The BlackBerry Universal Device Service (UDS) is part of the Mobile Fusion device management solution developed by RIM. The service can be used standalone to manage iOS and Android devices, or in conjunction with an existing BlackBerry Enterprise Server, BlackBerry Enterprise Server Express or BlackBerry Device Service deployment to provide a single point of administration and control for all your mobile devices.
iOS 4.3 or later, and Android 2.2 or later are supported.
The Universal Device Service enables you to:
The solution can be integrated with Microsoft Active Directory for ease of user and group management.
The Universal Device Service consists of four components:
These components can all be installed on the same server if desired, or for security reasons, the Communication Module can optionally be installed in a DMZ environment.
NOTE - you cannot install UDS on a server that already hosts either BES or BES Express, or the BlackBerry Device Service for PlayBook.
The port number that devices use to communicate with the Communication Module can be configured during installation; the default value is TCP 443. The Communication Module requires an SSL certificate to be assigned to it. This should ideally be a "root-trusted" certificate which devices trust automatically. If a self-signed SSL certificate is assigned, then the root certificate of the Certificate Authority which generated the certificate will need to be deployed to client devices manually.
For iOS device support, the Core Module must be able to communicate with the Apple Push Notification Service (APNS) on port TCP 2195.
Outbound access to RIM's servers on TCP 3101 will also be required to verify licensing information.
(The Apple Push Notification Service is middleware hosted by Apple that enables authenticated delivery of notification messages from the UDS to online iOS devices.)
The Core Module also requires access on port TCP 443 to Apple to check the certificate revocation list.
The Universal Device Service can only be installed on a server running Windows Server 2008 R2 and requires IIS (Web Server role) to be installed as well as the .NET Framework 4 package.
Full system requirements can be found in the Installation and Configuration Guide in the File Library (http://ukblog.im-mobility.com/library).
Before installing the Universal Device Service, a certificate request must be generated, signed and installed on the IIS web server for use by the Communication component. As already mentioned, this certificate can be self-signed, but this will add complexity when setting up client devices remotely.
On the server that is to host the Universal Device Service, launch the IIS Manager and browse to Server Certificates:
Select the option to Create a certificate request:
(Here you can select the option to create a self-signed certificate and submit the request to your internal Certificate Authority; simply enter a name for the certificate.)
If you are preparing a request for an external CA to sign, complete the details that the certificate is to contain:
Complete the encryption information:
Save the certificate request to a file:
Submit the certificate request to your online certificate authority and await the signed response.
When you have the signed response, within the IIS Manager select the option to Complete certificate request:
Browse to the response file and enter a name to identify the certificate.
The certificate will now be listed in the Server Certificates view. Double click the certificate and click on the Details tab:
Click on the option to Copy to file:
Select the option to export the private key:
Enter a password for the private key file; this can be anything of your choosing.
Save the private key file and make a note of where you have saved it as you will need it later.
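As an added example (not part of the original article or of RIM's installer), the PowerShell function below loads the exported file and reports whether it contains the private key, whether it is self-signed, which root it chains to, whether it covers the external FQDN and how long it remains valid. The function name, file path and FQDN are placeholders, and trust is evaluated against this server's certificate store, whereas devices use their own trust stores.

```powershell
# Added example, not RIM tooling: sanity-check the exported certificate file
# before pointing the UDS installer at it. Written to run on PowerShell 2.0.
function Test-UdsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [Parameter(Mandatory = $true)][string]$ExternalFqdn
    )
    $full = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $Password

    # Names the certificate is valid for: SAN DNS entries, else the subject CN.
    # Format() output is localised; 'DNS Name=' is the English Windows form.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Count -eq 0) {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    }
    $nameOk = $false
    foreach ($n in $names) {
        # A wildcard covers exactly one DNS label (*.example.com, not a.b.example.com).
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($ExternalFqdn -match $pattern) { $nameOk = $true }
    }

    # Build the chain against the local store; revocation is skipped so the
    # check also works on a server without outbound access yet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $result = New-Object PSObject -Property @{
        Subject             = $cert.Subject
        HasPrivateKey       = $cert.HasPrivateKey
        SelfSigned          = ($cert.SubjectName.Name -eq $cert.IssuerName.Name)
        ChainsToTrustedRoot = $trusted
        RootSubject         = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        ChainStatus         = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        MatchesFqdn         = $nameOk
        DaysUntilExpiry     = [int](($cert.NotAfter - (Get-Date)).TotalDays)
    }
    $cert.Reset()   # release the key material loaded from the file
    $result
}
# Placeholder path and FQDN; the password is prompted for rather than typed inline.
# Test-UdsCertificate -PfxPath 'C:\certs\uds-comm.pfx' -Password (Read-Host -AsSecureString 'PFX password') -ExternalFqdn 'uds.example.com'
```

If `SelfSigned` is true, or `RootSubject` names an internal CA, the root certificate still has to be deployed to client devices manually, even when `ChainsToTrustedRoot` reports true on the server.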
Now you are ready to launch the Universal Device Service installer.
You will be prompted to confirm that you are logged in with a suitable user account with administrative privileges on the server:
Click Continue Installation. The following window will be displayed:
Read the license agreement and select the option to accept the terms and conditions. Click Next:
Select the installation method you prefer; in this article I select Advanced. Click Next:
Select the option to Create a management database. In this article I selected the option to install SQL Server Express on the UDS server rather than use a separate dedicated SQL Server. Click Next:
Select the UDS components you wish to install on this server - normally you will be installing all components on the same server unless deploying a DMZ scenario in which case the Communication Module would be installed separately. Click Next:
Enter your CAL and SRP information as provided to you via email. Click Next:
Ensure that all of the system prerequisite checks pass with no warnings or errors. Click Next:
Verify that the server has sufficient disk space available and enter the password for the user account logged into the server. Click Next:
Review your selections and click Install. The required components will now be installed:
When complete, click Next:
Complete the path for the database server. If you chose the option to install SQL Server Express locally, this information will be completed for you. Click Next:
You will be prompted to create the new management database, select Yes. When complete, the following window will be displayed:
Complete the fully qualified domain name of the server and enter a password that will be used to access the Core Module (only really required in a multi-homed installation).
Select the option to create a website and select an available port that the web site should run on - NOTE this is not the Communication Module that will be accessed by devices, this is the Core Module. Click Next:
Here are the settings for the externally-facing web site. Complete the fully qualified domain name of the server. Select the option to create a website and specify the port that the web site should run on.
Browse to the location for the certificate response file you saved earlier and enter in the same password you specified when exporting the private key. Click Next:
Here you will be prompted to enter details for the administration web site used to configure the solution. Specify the ports you wish the web site to run on and enter default administrator password details. Click Next:
The required system services will now start following final configuration. Verify that all services start successfully. Once complete, click Next:
The installation is now complete. Make a note of the administration web interface address if required (if you intend to access the web interface from another machine on the LAN); a shortcut will also be added to the Start menu:
Launch the Administration Console to begin configuring the solution.
When accessing the administration web interface for the Universal Device Service, only the following browsers are supported:
Log in using the administrator details you specified during the installation:
Here you can add and remove users and groups, configure IT policies and application packages.
Click on the Settings link in the top menu to finalise the configuration of the UDS server:
Create an SCEP profile if you intend to allow devices that support SCEP to obtain certificates from your internal certificate authority automatically.
Enter details of a user account that can perform lookups on Active Directory and enter details of the LDAP server.
Run through the APNS certificate wizard to enable push notifications with iOS devices - I have detailed this procedure separately in this article - http://ukblog.im-mobility.com/configuring-apple-push-notification-servic...
Enter details of an email relay server that the UDS can use to send activation and administrative emails to users.
The Licensing section allows you to review license usage and add additional licenses as required.
The Device Compliance section allows you to specify what should happen to devices that do not meet the compliance requirements of the organisation (such as if the device is detected to have been rooted or jailbroken): options include the ability to deny access to corporate resources, to simply warn the user, or to automatically wipe the device (which might be a full device wipe or only data that is deemed to belong to the organisation). Read the documentation for a full description of available options.
The Compliance Notification section allows you to edit the email or device message that will be displayed to users should their device not meet organisational compliance requirements.
The Device Activation Defaults section allows you to specify which platforms can be used with the solution, how many times each device can be activated, how long activation passwords last for before they expire, and the default ownership of devices upon activation: whether employee owned or company owned.
The Device Activation Email section allows you to edit the default email that is sent to users when they are added to the UDS server and assigned an activation password.
The Device Communication section allows you to specify device polling intervals if required.
The Library is where you can add applications and software configurations.
Adding an application is a matter of entering a name and description for the app, and the source where the app can be obtained.
Application sources for iOS devices will be the address of the app in the iTunes Store rather than a locally-stored IPA file. Android applications can be sourced from a locally-stored APK file.
Once application packages have been created they can be assigned to users or groups.
Users can be added either locally, using a manually-specified password, or can be imported from Active Directory. Provided that you have installed and configured the Active Directory Sync Tool, which I will look at in a separate article, entire Active Directory security groups can be imported into groups created on the UDS and membership changes updated automatically.
Permitted devices for users can be defined, as well as activation passwords and whether the user should be sent an activation email with instructions on how to activate their device:
Multiple IT Policies can be defined and assigned to users and groups as required. When creating a policy the available values indicate whether they apply only to iOS or Android, or both, and what version of the platform. Available values include:
Profiles allow you to define connection parameters for WiFi, ActiveSync Email, VPN, SCEP and certificates:
VPN (iOS only) - L2TP, IPSec, Juniper, Cisco, etc
WiFi (iOS and Android)
Microsoft ActiveSync (iOS only)
SCEP (iOS only)
CA Profile (iOS and Android)
Shared Certificate (iOS and Android)
When a user is added to the server, they can optionally receive an email containing their activation password, the details of the UDS server and where they can obtain the required Mobile Fusion device client.
The Android Mobile Fusion client is available from the Google Play Store here - https://play.google.com/store/apps/details?id=com.rim.mobilefusion.client
The iOS Mobile Fusion client is available from the iTunes Store here - http://itunes.apple.com/app/id505157728
Once installed on the device, the user will need to enter in the external fully qualified domain name, or IP address, of the UDS server (or specifically the UDS Communications component), followed by their UDS username and activation password.
Once activated, the client will then verify that the device passes compliance (if enabled):
Users can then view what applications and policies are assigned to them:
As well as details of the UDS server for reference:
Once the device has been activated, it will be displayed in the UDS administration interface:
From here you can view a detailed inventory report about the device's hardware and software, change the device password and lock it, lock it without changing the password, erase all work data from the device or perform a full factory reset on the device.
IT policies can be applied, and software packages delivered.
Read the documentation for full details on all available options.
Download the Platform Feature Comparison Chart PDF Here.