Install Guide BES12 v12.0 En


DESCRIPTION

Installation guide for BES 12, the new version of the BlackBerry enterprise server, bringing new features and product improvements. It does not support older BES mobile devices, but fixes are available to remedy that. It can support Android devices.


  • Installation Guide

    BlackBerry Enterprise Service 12

    Version 12.0

  • Published: 2014-11-20

    SWD-20141120124702839

  • Contents

    About this guide
    What is BES12?
        Key features of BES12
        Comparing BES12 with previous EMM solutions from BlackBerry
    Preinstallation tasks
        Configure permissions for the service account
        Configuring connections for the BES12 database
            Specifying database permissions to create the BES12 database
        Using the BES12 Readiness Tool
        Preparing a BES5 database for an upgrade to BES12
        Configuring database high availability using Microsoft SQL Server AlwaysOn
            AlwaysOn high availability
            Preinstallation tasks
            Install BES12 and configure support for database high availability
        How BES12 selects listening ports during installation
    Prerequisites: Installing the BES12 software
    Installing the BES12 software
        Install BES12
        Installing BES12 in a DMZ
    Installing a standalone BlackBerry Router
        Install a standalone BlackBerry Router
    Logging in to BES12 for the first time
        Log in to BES12 for the first time
        Modify the default variables for the management console and BES12 Self-Service
    Additional information
        Best practice: Running BES12
        Configuring database permissions using Microsoft SQL Server roles
            Configure minimum database permissions for the service account or Microsoft SQL Server account
        BES12 listening ports
        Troubleshooting BES5 roles
            The setup application detected incompatible roles in the BES5 database
            The setup application could not complete the role compatibility check on the BES5 database
        Removing the BES12 software
            Remove the BES12 software
            Remove a BES12 instance from the database
    Glossary
    Product documentation
    Provide feedback
    Legal notice

  • About this guide

    BES12 helps you manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices for your organization. This guide provides instructions on how to install BES12.

    This guide is intended for senior IT professionals who are responsible for installing the product. After you complete the tasks in this guide, you must activate licenses and configure BES12. You can find instructions for activating licenses in the BlackBerry Enterprise Service 12 Licensing Guide. You can find instructions on configuring BES12 in the BlackBerry Enterprise Service 12 Configuration Guide.


  • What is BES12?

    BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following:

    Manage mobile devices for your organization to protect business information

    Keep mobile workers connected with the information that they need

    Provide administrators with efficient business tools

    With BES12, you can manage the following device types:

    BlackBerry 10

    BlackBerry OS (version 5.0 to 7.1)

    iOS

    Android

    Windows Phone

    You can manage these devices from a single, simplified UI with industry-leading security.

    Key features of BES12

    | Feature | Description |
    |---|---|
    | Management of many types of devices | You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), iOS, Android, and Windows Phone devices. |
    | Single, unified UI | You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time. |
    | Trusted and secure experience | Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. |
    | Balance of work and personal needs | BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. |


  • Comparing BES12 with previous EMM solutions from BlackBerry

    | EMM solution | Supported device types | Description |
    |---|---|---|
    | BES12 | BlackBerry 10; BlackBerry OS (version 5.0 to 7.1); iOS; Android; Windows Phone | You can manage the server, user accounts, and all device types with a single UI, the management console. The software architecture has been simplified for easier management, increased scalability, and additional multiplatform features. For high availability, you can install additional active servers that share the management load automatically. |
    | BlackBerry Enterprise Service 10 | BlackBerry 10; BlackBerry OS (version 5.0 to 7.1); BlackBerry PlayBook; iOS; Android | You can manage the server, devices, and user accounts with dedicated, advanced UIs for different device types. You can also use BlackBerry Management Studio as a single, unified UI for basic administration of all devices. To manage BlackBerry OS (version 5.0 to 7.1) devices, you can install BlackBerry Enterprise Service 10 on the same computer as BlackBerry Enterprise Server 5.0 SP4 and use BlackBerry Management Studio for basic administration. For high availability, you can install standby instances of the server. |
    | BlackBerry Enterprise Server 5 | BlackBerry OS (version 5.0 to 7.1) | You can manage the server, devices, and user accounts with the BlackBerry Administration Service. For high availability, you can install standby instances of most server components. |


  • Preinstallation tasks

    Configure permissions for the service account

    A service account is a Windows account that runs the services for BES12. The service account must be a member of the local Administrators group on the computer that you install BES12 on, and must have the Log on as a service permission. The service account must also have permission to access the Microsoft SQL Server.

    If your organization's environment includes another EMM solution from BlackBerry, you can use the same service account to install BES12. Otherwise, create a service account in your company directory or a local Windows account on the computer that you want to install BES12 on.

    Note: If you use Microsoft SQL Server authentication to connect to the BES12 database, the BES12 services run under the Local System account.

    1. On the taskbar, click Start > Administrative Tools > Computer Management.

    2. In the left pane, expand Local Users and Groups.

    3. Navigate to the Groups folder.

    4. In the right pane, double-click Administrators.

    5. Click Add.

    6. In the Enter the object names to select field, type the name of the service account (for example, BESAdmin).

    7. Click OK.

    8. Click Apply.

    9. Click OK.

    10. On the taskbar, click Start > Administrative Tools > Local Security Policy.

    11. In the left pane, expand Local Policies.

    12. Click User Rights Assignment.

    13. Configure Log on as a service permission for the service account.
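    The two settings made in steps 1 to 13 can be confirmed afterwards from PowerShell. This is an added example, not part of the BlackBerry guide; BESAdmin is the guide's own example account name, and the temporary file name is an assumption.

```powershell
# Added example (not from the BlackBerry guide). Save as a .ps1 file and run it
# from an elevated PowerShell 3.0+ prompt on the computer that will host BES12.
param(
    # BESAdmin is the guide's example account name; replace it with your own.
    [string]$Account = "$env:COMPUTERNAME\BESAdmin"
)

function ConvertTo-Sid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Compare by SID: the policy export may list holders by SID or by name.
$sid = ConvertTo-Sid $Account

# --- Check 1: direct membership in the local Administrators group ----------
# The group is located by its well-known SID (S-1-5-32-544) so the check does
# not depend on the display language of Windows. Membership that comes only
# through a nested domain group is not evaluated here.
$adminSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminName  = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group      = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"
$memberSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}
$isLocalAdmin = $memberSids -contains $sid

# --- Check 2: "Log on as a service" (SeServiceLogonRight) -------------------
# Export only the user-rights area of the local security policy and read the
# SeServiceLogonRight line. Only direct assignment to the account is checked.
$cfg = Join-Path $env:TEMP 'bes12-user-rights.inf'   # assumed temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run this script elevated.' }
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')                 # entry is already a SID
        } else {
            try { ConvertTo-Sid $entry }          # entry stored by name
            catch { $entry }                      # unresolvable: keep as written
        }
    }
}
$hasLogonAsService = $holders -contains $sid

[pscustomobject]@{
    Account            = $Account
    Sid                = $sid
    LocalAdministrator = $isLocalAdmin
    LogOnAsService     = $hasLogonAsService
}
```

    Both properties should report True before you start the setup application with this account.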

    Configuring connections for the BES12 database

    The BES12 setup application creates the BES12 database. BES12 can connect to the BES12 database using Windows authentication or Microsoft SQL Server authentication.


  • You can connect to the BES12 database using one of the following:

    Service account that you use to complete the installation process

    Windows administrator account that has create_db role permissions

    Microsoft SQL Server account that you specify during the installation process

    Specifying database permissions to create the BES12 database

    Depending on the database option and the type of authentication that you select, you might need to assign database creator permissions to one of the following:

    Service account that you use to complete the installation process

    Microsoft SQL Server account that you specify during the installation process

    | Database option | Database permission |
    |---|---|
    | Install Microsoft SQL Server Express during the BES12 installation | If you choose Windows authentication, the setup application automatically assigns the required database permissions to the service account |
    | Use an existing Microsoft SQL Server in your organization's environment | You must add the service account or Microsoft SQL Server account to the dbcreator server role |

    Using the BES12 Readiness Tool

    You can use the BES12 Readiness Tool to check system requirements before you run the BES12 setup application. The BES12 Readiness Tool checks the following requirements:

    Proxy server setting validation

    Minimum operating system requirements

    Minimum hard disk space

    Secure connection

    SRP connection

    Required ports

    Account permissions

    Database validation

    The BES12 Readiness Tool does not check for the following requirements:

    Microsoft .NET Framework 4.5


  • The BES12 Readiness Tool is included with the BlackBerry Enterprise Service 12 software. You can also download the tool from the Enterprise section of www.blackberry.com.

    Preparing a BES5 database for an upgrade to BES12

    You must prepare the BES5 database before you upgrade it to BES12.

    BES5 software version

    Before you upgrade from BES5 to BES12, make sure that the BES5 database is at version 5.0.4 MR10 or later.

    Database compatibility

    The BES5 database must be compatible with the version of Microsoft SQL Server used for BES12. The compatibility level of the BES5 database must be 100 or higher. You can check and set the compatibility level using Microsoft SQL Server Management Studio:

    To check the compatibility level, type and execute the following query in Microsoft SQL Server Management Studio: SELECT compatibility_level FROM sys.databases WHERE name = '<BES5_db_name>';

    If the compatibility level is less than 100, type and execute the following query in Microsoft SQL Server Management Studio: ALTER DATABASE [<BES5_db_name>] SET COMPATIBILITY_LEVEL = 100

    Note: Replace <BES5_db_name> with the name of the BES5 database.
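    The two database checks described so far, dbcreator membership for the account that creates the BES12 database and the compatibility level of a BES5 database, can be run together from PowerShell before you start the setup application. This is an added example, not part of the BlackBerry guide; the server name, the database name and the use of Windows authentication are assumptions.

```powershell
# Added example (not from the BlackBerry guide). Run it while logged in as the
# account that will run the setup application, so that the dbcreator check
# applies to that login (Windows authentication is assumed).
param(
    [string]$SqlServer  = 'sqlhost.example.com',   # hypothetical server name
    [string]$Bes5DbName = 'ExampleBES5Db',         # hypothetical BES5 database name
    [int]$Port          = 1433                     # static port recommended by the guide
)

$connString = "Server=tcp:$SqlServer,$Port;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # Which login did SQL Server authenticate?
    $cmd.CommandText = 'SELECT SUSER_SNAME()'
    $login = $cmd.ExecuteScalar()

    # IS_SRVROLEMEMBER returns 1 when the current login is a member of the role.
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('dbcreator')"
    $isDbCreator = ($cmd.ExecuteScalar() -eq 1)

    # The guide's compatibility query, with the database name passed as a
    # parameter instead of being pasted into the SQL text.
    $cmd.CommandText = 'SELECT compatibility_level FROM sys.databases WHERE name = @name'
    [void]$cmd.Parameters.AddWithValue('@name', $Bes5DbName)
    $level = $cmd.ExecuteScalar()          # $null when the database does not exist
}
finally {
    $conn.Close()
}

if ($null -eq $level)         { $compat = 'database not found' }
elseif ([int]$level -ge 100)  { $compat = "OK ($level)" }
else                          { $compat = "too low ($level): set COMPATIBILITY_LEVEL to 100 before upgrading" }

[pscustomobject]@{
    Login              = $login
    DbCreator          = $isDbCreator
    Bes5Database       = $Bes5DbName
    CompatibilityLevel = $compat
}
```

    The compatibility result matters only when you upgrade a BES5 database; for a new BES12 database on an existing Microsoft SQL Server, only the DbCreator value applies.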

    Database backup

    Before you upgrade your BES5 environment to BES12, back up the BES5 databases.

    CAUTION: After an upgrade from BES5 to BES12, you cannot roll back to the BES5 database.

    BES5 roles

    After an upgrade, the roles from BES5 are available in BES12 and you can manage them using the BES12 management console. However, BES12 handles roles differently than BES5:

    BES12 allows only one role for each user.

    BES12 requires an entire role to be assigned to one, some, or all groups.

    During an upgrade from BES5 to BES12, if a user has more than one role assigned, BES12 combines the roles. BES12 resolves the roles so that the permissions remain as close as possible to the original permissions in BES5. If there are conflicting permissions that BES12 cannot resolve, the setup application stops and you must resolve the conflict in BES5 manually.

    You should review role permissions in BES5 and resolve potential conflicts before you upgrade to BES12. For more information, see Troubleshooting BES5 roles.


  • Configuring database high availability using Microsoft SQL Server AlwaysOn

    Before you install BES12, decide if you want to configure high availability for the BES12 database. Database high availability allows you to retain database service and data integrity if issues occur with the BES12 database.

    You can use one of the following Microsoft SQL Server features for database high availability:

    AlwaysOn Failover Cluster Instances (FCI) for Microsoft SQL Server 2012 or 2014 (Standard Edition)

    AlwaysOn Availability Groups for Microsoft SQL Server 2012 or 2014 (Enterprise Edition)

    Database mirroring for Microsoft SQL Server 2008 or 2012

    If you want to use an AlwaysOn feature, you must complete configuration steps before you install BES12. This section gives you instructions for configuring database high availability using AlwaysOn.

    You can configure database mirroring any time after you install BES12. For instructions, visit docs.blackberry.com/BES12 to read the BlackBerry Enterprise Service 12 Configuration Guide.

    Note: Microsoft recommends using AlwaysOn because database mirroring will be deprecated in a future version of Microsoft SQL Server.

    AlwaysOn high availability

    BES12 supports AlwaysOn using a Failover Cluster Instance (FCI) or availability group. Both methods require a Windows Server Failover Clustering (WSFC) cluster where independent servers interact to provide a high availability solution for databases. For more information about WSFC, visit the MSDN Library to see Windows Server Failover Clustering (WSFC) with SQL Server.

    Instance-level high availability using an AlwaysOn Failover Cluster Instance


  • An FCI is an instance of Microsoft SQL Server that is installed across multiple computers (or nodes) in a WSFC cluster. The nodes are members of a resource group, and all nodes have shared access to the BES12 database. One of the nodes has ownership of the resource group and gives the BES12 components access to the BES12 database. If the node that owns the resource group becomes unavailable (for example, a hardware or OS failure), a different node takes ownership of the resource group. As a result, BES12 database service continues with minimal interruption.

    For more information, visit the MSDN Library to see AlwaysOn Failover Cluster Instances (SQL Server).

    Database-level high availability using an AlwaysOn availability group


  • To use an availability group, you configure a WSFC cluster with multiple nodes. Each node is a separate computer that has an instance of Microsoft SQL Server. One of the nodes hosts the primary BES12 database and gives the BES12 components read-write access. This node is the primary replica. The WSFC cluster can have one to eight other nodes, each hosting a secondary database (a read-only copy of the BES12 database). These nodes are secondary replicas.

    The primary database synchronizes data with the secondary databases. Data is synchronized with each secondary database independently. If one secondary database is unavailable, it does not affect the other secondary databases. You can configure the data synchronization to be asynchronous (delayed synchronization with minimal transaction latency) or synchronous (faster synchronization with increased transaction latency). Automatic failover requires the primary replica and secondary replicas to use synchronous-commit mode.

    If you configure an availability group for automatic failover and the primary database becomes unavailable, one of the secondary replicas becomes the primary replica. That replica's secondary database becomes the primary database. As a result, BES12 database service continues with minimal interruption.

    For more information, visit the MSDN Library to see Overview of AlwaysOn Availability Groups (SQL Server) and AlwaysOn Availability Groups (SQL Server).

    Preinstallation tasks

    Before you install BES12, perform the following actions:

    Create a WSFC cluster. It is recommended to use static port 1433 for the database server. For requirements and instructions, visit the Technet Library to see Create a Failover Cluster.

    If you want to use an AlwaysOn FCI:

    Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Before Installing Failover Clustering.

    Configure the FCI. Visit the MSDN Library to see Create a New SQL Server failover Cluster (Setup).

    If you want to use an AlwaysOn availability group:

    Verify that your environment meets Microsoft requirements. Visit the MSDN Library to see Prerequisites, Restrictions, and Recommendations for AlwaysOn Availability Groups (SQL Server).

    Enable the availability groups feature and complete the initial setup tasks, including creating an availability group listener. You will set up the primary replica and secondary replicas after you install BES12 and create the BES12 database. Visit the MSDN Library to see Getting Started with AlwaysOn Availability Groups.

    Install BES12 and configure support for database high availability

    1. Verify that your environment meets the requirements for installing BES12. See Prerequisites: Installing the BES12 software.


  • 2. Follow the instructions in Installing the BES12 software. When you run the setup application:

    On the Database information screen, when you specify the Microsoft SQL Server name, type one of the following:

    If you are using an AlwaysOn FCI, type the SQL Virtual Server Network Name for the WSFC cluster (for example, CompanySQLCluster).

    If you are using an AlwaysOn availability group, type the Availability Group Listener Virtual Network Name (for example, CompanyListener).

    On the Database information screen, it is recommended that you use the Static port option and use the default port 1433.

    3. Complete any postinstallation tasks described in this guide.

    After you finish:

    If you want to install another BES12 instance connecting to the same BES12 database, repeat these steps.

    If you are using an FCI, use the Failover Cluster Manager tool to manage the FCI and failover settings.

    If you are using an availability group, use Microsoft SQL Server Management Studio to set up the primary replica and secondary replicas and to configure failover settings. Visit the MSDN Library to see Getting Started with AlwaysOn Availability Groups and Use the Availability Group Wizard (SQL Server Management Studio). Choose the option to create a full backup for the secondary databases and specify a shared network location that all replicas can access.

    How BES12 selects listening ports during installation

    When you install BES12 for the first time, the setup application determines whether default listening ports are available for use. To review the list of default listening ports and the purpose of each port connection, see BES12 listening ports. If a default port is not available, the setup application assigns a port value from the range of 12000 to 12999. The setup application stores the port values in the BES12 database.

    When you install an additional BES12 instance in the domain, the setup application retrieves the listening port values from the database and uses those values for the current installation. If a defined listening port is not available, you receive an error message stating that you cannot complete the installation until the port is available for use.
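    A local pre-check for the behaviour described above, as an added example that is not part of the BlackBerry guide: it reports whether each given port already has a listener on this computer, which process owns it, and how many ports in the 12000 to 12999 range are free. Port 8008 (the management console default named later in this guide) is sample input only.

```powershell
# Added example (not from the BlackBerry guide). Run on the computer where the
# setup application will run. Parses "netstat -ano"; the LISTENING keyword is
# matched as printed by English-language Windows.
param(
    # Sample input: 8008 is the management console default named in this guide.
    # Pass the full list from "BES12 listening ports" for a real check.
    [int[]]$Ports = @(8008)
)

# Map each listening TCP port to the process IDs that own a listener on it.
$listeners = @{}
foreach ($line in (netstat -ano)) {
    # Example line:  TCP    0.0.0.0:8008    0.0.0.0:0    LISTENING    1234
    if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port   = [int]$Matches[1]
        $procId = [int]$Matches[2]
        if (-not $listeners.ContainsKey($port)) { $listeners[$port] = @() }
        if ($listeners[$port] -notcontains $procId) { $listeners[$port] += $procId }
    }
}

# One row per requested port, naming the owning process where it can be read.
$report = foreach ($p in $Ports) {
    $owners = @()
    if ($listeners.ContainsKey($p)) {
        $owners = $listeners[$p] | ForEach-Object {
            $proc = Get-Process -Id $_ -ErrorAction SilentlyContinue
            if ($proc) { "$($proc.ProcessName) (PID $_)" } else { "PID $_" }
        }
    }
    New-Object PSObject -Property @{
        Port   = $p
        InUse  = $listeners.ContainsKey($p)
        Owners = (@($owners) -join ', ')
    }
}

# Ports in the fallback range that currently have no listener.
$freeFallback = @(12000..12999 | Where-Object { -not $listeners.ContainsKey($_) }).Count

$report | Select-Object Port, InUse, Owners | Format-Table -AutoSize
"Fallback range 12000-12999: $freeFallback of 1000 ports have no listener."
```

    On an additional BES12 instance, a port reported as InUse is one the setup application will refuse to continue with until the owning process releases it.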

    For more information about the port connections that you must open in your organization's firewall after you install BES12, visit docs.blackberry.com/BES12 to read the BlackBerry Enterprise Service 12 Configuration Guide.


  • Prerequisites: Installing the BES12 software

    Verify that you opened the necessary ports on your organization's firewall.

    Verify that you installed all required third-party applications.

    If you perform the installation process on a computer that has more than one NIC, verify that the production NIC is first in the bind order in the Windows network settings.

    If your organization uses a proxy server for Internet access, verify that you have the computer name, port number, and credentials for the proxy server.

    When you run the setup application, use only standard characters to specify values. Unicode characters are not supported.

    If you want to install BES12 on the same computer as BES10, the setup application may identify that you must remove your static JRE version or install a newer, dynamic JRE version. Install the latest JRE 1.7 family version before you run the setup application.


  • Installing the BES12 software

    Install BES12

    When you run the setup application, use only standard characters to specify values. Unicode characters are not supported.

    Before you begin:

    If you are upgrading from BES5 to BES12 during this installation, verify that the BES5 database is at BES5 version 5.0.4 MR10 or later.

    If you install BES12 behind a firewall, it cannot connect to the BlackBerry Infrastructure until you configure the proxy server. BES12 prompts you the first time you log in to the BES12 management console.

    Installing BES12 or specifying the location of BES12 log files to a mapped network drive is not supported.

    1. Log in to the computer that you want to install BES12 on using the service account.

    2. In the BES12 installation folder, double-click Setup.exe. If a Windows message appears and requests permission for Setup.exe to make changes to the computer, click Yes.

    3. In the Java Setup screen, click Install.

    4. Click Close.

    5. In the BES12 setup application screen, click Next.

    6. In the License agreement dialog box, perform the following actions:

    a. Select your country or region.

    b. Read the license agreement. To accept the license agreement, select I accept the terms of the license agreement.

    c. Click Next.

    7. In the Installation requirements dialog box, you can check to see if your computer has met the requirements to install BES12. Click Next.

    The setup application may display a warning that indicates that Microsoft .NET Framework 4.5 is not installed. You can ignore this warning and proceed with the installation. The setup application will automatically install Microsoft .NET Framework 4.5 for you if it is not detected on your computer.

    8. In the Setup type dialog box, perform one of the following actions:

    For a new installation of the BES12 software, select Create a new domain. Select Install and use Microsoft SQL Server 2012 Express Edition on this computer if you do not have Microsoft SQL Server installed.


  • If you already have a supported version of Microsoft SQL Server installed, select Use an existing Microsoft SQL Server instance in your organization's environment. You can install the database server on the same computer or use an existing database server in your organization's environment (local or remote).

    To upgrade an existing BES5 database to BES12, or to use an existing BES12 database, select Use an existing domain.

    For more information about how to upgrade from BES10 to BES12, visit docs.blackberry.com/BES12 to read the BlackBerry Enterprise Service 12 Planning Guide.

    9. Click Next.

    10. In the Database information dialog box, fill out the fields depending on the setup type you selected:

    Setup type: Create a new domain and install Microsoft SQL Server 2012 Express

    1. Type the Windows password.

    2. Click Next.

    Setup type: Create a new domain and use an existing Microsoft SQL Server instance

    1. In the Microsoft SQL Server name field, type the name of the computer that hosts the database server.

    2. In the Database name field, type a name for the database you are upgrading, or a name for the new database.

    3. If you configured the database server to use static ports, select the Static option. If the static port number is not 1433, in the Port field, type the port number.

    4. By default, the setup application uses Windows authentication to connect to the existing database. If you select Microsoft SQL Server authentication, specify a Windows account that has access to the Microsoft SQL Server.

    5. Click Next.

    Setup type: Use an existing domain

    1. In the Microsoft SQL Server name field, type the name of the computer that hosts the database server.

    2. In the Database name field, type a name for the database you are upgrading, or a name for the new database.

    3. If you configured the database server to use static ports, select the Static option. If the static port number is not 1433, in the Port field, type the port number.

    4. By default, the setup application uses Windows authentication to connect to the existing database. If you select Microsoft SQL Server authentication, specify a Windows account that has access to the Microsoft SQL Server.

    5. Click Next.

    If you are installing BES12 on a computer that already has an instance of BES5, the setup application automatically completes the fields in the Database information dialog box.

    11. In the Folder locations dialog box, perform the following actions:

    a. Specify the location of the installation folder and log file folder.

    b. If you receive a message saying there is not enough space remaining, create extra space to install BES12 on your computer.

    c. If you receive a message asking you to create the installation and logs folder locations, click Yes.

    12. Click Next.

    13. In the Installation summary dialog box, click Install to install BES12.

    14. In the Installing dialog box, click Next when the installation is complete.

    15. In the Console addresses dialog box, click Close.

    After you finish:

    If you performed an upgrade from BES5 to BES12, restart the BES5 BlackBerry Administration Service - Application Server service.

    If you performed an upgrade from BES5 to BES12, review the BES5 roles.

    You can install more than one BES12 instance in the domain to create a high availability configuration that minimizes service interruptions for BlackBerry 10, iOS, Android, and Windows Phone device users. For more information about high availability, visit docs.blackberry.com/BES12 to read the BlackBerry Enterprise Service 12 Configuration Guide.

    Installing BES12 in a DMZ

    You can install BES12 in a DMZ, outside of your organization's firewall. To install BES12, see Install BES12.

    If you install BES12 in a DMZ, verify that you open the required ports on your organization's firewall. For more information about port requirements, visit docs.blackberry.com/BES12 to see the BlackBerry Enterprise Service 12 Configuration Guide.


  • Installing a standalone BlackBerry Router

    The BlackBerry Router is an optional component that you can install in a DMZ outside your organization's firewall. The BlackBerry Router connects to the Internet to send data between BES12 and devices that use the BlackBerry Infrastructure.

    The BlackBerry Router functions as a proxy server and can support SOCKS v5 (no authentication).

    Note: If your current environment contains a TCP proxy server, you do not need to install the BlackBerry Router for BES12.

    Install a standalone BlackBerry Router

    Before you begin: Make sure you have the name of the SRP host. The SRP host name is usually <country code>.srp.blackberry.com (for example, us.srp.blackberry.com). To verify the SRP host name for your country, visit the SRP Address Lookup page.

    Note: Installing the BlackBerry Router on a computer that hosts any components that manage BlackBerry OS devices is not supported.

    A standalone BlackBerry Router instance is hosted on a computer that does not host any other BES12 components.

    1. Download and extract the BES12 Installation .zip file on your computer.

    2. From the extracted BES12 installation files, open the router folder.

    3. Extract the setupinstaller .zip file from the router folder. This .zip file contains an Installer folder that has the Setup.exe file to install the BlackBerry Router using the Command Prompt application.

    4. Go to Start > All Programs > Accessories > Command Prompt.

    5. Right-click the Command Prompt application and select Run as administrator.

    6. Navigate to the location of the BlackBerry Router Setup.exe file using the Command Prompt application.

    7. In the command prompt window, type Setup.exe -srphost (for example, Setup.exe -srphost ca.srp.blackberry.com).


  • Logging in to BES12 for the first time

    The first time that you log in to the management console after you install BES12, you must enter your organization name, SRP ID, and SRP authentication key.

    Log in to BES12 for the first time

    Before you begin: Verify that you have the organization name, SRP identifier, and SRP authentication key available.

    If the setup application is still open, you can access the management console directly from the Console addresses dialog box.

    Note: You may be prompted to provide the IP address and port number of the BlackBerry Router or a TCP proxy server.

    1. In the browser, type https://:/admin, where is the FQDN of the computer that hosts the management console. The default port for the management console is port 8008.

    2. Do one of the following:

    If you upgraded the database from BES5 to BES12, verify that you have restarted the BlackBerry Administration Service services. Click OK.

    If you did not upgrade a BES5 database, click OK.

    3. Click OK when you receive a reminder to restart the BlackBerry Administration Service services if you have upgraded the database from BES5 to BES12.

    If you have not upgraded the database from BES5 to BES12, you can ignore the reminder.

    4. In the Username field, type admin.

    5. In the Password field, type password.

    6. Click Sign in.

    7. In the Server location drop-down selection, select the country of the computer that has BES12 installed on it.

    8. Click Next.

    9. Type the name of your organization, the SRP identifier, and the SRP authentication key.

    10. Click Submit.

    11. You will be prompted to change your password.

    12. Change the temporary password to a permanent password.

    13. Click Submit.


  • After you finish: When you log in to the management console, you can choose to complete or close the Welcome to BES12 dialog box. If you close the dialog box, it will not appear during subsequent login attempts.

    Modify the default variables for the management console and BES12 Self-Service

    You can modify the default values of the variables for the URLs of BES12 Self-Service and the management console. You use these variables in activation email messages and compliance notifications. You can modify the values so that users can access BES12 Self-Service and the BES12 management console using the links in the email messages and compliance notifications.

    If you don't want to change these default variables from the FQDN of the computer you installed BES12 on to the FQDN pool name, you do not need to complete this task.

    1. Click Settings.

    2. Click General Settings.

    3. Click Default variables.

    4. Modify the default :8008 for both the %AdminPortalURL% and %UserSelfServicePortalURL% variables to :8008.

    5. Click Test connection for both the %AdminPortalURL% and %UserSelfServicePortalURL% variables that you modified.

    6. Click Save.


  • Additional information

    Best practice: Running BES12

    | Best practice | Description |
    | --- | --- |
    | Do not change the startup type for the BES12 services. | When you install or upgrade to BES12, the setup application configures the startup type for the BES12 services as either automatic or manual. To avoid errors in BES12, do not change the startup type for the BES12 services. |
    | Do not change the account information for the BES12 services. | When you install or upgrade BES12, the setup application configures the account information for the BES12 services. Do not change the account information for BES12 unless the BES12 documentation specifies that you can. |

    Configuring database permissions using Microsoft SQL Server roles

    The setup application requires the service account or Microsoft SQL Server account that it uses during the installation or upgrade process to have permissions on the database server to create or upgrade the BES12 database. After the installation or upgrade process completes, you can change the database permissions for the service account or Microsoft SQL Server account to the minimum permissions that BES12 requires to run.

    When you change the database permissions, you can use Microsoft SQL Server security to minimize the operations that the service account or Microsoft SQL Server account can perform on the BES12 database. The Microsoft SQL Server roles that are required by the setup application and BES12 are as follows:

    | Database role | Description |
    | --- | --- |
    | db_owner | The setup application automatically adds the account that you use to create the BES12 database to this role. This role contains the minimum permissions that the setup application requires to upgrade the BES12 database. |


  • Configure minimum database permissions for the service account or Microsoft SQL Server account

    You can configure minimum database permissions for the service account or Microsoft SQL Server account that BES12 uses to connect to the BES12 database.

    Before you begin: Add a different Windows account or Microsoft SQL Server account to the db_owner database role for the BES12 database.

    1. Open the Microsoft SQL Server Management Studio.

    2. Expand Microsoft SQL Server > Security > Logins.

    3. Right-click the service account or Microsoft SQL Server account. Click Properties.

    4. Click User Mapping. Select the BES12 database.

    5. In the Users mapped to this login section, select bes.

    6. Remove all other database role memberships except public.

    7. Click OK.

    BES12 listening ports

    When you install BES12 for the first time, the setup application determines whether the following default listening ports are available for use. If a default port is not available, the setup application assigns a port value from the range of 12000 to 12999. The setup application stores the port values in the BES12 database.

    When you install an additional BES12 instance in the domain, the setup application retrieves the listening port values from the database and uses those values for the current installation. If a defined listening port is not available, you receive an error message stating that you cannot complete the installation until the port is available for use.

    | Port | Purpose |
    | --- | --- |
    | 1610 | The port that the BES12 Core uses to provide SNMP monitoring data. |
    | 1620 | The port that the BES12 Core uses to send SNMP notifications in an IPv4 environment. |
    | 3202 | The port that the active BlackBerry Affinity Manager listens on for RCP connections from the BlackBerry Dispatcher. |
    | 3203 | The port that the BlackBerry Dispatcher listens on for BIPPe connections from the BlackBerry MDS Connection Service. |
    | 8000, 8008 | The ports that BES12 Self-Service and the management console listen on for HTTP connections. |
    | 8083 | The port that the administration console uses to connect to the BES12 Core. |
    | 8085 | The port that the active BlackBerry Affinity Manager listens on for REST notifications. |
    | 8091 | The secure SSL port that the BlackBerry Work Connect Notification Service listens on. |
    | 8448 | The port that is used for internal communication between the BES12 Core and the management console and BES12 Self-Service. |
    | 8881 | The port that BES12 uses to receive management requests for BlackBerry 10 devices. The connection uses mutual authentication with ECC certificates. |
    | 8882 | The port that BES12 uses to receive enrolment requests for BlackBerry 10 devices. |
    | 8883 | The port that BES12 uses to receive enrolment requests for iOS, Android, and Windows Phone devices. |
    | 8884 | The port that BES12 uses to receive management requests for iOS, Android, and Windows Phone devices. The connection uses mutual authentication with RSA certificates. |
    | 8885 | An additional port that BES12 uses to receive management requests for iOS devices. The connection uses mutual authentication with RSA certificates. |
    | 8887 | The port that BES12 uses for authenticated connections to check the status of BES12 instances. |
    | 8900 | The secure SSL port that the BlackBerry Gatekeeping Service listens on. |
    | 10080 | The HTTP port that the BlackBerry MDS Connection Service listens on for enterprise push data. |
    | 10443 | The HTTPS port that the BlackBerry MDS Connection Service listens on for enterprise push data. This port is used when you turn on push encryption. |
    | 18084 | The port that applications can use to send data to the BlackBerry Web Services. |
    | 38082 | The port that the BES12 Core listens on to route email notification traffic through the BlackBerry Infrastructure to the APNs for iOS devices. |
    | 38085 | The port that supports Secure Work Space traffic from iOS and Android devices through the BES12 Core and BlackBerry Infrastructure to connect to work resources. |
    | 38086 | The port that your organization's TCP proxy server or the BlackBerry Router listens on for data that BES12 sends to the APNs. |
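    The following preflight check is an added example, not part of the BlackBerry guide or the setup application: run on the target computer before installation, it reports which of the default listening ports listed above are already bound, which is the condition that makes the setup application fall back to the 12000 to 12999 range (first install) or stop with an error (additional instance). The function and variable names are made up for the example, it assumes Windows PowerShell 3.0 or later, and it checks both TCP and UDP because the table does not state a protocol per port.

```powershell
# Added example (not BlackBerry code): preflight check of the BES12 default listening ports.
# Port numbers and purposes are copied from the guide's table; all names are hypothetical.
$Bes12DefaultPorts = @(
    @{ Port = 1610;  Purpose = 'BES12 Core: SNMP monitoring data' }
    @{ Port = 1620;  Purpose = 'BES12 Core: SNMP notifications (IPv4)' }
    @{ Port = 3202;  Purpose = 'BlackBerry Affinity Manager: RCP from BlackBerry Dispatcher' }
    @{ Port = 3203;  Purpose = 'BlackBerry Dispatcher: BIPPe from MDS Connection Service' }
    @{ Port = 8000;  Purpose = 'BES12 Self-Service / management console (HTTP)' }
    @{ Port = 8008;  Purpose = 'BES12 Self-Service / management console (HTTP)' }
    @{ Port = 8083;  Purpose = 'Administration console to BES12 Core' }
    @{ Port = 8085;  Purpose = 'BlackBerry Affinity Manager: REST notifications' }
    @{ Port = 8091;  Purpose = 'BlackBerry Work Connect Notification Service (SSL)' }
    @{ Port = 8448;  Purpose = 'Internal: BES12 Core, management console, Self-Service' }
    @{ Port = 8881;  Purpose = 'BlackBerry 10 management requests (mutual auth, ECC)' }
    @{ Port = 8882;  Purpose = 'BlackBerry 10 enrolment requests' }
    @{ Port = 8883;  Purpose = 'iOS/Android/Windows Phone enrolment requests' }
    @{ Port = 8884;  Purpose = 'iOS/Android/Windows Phone management (mutual auth, RSA)' }
    @{ Port = 8885;  Purpose = 'iOS management, additional port (mutual auth, RSA)' }
    @{ Port = 8887;  Purpose = 'Authenticated BES12 instance status checks' }
    @{ Port = 8900;  Purpose = 'BlackBerry Gatekeeping Service (SSL)' }
    @{ Port = 10080; Purpose = 'MDS Connection Service: enterprise push (HTTP)' }
    @{ Port = 10443; Purpose = 'MDS Connection Service: enterprise push (HTTPS)' }
    @{ Port = 18084; Purpose = 'BlackBerry Web Services' }
    @{ Port = 38082; Purpose = 'BES12 Core: email notifications to APNs' }
    @{ Port = 38085; Purpose = 'Secure Work Space traffic (iOS and Android)' }
    @{ Port = 38086; Purpose = 'TCP proxy or BlackBerry Router: data sent to APNs' }
)

function Get-BoundPort {
    # Local ports that currently have a TCP listener or a bound UDP endpoint.
    $ip  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $tcp = @($ip.GetActiveTcpListeners() | ForEach-Object { $_.Port })
    $udp = @($ip.GetActiveUdpListeners() | ForEach-Object { $_.Port })
    @($tcp + $udp | Sort-Object -Unique)
}

function Test-Bes12Port {
    # One result object per default port: free, or already bound by another process.
    param([int[]]$InUse = (Get-BoundPort))
    foreach ($entry in $Bes12DefaultPorts) {
        $status = 'free'
        if ($InUse -contains $entry.Port) { $status = 'IN USE' }
        [pscustomobject]@{ Port = $entry.Port; Status = $status; Purpose = $entry.Purpose }
    }
}

$inUse     = Get-BoundPort
$report    = @(Test-Bes12Port -InUse $inUse)
$conflicts = @($report | Where-Object { $_.Status -eq 'IN USE' })

# Values still unbound in the range the setup application falls back to on a first install.
$fallbackFree = @(12000..12999 | Where-Object { $inUse -notcontains $_ }).Count

$report | Format-Table -AutoSize
$summary = '{0} of {1} default ports already bound; {2} of 1000 values unbound in 12000-12999.'
$summary -f $conflicts.Count, $report.Count, $fallbackFree

if ($conflicts.Count -gt 0) {
    # Behaviour as described in the guide: reassignment on a first install, an error
    # for an additional instance (whose ports come from the BES12 database and may
    # differ from these defaults).
    Write-Warning ('First install: setup assigns a value from 12000-12999 instead. ' +
                   'Additional instance: setup stops until the stored port is available.')
}
```

    On a computer where BES12 is already installed, the BES12 services themselves hold these ports, so the report is only meaningful before installation.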

    Troubleshooting BES5 roles

    The setup application detected incompatible roles in the BES5 database

    Description

    You may see this error message in the setup application after you click Next on the Database information screen.

    | Possible cause | Possible solution |
    | --- | --- |
    | The BES5 database contains one or more roles that have permissions assigned to more than one group. | Navigate to the BES5UpgradeRoleCheck.txt log file located in C:\Program Files\BlackBerry\BES\Logs\deployment\. The file lists the names of the roles that contain conflicts. Using the BlackBerry Administration Service, go to BlackBerry solution management > Role > Manage roles. For each role listed in the log file, make sure that its permissions are either granted to all groups, or that the listed groups are the same for each permission. Save the changes. Return to the BES12 setup application and click Next to continue the installation. |
    | If a BES5 user has more than one role assigned, when BES12 combines those roles into one role for that user, the new role has permissions assigned to different groups. For example, one BES5 role has the View a group permission assigned to Group A, and the other role has the Edit a device permission assigned to Group B. | Navigate to the BES5UpgradeRoleCheck.txt log file located in C:\Program Files\BlackBerry\BES\Logs\deployment\. The file lists the names of the roles that contain conflicts. Using the BlackBerry Administration Service, go to BlackBerry solution management > Role > Manage roles. For each role listed in the log file, make sure that its permissions are either granted to all groups, or that the listed groups are the same for each permission. For all the roles assigned to a BES5 user, make sure that the permissions are granted to all groups, or that the listed groups are the same for each permission. Save the changes. Return to the BES12 setup application and click Next to continue the installation. |

    The setup application could not complete the role compatibility check on the BES5 database

    Description

    You may see this error message in the setup application after you click Next on the Database information screen.

    | Possible cause | Possible solution |
    | --- | --- |
    | Insufficient user permissions | Verify that the account you are using has administrator permissions and run the BES12 setup application again. |
    | Hardware errors | Replace the hardware or run the BES12 setup application on another computer. |

    Removing the BES12 software

    You can use the uninstall application to remove the BES12 software from a computer. The uninstall application can also remove the log files for the existing installation.

    The uninstall application does not remove the BES12 database from the database server and it does not remove the database instance that hosts the BES12 database.

    CAUTION: You cannot uninstall BES12 and continue to use BES5 after you have upgraded from BES5 to BES12. If you uninstall BES12 after the upgrade, BES5 will not function correctly.

    Remove the BES12 software

    1. On the taskbar, click Start > Control Panel.

    2. Click Uninstall a program.

    3. Click BES12.

    4. Click Uninstall.


  • 5. If the uninstall application prompts you to restart the computer to finish removing the BES12 software, click OK.

    After you finish: You can remove third-party software that the setup application installed during the BES12 installation process (for example, you can remove the JRE software from the computer).

    Remove a BES12 instance from the database

    If you uninstall a BES12 instance, you must complete the following steps to remove the data for that instance from the BES12 database. If you do not, the BES12 log files indicate that the instance that you removed is not available.

    Before you begin: Uninstall a BES12 instance.

    1. On the menu bar, click Settings.

    2. In the left pane, click Infrastructure > BES12 instances.

    3. For the BES12 instance that you removed, click .

    4. Click Delete.


  • Glossary

    APNs Apple Push Notification service

    BES10 BlackBerry Enterprise Service 10

    BES12 BlackBerry Enterprise Service 12

    CSR certificate signing request

    DMZ A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the trusted LAN of the organization and the untrusted external wireless network and public Internet.

    DNS Domain Name System

    FQDN fully qualified domain name

    HTTPS Hypertext Transfer Protocol over Secure Sockets Layer

    IP Internet Protocol

    IP address An Internet Protocol (IP) address is an identification number that each computer or mobile device uses when it sends or receives information over a network, such as the Internet. This identification number identifies the specific computer or mobile device on the network.

    IPsec Internet Protocol Security

    JRE Java Runtime Environment

    LAN local area network

    NIC network interface card

    SRP Server Routing Protocol


  • Product documentation

    To read the following guides or other related materials, visit docs.blackberry.com/BES12.

    Category Resource Description

    Overview BlackBerry Enterprise Service 12 Product Overview

    Introduction to BES12 and its features

    Finding your way through the documentation

    Architecture

    Enterprise Solution Comparison Chart

    Comparison of what features are available across different BlackBerry enterprise solutions

    BlackBerry Enterprise Service 12 Architecture and Data Flow Reference Guide

    Descriptions of BES12 components

    Descriptions of activation and other data flows, such as configuration updates and email, for different types of devices

    Release notes BlackBerry Enterprise Service 12 Release Notes

    Descriptions of known issues and potential workarounds

    Installation and upgrade

    BlackBerry Enterprise Service 12 Compatibility Matrix

    3rd party software that is compatible with BES12

    BlackBerry Enterprise Service 12 Performance Calculator

    Tool to estimate the hardware required to support a given workload for BES12

    BES12 Preinstallation Checklist Checklist of requirements to check before you install or upgrade your environment

    BlackBerry Enterprise Service 12 Planning Guide

    System requirements

    Planning BES12 deployment for an installation or an upgrade from BES5 or BES10

    BlackBerry Enterprise Service 12 Installation Guide

    Installation instructions

    Configuration BlackBerry Enterprise Service 12 Licensing Guide

    Descriptions of different types of licenses

    Instructions for activating and managing licenses


    BlackBerry Enterprise Service 12 Configuration Guide

    Instructions for how to configure server components before you start administering users and their devices

    Instructions for migrating BES10 data from an existing BES10 database

    Administration BlackBerry Enterprise Service 12 Administration Guide

    Basic and advanced administration for all supported device types, including BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices and BlackBerry OS (version 5.0 to 7.1) and earlier devices

    Instructions for creating user accounts, groups, roles, and administrator accounts

    Instructions for activating devices

    Instructions for creating and assigning IT policies and profiles

    Instructions for managing apps on devices

    Descriptions of profile settings

    BlackBerry Enterprise Service 12 Policy Reference Spreadsheet

    Descriptions of IT policy rules for BlackBerry 10 devices, iOS devices, Android devices, Windows Phone devices and BlackBerry OS (version 5.0 to 7.1) and earlier devices

    Supported Features by Device Type

    Comparison of what device management features are supported for each type of device in BES12

    Getting started. 5 Steps To Get Your Devices Active

    Minimum requirements to configure to get you started with activating devices

    Security BlackBerry 10 Security Overview Introduction to BlackBerry 10 security

    Description of how BlackBerry 10 protects data at rest and in transit

    Description of our security platform, from the device to the BlackBerry Infrastructure

    BlackBerry Enterprise Service 12 Security Guide for BlackBerry

    Description of the security maintained by BES12, the BlackBerry Infrastructure, and BlackBerry 10 devices to protect data and connections

    Description of the BlackBerry 10 OS


    Description of how work data is protected on BlackBerry 10 devices when you use BES12

    BlackBerry Enterprise Service 12 Security Guide for iOS, Android, and Windows Phone

    Description of the security maintained by BES12, the BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit

    Description of how work space apps are protected on work space-enabled devices when you use BES12

    Resources for enterprise users

    BES12 Self-Service User Guide Instructions for activating devices

    Instructions for protecting a lost device


  • Provide feedback

    To provide feedback on this content, visit www.blackberry.com/docsfeedback.


  • Legal notice

    ©2014 BlackBerry. All rights reserved. BlackBerry and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

    Apple is a trademark of Apple Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Android is a trademark of Google Inc. Microsoft, Internet Explorer, SQL Server, and Windows are trademarks of Microsoft Corporation. Java and JRE are trademarks of Oracle and/or its affiliates. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.

    This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

    This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

    EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES


  • REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

    THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

    IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

    Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

    Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

    The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.


  • BlackBerry Limited
    2200 University Avenue East
    Waterloo, Ontario
    Canada N2K 0A7

    BlackBerry UK Limited
    200 Bath Road
    Slough, Berkshire SL1 3XE
    United Kingdom

    Published in Canada
