UK G-Cloud BES10 Cloud and Managed Services March 18, 2016 BlackBerry Confidential BlackBerry Confidential Page 2 of 34 Confidentiality This proposal contains information that is proprietary and confidential to BlackBerry UK Limited. This information is provided for the sole purpose of permitting the recipient to evaluate the proposal. In consideration of receipt of this document, the recipient agrees to treat information as confidential and to not reproduce or otherwise disclose this information to any persons outside the group directly responsible for the evaluation of its contents, without the prior written consent of BlackBerry UK Limited. Personal Information This proposal may contain personal information about identifiable individuals such as the employment or educational history of proposed resources. In consideration of receipt of this document, the recipient agrees that it shall not use or disclose to any other person such personal information for any purpose other than its evaluation of this proposal, without the express consent of BlackBerry UK Limited as required or permitted by law. RIM ON BEHALF OF ITSELF AND ITS AFFILIATES MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION OR GRAPHICS CONTAINED IN THIS DOCUMENT FOR ANY PURPOSE. THE CONTENT CONTAINED IN THIS DOCUMENT, INCLUDING RELATED GRAPHICS, ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. RIM HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL RIM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION CONTAINED HEREIN. THIS DOCUMENT, INCLUDING ANY GRAPHICS CONTAINED WITHIN THE DOCUMENT, MAY CONTAIN TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. UPDATES ARE PERIODICALLY MADE TO THE INFORMATION HEREIN AND RIM MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME Copyright © 2013, Research In Motion Limited. All rights reserved. All other brand names of products mentioned are registered trademarks or trademarks of their respective companies. BlackBerry Confidential Page 3 of 34 Table of Contents 1 Introduction ....................................................................................................................... 4 1.1 1.2 1.3 1.4 Executive Summary ............................................................................................................................4 BlackBerry Solution .............................................................................................................................4 BlackBerry Enterprise Service 10 .......................................................................................................5 Our Value Proposition to the UK Government ....................................................................................6 2 Services Overview ............................................................................................................ 8 2.1 UK G-Cloud Hosting Options ..............................................................................................................8 2.1.1 Information Assurance ...................................................................................................................8 2.1.2 UK G-Cloud Rollout........................................................................................................................9 2.2 BES10 Cloud Core Service .................................................................................................................9 2.2.1 BES10 Readiness Assessment .....................................................................................................9 2.2.2 BES10 Cloud Features ..................................................................................................................9 2.2.3 BES10 Cloud Core Infrastructure ................................................................................................10 2.2.4 Core Configuration .......................................................................................................................10 2.2.5 BES10 Cloud Monitoring & Maintenance.....................................................................................10 2.2.6 BlackBerry Technical Support Services (BTSS) ..........................................................................11 2.3 Optional Managed Services ..............................................................................................................13 2.3.1 Migration and Integration Services ..............................................................................................13 2.3.2 Training ........................................................................................................................................13 2.3.3 Manage on Behalf Of (MOBO) .....................................................................................................14 2.3.4 Manage on Behalf Of plus End User Help Desk ..........................................................................14 3 Infrastructure Operations................................................................................................. 16 3.1 3.2 3.3 3.4 BES10 Cloud Architecture.................................................................................................................16 Security..............................................................................................................................................17 Compliance .......................................................................................................................................17 Disaster Recovery and Failover ........................................................................................................17 4 Customer On-boarding & Off-boarding ............................................................................ 19 4.1 Ordering & Invoicing ..........................................................................................................................19 5 Customer Responsibilities & Technical Requirements..................................................... 21 6 Trial Service .................................................................................................................... 