Skip to content
Help and manuals  >  Enterprise services  >  BlackBerry UEM Cloud  >  Architecture and data flows

BlackBerry UEM Cloud Architecture and data flows

The BlackBerry UEM Cloud architecture was designed to help you manage mobile devices for your organization in a cloud environment and provide a secure link for data to travel between your organization's mail and content servers and your user's devices.

Architecture: BlackBerry UEM Cloud solution

Diagram showing the elements used in the BlackBerry UEM solution



BlackBerry UEM Cloud

BlackBerry UEM Cloud is a service that allows you to manage devices used in your organization's environment.

BlackBerry Infrastructure and BlackBerry Dynamics NOC

The BlackBerry Infrastructure registers user information for device activation and validates licensing information for BlackBerry UEM Cloud. If you enable BlackBerry Secure Connect Plus or the BlackBerry Secure Gateway, data in transit that uses these services passes though the BlackBerry Infrastructure.

The BlackBerry Dynamics NOC is a separately located NOC that provides secure communications between BlackBerry Dynamics apps on devices and BlackBerry Proxy installed behind the firewall as part of the BlackBerry Connectivity Node.


BlackBerry UEM Cloud supports BlackBerry 10, iOS, macOS, Android, and Windows devices.

Notification services

BlackBerry UEM Cloud sends notifications to devices to contact BlackBerry UEM for updates and to report information for your organization's device inventory. These notifications are sent to the BlackBerry Infrastructure, where they are sent to the devices using the appropriate notification service:

  • APNs is a service that Apple provides to send notifications to iOS and macOS devices.
  • GCM is a service that Google provides to send notifications to Android devices.
  • WNS is a service that Microsoft provides to send notifications to Windows devices.

BlackBerry Connectivity Node

The BlackBerry Connectivity Node is an optional component that you install inside your organization's firewall. It includes five components that add functionality to BlackBerry UEM Cloud:

  • The BlackBerry Cloud Connector connects BlackBerry UEM Cloud to your company directory behind the firewall to allow basic attribute synchronization, search functionality, and user authentication services. If you don't install the BlackBerry Connectivity Node and your company directory is behind the firewall, you must create local user accounts in BlackBerry UEM Cloud instead of using the user accounts in your company directory. The BlackBerry Cloud Connector is not required for BlackBerry UEM Cloud to connect to Microsoft Azure Active Directory.
  • BlackBerry Proxy maintains a secure connection between your organization and the BlackBerry Dynamics NOC, which allows BlackBerry Dynamics apps to communicate securely with your organization's resources behind the firewall. It also supports BlackBerry Dynamics Direct Connect, which allows app data to bypass the BlackBerry Dynamics NOC.
  • The BlackBerry Gatekeeping Service sends commands to Exchange ActiveSync to add devices to an allowed list when devices are activated on BlackBerry UEM Cloud. Unmanaged devices that try to connect to an organization's mail server can be reviewed, verified, and blocked or allowed by an administrator using the BlackBerry UEM management console.
  • BlackBerry Secure Connect Plus provides a secure IP tunnel between work apps on devices and your organization's network. One tunnel that supports standard IPv4 (TCP and UDP) data is established for each device through the BlackBerry Infrastructure.
  • The BlackBerry Secure Gateway provides a secure connection through the BlackBerry Infrastructure and BlackBerry UEM Cloud to your organization's mail server for iOS devices.

The BlackBerry Connectivity Node uses port 3101 to communicate with BlackBerry UEM Cloud.

BlackBerry Enterprise Mobility Server

If you have installed the BlackBerry Connectivity Node, you can also install an on-premises BEMS. BEMS consolidates several services used to send work data to and from BlackBerry Dynamics apps:

  • BlackBerry Connect provides secure instant messaging, company directory look-up, and user presence information to iOS and Android devices.
  • BlackBerry Presence provides real-time presence status to BlackBerry Dynamics apps.
  • BlackBerry Docs lets your BlackBerry Dynamics app users access, synchronize, and share documents using their work file server, SharePoint, Box, and content management systems supporting CMIS, without the need for VPN software, firewall reconfiguration, or duplicate data stores.

BlackBerry Enterprise Mobility Server databases

The BEMS databases store user, app, policy, and configuration information.

Company directory

BlackBerry UEM Cloud supports connectivity with your organization's Microsoft Active Directory or LDAP company directory behind the firewall using the BlackBerry Connectivity Node.

Microsoft Azure Active Directory

Microsoft Azure Active Directory is a cloud-based directory management service. If your organization uses Azure Active Directory you can connect to it instead of, or in addition to, a company directory behind the firewall.

Content, application, and mail servers

When you enable BlackBerry Secure Connect Plus or when users have BlackBerry Dynamics apps, devices can connect to your organization's servers without requiring you to open a direct connection between the server and the Internet. Work data in transit between your servers and devices is sent through BlackBerry Secure Connect Plus and the BlackBerry Infrastructure. BlackBerry Dynamics app data is sent through BlackBerry Proxy and the BlackBerry Dynamics NOC.

The BlackBerry Secure Gateway provides a secure connection through the BlackBerry Infrastructure and BlackBerry Connectivity Node between your organization's mail server and iOS devices.

BEMS and BlackBerry plug-ins

The cloud version of BlackBerry Enterprise Mobility Server provides BlackBerry Push Notifications, which accepts push registration requests from iOS and Android devices and then communicates with Microsoft Exchange to monitor the user's work mail account for changes. If Microsoft Exchange is behind your organization's firewall, you must open a port for BEMS to communicate with Microsoft Exchange.

BlackBerry UEM Cloud works with additional BlackBerry enterprise products such as BlackBerry Enterprise Identity, BlackBerry 2FA, and BlackBerry Workspaces, to allow you to extend UEM capabilities in your organization. For more information, see the Discover BlackBerry UEM plug-ins content.