- I've got an iPhone and an Android device that will go in a drawer as soon as I can figure out how to get the Z10 to access my company's email.
The iPhone and the Android both access my corporate email via a certificate that the IT folks issue to me. I install the certificate onto the device and I've got access to email, calendar, and contacts. Works like a charm. I've been wrestling with how to import the certificate onto the Z10 and so far I'm losing the fight. I've searched all the BlackBerry Support and CrackBerry forums and no luck. There's 1 screen on the internal Z10 help, but it doesn't seem to work.
My IT guys are telling me that the only way to push a certificate to a Z10 is via BES 10 and since I work for a US-based company that won't get access to the new devices for another 2-3 months at least, we won't be upgrading our BES servers until then.
Does anybody have any tips/tricks on how to push a certificate to a Z10 and how to import it into the device? Any help at all is appreciated!
02-08-13 09:29 AM | Like 0
- Hi there,
I just signed up to specifically answer this for you.
We use 802.1X WiFi, and don't have a BES10 server yet. So it's very possible to do this without a BES10 server.
You have to create a certificate request, and I use Mac OSX Keychain to do this. Once I feed this into my Microsoft Active Directory Certificate Authority, it spits out my certificate.
I then import the certificate back into my Mac, as I need the private key associated with the certificate I just created.
Once imported, I then export the certificate and private key into a .p12 file.
Once I have this file, the trick is to import it onto the Z10.
Connect your Z10 to your computer via USB.
Install Link
Once link is installed, get the IP address of your Z10.
You can get this in the settings, and under Hardware, (sorry I don't have my Z10 in front of me)
Once you get your IP address, you connect to it via \\169.83.234.30 (for example)
Once connected you should have 3 shares pop up.
One of them is a Cert's share.
Dump your .p12 file into this.
Then you import them on your Z10 from the security menu > certificates. Make sure you select Personal certificate (2nd option; remember, I don't have my Z10 on me).
I hope this helps.
We were able to successfully install certificates to the Z10 this way.
With BES10, you can push the certificates with SCEP server and enjoy auto certificate enrollment.
I hope this helps.
If you have any questions, please let me know.
02-08-13 09:45 AM | Like 1
- Thanks for the tip. I found some similar instructions on the BlackBerry support page here: Import a certificate from your computer - How To - BlackBerry Z10 Smartphone - 10.0.0
The piece that's got me pulling my hair out is that as soon as I connect to the Z10 (in my case, from a Mac), it asks me if I want to connect as a guest or as a registered user. I've tried guest, with no luck. I've also tried the registered user option but it asks me for the name and password for the device. I've tried every option I can think of and have even wiped the drive back to factory defaults, all with no luck. I've searched through the BB support pages but there's no mention of this anywhere.
02-08-13 10:12 AM | Like 0
- I couldn't get it to connect via my iMac either, or through my Parallels VM running on my iMac, even with Link installed. I had to plug it into a PC laptop, and then install all the BlackBerry Link software. Once I did that, I was able to copy the certs to the Certs folder.
02-08-13 11:02 AM | Like 0
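The request, CA-issued certificate and .p12 export described in the answer above, as an added example that is not part of the thread: it uses the OpenSSL command line in place of Mac OS X Keychain, and a throwaway test CA stands in for the Active Directory CA. All subjects, file names and the passphrase are constructed. Before the bundle is copied to the device, it checks that the .p12 really contains the private key matching the certificate and that the certificate verifies against the CA for client authentication.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Names, subjects and the passphrase are
# constructed; the throwaway CA stands in for the corporate AD CA.
set -eu

P12_PASS='constructed-passphrase'   # transport password for the .p12

write_cfg() {   # $1 = workdir; minimal config so no system openssl.cnf is needed
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[usr]
extendedKeyUsage = clientAuth
EOF
}

make_request() {   # $1 = workdir, $2 = user CN; the key stays with the requester
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
}

stand_in_ca_issue() {   # $1 = workdir; what the real CA does with user.csr
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/openssl.cnf" -extensions usr \
        -out "$1/user.crt" 2>/dev/null
}

make_p12() {   # $1 = workdir; certificate + private key (+ CA cert) in one file
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" \
        -certfile "$1/ca.crt" -name "constructed-user" \
        -passout "pass:$P12_PASS" -out "$1/user.p12"
}

key_matches_cert() {   # $1 = key file, $2 = cert file; compares public keys
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

p12_is_usable() {   # $1 = workdir; 0 only if key + cert are present and consistent
    openssl pkcs12 -in "$1/user.p12" -passin "pass:$P12_PASS" -nodes -nocerts \
        -out "$1/out.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$1/user.p12" -passin "pass:$P12_PASS" -clcerts -nokeys \
        -out "$1/out.crt" 2>/dev/null || return 1
    key_matches_cert "$1/out.key" "$1/out.crt" || return 1
    # Chain to the issuing CA and require the client-authentication purpose.
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/out.crt" \
        >/dev/null 2>&1
}

build_bundle() {   # $1 = workdir, $2 = user CN
    write_cfg "$1"; make_request "$1" "$2"; stand_in_ca_issue "$1"; make_p12 "$1"
}

work="$(mktemp -d)"; trap 'rm -rf "$work"' EXIT
build_bundle "$work" "constructed.user@example.test"
p12_is_usable "$work" && echo "user.p12: matching key, CA-verifiable client cert"
```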
- Omnitech (Dragon Slayer)
Also, the Z10 PDF documentation says NOTHING about how to import certificates. All it says is "Talk to your administrator".
In fact, I never saw that Blackberry documentation article before either, I'll bet it was just created in the last few days. Because I searched all over their support site for an answer to that question just a few days ago. (Maybe the problem is that their search engine sucks, since apparently it must have existed at least by 2/8 or segri01 wouldn't have found it on that date.)
02-16-13 05:22 AM | Like 0
- I think it is self signed, but not 100% sure exactly what that means. For Android our IT department emails you a certificate and a password; during the ActiveSync account set up on Android's native mail client you can select a cert and import it, you then enter the password IT gave you and voilà, a few IT policies are pushed to the device and you start getting mail. On iOS the set-up involves you going to a website, logging in with corp username and RSA token credentials, then it walks you through a profile installation which imports a certificate and prompts for the cert password (which IT sends you in advance). Not the most elegant solutions from a user standpoint but they work. When it comes to BB10 the cert import process is straightforward, but it breaks down when it comes to setting up the ActiveSync account: there is no way to tell the device to use that cert when trying to connect to our mail server, so it can't connect or authenticate against the mail server. Any suggestions?
02-20-13 08:24 AM | Like 0
- Many companies use self-signed certificates on internal networks because they are not public networks using public IP addresses, among other things. (Public certificate authorities are of no use if the host in question does not have an internet-resolvable hostname. Many companies use internal DNS via Microsoft Active Directory because AD pretty much requires you to do so unless you want a big headache.)
Also, the Z10 PDF documentation says NOTHING about how to import certificates. All it says is "Talk to your administrator".
In fact, I never saw that Blackberry documentation article before either, I'll bet it was just created in the last few days. Because I searched all over their support site for an answer to that question just a few days ago. (Maybe the problem is that their search engine sucks, since apparently it must have existed at least by 2/8 or segri01 wouldn't have found it on that date.)
02-20-13 10:56 AM | Like 0
- Omnitech (Dragon Slayer)
I think it is self signed, but not 100% sure exactly what that means. For Android our IT department emails you a certificate and a password; during the ActiveSync account set up on Android's native mail client you can select a cert and import it, you then enter the password IT gave you and voilà, a few IT policies are pushed to the device and you start getting mail. On iOS the set-up involves you going to a website, logging in with corp username and RSA token credentials, then it walks you through a profile installation which imports a certificate and prompts for the cert password (which IT sends you in advance). Not the most elegant solutions from a user standpoint but they work. When it comes to BB10 the cert import process is straightforward, but it breaks down when it comes to setting up the ActiveSync account: there is no way to tell the device to use that cert when trying to connect to our mail server, so it can't connect or authenticate against the mail server. Any suggestions?
If your IT dept is using an internal certificate authority (CA), then you will need to import their CA certificate so the device trusts it. (It comes pre-loaded with CA certs from a variety of known/trusted public CA's, but those won't help you as per my previous comment if your company uses an internal CA.) When we say "self-signed" that generally means a certificate which does not link back to a known public CA. (Or your internal CA if you have already imported their root CA cert.)
The other type of cert is a personal cert, ie to authenticate yourself as a member of staff, in order to use their WiFi network, or to use their email server, etc. Here is a link to a document from Microsoft that describes the process of setting up an Exchange server to use certificates for user authentication.
So you're saying that you believe that the process of importing the personal cert into the Z10 worked OK, but when it came to the point where you needed to connect to your mail server, there was no mechanism to select that newly-imported cert to identify you to the server?
Is SSL turned-on for the Exchange account on the Z10? There are some screenshots showing this in another thread here.
Some info I've seen (ie this page) suggests that in some cases, connecting via WiFi, at least initially, might be more successful for getting EAS working than using the cellular data link.
02-21-13 12:31 AM | Like 0
- Omnitech, based on your above comment I would say 100% we are dealing with a personal cert, as described in this Microsoft article you sent the link for, copied below:
Once the certificate is on the device, the user can configure the Exchange ActiveSync client (usually a mail app) on the device. When configuring EAS for the first time, users will be required to enter their credentials. When the device communicates with the Client Access Server for the first time, users will be prompted to select their certificate. After this is configured, if users check the account properties, they'll see a message similar to the following:
Microsoft Exchange uses certificates to authenticate users when they log on. (A user name and password is not required.)
Question: On iOS and Android we have a working process as I previously stated. Being a former RIM employee I reached out to a friend at RIM who definitely has the right background to answer this question. He said certificate-based authentication (CBA) must be facilitated by the BES10 as it stands now and that BB10 would eventually support CBA on device but it's coming in a future update. I simply can't accept that BlackBerry 10 wouldn't be able to connect while Android and iOS can; it just seems backwards given RIM's business roots.
If anyone has suggestions happy to hear them.
Thanks!
02-25-13 08:33 AM | Like 0
- Omnitech (Dragon Slayer)
Question: On iOS and Android we have a working process as I previously stated. Being a former RIM employee I reached out to a friend at RIM who definitely has the right background to answer this question. He said certificate-based authentication (CBA) must be facilitated by the BES10 as it stands now and that BB10 would eventually support CBA on device but it's coming in a future update. I simply can't accept that BlackBerry 10 wouldn't be able to connect while Android and iOS can; it just seems backwards given RIM's business roots.
If anyone has suggestions happy to hear them.
Thanks!
If the Android and iOS devices at your company are connecting, most likely they are just connecting to a standard MS Exchange server, not through BES10.
I can't tell from your comments if your RIM staff friend meant that CBA doesn't work on BB10 devices for ANY MS Exchange connection, or whether it was just a BES10 limitation.
Unfortunately as BB10 was written from scratch it appears that there are a variety of examples where traditional BBOS functionality did not make it into the initial BB10 release. Some of those cases were clearly intentional (ie trying to simplify things for the kind of customer that would normally find Apple devices appealing), some were probably due to time/resource constraints, and some may be simply because many of the QNX people are not the same people that designed the traditional JavaME-based Blackberry platform, and are still in the process of digesting some of the traditional elements of it.
I have seen fairly concrete evidence that BBRY is planning to add some of the things that traditional BB users are missing in BB10 so far, such as more flexible notifications, better "bedside-mode", tethered syncing with Outlook, etc. So in this case I would be very surprised if this is indeed a missing feature, if it does not re-appear.
In the meantime, if it turns out that CBA is totally unsupported on BB10 at the moment, can you ask your Exchange admin if s/he can write a policy exception for you to allow you a different form of authentication for your Z10 until that changes? I believe you can make device-by-device policy exceptions in Exchange, though not being an MS Exchange or BES admin myself I'm not 100% sure.
02-25-13 04:55 PM | Like 0
- Omnitech,
Let me clarify a few things. My company is not using BES10 or any other MDM solution; they are trying to avoid the overhead costs of running a server-side solution. Everything connects through ActiveSync and a device-side user certificate.
My RIM staff friend basically said that CBA would require the BES10 to facilitate the certificate authentication through SCEP
Slightly over my head but that's the answer I got. The capability of assigning a user cert during the active sync account set up on the device is coming however no ETA not even on the road map.
I like your idea about getting an exception with my IT department to authenticate with some other means might give that a try.
I also tried side loading the touchdown android app which used to be required to connect up certain android devices that didn't support CBA but haven't had success setting it up it doesn't see the cert on my SD card probably something to do with it being an Android app and might not have access to device storage.
I love the Z10, it's way better than the HTC One X I was forced to use after leaving RIM, but not having corp mail is a real shortcoming. Right now I am swapping back and forth between my One X and Z10 for this reason.
Posted via CB10
02-25-13 07:34 PM | Like 1
- Omnitech (Dragon Slayer)
My company is not using BES10 or any other MDM solution; they are trying to avoid the overhead costs of running a server-side solution. Everything connects through ActiveSync and a device-side user certificate.
My RIM staff friend basically said that CBA would require the BES10 to facilitate the certificate authentication through SCEP
SCEP is just an easier way to distribute personal certs by allowing a device to request a certificate at the time of the initial connection attempt. I've never actually used it because I typically work with smaller organizations, but it seems to be a popular way to address the issue of trying to distribute certificates to users in a secure and organized way.
I like your idea about getting an exception with my IT department to authenticate with some other means might give that a try.
I also tried side loading the touchdown android app which used to be required to connect up certain android devices that didn't support CBA but haven't had success setting it up it doesn't see the cert on my SD card probably something to do with it being an Android app and might not have access to device storage.
Besides the possibility of a per-device policy exception for ActiveSync on your Z10, is it even remotely feasible to use Outlook Web Access/Exchange Web Connect to access your company email temporarily? Or IMAP?
02-25-13 09:42 PM | Like 0
- SCEP is just an easier way to distribute personal certs by allowing a device to request a certificate at the time of the initial connection attempt. I've never actually used it because I typically work with smaller organizations, but it seems to be a popular way to address the issue of trying to distribute certificates to users in a secure and organized way.
Here is where my situation is unique: my company does not use Microsoft Exchange; rather, we use an email solution that supports using the ActiveSync protocol. A policy exception is likely my only option and I don't believe it will be easy to get that exception.
02-26-13 09:32 AM | Like 0
- Omnitech (Dragon Slayer)
In my own case, looking to replace my own outdated email server with something new, I finally found a product that is available for free or low cost that not only is not limited to something like 5 users (I don't have a bunch of users but I do have a bunch of independent accounts for myself), it also has the ability to support Exchange ActiveSync. The product is called Axigen.
Most of the servers out there that I'm aware of that have an EAS option also have a webmail option. Here's Microsoft's current list of licensees:
Exchange ActiveSync Protocol and licensees
Other products I'm familiar with that support both EAS and webmail include AtMail (@Mail), Icewarp, Imail (Ipswitch), Kerio mail server, MailEnable, SmarterMail, Zimbra... probably several others.
02-26-13 02:22 PM | Like 0
- My company uses Zimbra and it does have a Web mail option however it requires that you log in with an RSA token. Not the most convenient option.
Are you suggesting accessing mail through the BB10 browser?
Another work around which does work is setting up a VPN connection on the device and then setting up the active sync account while the VPN is connected. Downside is that with VPN connected personal email and BBM seem to stop working and getting onto the VPN still requires an RSA token.
I failed at getting a IT exception to not use a certificate and IMAP would work according to my IT department however it would need VPN and the inconvenience of always having a hard token nearby.
Posted via CB10
02-26-13 02:44 PM | Like 0
- Omnitech (Dragon Slayer)
My company uses Zimbra and it does have a Web mail option however it requires that you log in with an RSA token. Not the most convenient option.
Are you suggesting accessing mail through the BB10 browser?
Another work around which does work is setting up a VPN connection on the device and then setting up the active sync account while the VPN is connected. Downside is that with VPN connected personal email and BBM seem to stop working and getting onto the VPN still requires an RSA token.
I failed at getting a IT exception to not use a certificate and IMAP would work according to my IT department however it would need VPN and the inconvenience of always having a hard token nearby.
Well it was just a thought for a workaround.
When you say "RSA token" you mean the keyfob thing?
Probably the reason the other stuff doesn't work when VPN is active is just your IT department's data/firewall policies. Might even have less of a chance asking but you could ask them to poke a hole to your personal email server. I don't know what protocols/ports BBM uses.
02-26-13 02:54 PM | Like 0
- Yea, a keyfob with rolling 6 digit numbers. It seems like there will be no quick fix on this one.
Sadly I would return this phone if I hadn't already talked over 30min on it. Kinda stuck with it now... not really such a bad thing, this phone rocks, it's everything a BlackBerry should be outside of this one flaw.
I really hope it gets fixed but from my inside info it's not been a common complaint yet and it's not been included in a road map of feature requests internally at RIM. Given prior experience working there that means 6-12 months of waiting.
Posted via CB10
02-26-13 03:09 PM | Like 0
- Sith_Apprentice (Mod Team Emeritus)
Both public and private certs can be imported using the method above, you can also do this via WiFi and connect to the device. Make sure under storage settings that WiFi access is enabled. Take your certs (public/private) and dump them into the certificate folder. Then go into the phone, settings, certificates, and import them. Similar process to importing certificates on the PlayBook.
CBA DOES work on both the PlayBook and BB10 devices, when importing the cert make sure you check the appropriate boxes (WiFi, Email, etc).
03-04-13 06:35 AM | Like 0
- Omnitech (Dragon Slayer)
Correct me if I'm wrong, but I don't think the problem is getting the cert on the device, it's getting the Exchange connection to use a designated cert when setting up the connection.
Edit: Ah, maybe he missed the part about designating the purpose of an imported cert?
But speaking generally, I thought the whole point of SCEP was that the process of connecting was supposed to be straightforward: server offers to download cert to device, user provides previously-provided cert password, connection uses that personal cert for link, done.
Last edited by Omnitech; 03-04-13 at 08:21 AM. Reason: typo
03-04-13 06:56 AM | Like 0
- Both public and private certs can be imported using the method above, you can also do this via WiFi and connect to the device. Make sure under storage settings that WiFi access is enabled. Take your certs (public/private) and dump them into the certificate folder. Then go into the phone, settings, certificates, and import them. Similar process to importing certificates on the PlayBook.
CBA DOES work on both the PlayBook and BB10 devices, when importing the cert make sure you check the appropriate boxes (WiFi, Email, etc).
Thanks,
03-04-13 07:14 AM | Like 0
Import certificate for access to corporate email