22 7 Pricing ............................................................................................................................. 23 8 Termination Terms .......................................................................................................... 25 9 Appendix A: Readiness Assessment Tasks .................................................................... 26 10 Appendix B: BES10 Core Configuration Tasks ................................................................ 28 11 Appendix C: BES10 Advanced Configuration Tasks ...................................................... 29 12 Appendix D: Service Level Agreements (SLAs)............................................................... 31 12.1 Core Services SLAs ..........................................................................................................................31 12.1.1 BES10 SLA Exclusions ................................................................................................................31 12.2 Managed Services SLAs ...................................................................................................................31 12.3 SLA Recompense .............................................................................................................................32 13 Appendix E: Response to UK G-Cloud Service Definition ............................................... 34 BlackBerry Confidential Page 4 of 34 1 Introduction 1.1 Executive Summary BlackBerry is delighted to provide a proposal to the UK Government for a hosted Enterprise Mobility Management (EMM) solution that addresses the capabilities, security and cost model required by the UK Government. BlackBerry enjoys strong working relationships with a wide range of UK Government customers. In the past, BlackBerry has been unable to provide truly cost effective services due to the complex nature of the supply chain across UK Government. BlackBerry is now able to leverage changing service delivery landscape, and new mechanisms such as PSN and G-Cloud to provide truly cost effective services. BlackBerry has invested heavily in its Enterprise Platform and Operations in the past 18 months resulting in significant improvements and changes to the UK Government’s account management resource and product offerings. The most significant product offering enhancements can be seen in the cross-platform device management and containerisation capabilities supported through BlackBerry Enterprise Service10 (an evolution of BlackBerry’s market leading EMM solution BlackBerry Enterprise Server), and BlackBerry’s new secure multi-tasking device OS BlackBerry10. UK Government currently has an investment of approximately 250,000 BlackBerry devices and hundreds of Enterprise servers to manage these devices. We are concerned by the version of the enterprise software installed and the age of the devices deployed across Government as they are not representative of the current portfolio which offers a greater opportunity to maximise on investments made. An additional concern relates to the knowledge BlackBerry solutions held by companies contracted to manage them on behalf of Government. BlackBerry believes that its product evolution into cross-platform device management and containerization allows the UK Government to leverage its significant investment already made in BlackBerry solutions. The product evolution will allow Government to better meet the needs of new requirements as a result of Bring/Choose-Your-Own-Device (BYOD/CYOD) or Corporate-OwnedPersonally-Enabled (COPE) initiatives and also the known mobility requirements of many areas of the UK government. This proposal addresses the needs of UK Government with a solution that is a simple evolution of the existing on-premises solution to a secure hosted model for BES10 that allows for transparency in the procurement of the services. As a strategic customer of BlackBerry, the UK Government has at their disposal the absolute priority and focus of experienced staff with appropriate security clearance. Benefits include Executive Sponsorship, Direct Account Management, Product Roadmap Visibility and Direct Input into R&D and Software Development. 1.2 BlackBerry Solution BlackBerry has based this proposal to the UK Government on its flagship EMM solution BlackBerry Enterprise Service 10. BlackBerry Enterprise Service 10 (BES10) is architected for the enterprise from the ground up. BES10 delivers the device management, application management and security organisations need whilst embracing consumerisation of the business IT environment through BYOD, CYOD and COPE. The BES10 platform provides comprehensive cross-platform support for smartphones and tablets whether these are corporate or personal owned. Enterprises can now easily manage cross-platform mobile device environments (BB10/iOS/Android) from one unified platform and console with BlackBerry Balance and BlackBerry Secure Work Space. BlackBerry Confidential Page 5 of 34 Underpinning BES10, the trusted BlackBerry Secure Infrastructure enables seamless connections between mobile end points and the corporate environment, behind the firewall, systems and applications. 