEP configuration, type CN=,O=.

    6. If you select External as the SCEP server configuration type, the system uses the information defined in the external SCEP settings.

    7. If you select Defined as the SCEP server configuration type, perform the following actions:

    a. In the CA-IDENT attribute of the SCEP configuration field, type the name of the certification authority.

    b. In the Pre-shared secret type to use in certificate generation drop-down list, if you select Plain text, type the pre-shared secret.

    c. In the Base URL of the SCEP server field, type the URL for the SCEP server.

    8. Click Add.

    Create a certification authority certificate profile

    If you have a certificate with a .cer, .crt, or .der file extension, you can create a certification authority certificate profile.

    1. In the Profiles pane, click the + icon.

    2. Click CA certificate.

    3. In the Certificate name field, type a name for the certification authority certificate profile.


    4. In the Certificate description field, type a description for the certification authority certificate profile.

    5. In the Certificate file field, click Browse to specify the location of the certificate file.

    6. Click Add.

    Create a shared certificate profile

    If you have a certificate with a .pfx file extension and you plan to assign the certificate to multiple user accounts, you can create a shared certificate profile.

    1. In the Profiles pane, click the + icon.

    2. Click Shared certificate.

    3. In the Certificate name field, type a name for the shared certificate profile.

    4. In the Certificate description field, type a description for the shared certificate profile.

    5. In the Password field, type a password for the shared certificate profile.

    6. In the Certificate file field, click Browse to specify the location of the certificate file.

    7. Click Add.

    Create a Microsoft ActiveSync profile

    Before you begin: If you use certificate credentials, create a certification authority certificate profile, shared certificate profile, user certificate profile, or SCEP profile.

    Microsoft ActiveSync profiles are not supported on Android devices.

    1. In the console, in the Profiles pane, click the + icon.

    2. Click Microsoft ActiveSync.

    3. In the Profile name field, type the profile name.

    4. In the Credentials drop-down list, perform one of the following actions:

    If you select Certificate as the authentication type, and Single reference as the type of certificate linking, in the Certificate identifier drop-down list, select a certificate.

    If you select Certificate as the authentication type, and Variable injection as the type of certificate linking, type the profile name of the certificate profile. For SCEP, type scep-- where is the name of the SCEP profile and is the name of the user who is assigned the SCEP profile.

    5. Type the domain name of the Microsoft ActiveSync server.

    6. Perform one of the following actions:

    If the profile is for one user, type the email address for the user in the Email address field.

    If the profile is for multiple users, in the Email address field, type %UserEmailAddress%.

    7. Type the host name or IP address for the Microsoft ActiveSync server.

    8. Perform one of the following actions:


    10. If you select Personal as the security type, perform the following actions:

    a. In the Password field, type the password.

    b. In the Security type of the personal Wi-Fi profile drop-down list, select the security type.

    c. Click Add to create the profile.

    11. If you select Enterprise as the security type, in the Security type of the enterprise Wi-Fi profile drop-down list, select the security type.

    12. On the Protocols tab, select the protocols that apply to your network.

    13. On the Authentication tab, perform the following actions:

    a. If required, in the Identification for TTLS, PEAP and EAP-FAST field, type the appropriate identifier.

    b. If your organization requires that users provide a username and password to access the Wi-Fi network, in the User name field, type %UserName%.

    c. If you select Certificate as the authentication type, and Single reference as the type of certificate linking, in the Certificate identifier drop-down list, select a certificate.

    d. If you select Certificate as the authentication type, and Variable injection as the type of certificate linking, type the profile name of the certificate profile. For SCEP, type scep-- where is the name of the SCEP profile and is the name of the user who is assigned the SCEP profile.

    14. On the Trust tab, perform the following actions:

    a. To specify an expected certificate common name, click the + icon next to Certificate common names expected by the authentication server and type the common name.

    b. If you select Single reference as the type of certificate linking, click the + icon next to Trusted certificate identifiers expected for authentication server and select a certificate identifier.

    c. If you select Variable injection as the type of certificate linking, click the + icon next to Trusted certificate names expected for authentication server. Type the profile name of the certificate profile. For SCEP, type the virtual certificate name.

    d. If you want the network to give users the ability to allow exceptions to trust rules, select the Trust user decisions check box.

    15. Click Add.

    Create a VPN profile

    Before you begin: If you use certificate authentication, create a certification authority certificate profile, shared certificate profile, user certificate profile, or SCEP profile and assign it to users.

    VPN profiles are not supported on Android devices.

    1. In the Profiles pane, click the + icon.

    2. Click VPN.

    3. In the Profile name and Description of the VPN profile fields, type the name and description of the profile.

    4. In the VPN profile type drop-down list, select the appropriate type for your organization.

    5. In the Authentication drop-down list, select the type of authentication used by your organization. The available authentication types depend on the profile type that you selected.


    6. Specify the VPN settings for your organization. The required settings depend on the profile type and authentication type that you select. Perform any of the following actions:

    If your organization requires that users provide a username and password to access the VPN gateway, in the User name for authenticating connection field, type %UserName%.

    If you select Credentials as the authentication type, type the password and shared secret and set the appropriate options.

    If you select RSA SecurID as the authentication type, type the shared secret and set the appropriate options.

    If you select Certificate as the authentication type, and Single reference as the type of certificate linking, in the Certificate identifier drop-down list, select a certificate and set the appropriate options.

    If you select Certificate as the authentication type, and Variable injection as the type of certificate linking, in the Certificate name field, type the name of the certificate profile and set the appropriate options. For SCEP, type scep-- where is the name of the SCEP profile and is the name of the user who is assigned the SCEP profile.

    If you select Password as the authentication type, set the appropriate options.

    7. In the Hostname or IP address of VPN server field, type the host name or IP address of the VPN gateway.

    8. In the User name for authenticating connection field, type the user name that the device uses to authenticate with the VPN gateway.

    9. In the Proxy type drop-down list, select the type of proxy configuration that the device uses for VPN connections.

    10. Click Add.

    Assign a profile to a user account

    Before you begin:

    Create a SCEP profile, certification authority certificate profile, shared certificate profile, Microsoft ActiveSync profile, Wi-Fi profile, or VPN profile.

    To assign a SCEP profile to a user account, the device must be able to access the SCEP server.

    1. In the Administration Console, search for a user account.

    2. In the search results, click the name of a user account.

    3. In the IT policies and profiles section, click the + icon.

    4. Click the type of profile that you want to assign.

    5. In the drop-down list, select the profile that you want to assign to the user account.

    6. Click Apply.

    Assign a profile to a group

    Before you begin:

    Create a SCEP profile, certification authority certificate profile, shared certificate profile, Microsoft ActiveSync profile, Wi-Fi profile, or VPN profile.


    To assign a SCEP profile, the device must be able to access the SCEP server.

    1. On the menu bar, click Home.

    2. In the left pane, click the name of a group.

    3. On the Settings tab, in the IT policies and profiles section, click the + icon.

    4. Click the type of profile that you want to assign to the group.

    5. In the drop-down list, select the profile that you want to assign to the group.

    6. Click Apply.

    Use custom variables

    Use custom variables to allow users to define their own attributes, such as passwords, when you apply a profile to the users.

    For example, you can use a custom variable if you want to use the same VPN profile for several users, and have each user create their own password.

    1. Type the VPN password in the field Custom variable 1.

    2. In the Add a VPN profile window, enter %Custom1% in the Password field.

    The VPN profile will work for all users because the password is variable and is automatically filled in with the user's password.


    Managing applications

    You can manage applications on devices by creating a software configuration that includes one or more application definitions, and then assigning the software configuration to a user account or group.

    Create an application definition

    Create an application definition for an application that you want to install on a device. An application definition can include many application sources for one application but only one application for each platform.

    1. On the menu bar, click Library.

    2. In the Application Definitions pane, click the + icon.

    3. Type a definition name and definition description.

    4. In the Applications sources section, click the + icon.

    5. In the Application name field, type the application name.

    6. In the Vendor field, type the name of the application vendor.

    7. In the Application version field, type the version of the application.

    8. In the Platform drop-down list, select a platform.

    9. In the Application icon field, click Browse. Locate and select an icon for the application.

    10. In the Application identifier field, type the identifier.

    11. In the Application Source drop-down list, select the source of the application.

    Note: For iOS only: Do not use an application file (.ipa file) as the application source. Use the application web address as the application source, which is the web address of the application in the App Store.

    12. Do one of the following:

    If you selected Application web address as the application source, type the web address for the application in the Application web address field.

    If you selected Application file (.apk, .ipa) as the application source, type the file name for the application in the Application file (.apk, .ipa) field or click Browse and locate the application file.

    13. Click Add.

    Create a software configuration

    You can create a software configuration that you can assign to user accounts and groups. A software configuration is a collection of application definitions.

    1. On the menu bar, click Library.

    2. In the left pane, click Software Configurations.


    3. In the Software Configurations pane, click the + icon.

    4. In the Software Configuration name field, type the name.

    5. In the Description field, type a description.

    6. Click the + icon to add an application definition to the software configuration.

    7. Select an application definition.

    8. Click Add.

    9. In the Disposition drop-down list, select Mandatory or Optional.

    10. Click Add.

    Assign a software configuration to a user account

    1. In the Administration Console, search for a user account.

    2. In the search results, click the name of a user account.

    3. In the Software configurations section, click the + icon.

    4. In the drop-down list, select the software configuration that you want to assign to the user account.

    5. Click Apply.

    Assign a software configuration to a group

    1. On the menu bar, click Home.

    2. In the left pane, click the name of a group.

    3. On the Settings tab, in the Software configurations section, click the + icon.

    4. In the drop-down list, select the software configuration that you want to assign to the group.

    5. Click Apply.


    Managing the Universal Device Service settings

    Configure SMTP server settings

    Configure SMTP settings to specify the server name or IP address that the Universal Device Service uses to send the device activation email from.

    1. On the menu bar, click Settings > SMTP server.

    2. In the Server name or IP address field, type the server name or IP address that the Universal Device Service uses to send the device activation email from.

    3. In the Port number field, type the port number.

    4. In the Authentication type drop-down list, perform one of the following actions:

    Select Credentials to use username and password credentials. Type the username and password. In the Handshake type drop-down list, select a type of handshake.

    Select None.

    5. If the server or URL uses SSL, select the SSL check box and in the SSL type drop-down list, select an SSL type.

    6. Click Save.

    Configure the default settings to activate a device

    You can configure the default settings that are displayed in the Add a user window. You can configure default settings for the number and types of devices that users can activate, and the login information that they use to activate the devices. If necessary, you can change the default settings when you add a user account to the Universal Device Service.

    1. On the menu bar, click Settings > Device Activation Defaults.

    2. In the Device ownership drop-down list, perform one of the following actions:

    Select Personal if users typically activate personal devices.

    Select Corporate if users typically activate devices that belong to your organization.

    Select Not specified if some users activate personal devices and some users activate devices that belong to your organization.

    3. In the Activation password drop-down list, complete one of the following actions:

    Select Use directory password if you want the user's Microsoft Active Directory password to be the default activation password.

    Select Specify activation password if you want a one-time password that you specify to be the default activation password.

    4. In the Activation expiry fields, select the default date and time by which the user must activate a device.


    5. In the Maximum number of activations per device field, change the value to be the number of times that a user can activate a device.

    6. In the Maximum number of devices to activate field, change the value to be the total number of devices that a user can activate.

    7. In the Platform and Version drop-down lists, select one or more platforms and one or more operating systems. Select All if you do not want to restrict the platform or version of the device that a user can activate.

    8. Click Save.

    Update the template for the activation email message

    You need to update the template for the activation email message that you send to users when you add a user account to the Universal Device Service. You can send the activation email message when you add a user account, or anytime after you add a user account to the Universal Device Service.

    1. On the menu bar, click Settings > Device Activation Email.

    2. In the From email address field, type the email address that you want to send the email message from. You might want to use an email address that does not accept replies.

    3. In the Subject field, update the default text, if required.

    4. In the Message field, update the default text to meet your requirements. You can use any of the following variables in the body text:

    %DisplayName%

    %UserEmailAddress%

    %UserName%

    %ActivationExpirationStart%

    %ActivationExpirationFinish%

    %ActivationPassword%

    5. In step 3 of the default text, replace with the publicly accessible DNS name of the computer that hosts the Communication Module. If you configured a custom port for the Communication Module (such as hostname.domain.com:port), include the port number.

    6. In step 4 of the default text, include information about the activation password. The password might be the user's Microsoft Active Directory password, or a password that you create. If you create the password, you can insert the %ActivationPassword% variable in the email message to provide the password, or you can send the password to the user separately.

    7. Click Save.
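
    The %Variable% placeholders listed for the activation email message, and the %Custom1% variable used for the shared VPN profile under Use custom variables, can be checked against user records before a template is saved. The following Python example is added here and is not code from the Universal Device Service; the single-pass substitution model, the finding names, the sample users and the template strings are assumptions constructed for illustration.

```python
import re

# Variable names that appear in this guide. The substitution model below is an
# assumption made for illustration; it is not the Universal Device Service's code.
KNOWN_VARIABLES = frozenset({
    "DisplayName", "UserEmailAddress", "UserName",
    "ActivationExpirationStart", "ActivationExpirationFinish",
    "ActivationPassword", "Custom1",
})
VARIABLE_RE = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")


def render(template, user, secret_variables=("ActivationPassword",)):
    """Expand %Name% variables from one user record in a single pass.

    Returns (text, findings); each finding is a (kind, variable) tuple:
      unknown-variable  the name is not one the guide lists (likely a typo)
      empty-value       the user record has no value, so the field stays unfilled
      secret-in-output  a credential was written into the rendered text
    """
    findings = []

    def substitute(match):
        name = match.group(1)
        if name not in KNOWN_VARIABLES:
            findings.append(("unknown-variable", name))
            return match.group(0)
        value = user.get(name, "")
        if not value:
            findings.append(("empty-value", name))
            return match.group(0)
        if name in secret_variables:
            findings.append(("secret-in-output", name))
        # re.sub does not rescan replaced text, so a value that itself
        # contains %...% is emitted literally instead of being expanded again.
        return value

    return VARIABLE_RE.sub(substitute, template), findings


def audit(template, users, secret_variables=("ActivationPassword",)):
    """Render a template for every user; return {UserName: findings} for users with findings."""
    report = {}
    for user in users:
        _, findings = render(template, user, secret_variables)
        if findings:
            report[user.get("UserName", "?")] = findings
    return report


# Constructed sample data (not taken from the guide or from a real deployment).
USERS = [
    {"UserName": "asmith", "DisplayName": "A. Smith",
     "UserEmailAddress": "asmith@example.com",
     "ActivationExpirationFinish": "2012-04-01 17:00",
     "ActivationPassword": "one-time-7Q", "Custom1": "vpn-pass-asmith"},
    {"UserName": "bjones", "DisplayName": "%ActivationPassword%",
     "UserEmailAddress": "bjones@example.com",
     "ActivationExpirationFinish": "2012-04-01 17:00",
     "ActivationPassword": "one-time-9Z", "Custom1": ""},
]
EMAIL_IN_BAND = ("Hello %DisplayName%, activate before "
                 "%ActivationExpirationFinish% with password %ActivationPassword%.")
EMAIL_OUT_OF_BAND = ("Hello %DisplayName%, activate before %ActivationExpirationFinish%. "
                     "Your password is sent separately. Sign in as %UserNmae%.")
VPN_PASSWORD_FIELD = "%Custom1%"

if __name__ == "__main__":
    print(audit(EMAIL_IN_BAND, USERS))                            # password sent in the email
    print(audit(EMAIL_OUT_OF_BAND, USERS))                        # misspelled variable name
    print(audit(VPN_PASSWORD_FIELD, USERS, secret_variables=()))  # users with no Custom1 value
```

    A secret-in-output finding on the email template means the activation password travels in the same message as the activation instructions; the alternative given in step 6 is to send the password to the user separately.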

    Configure the Microsoft Active Directory settings

    You can change the settings for the Microsoft Active Directory server that the Universal Device Service uses to add user accounts and to authenticate users when they activate devices with the Universal Device Service. You can change the interval for how often the Microsoft Active Directory server polls the Universal Device Service for user account information.

    1. On the menu bar, click Settings > Microsoft Active Directory.

    2. Type the username and password for the authentication credentials for the Microsoft Active Directory server.

    3. In the Hostname or IP address field, type LDAP:// where is the name of the Microsoft Active Directory server.

    4. In the Polling interval for directory information field, type how often you want the Universal Device Service to poll Microsoft Active Directory for user account information (in seconds).

    Configure the external SCEP settings

    You can configure external SCEP settings so that the Universal Device Service requests a dynamic password from the SCEP service, which it injects into the SCEP profile when it is sent to a device.

    The default service type for the external SCEP is MSCA-NDES.

    1. On the menu bar, click Settings > External SCEP.

    2. In the Domain field, type the domain for the external SCEP service.

    3. Type the username and password for the external SCEP service.

    4. In the URL for generating the challenge secret key of the directory field, type the URL.

    5. In the CA-IDENT attribute field, type the CA-IDENT attribute of the external SCEP service instance.

    6. In the URL for enrollment requests of the directory field, type the URL.

    7. Click Save.

    Configure the push server settings

    You configure the default push server settings that the Universal Device Service uses to connect to the push server so that the Universal Device Service can communicate with devices.

    1. On the menu bar, click Settings > Push Server.

    2. Click the + icon to add a multiplier.

    3. In the Contact delay multiplier field, type the multiplier that the Universal Device Service uses to calculate the contact period. The contact period is the length of time that the system waits to contact devices that stop responding. For example, if the default time period is 60 seconds and the contact delay multiplier is two, the system tries to contact the device after 120 seconds.

    4. If you want to add more than one Contact delay multiplier, click the + icon and type additional multipliers. For example, if you add three multipliers, two, three, and four, then the system waits 120, 180, and 240 seconds for each subsequent attempt to contact the device.

    5. Click Save.


    Add a Universal Device Service CAL key

    Universal Device Service Client Access License keys control how many devices the Universal Device Service supports. If you exceed the number of devices that is supported by your organization's Universal Device Service CAL keys and a user tries to activate another device, the device cannot activate. You can refer to the server log to find out why the device did not activate. The