
BlackBerry UEM
Administration
Windows 10 Planning and Deployment

2019-08-17Z

Contents

Introduction to Windows 10 deployment with BlackBerry UEM  5
  Key features for Windows 10 devices in UEM  5
  Checklist for managing devices with UEM only  8
  Checklist for managing devices with UEM and SCCM  9
Enrolling Windows 10 devices with BlackBerry UEM  10
  Enrolling a device to be managed with BlackBerry UEM  10
  Create an activation profile for Windows 10 devices  10
  Simplifying Windows 10 activations  11
  Activate a Windows 10 device  14
  Install a certificate to activate a Windows 10 device with Windows Autopilot  15
  Enrolling an unmanaged device with BlackBerry Access for Windows  16
Setting up UEM policies and profiles to manage Windows 10 devices  17
  Import SCCM group policies to UEM  17
  Restricting or allowing device capabilities  17
  Setting device password requirements  18
  How BlackBerry UEM chooses which IT policy to assign  18
  Creating and managing IT policies  18
    Create an IT policy  18
    Copy an IT policy  18
    Rank IT policies  19
    View an IT policy  19
    Change an IT policy  19
    Remove an IT policy from user accounts or user groups  19
    Delete an IT policy  20
    Export IT policies  20
  Sending certificates to devices using profiles  20
    Choosing profiles to send client certificates to devices  21
    Sending CA certificates to devices  21
    Using SCEP to send client certificates to devices  22
  Setting up work email for devices  23
    Create an email profile  23
    Create an IMAP/POP3 email profile  24
    Using Exchange Gatekeeping  24
      Allow a device to access Microsoft ActiveSync  24
      Block a device from accessing Microsoft ActiveSync  25
      Verifying that a device is allowed to access work email and organizer data  25
      Creating a gatekeeping profile  25
  Setting up work VPNs for devices  26
    Create a VPN profile  26
    Enabling per-app VPN  27
  Setting up work Wi-Fi networks for devices  27
    Create a Wi-Fi profile  27
  Enforcing compliance rules for devices  28
    Create a compliance profile  28
    Windows: Compliance profile settings  28
  Setting up Windows Information Protection for Windows 10 devices  31
    Create a Windows Information Protection profile  31
    Windows 10: Windows Information Protection profile settings  32
Managing Windows 10 devices that are enrolled in UEM and SCCM  36
  Configuring policies in SCCM  36
Configuring UEM to manage apps for Windows 10 devices  38
  Connecting BlackBerry UEM to Microsoft Azure  38
    Create a Microsoft Azure account  39
    Synchronize Microsoft Active Directory with Microsoft Azure  39
    Create an enterprise endpoint in Azure  39
    Configuring BlackBerry UEM to synchronize with the Windows Store for Business  40
  Specify the shared network location for storing internal apps  42
  Add a Windows 10 app to the app list  43
  Allowing users to install online Windows 10 apps  43
  Add an app category for a Windows 10 app  43
  App behavior on Windows 10 devices  44
  Setting up network connections for BlackBerry Dynamics apps  45
    Create a BlackBerry Dynamics connectivity profile  45
    Add an app server to a BlackBerry Dynamics connectivity profile  45
    BlackBerry Dynamics connectivity profile settings  46
Remote management for Windows 10 devices  48
  Sending commands to users and devices  48
    Send a command to a device  48
    Send a bulk command  48
    Set an expiry time for commands  50
    Commands reference  50
  Locate a device  51
  Managing Windows 10 device updates with BlackBerry UEM  52
  Using BlackBerry Intelligent Security  53
  Deactivating devices  54
Related information  55
Legal notice  56

Introduction to Windows 10 deployment with BlackBerry UEM

Organizations across various industries are including Windows 10 tablets and laptops in their mobility strategy planning. Currently, they might use traditional methods such as Microsoft System Center Configuration Manager (SCCM) or other client management tools to manage Windows 10 devices, while iOS and Android smartphones and tablets are managed with another MDM solution. To manage Windows 10, iOS, and Android devices in a unified management console, you can use BlackBerry UEM.

To support Windows 10 devices, BlackBerry UEM provides multiple deployment options and scenarios:

- Specialized Windows 10 devices fully managed by BlackBerry UEM: Administrators can manage Windows 10 devices from the UEM management console after users activate their devices with UEM. Administrators can view and manage activated devices through a unified interface. Users can also use the BlackBerry UEM Self-Service console to perform simple administrative actions (for example, wipe work data, locate a lost device, activate new devices, or generate access keys for BlackBerry Dynamics apps). When devices are activated with UEM, you can also easily deploy apps from the app store or enterprise apps (for example, BlackBerry Access, BBM Enterprise, and BlackBerry Workspaces) to users from the UEM management console.
- Corporate Windows 10 devices managed by BlackBerry UEM and Microsoft SCCM (in coexistence): Administrators can use either BlackBerry UEM or Microsoft SCCM exclusively to manage Windows 10 devices in their organization, or they can adopt the Windows 10 management features of BlackBerry UEM together with the group policies of SCCM. UEM and SCCM can co-exist: devices can be enrolled and managed by both solutions simultaneously.
- Unmanaged devices (for personal devices, contractors, or external parties): If you don't want to manage Windows 10 devices but still want users to access your organization's intranet and work email, users can install BlackBerry Access for Windows and activate it using a BlackBerry Dynamics access key. Administrators can generate access keys for users from the UEM management console, and if allowed, users can generate them from the BlackBerry UEM Self-Service console. Any device can activate BlackBerry Dynamics apps, even if it is not managed. For more information, see the BlackBerry Access product information and BlackBerry Workspaces product information.

Key features for Windows 10 devices in UEM

The following table highlights the features available to unmanaged devices and managed devices in BlackBerry UEM. You can manage Windows 10 devices, including Windows 10 tablets and computers. Silver licenses are required to activate Windows 10 devices.

Feature: Unmanaged devices (devices that are not managed by UEM)
Description: You can enable secure access to work content even if UEM does not manage the device.
- To enable secure access to the work intranet, email, and contacts, you deploy BlackBerry Access for Windows 10 devices. For more information about BlackBerry Access, see the BlackBerry Access Administration Guide.
- To enable secure file-sharing, you can deploy BlackBerry Workspaces. For more information, see the BlackBerry Workspaces server content.

Introduction to Windows 10 deployment with BlackBerry UEM | 5

Feature: Managed devices (devices that are managed by UEM)
Description: You can deploy Windows 10 devices to be managed with UEM only, or in coexistence with Microsoft System Center Configuration Manager (SCCM). When you use UEM to manage Windows 10 devices, it allows you to:
- Apply IT policies and profiles
- Deploy apps from the Windows Store for Business to the BlackBerry UEM App Catalog
- Configure device update management settings
- Set compliance rules (for example, Windows Health Attestation)

Device features
- Wireless activation
- Customize terms of use agreement
- Client app not required
- View and export device details (for example, hardware details)

Security features
- Separation of work and personal data
- Encryption of work data at rest
- Protection of devices using remote IT commands (for example, lock the device)
- Control device capabilities using IT policies (for example, disable camera)
- Enforce password requirements
- Enforce encryption of internal storage

Sending certificates to devices
- CA certificate profiles
- SCEP profiles

Managing work connections for devices
- BlackBerry Dynamics connectivity profiles
- Exchange ActiveSync email profiles
- IMAP/POP3 email profiles
- Wi-Fi and VPN profiles (with proxy)
- Windows Information Protection profiles

Managing your organization's standards for devices
- Activation profiles
- App lock mode profiles (1)
- BlackBerry Dynamics profiles
- Compliance profiles
- Device profiles
- Enterprise Management Agent profiles

(1) Only for Windows 10 Education and Windows 10 Enterprise devices.

Protecting lost or stolen devices
- Delete all device data
- Delete only work data

Configuring roaming
- Disable data when roaming

Managing apps
- Distribute public apps from storefront (Windows Store)
- Manage work app catalog
- Manage restricted apps (2)
- Distribute internal apps

(2) The restricted app list is not required for Windows 10 devices because only apps that an administrator assigns can be installed in the work space or on devices.

Checklist for managing devices with UEM only

The following checklist is intended for administrators who want to manage Windows 10 devices with BlackBerry UEM only.

1. Configure the latest version of BlackBerry UEM (12.10 or later) or BlackBerry UEM Cloud according to your organization's specifications. For more information, refer to the following:
   - BlackBerry UEM Installation Guide
   - BlackBerry UEM Configuration Guide
   - BlackBerry UEM Cloud Configuration Guide
2. Configure IT policies and profiles for Windows devices. Assign the policies and profiles to the appropriate users and user groups. You must allow Windows devices to be activated in the activation profile. For more information, see Enrolling a device to be managed with BlackBerry UEM.
3. Configure UEM to manage apps for Windows 10 devices. Assign the apps to the appropriate users and user groups.
4. Activate a Windows 10 device.

After activation, you can manage Windows 10 devices in UEM. For example, you can make changes to IT policies and profiles at any time. They will be enforced on the users and user groups that they are assigned to. You can also manage the device remotely (for example, wipe the device), and define when Windows updates are allowed to occur.

Checklist for managing devices with UEM and SCCM

The following checklist is intended for administrators who want to manage Windows 10 devices with both BlackBerry UEM and SCCM.

1. Configure the latest version of BlackBerry UEM (12.10 or later) or BlackBerry UEM Cloud according to your organization's specifications. For more information, refer to the following:
   - BlackBerry UEM Installation Guide
   - BlackBerry UEM Configuration Guide
   - BlackBerry UEM Cloud Configuration Guide
2. Verify that the following requirements are met:
   - Administrators must be running SCCM version build 1710 or later
   - Users must be running Windows 10 build 1709 or later on their devices
3. Using the MDM Migration Analysis Tool (MMAT), determine the policies that can be managed with UEM. SCCM will continue to manage any group policy that does not have an equivalent MDM policy.
   1. Download the MMAT.
   2. Run the tool in the SCCM environment. The result is an output of the list of group policies that are currently in use and the equivalent policy that is available in MDM management. For more information, see the Microsoft CSP reference.
   3. If necessary, use the information generated from the tool to create IT policies and profiles for Windows devices in UEM in the following step.
4. Configure IT policies and profiles for Windows devices. Assign the policies and profiles to the appropriate users and user groups. You must allow Windows devices to be activated in the activation profile. For more information, see Enrolling a device to be managed with BlackBerry UEM.
5. Configure UEM to manage apps for Windows 10 devices. Assign the apps to the appropriate users and user groups.
6. Activate a Windows 10 device.

After activation, you can manage Windows 10 devices in UEM. For example, you can make changes to IT policies and profiles at any time. They will be enforced on the users and user groups that they are assigned to. You can also manage the device remotely (for example, wipe the device), and define when Windows updates are allowed to occur.

For any group policy that is not assigned by an IT policy in UEM, you can continue to manage the policy in SCCM.

Enrolling Windows 10 devices with BlackBerry UEM

In this section you can find information about how to enroll Windows 10 devices.

Enrolling a device to be managed with BlackBerry UEM

Administrators can manage Windows 10 devices with MDM management controls when they are activated with BlackBerry UEM. When a device is managed with UEM, you can use UEM to apply IT policies and profiles, push apps from the Windows Store for Business, configure device update management settings, and set compliance rules.

To enroll devices and manage them with UEM, do the following in the BlackBerry UEM management console:

1. Verify that the activation settings are configured in the BlackBerry UEM console:
   1. Configure default activation settings in BlackBerry UEM.
   2. Set up an email template for activation.
2. Create an activation profile for Windows 10 devices.
3. Set an activation password for the user.
4. Activate the Windows 10 device.

Create an activation profile for Windows 10 devices

Before users can activate a Windows 10 device, an activation profile that allows Windows 10 activations must be assigned to their accounts. You can create or modify an activation profile to allow Windows 10 activations. For more information about using and assigning profiles in UEM, see Using profiles, variables, and email templates.

1. On the menu bar, click Policies and Profiles.
2. Click Policy > Activation.
3. Click the add (+) icon.
4. Type a name and description for the profile.
5. In the Number of devices that a user can activate field, specify the maximum number of devices the user can activate.
6. In the Device ownership drop-down list, select the default setting for device ownership. Perform one of the following actions:
   - If some users activate personal devices and some users activate work devices, select Not specified.
   - If users typically activate work devices, select Work.
   - If users typically activate personal devices, select Personal.

7. Optionally, select an organization notice in the Assign organization notice drop-down list. If you assign an organization notice, users activating Windows 10 devices must accept the notice to complete the activation process.
8. In the Device types that users can activate section, select the device types as required (for example, Windows). Device types that you don't select are not included in the activation profile and users can't activate those devices.
9. On the Windows tab, do the following:
   - In the Allowed device form factor section, select Phone if you want to allow Windows 10 smartphones to be activated, and select Tablet or computer to allow Windows 10 tablets and computers to be activated.
   - In the Device model restrictions drop-down list, select whether to allow or restrict specified devices or to have no restrictions. Click Edit to select the devices you want to restrict or allow and click Save.
   - In the Allowed version drop-down list, select the minimum allowed version.
10. Click Add.

After you finish: If necessary, rank profiles.

Activation types: Windows devices

Activation type: MDM controls
Description: This activation type provides basic device management using device controls made available by Windows 10. A separate work space is not installed on the device, and there is no added security for work data. You can control the device using commands and IT policies. Windows 10 users activate devices through the Windows 10 Work access app.

Simplifying Windows 10 activations

You can simplify the activation of Windows 10 devices with UEM using the following methods:

- Deploy a discovery service: If you use the discovery service, users don't need to type a server address during the activation process. If you choose not to use a discovery service, users can still activate Windows 10 devices but they will be required to type the server address when prompted. A UEM certificate can be installed manually or administrators can deploy the certificate using SCCM. For information about how to deploy the discovery service, see the BlackBerry UEM configuration content.
- Integrate BlackBerry UEM with Azure Active Directory join: When Azure Active Directory join is configured, users can activate their devices using only their Azure Active Directory username and password. A UEM certificate can be installed manually or administrators can deploy the certificate using SCCM. An Azure Active Directory premium license is required.
- Configure Windows Autopilot: When you configure Windows Autopilot, the enrollment is part of the out-of-box setup experience and the device is automatically activated when the user completes it using only their Azure Active Directory username and password. A UEM certificate must be installed manually before the user completes the out-of-box setup. Integration with Azure Active Directory join and an Azure Active Directory premium license are required.

Integrating UEM with Azure Active Directory join

You can integrate BlackBerry UEM with Azure Active Directory join for a simplified enrollment process for Windows 10 devices. When it's configured, users can enroll their devices with UEM using their Azure Active Directory username and password. Azure Active Directory join is also required to support Windows Autopilot,

which allows Windows 10 devices to be automatically activated with UEM during the Windows 10 out-of-the-box setup experience.

To integrate Azure Active Directory join with UEM, you do the following:

1. Use the value of the %ClientlessActivationURL% default variable in UEM to determine the following URLs so that you can integrate UEM with Azure Active Directory join. For example, in the user details screen of a user that uses the default activation email template, you can click View activation email to find the value of %ClientlessActivationURL% in the Windows 10 server name field.
   1. Determine the MDM terms of use URL. The URL is based on the %ClientlessActivationURL% value. For example, if the %ClientlessActivationURL% variable resolves to https://enrol.example.net/S123456789/win/mdm, then use /termsofuse.
   2. Determine the MDM discovery URL. The URL is based on the %ClientlessActivationURL% value. For example, if the %ClientlessActivationURL% variable resolves to https://enrol.example.net/S123456789/win/mdm, then use /discovery.
   3. Determine the App ID URI using only the host name of the %ClientlessActivationURL% default variable. For example, if the %ClientlessActivationURL% variable resolves to https://enrol.example.net/S123456789/win/mdm, then use https://enrol.example.net.
2. Integrate UEM with Azure Active Directory join.

Integrate UEM with Azure Active Directory join

Before you begin: Determine the MDM terms of use URL, MDM discovery URL, and App ID URI. For more information, see Integrating UEM with Azure Active Directory join.

1. Sign in to the Microsoft Azure management portal at https://portal.azure.com.
2. Navigate to Mobility (MDM and MAM).
3. Click Add application.
4. Click On-premise MDM application. Enter a friendly name (for example, BlackBerry UEM).
5. Click Add.
6. Click on the application that you added in the previous step to configure its settings.
7. Specify the user scope, Some or All. If applicable, select the groups.
8. In the MDM terms of use URL field, specify the URL.
9. In the MDM discovery URL field, specify the URL.
10. Click Save.
11. Click On-premises MDM application settings > Properties.

12. In the App ID URI field, specify the URL.
13. Click Save.

Configuring Windows Autopilot in Microsoft Azure

To support Windows Autopilot device activation, you do the following:

1. Integrate UEM with Azure Active Directory join.
2. Create a Windows Autopilot deployment profile in Azure and assign it to user groups in Azure.
3. Import Windows Autopilot devices to Azure.

Create a Windows Autopilot deployment profile in Azure

You must assign a Windows Autopilot deployment profile to the appropriate user groups in Azure to allow users to activate their device using Windows Autopilot.

1. Sign in to the Microsoft Azure management portal at https://portal.azure.com.
2. Navigate to Device enrollment > Windows enrollment > Windows Autopilot deployment profiles.
3. Create a Windows Autopilot deployment profile.
4. Enter a name and description for the profile.
5. Configure the out-of-box experience settings.
6. Assign the profile to the appropriate user groups.
7. Click Save.

Import Windows Autopilot devices to Azure

Complete these steps to import each Windows 10 device that you want to allow to be activated with Windows Autopilot.

1. Turn on the Windows 10 device to load the device out-of-the-box setup.
2. Connect to a Wi-Fi network with an internet connection.
3. On the keyboard, press CTRL+SHIFT+F3 or CTRL+Fn+SHIFT+F3. The device restarts and enters audit mode.
4. Run Windows PowerShell as an administrator.
5. Run Save-Script -Name Get-WindowsAutoPilotInfo -Path C:\Windows\Temp to inspect the Windows PowerShell script.
6. Run Install-Script -Name Get-WindowsAutoPilotInfo to install the script.
7. Run Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Windows\Temp\MyComputer.csv to save the device information to a .csv file.
8. To import the .csv file into Microsoft Azure, perform the following actions:
   a) In the Azure portal, navigate to Device enrollment > Windows enrollment > Windows Autopilot devices.

   b) Click Import.
   c) Select the .csv file.
9. In the System Preparation Tool dialog, do the following:
   a) In the System Cleanup Action field, select Enter System Out-of-Box Experience (OOBE) and deselect Generalize.
   b) In the Shutdown Options field, select Reboot.

Activate a Windows 10 device

You can activate your Windows 10 tablet or computer to associate it with your organization's environment so that you can access work data on your device.

Before you begin: In BlackBerry UEM Self-Service, Create an activation password or QR code. Watch a video tutorial available at /blackberry-uemactivation-videos.

1. To activate your Windows 10 tablet or computer on BlackBerry UEM, you must install a certificate. You can find a link to the certificate in the activation email you received. If you did not receive a link to the certificate, contact your administrator for assistance. Using the Microsoft Outlook app, or using your online email service in the browser, open your Inbox.
2. In your Inbox, tap the activation email message that you received from your administrator.
3. Tap the link to the certificate server.
4. In the certificate download notification, tap Open.
5. Tap Install Certificate.
6.

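The "Import Windows Autopilot devices to Azure" procedure above runs three PowerShell commands on a device in audit mode (save the script so it can be inspected, install it, then write the device identity to a .csv file) before the file is imported into Azure. The script below is an added example, not code from the BlackBerry guide or from Microsoft, that chains those steps and adds the checks an administrator would want before importing: it records the SHA-256 of the saved script so the copy that was reviewed is the copy that runs, and it confirms every CSV row has a serial number and a hardware hash and that the serial matches what the BIOS of the machine reports. It assumes the PowerShell Gallery is reachable, and it assumes the CSV column names "Device Serial Number" and "Hardware Hash"; both the column names and the C:\Windows\Temp paths are taken from the guide's own commands or are assumptions to verify against your output.

```powershell
# Added example (not from the BlackBerry guide). Run in an elevated Windows
# PowerShell session on a device that is in audit mode (guide steps 3 and 4).
# Assumptions: PowerShell Gallery reachable; Get-WindowsAutoPilotInfo writes the
# columns "Device Serial Number" and "Hardware Hash" (verify on your output).

$ScriptName = 'Get-WindowsAutoPilotInfo'
$TempDir    = 'C:\Windows\Temp'
$OutputFile = Join-Path $TempDir 'MyComputer.csv'

# Guide step 5: save a copy first so the script can be read before it is run.
Save-Script -Name $ScriptName -Path $TempDir -Force
$savedScript = Join-Path $TempDir "$ScriptName.ps1"
$hash = (Get-FileHash -Path $savedScript -Algorithm SHA256).Hash
Write-Host "Saved $savedScript (SHA-256 $hash). Review it, then press Enter to continue."
Read-Host | Out-Null

# Guide step 6: install the script from the gallery so it is on the PATH.
Install-Script -Name $ScriptName -Force

# Guide step 7: write serial number, product ID and hardware hash to the .csv file.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $OutputFile

# Pre-import checks: a row without a serial or hash is rejected by Azure or, worse,
# registers the wrong device, so fail here rather than after the upload.
$rows = Import-Csv -Path $OutputFile
if (-not $rows) { throw "No rows were written to $OutputFile" }
foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) {
        throw "A row in $OutputFile has no serial number"
    }
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
        throw "Serial $($row.'Device Serial Number') has no hardware hash; re-run in audit mode"
    }
}

# The file should describe this machine: compare the first row with the BIOS serial.
$biosSerial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$csvSerial  = $rows[0].'Device Serial Number'
if ($csvSerial -ne $biosSerial) {
    Write-Warning "CSV serial '$csvSerial' does not match BIOS serial '$biosSerial'; do not import"
} else {
    Write-Host "CSV ready for import (guide step 8): $OutputFile, serial $csvSerial"
}
```

The pause after Save-Script is deliberate: step 5 of the guide exists so that the script is inspected before Install-Script fetches and trusts it, and recording the file hash at that point gives you something to compare against if the gallery copy changes later.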