1.3 BlackBerry Enterprise Service 10 Since launch in January 2013, BES10 has supported Device Management, Application Management and Security needs of customers with complex security and control requirements. This functionality covers not only BlackBerry devices but also iOS and Android smartphones and tablets, but from May 2014 BES10 will also support Windows Mobile 8 devices. BES10 supports both corporate owned and personal owned (BYOD) devices. BlackBerry Balance brings the capability for enterprises to secure corporate data without restricting the user experience and personal privacy, content and applications of the employee. The ability for IT to deploy, secure and manage corporate mobile applications to the end user’s device is built in and seamlessly enabled as a BES10 feature. Working together with BlackBerry World, a flexible corporate app store is delivered through the BlackBerry World for Work feature. This feature enables the enterprise to securely provision employees for mandatory and optional mobile applications. With BES10, BlackBerry has introduced a single solution to fully secure applications and corporate data on iOS and Android devices by providing security of data at rest on these devices. This solution brings the option of secure connectivity to iOS and Android devices, completing a comprehensive device management, application management and security solution for customers with multi-OS environments. BES10 also brings Advanced EMM capabilities enabling BlackBerry 10 devices to be deployed for corporate only use cases, using BlackBerry Balance to allow zero personal data and applications. For instance in certain areas of the UK Government, some features such as Bluetooth or the camera need to be disabled to limit the personal use of the device for either compliance, regulatory or policy reasons. BlackBerry Confidential Page 6 of 34 The BlackBerry platform truly does support all requirements of the UK Government, from low security right up to the highest level of security and management. 1.4 Our Value Proposition to the UK Government The power of the BlackBerry platform in the enterprise goes beyond the smartphone to connect all facets of a traditional office and mobilise it. With BlackBerry at the hub of the UK Government mobile computing environment, real-time information and unified communications are pushed to the device so workers can be “in the office” virtually anywhere. Behind each BlackBerry smartphone in the enterprise is the BlackBerry Enterprise Solution where BlackBerry’s global network infrastructure integrates with the BlackBerry Enterprise Server software to enable access to an organisation’s corporate data and telephone servers; providing a mobile platform that maintains a high level of security outside the boundaries of a traditional office. The functionality, security and reliability of the BlackBerry Enterprise Solution is what allows BlackBerry to be the leader in the enterprise market with Fortune 500 companies worldwide deploying the BlackBerry solution. The always-on connectivity of a BlackBerry smartphone is powered by BlackBerry's BlackBerry Confidential Page 7 of 34 own cloud infrastructure – an infrastructure that has been developed, managed and refined for more than 10 years. Now BlackBerry has extended its cloud architecture to deliver a BES10 Cloud service that offers the UK Government the following benefits: Monitored and maintained in the BlackBerry cloud Provides full functionality of on-premises BlackBerry Enterprise Service 10 Includes BlackBerry Technical Support Services for Client provided BES Administrator Optional BlackBerry EMM services essential to the BES10 Cloud solution Delivered as a per device per month service. Core BES10 Cloud and Optional Managed Services With service availability to the UK scheduled for July 2013, BlackBerry can now work with the UK Government to bring this solution to the G-Cloud CloudStore and continue to evolve the service offering to meet the essential criteria required of a private cloud solution. BlackBerry Confidential Page 8 of 34 2 Services Overview 2.1 UK G-Cloud Hosting Options Hosting options provided by BlackBerry for BES10 Cloud adhere to the UK G-Cloud phase definitions of public and private cloud service: Public Cloud means Utility Computing that is available to individuals, public and private sector organisations. Public Cloud is often non-geographically specific and can be accessed wherever there is an Internet connection. Private Cloud means a Utility Computing infrastructure exclusively for the use of one organisation or community. Hybrid Cloud means a combination of Public and Private Clouds, both remaining separate entities, but with Workload able to migrate between them. Beginning with BlackBerry’s standard public cloud offering for BES10 Cloud, our private cloud offerings will provide progressively higher information assurance at impact level 3 and above through the use of segregated communities of interest and more stringent accredited data center services and infrastructure. BlackBerry’s standard public cloud offering for BES10 Cloud offering provides dedicated, single tenant BES10 services in shared public cloud clusters that are virtually separated by dedicated VLANS. Based in an EU country, this service will meet Impact Level 2 accreditation for non-restricted or protected information, a part of Phase I. For subsequent phases, the same shared public cloud architecture will be applied in a private cloud context by dedicating cloud clusters to specific communities of interest defined by UK government requirements. For example, a separate cloud cluster can be dedicated for the shared use of general public sector consumers or specific communities (such as Police) that have a trusted relationship and need to work closely together. In the most stringent use case, the cloud cluster can be dedicated to one single tenant for their exclusive use. In addition to the BES10 Cloud offering, the option of deploying BES10 services on servers supplied by the public sector consumer in either a traditional on-premises or on a platform-as-a-service scenario is also available. BES10 Public and Private Cloud Phased Approach 2.1.1 Information Assurance The standard public cloud offering will be targeted at IL2 and below. Our private cloud offering, based in the UK, will be targeted at IL3. Each offering shall be evaluated and accredited by the Pan-Government Accreditation Service to their respective Impact Levels, following standard PSN RMARD and GCloud methodologies. Management of smartphones will be performed in accordance with the recommendations made by the Communications Electronics Security Group (CESG) as part of the End User Device Strategy. BlackBerry will sign up to the Open Procedure framework and apply to the Pan Government Accreditor (PGA) for application onto the accreditation cycle. BlackBerry is already an ISO27001-compliant company, providing assurance of our security. We expect that the PGA will request some additional testing to guarantee separation of data between customers and non-government systems, and these recommendations will be fully implemented. BlackBerry Confidential Page 9 of 34 At IL2, data will be held within the EU. It should be noted that very little sensitive data will be persisted within the cloud offerings – these are primarily device management and network traffic routing services. The primary persistent data will be the credentials of users, and log data. At IL3, data will be held within an appropriately accredited facility within the UK. Data aggregation, by both accumulation and association, has been considered and reasonable steps taken to minimise the risks. Nonetheless it is the nature of cloud services that aggregation issues be considered by customers when performing their own risk management exercises. 