BlackBerry Work email notification

: This service allows users to look up other users by first name, last name, and associated photo or avatar from the company directory.

BlackBerry Follow-Me: This feature supports the BlackBerry Dynamics Launcher BlackBerry Work

A hybrid modern authentication environment (for example, on-premises Microsoft Exchange Server and Microsoft Office 365) allows the on-premises Microsoft Exchange Server to use a more secure user authentication and authorization by consuming OAuth access tokens obtained from the cloud. For more information on how to configure an on-premises Microsoft Exchange Server

Verify that you have the following information and completed the appropriate tasks.

If you have a hybrid Microsoft Office 365 and on-premises Microsoft Exchange Server environment, and you enable Modern Authentication, make sure that the on-premises Microsoft Exchange Server is configured to use hybrid modern authentication. For more information, see How to configure Exchange Server on-premises to use Hybrid Modern Authentication. If the Microsoft Exchange Server is not configured appropriately, users won't receive email notifications.

In a Microsoft Office 365 environment, if you plan to enable modern authentication, verify that you completed the following:

If you enable modern authentication using client-certificate authentication, do one of the following:

If you have configured conditional access for your organization, make sure that the BlackBerry Connectivity Node is installed and configured in your environment.

Configure email notifications for BlackBerry Work

In an on-premises Microsoft Exchange environment, make sure that the Microsoft Exchange Server is updated to support TLS 1.2 or push notifications will fail. Weaker cipher suites such as TLSv1 or TLS 1.0 are disabled by default. Disabling the cipher suites provides enhanced security.

If you use Passive Authentication, verify that you have the App ID for BEMS using credential authentication.

If you use SSL for SCP lookup, verify that you exported the Microsoft Active Directory SSL certificate.

In the management console, click Settings > BlackBerry Dynamics > Email notifications.

In the Authentication type section, select an authentication type based on your environment and complete the associated tasks to allow to communicate with the Microsoft Exchange Server or Microsoft Office 365.

Authentication type: Credential

Description: This option uses a defined username and password to authenticate to the Microsoft Exchange Server or Microsoft Office 365 using Basic Authentication.

In the Service account username field, enter the username of the service account. For Microsoft Office 365, enter the service account's User Principal Name (UPN). For on-premises Microsoft Exchange Server, use the format <

In the Service account password field, enter the password for the service account.

Authentication type: Client Certificate

Description: This option uses a client certificate to allow the service account to authenticate to the Microsoft Exchange Server or Microsoft Office 365.

Beside the Certificate file (.pfx) field, click . Navigate to and select the client certificate file.

field, enter the password for the client certificate.

Authentication type: Passive authentication

Description: This option uses an identity provider (IDP) to authenticate the user and provide with OAuth tokens to authenticate to Microsoft Office 365. In a hybrid environment, authenticates to on-premises Microsoft Exchange Server

In the Authentication Authority field, enter the Authentication Server URL that accesses and retrieves the OAuth token for authentication with Microsoft Office 365 (for example, https://login.microsoftonline.com/common).

In the Client Application ID field, enter the app ID for the credential authentication. For instructions, see the App ID for BEMS using credential authentication.

In the Server Name field, enter the FQDN of the Microsoft Office 365 server. By default, the server name is https://outlook.office365.com.

The Redirect URI field displays the URL that the IDP redirects the administrator to when the client app ID is authorized and the authentication tokens are provided. This field is prepopulated with the partition information and can't be modified.

Enter the credentials for the service account.

to acknowledge that the authentication tokens were obtained.

Cloud doesn't automatically refresh the OAuth tokens. Repeat steps e to g to refresh the OAuth tokens. The token expiration time depends on your tenant policy (by default, the token expiration is 90 days). When the OAuth tokens expire, email notifications on the users' devices stop. The OAuth token expiration is displayed after you log in to the IDP.

Microsoft Exchange Server on-premises must be configured to use hybrid modern authentication.

If you connect to a Microsoft Office 365 environment, do the following to enable modern authentication:

Select the Enable Modern Authentication check box.

In the Authentication authority field, enter the Authentication Server URL that accesses to retrieve the OAuth token for authentication with Microsoft Office 365 (for example, https://login.microsoftonline.com/tenantname or https://login.microsoftonline.com/

In the Client application ID field, enter one of the following app IDs depending on the authentication type you selected. Do one of the following to obtain an

In the Server name field, enter the FQDN of the Microsoft Office 365 server (for example, https://outlook.office365.com).

Optionally, select the Use credentials if modern authentication fails check box to allow to communicate with Microsoft Office 365 in the event that can't access the modern authentication source. When you select this check box, you must provide the service account credentials.

When you configure modern authentication, all nodes use the specified configuration.

In the Service account username field, enter the username that is used to log in to the Microsoft Exchange Server or Microsoft Office 365 server. The username must be in one of the following formats:

If your environment uses an on-premises Microsoft Exchange Server

If your environment uses Microsoft Office 365

In the Service account password field, enter the password for the service account username you provided.

Optionally, in the Autodiscover URL override field, enter the Autodiscover URL to allow to obtain user information from the Microsoft Exchange Server or Microsoft Office 365 server when it discovers users for BlackBerry Push Notifications. If you don't enter a URL, uses Autodiscover to locate the Microsoft Exchange Server or Microsoft Office 365 server to obtain user information.

Select the Allow HTTP redirection and DNS SRV record check box to allow HTTP Redirection and DNS SRV lookups for retrieving the Autodiscover URL when discovering users for BlackBerry Push Notifications. By default, this feature is enabled.

Select the Use BlackBerry Connectivity Node route Cloud to connect to the Microsoft Exchange Server or Microsoft Office 365 using the corporate network rather than using a direct connection from the BlackBerry Cloud infrastructure. This setting requires that the BlackBerry Connectivity Node is installed and configured in your environment. If your environment uses conditional access, make sure that this option is selected.

If your environment uses an internal URL to access and communicate with an on-premises Microsoft Exchange Server, select the Use internal Exchange Web Services URL check box. This setting requires that the "Use BlackBerry Connectivity Node route" setting is enabled. This option is not available if modern authentication is enabled.

Optionally, select the Enable SCP Lookup check box to query Microsoft Active Directory using LDAP and locate Autodiscover endpoint URLs. This setting is valid only if the "Credential" authentication is selected and a BlackBerry Connectivity Node is installed and configured in your environment. This option is not available when the "Autodiscover URL override" is specified.

Select the Enable SSL for SCP check box. This allows to communicate with the Microsoft Active Directory using SSL. This setting requires that the "Enable SCP Lookup" is selected. If you enable this feature, you must add the Microsoft Active Directory SSL certificate to the

If you enabled Enable SCP Lookup, or Enable SCP Lookup and Enable SSL for SCP, specify the Domain Controllers for SCP to configure LDAP over SCP. If you have multiple domain controllers, separate the domain controllers using commas (for example, domaincontroller1.example.com,domaincontroller2.example.com, and so forth).

Optionally, in the User email address field, enter an email address to test the connection to the Microsoft Exchange Server or Microsoft Office 365 server. Click Test connection. If the test fails, resolve the issues that are identified and try the test again. You can delete the email address after you complete the test.
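As an added example (not BlackBerry code), the dependencies between the settings described in the steps above can be checked on a planned configuration before it is entered in the console. The dictionary keys, the 14-day expiry warning window and the sample values are assumptions made for this illustration.

```python
from datetime import date

def check_settings(cfg, today=None, warn_days=14):
    """Return rule violations; cfg keys are hypothetical names for the console fields."""
    today = today or date.today()
    bcn_route, scp = cfg.get("use_bcn_route"), cfg.get("enable_scp_lookup")
    problems = []

    def need(ok, message):
        if not ok:
            problems.append(message)

    if cfg.get("conditional_access"):
        need(bcn_route, "conditional access: select 'Use BlackBerry Connectivity Node route'")
    if bcn_route:
        need(cfg.get("bcn_installed"), "BCN route: BlackBerry Connectivity Node not installed")
    if cfg.get("use_internal_ews_url"):
        need(bcn_route, "internal EWS URL: requires 'Use BlackBerry Connectivity Node route'")
        need(not cfg.get("modern_auth"), "internal EWS URL: not available with modern authentication")
    if cfg.get("fallback_to_credentials"):
        need(cfg.get("service_account_username") and cfg.get("service_account_password"),
             "credential fallback: service account credentials are required")
    if scp:
        need(cfg.get("auth_type") == "credential", "SCP lookup: valid only with Credential authentication")
        need(cfg.get("bcn_installed"), "SCP lookup: BlackBerry Connectivity Node not installed")
        need(not cfg.get("autodiscover_url_override"), "SCP lookup: not available with Autodiscover URL override")
        names = [n.strip() for n in cfg.get("scp_domain_controllers", "").split(",")]
        need(all(n and " " not in n for n in names), "SCP lookup: empty or malformed domain controller entry")
    if cfg.get("enable_ssl_for_scp"):
        need(scp, "SSL for SCP: requires 'Enable SCP Lookup'")
        need(cfg.get("ad_ssl_cert_exported"), "SSL for SCP: export the Active Directory SSL certificate first")
    expiry = cfg.get("oauth_token_expiry")  # date shown by the IDP after login
    if cfg.get("auth_type") == "passive" and expiry is not None:
        need((expiry - today).days > warn_days, f"passive auth: OAuth tokens expire {expiry}; refresh manually")
    return problems

# Constructed sample inputs (not taken from the page).
BAD = {"auth_type": "passive", "modern_auth": True, "conditional_access": True,
       "use_internal_ews_url": True, "enable_scp_lookup": True, "enable_ssl_for_scp": True,
       "autodiscover_url_override": "https://autodiscover.example.com/autodiscover/autodiscover.svc",
       "scp_domain_controllers": "domaincontroller1.example.com,,domaincontroller2.example.com",
       "oauth_token_expiry": date(2024, 6, 10)}
GOOD = {"auth_type": "credential", "use_bcn_route": True, "bcn_installed": True,
        "conditional_access": True, "use_internal_ews_url": True,
        "enable_scp_lookup": True, "enable_ssl_for_scp": True, "ad_ssl_cert_exported": True,
        "scp_domain_controllers": "domaincontroller1.example.com, domaincontroller2.example.com"}

if __name__ == "__main__":
    print("\n".join(check_settings(BAD, today=date(2024, 6, 1))) or "no problems")
```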

Test the connection to the on-premises Microsoft Exchange Server or Microsoft Office 365 server and Autodiscover.

Refresh or reopen the Email notifications screen.

Click Test connection.

Make sure that the connection test is successful before provisioning devices to avoid any Autodiscover issues. If devices are activated prior to configuring the email notification service, have users log out of BlackBerry Work and then log in. If the test returns an error message, complete the tasks to resolve the issue and test the connection again.

Assign the BlackBerry Cloud Enterprise Services (com.blackberry.gdservice-entitlement.cloud) entitlement to users to receive email notifications for