Specifications

Purpose: To set up a TLS connection between the BlackBerry Device Service and a device so that the BlackBerry Device Service can activate the device and send management commands to it.
The BlackBerry Device Service setup application creates the server certificate during the installation process.
When a user activates a device, the device generates a key pair and sends the public key to the BlackBerry Device Service
in a CSR. The BlackBerry Device Service creates a client certificate and sends the enterprise management root certificate
and client certificate to the device. The BlackBerry Device Service and device automatically renew the client certificate
when it expires after one year.
The device uses the enterprise management root certificate to verify the server certificate for the Enterprise Management
Web Service. The BlackBerry Device Service and the device use the client certificate to authenticate the user, work space,
and device.
Related information
Data flow: Activating a device over a work Wi-Fi connection or a VPN connection, 31
Data flow: Activating a device over a connection to the BlackBerry Infrastructure, 33
Data flow: Activating a device using the BlackBerry Web Desktop Manager, 36
Using SCEP to enroll client certificates to a device
SCEP is an IETF protocol that simplifies the process of enrolling certificates to a large number of users. Devices can
connect to any SCEP-compliant CA, such as a Microsoft CA. The devices can use SCEP to connect to the CA that your
organization uses and obtain any required client certificates.
You can use SCEP to enroll client certificates to devices so that the devices can connect to a work Wi-Fi network, work VPN
network, or work messaging server using Microsoft ActiveSync. Certificate enrollment starts after a device receives a Wi-Fi
profile, VPN profile, or email profile that has an associated SCEP profile that you configured using the BlackBerry Device
Service. Devices can receive a SCEP profile from the BlackBerry Device Service during the activation process, when you
change a SCEP profile, or when you change another profile that has an associated SCEP profile. After the certificate
enrollment completes, the client certificate and its certificate chain and private key are stored in the work keystore on the
device.
The CA that you use must support challenge passwords. You set the challenge password in the SCEP profile. All devices
that use the SCEP profile use the same challenge password. To help protect this password, the password is not sent to the
devices.
For more information about SCEP, visit www.ietf.org.
Managing certificates that a device enrolls using SCEP
After a device enrolls a certificate using SCEP, the SCEP component monitors the expiry date and revocation status of the
certificate. When the expiry date of a certificate approaches, the SCEP component starts the enrollment process for a new
Security Technical Overview Managing certificates on devices
39
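The following script is an added example and is not BlackBerry's code. It models, with OpenSSL, the certificate flow described in the sections above: the enterprise management root CA, a server certificate for the Enterprise Management Web Service, a device key pair whose CSR carries a SCEP challenge password, the CA-side check of that password, a client certificate with the one-year lifetime the text states, verification of the server certificate by the device and of the client certificate by the service, and the expiry check that would trigger renewal. It models the expiry check but not the revocation-status check. The CA name, device name, host name (ems.example.internal) and the challenge password are constructed values. Because the text says the challenge password is not sent to devices, the script treats the device and the component that holds the SCEP profile as one requesting party and only demonstrates how the CA enforces the password.

```shell
#!/bin/sh
# Added example, not BlackBerry's code. It models with OpenSSL the flow described
# above: an enterprise management root CA, a server certificate for the Enterprise
# Management Web Service, a device key pair whose CSR carries the SCEP challenge
# password, a one-year client certificate, verification on both sides, and the
# expiry check that triggers renewal. All names and the password are constructed.
set -eu

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CHALLENGE="constructed-challenge-password"   # set in the SCEP profile and known to the CA
DAYS=365                                      # client certificate lifetime given in the text
HOST="ems.example.internal"                   # assumed Enterprise Management Web Service host

# OpenSSL request config for CN=$1. An optional $2 becomes the PKCS#9
# challengePassword attribute, which is how a SCEP request carries the password.
req_conf() {
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
  [ -z "${2:-}" ] || printf 'attributes = attrs\n'
  printf '[ dn ]\nCN = %s\n' "$1"
  [ -z "${2:-}" ] || printf '[ attrs ]\nchallengePassword = %s\n' "$2"
}

# Enterprise management root CA (created by the setup application at install time).
make_root_ca() {
  { req_conf "Example Enterprise Management Root"
    printf '[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n'
  } > "$WORK/root.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/root.cnf" \
    -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Server certificate for the Enterprise Management Web Service, issued by the root.
make_server_cert() {
  req_conf "$HOST" > "$WORK/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\n' > "$WORK/server.ext"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$HOST" >> "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -set_serial 1 \
    -days 398 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Requester side: a key pair is generated for device $1 and only the CSR leaves it.
# The challenge password $2 is supplied by whichever component holds the SCEP
# profile (the text says it is not sent to devices); this script models that
# component and the device as one party.
make_enrollment_csr() {
  req_conf "$1" "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# CA side: read the challengePassword attribute out of a CSR.
csr_challenge() {
  openssl req -in "$1" -noout -text | sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:[[:space:]]*//p'
}

# CA side: issue a one-year client certificate only if the challenge password matches.
ca_issue_client_cert() {          # $1 = device name, $2 = serial number
  [ "$(csr_challenge "$WORK/$1.csr")" = "$CHALLENGE" ] ||
    { echo "rejected $1: challenge password mismatch" >&2; return 1; }
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -set_serial "$2" \
    -days "$DAYS" -sha256 -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Device: verify the service's certificate with the enterprise management root it received.
device_verify_server() { openssl verify -CAfile "$WORK/root.crt" -purpose sslserver "$WORK/server.crt" >/dev/null 2>&1; }
# Service: verify the client certificate that authenticates the user, work space and device.
service_verify_client() { openssl verify -CAfile "$WORK/root.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1; }
# Renewal trigger: succeeds when certificate $1 will have expired within $2 seconds.
needs_renewal() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Walk the flow once for a constructed device.
make_root_ca
make_server_cert
make_enrollment_csr device-0001 "$CHALLENGE"
ca_issue_client_cert device-0001 2
device_verify_server
echo "device-0001: server certificate chains to the enterprise management root"
service_verify_client device-0001
echo "service: client certificate for device-0001 accepted"
if needs_renewal "$WORK/device-0001.crt" $((30 * 86400)); then echo "renewal due now"; else echo "no renewal needed in the next 30 days"; fi
if needs_renewal "$WORK/device-0001.crt" $((366 * 86400)); then echo "renewal falls due before the one-year lifetime ends"; fi
```

The two `openssl verify -purpose` calls are the important part: the device is only given the enterprise management root, so the server certificate is trusted solely because it chains to that root and carries a serverAuth usage; the service accepts a client certificate only if the same root issued it with a clientAuth usage. The challenge password is checked before signing, so a request with the wrong password never gets a certificate, and `-checkend` is the kind of look-ahead test a renewal component runs well before the 365-day lifetime ends.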