2.1.2 UK G-Cloud Rollout BlackBerry has plans to launch our standard public cloud offering for BES10 Cloud in an EU country in Fall 2013. This service is intended to meet the commercial needs of Public and Private sector organisations based in the EMEA region. BlackBerry plans to utilise our public cloud offering to deliver Impact Level 2 services for proof-of-concept and/or pilot scenarios with a select group of UK Government organisaitons. For Impact Level 3 services and higher, it is understood that private cloud deployments must be based in a data center located in the United Kingdom. To meet this requirement, BlackBerry will work with its infrastructure as a service partners and/or many alliance partners with suitable data center services in the UK. Dependent on the timelines of the UK G-Cloud accreditation and G-Cloud4 CloudStore framework processes, BlackBerry intends to begin discussions with UK government organisations regarding proof-of-concept and pilot scenarios to be deployed in an EU country now and be in a position to have UK based services late in 2013/early 2014. 2.2 BES10 Cloud Core Service The Core Service provides the foundation for all BlackBerry solutions and includes a Readiness Assessment, choice of VPN or Excluding VPN deployments, core configuration, BES10 maintenance and monitoring, and Advanced BlackBerry Technical Support Services. 2.2.1 BES10 Readiness Assessment BlackBerry will conduct a preliminary environmental assessment of the customer's environment to uncover gaps, identify potential issues, and validate all requirements are met to ensure a smooth and easy deployment of the BES10 infrastructure. The assessment will include the tasks outlined in Appendix A: BES 10 Cloud Readiness Assessment. 2.2.2 BES10 Cloud Features BES10 Cloud allows for secure access from BlackBerry as well as iOS and Android devices to the customer’s internal network via the Public Services Network (PSN) for IL2 and higher service accreditation. The following chart provides the features of the BES 10 Cloud BES10 Cloud Features Feature VPN Tier BlackBerry World for Work BlackBerry Balance Corporate Controls and Settings Device Side VPN Connectivity BlackBerry Confidential Feature Page 10 of 34 VPN Tier Direct Connectivity to Mail Server (if exposed to Internet) Local Directory Accounts Admin Access over the Internet Admin Access via Secure Channel Regulated Controls and Settings Secure Workspace (iOS/Android) Disaster Recovery High Availability SLA Behind the Firewall Access Intranet Internal Apps Active Directory Integration 2.2.3 BES10 Cloud Core Infrastructure BlackBerry will be responsible for implementing and maintaining the following items as part of the infrastructure required to support BES10 deployments in the BlackBerry cloud. BlackBerry will be responsible for: Deployment, maintenance and monitoring the base cloud infrastructure (Public and Private) Deployment, maintenance and monitoring of the BES10 platform Setup of high availability for the BES10 platform Setup of backups and disaster recovery at appropriate alternative sites for failover purposes Provisioning of additional servers as required to accommodate customer growth Upgrading with software patches the underlying operating system, database servers etc. Upgrading the BES10 platform to the latest version as feature enhancements are released Measuring, meeting, validating, and reporting on SLAs Performing planned maintenances during pre-defined maintenance windows Procuring all required licenses for servers, databases etc. Deployment, maintenance and monitoring of network connectivity up to the demarcation points Ensuring all required BlackBerry Infrastructure components are operational 2.2.4 Core Configuration BlackBerry will configure the BES10 core environment to the specifications outlined in Appendix B: BES 10 Cloud Core Configuration Tasks. 2.2.5 BES10 Cloud Monitoring & Maintenance BlackBerry will monitor the solution end-to-end and perform any required maintenance to ensure the service meets the specified SLAs. The monitoring and maintenance will be performed by the BlackBerry Confidential Page 11 of 34 BlackBerry Network Operations Center and BlackBerry Service Engineering teams. Both of these teams are 24/7 and across all data centers the service is deployed in. Details of BES10 monitoring and maintenance are as follows: The goal of the monitoring systems is to allow BlackBerry teams the insight to proactively isolate potential problems and execute required changes Monitoring data is used for planning purposes to ensure there is ample capacity for the customer as they continue to grow their device base BlackBerry will monitor the service at the infrastructure, application, and service levels Infrastructure monitoring will consist of monitoring virtual servers in the cloud environment, database components, networking components such as F5 load balancers and network switches Application level monitoring will ensure each discrete component that constitutes the BES10 is up, healthy and performing at an expected level Service level monitoring consists of ensuring the service as a whole, from the viewpoint of the customer, is behaving as expected BlackBerry will also monitor any BlackBerry services the BES10 service is dependent on The data monitored will not contain any personally identifiable information but will be sets of customer agnostic metrics designed to determine the health of the infrastructure, application and service as a whole As the BES10 platform evolves, BlackBerry will continue to update the monitoring systems to ensure any new or modified components are monitored and the service as a whole meets the required SLA Predefined maintenance windows will be leveraged to perform upgrades of infrastructure via software patches to the underlying operating system, database servers, as well as for deployment of feature enhancements or fixes related to the BES10 service. 2.2.6 BlackBerry Technical Support Services (BTSS) With mobile solutions increasingly driving essential business functions, even the smallest amount of downtime has the potential to disrupt productivity and impact customer service. The BYOD trend adds another layer of complexity with the need to securely manage both corporate and personal owned devices. In this mission-critical environment, support is a key component of any EMM strategy. Yet not all support is created equal – the UK Government requires a strategic partner who can reinforce mobile business objectives and keep business moving. BlackBerry takes an holistic approach to Enterprise Mobility Management, with an end-to-end platform delivering device management, security, unified communications and applications, all complemented by direct-from the- manufacturer services and technical support. We help you securely manage and support BlackBerry, iOS and Android devices through BES10. We provide everything needed to realize the full potential of the UK Governments’ BlackBerry investment. BlackBerry improves communications and interactions with suppliers, partners, customers and internal teams. Supporting this is key. BlackBerry Technical Support Services deliver the expertise, options and tools. BlackBerry has been providing technical support to customers for over 10 years BlackBerry supports customers in over 90 countries 2.2.6.1 Advanced BlackBerry Technical Support Services (BTSS) BlackBerry offers several levels of support globally to provide a wide range of choices that align to the level of expertise, assistance and resolution time required by the UK Government. The BES10 Cloud Core Service includes a level of support that blends technical knowledge, quicker issue resolution and value added expertise. Advanced BlackBerry Technical Support Services BlackBerry Confidential Page 12 of 34 (BTSS) provides priority queuing and account management direct from BlackBerry to ensure the solution meets expectations and maximises uptime. Advanced BTSS for BES10 Cloud includes: 7/24 Global Support Priority Queuing: Direct to Level 2* 2 hr electronic response 90 second phone pick up BlackBerry Expert Support Center (BESC**) Account Management: Support System Specialist (SSS***) 10 Named Callers Web based training *Direct to Level 2: Your organisation bypasses the general support queue and your technical issues are routed directly to a more experience pool of support analysts. **BlackBerry Expert Support Center: Your one-stop, self-service online resource that provides productivity tools, learning and case management ***Support System Specialist: Your organisation has access to a team of trained escalation professionals who can help manage escalated issues through to resolution, and who will conduct quarterly program reviews with your support staff. This team will also liaise with Problem Management for critical issues. 2.2.6.2 Optional Premium BlackBerry Technical Support Services A Premium level of BlackBerry Technical Support Services (BTSS) is available as an upgrade to the Advanced level of BTSS included with the Core Service. Premium provides relationship based support, access to our most experienced support team, and faster response times for your mission critical mobile environment. Support experts have an intimate knowledge of the customer’s deployment and mobility management goals. Premium BTSS for BES10 Cloud includes: 7/24 Global Support Direct Advanced Response Team (DART*) 1 hour electronic response 90 Second phone Pick up BlackBerry Expert Support Center (BESC) Dedicated Account Management: Support Account Manager (SAM**) 15 Named Callers 2 Days On-Site Training (not applicable for customers with optional Managed on Behalf Of Service). *Direct Advanced Response Team (DART): Your organisation has direct access to our most experienced support team to help resolve complex technical support issues. **Support Account Manager (SAM): This is your trusted advisor at BlackBerry who will proactively notify you of upcoming software releases or known issues that may be of interest, as well as monthly and quarterly reviews. BlackBerry Confidential Page 13 of 34 2.3 Optional Managed Services There are a number of optional Managed Services available to ensure that we provide you with the level of assistance, expertise and partnership essential, to transition, manage your mobile environment and support end users regardless of mobile device. We offer Migration and Integration services, Training, Manage on Behalf Of services, Manage on Behalf Of End User Help Desk Services for Smartphones to align to your mobile business objectives and requirements. 2.3.1 Migration and Integration Services Migration services are available to customers who have chosen the standard deployment option, as a VPN connection is required to complete the automated migration tasks. Customers who opt for the Migration Service will also receive the Advanced Configuration Service as defined. BlackBerry will utilize best in class migration tools (such as the B*Nator Migration Toolkit) to optimize migration to BES10. This tool automates the time intensive process of migrating server settings and devices as follows: Server Configuration Settings: Administrator Users, Roles, Profiles and Policy mapping of current BES4 or BES5 settings are migrated to BES10, which allows the use of comparable security and compliance settings. User Migration: Using the B*Nator Migration Toolkit to automate the normally 17 manual steps and leave only two tasks to schedule user/device migration, and to monitor and troubleshoot the migration process. During decommissioning, the devices data will be backed up, wiped, and prepared for recycling. The device account will then be removed from the BES5 and added to the BES10 server. The provisioning steps include adding the user account, assigning policies, groups, software configurations, profile settings and an Enterprise Activation (EA) password. Entering the EA password is the only manual step required. 2.3.2 Training BlackBerry offers various training programs, delivered by Authorised Trainers, to provide customers with the tools and understanding they need to take full advantage of their BES10 environment. A sample course description for BES10 Cloud is provided below. As part of the Core Service, Web Based Training (WBT) is included which will help provide insight to customers on the new environment, addressing BBOS to BlackBerry 10 differences (such as Routing, ActiveSync, Balance vs. Work Space mode only, Policy Changes and Troubleshooting). For customers who upgrade to Premium Support, 2 days of Onsite Training is included to provide detailed content for Technical Support and BES10 Administrators to manage BlackBerry devices using BES10, as well as troubleshooting BES10 issues within the Cloud Environment. Please note that onsite training is not applicable for customers who choose the optional Managed on Behalf Of. For customers who would like to offer Training for their Help Desk on Supporting BlackBerry 10 OS and BlackBerry Link, there is an Optional Service available to provide the knowledge and confidence to support End Users on BlackBerry 10. BES10 Optional Course for Help Desk Staff Course Title Supporting BlackBerry 10 OS and BlackBerry Link Duration 2 days Who Should Attend Technical Support Representatives Course Overview Through demonstrations and hands-on activities and labs, participants will familiarize themselves with BlackBerry devices running BlackBerry 10 OS. The focus will be on how to troubleshoot the common issues that BlackBerry device users encounter. BlackBerry Confidential Page 14 of 34 2.3.3 Manage on Behalf Of (MOBO) For customers who would prefer to have BlackBerry manage their BES10 environment, 24 x 7 Manage on Behalf Of services are available as an add-on service to the Core Service Offering. It includes the level of BlackBerry Technical Support Services (BTSS) the customer selects, Advanced Configuration Service (see Appendix C: BES 10 Advanced Configuration Tasks), as well as BES10 Administration and Account management. Manage on Behalf Of allows a customer to focus on other strategic initiatives while BlackBerry manages: Initial configurations and management of BES10 settings Settings, profiles, policies, issues Daily Management of Users and Devices* including MACDs Apply settings (groups, policies, profiles) Wipe/lock commands and Password resets This Service allows for 10 of their Help Desk Named Callers to escalate calls into the MOBO Admin for Daily Management of Users and Devices tasks as required (or 15 if the customer has uplifted to Premium Support) As part of this Service, BlackBerry will create and maintain a Joint Operations and Procedures Manual (JOP) that will define the processes and procedures to be used by BlackBerry to manage the customer's BlackBerry environment. 2.3.4 Manage on Behalf Of plus End User Help Desk Another service available is Manage on Behalf of plus End User Help Desk. With this service, the customers’ users are entitled to 24x7 service desk support for mobile and device issues (BlackBerry, iOS, Android) via email and a telephone. The assistance available to end users includes support and troubleshooting for device features & functions, BES10 Enterprise Activation, BlackBerry Balance, BlackBerry ID, and BlackBerry Link. This service must be purchased with the Manage on Behalf Of service offering. Additionally, customers can opt to have a private toll free number reserved for their organization. By purchasing a private toll free number, customers can also opt to give designated individuals access to an expedited higher level of support. Sample tasks included with the Manage on Behalf of plus End User Help Desk have been outlined below. End User Service Desk Support Tasks Support Tasks Daily Management of Users and Devices (*If Help Desk is selected these tasks aren’t done at MOBO Admin level) Basic Feature and Function Support Troubleshooting Tasks Performed User MACD * Apply appropriate settings to users* (e.g. groups, policies, profiles, software configurations) Activate/remove devices* Initiate theft/loss protection commands* (e.g. remote wipe of device data, or remote lock of device) Password reset in cases of forgotten passwords* Corporate email and PIM (calendar, contacts, tasks, notes) configuration Making phone calls Browsing the Internet Device messaging features (e.g. SMS & MMS) Device security features (e.g. device password) Network connections (e.g. Wi-Fi, Bluetooth, VPN) Device options and settings (e.g. notifications, display, language and input, BlackBerry Balance, BlackBerry ID) BlackBerry Link (e.g. device backup/restore, multimedia and document synchronization) Activation issues Corporate email and PIM access from device BlackBerry Confidential Support Tasks Software & Applications Page 15 of 34 Tasks Performed Device network connectivity issues Device messaging features (e.g. SMS & MMS) Hardware issues (e.g. keyboard, touchscreen, Bluetooth, Wi-Fi, camera) Device configuration issues Upgrade/reinstall device software Install/upgrade customer approved device applications A report containing the following information will be provided on a monthly basis. Customer may request up to one call per month to review report and processes. Component Service Desk Call Metrics Problem Reporting Metrics Included Total number of incoming calls Average calls per day Average call duration Average time to answer First call resolution percentage Total lost calls Total support cases opened Total support cases closed Top ten closed cases by category and sub-category Top ten device models by case BlackBerry Confidential Page 16 of 34 3 Infrastructure Operations 3.1 BES10 Cloud Architecture The BES10 Cloud architecture is designed with security and scalability in mind. The current version of the architecture that is available is one in a Shared BlackBerry Cloud Cluster. Within the Shared BlackBerry Cloud Cluster architecture, an EU Country based data center will be used to host the dedicated BES10 instances. The internal network components, the DMZ and management networks will also be securely separated via VLANs. The appropriate firewalls and access control will be implemented. The VPN Tier outlined in more detail in section 2.2.2 offers high availability, disaster recovery (another EU country based data center), and connectivity back to customer’s internal network via the PSN In addition to the Shared BlackBerry Cloud, BlackBerry has three other Private BlackBerry Cloud architectures under development. These will allow for private cloud instances to be deployed solely for the use by that customer. A disaster recovery private cloud will also be deployed to ensure service availability in the event of a disaster. UK G-Cloud Public and Private BES10 Cloud Architectures Phase I: Public Cloud Phase II & III: Private Cloud Public BlackBerry Cloud Cluster Private BlackBerry Cloud Cluster Private BlackBerry Cloud Cluster EEC Country Based Organisation A HMG Cabinet Offices IL3+: Dedicated Confidential Single UK Gov’t Dept. Police Services Police Services Organisation E Police Services Organisation D Police Services Organisation C Police Services Organisation B Organisation A Organisation E Healthcare Services Healthcare Services Local Government Organisation D Local Government Organisation C Local Government Organisation B Organisation A BlackBerry Customer C Specific UK Gov’t Dept(s) BlackBerry IL3: Shared Restricted General UK Gov’t Depts Customer B IL2+: Shared Protected Public Community Customer A IL2: Shared Protected Private BlackBerry Cloud Cluster UK Country Based The diagram below shows a detailed view of the Shared BlackBerry Cloud cluster architecture which is currently available. UK G-Cloud BES10 Cloud IL2 Architecture G-Cloud BES 10 Cloud – Hosted ISO 27001 Certified IL2 Architecture ITSHC Accrediation Monitoring DMZ VLAN E Internal Network NOC DMZ Firewall C Dedicated VPN or MPLS Secure Connectivity Customer B (or B+C) Segmented Secure Network Dedicated BES 10 Internet or PSN Dedicated VPN or MPLS Secure Connectivity Firewall B BlackBerry Infrastructure BlackBerry Router Pool (Shared) Customer A Segmented Secure Network Firewall A Dedicated BES 10 User Interfaces User Interfaces Universal Device Service Universal Device Service BlackBerry Device Service BlackBerry Device Service Local User Support Local User Support Customer AD Integration Customer AD Integration Shared SQL DB Server Management Network VLAN F Customer A BlackBerry Router Shared Secure Network Firewall E Bastion Host iOS/ Android Schema C Schema D Schema n BlackBerry Cloud Infrastructure Single Altus Zone BlackBerry 10/ PlayBook BlackBerry Confidential Page 17 of 34 3.2 Security The solution has been designed in accordance with industry best practices. Data separation is provided through use of bare-metal hypervisors, VLANs, and switch partitioning. Customer separation will be generally managed by each customer having their own BES server – this provides separation of accounts, as well as separation of network traffic. Only smartphones activated against the customer’s own BES server will be allowed to access the customer’s internal network via the VPN (if used). There may optionally be the facility to share VPNs between multiple customers. Management within BlackBerry will only be performed by staff with appropriate approvals and clearance levels. At IL2 this refers to BS7858 or equivalent, at IL3 this may include BPSS as needed. All management activities are performed via the use of Bastion Hosts (also known as Jump Boxes), allowing a centralised focus of audit, access control, and overall management. Audit logs will be maintained by management access, and stored securely. Customers may be allowed to perform some management activities on the BES servers themselves. Each customer will only be allowed to access their own server, and management activities will be limited to user administration, access to user activity logs, and activities which cannot adversely impact the security of that customer’s instance – for example the customer will be able to review IT policies, but not amend them. By design no customer can impact the security of any other customer. Where customers are allowed some level of self-administration, access controls will be enforced by the BES software’s group-based access control. Where self-administration is not allowed, this will be further enforced by network access controls. Physical access to data centers hosting the cloud offerings will be limited to only those with necessary access. Any devices storing data, such as hard drives, will be wiped in accordance with required levels prior to destruction. Limited automated analysis will be performed of logs, in accordance with requirements of IL2. For the IL3 offering, we will aim to meet the audit and protective monitoring requirements of CESG GPG13, with the exact scope to be determined following discussion with the PGA. 3.3 Compliance BlackBerry is an ISO27001-compliant company, certified by BSI Group. We have extensive experience working with governments around the world. Our smartphone and server offerings have been approved for government use at IL3/RESTRICTED since 2005, and we have a close working relationship with CESG. We meet international security levels within a large numbers of nations, ranging from the 5-Eyes community to countries in Eastern Europe, Africa, Asia, and the Americas. The overall architecture of each instance within the cloud offerings is compliant with the CESG guidelines for use at OFFICIAL produced as part of the End User Strategy. For BlackBerry 10 management this means use of the BlackBerry VPN with a BlackBerry Router DMZ component. For iOS and Android management, this means use of an appropriately configured VPN gateway within the DMZ, with an overall Walled Garden architecture. Our IL3 cloud offering will be compliant with any CESG Security Procedures for use of smartphones at IL3. Currently this is limited to only BlackBerry OS 7.1 and earlier, and iOS 6.1. Management of the solution will be performed by the customers themselves, and by BlackBerry personnel. BlackBerry personnel with access to the system have all been hired through, and vetted according to, standards equivalent to BS 7858. 3.4 Disaster Recovery and Failover BlackBerry will implement a DR strategy that will have the service active within two paired data centers. The paired data centers will be in an active/active state and in a high availability (HA) cluster. SQL mirroring will be used for the databases. If the need for a DR is invoked, an automatic failover to the paired data center will be executed which will include an automated rebuild and re-install of the service. BlackBerry Confidential Page 18 of 34 BlackBerry’s disaster recovery targets for the BES10 Cloud service are: Target Name Maximum Tolerable Outage (MTO) Recovery Time Objective (RTO) Recovery Point Objective (RPO) Target Time 6 hours 4 hours 1 hour BlackBerry Confidential Page 19 of 34 4 Customer On-boarding & Off-boarding BlackBerry will employ an easy three step process to successfully onboard the customer onto the BlackBerry Cloud Cluster. The onboarding process is also presented using an ITIL Service Lifecycle view below. The first stage in onboarding is Discovery, Planning and Deployment. During this stage, BlackBerry will provide an overview of the entire BES10 Cloud service. BlackBerry and the customer will discuss high level strategic topics regarding mobility within their organisation. BlackBerry will request information regarding the customer’s current mobility setup and the current mobility services in use as outlined in Section 2.2.1. Subsequent to these discussions, there will be discussions to completely understand the customer needs and requirements, including location, security and network. In the second phase of the onboarding process, BlackBerry will build a Pilot/Trial environment for the customer to use. The environment will be fully featured and will allow the customer to become intimately familiar with the feature set prior to moving into the Production stage. Section 7 contains more detail on the Trial Service. In the third stage, the customer’s production environments (primary and DR site) will be created as per specifications and requirements discussed earlier. Deployment options and service tiers are discussed in Section 2.2.2. Any migrations that need to occur will be completed by BlackBerry staff. The customer will receive additional training if required. BlackBerry will monitor the environment 24/7 for performance and security issues and take appropriate pre-defined actions to resolve the issues as agreed up. Section 2.2.3 discusses the responsibilities of BlackBerry once the customer is in production. BlackBerry Onboarding Process with ITIL Service Lifecycle View Service Strategy •Kick-off Meeting with BES10 Cloud Service Overview •Customer Engagement •Trial Service Discussion Service Design •Customer Needs and Requirements •Technical & Support Plan •Allocation of server space in appropriate data centers •Disaster Recovery Site Selection Service Transistion Service Operation •BES 10 Environment Preparation •Joint Setup and Configuration •IT Admin Training •EMM Migrations •Gap and Issue Resolution •Deployment verification •24/7 Performance Monitoring •24/7 Security Monitoring •Adding server capacity as required •Event, Incident and Problem Management •Adherence to SLAs Continual Service Improvement •Application server upgrades •Underlying operating system upgrades •Security patch upgrades •Cloud infrastructure upgrades •Comparison of performance with baseline 4.1 Ordering & Invoicing Customers will have the ability to select BES10 from the online “CloudStore”. BlackBerry will respond directly to confirm contact information and perform a high level needs assessment. This will qualify the customer and ensure an optimal fit with the desired service. A quote will be prepared for the customer. Pending customer acceptance of the offer, BlackBerry will perform a detailed needs assessment with applicable service provisioning to initiate the BlackBerry Enterprise Service 10 Cloud solution. BlackBerry Confidential Page 20 of 34 BlackBerry will generate monthly invoice statements for the customer based on the number and type of device activations on their BES. Device charges will be calculated based on month end snapshots, using full-month costs regardless of specific activation date within the month. Customer contact info that will be requested: Company Name Company Location Billing Address Delivery Address Customer Contact Name Title Email address Phone number Customer VAT number(s) BlackBerry proposes to work with our long term trusted Elite Systems Integration Partners, DMI and ISec7, who have formed a strategic partnership to provide world-wide Managed Mobility Services. In providing these services to UK Government customers, BlackBerry will use ISec7’s proven B*Nator tool to automate most of the processes required to rapidly and securely transition Government users from the BlackBerry BES platform to the BES10 Cloud service. B*Nator can also be used to transition user accounts from competing MDM platforms to BES10. DMI is a leading provider of mobile solutions and services for smart devices, with a turnover of $250 million. DMI has been an elite BlackBerry Alliance Partner for more than 10 years and is BlackBerry’s North American training Partner for Customers and other Partners. DMI’s commitment to excellence in Enterprise Mobility and Cybersecurity Solutions, Strategic Consulting, Managed Services, and Application Development has resulted in dramatic growth and an expanding global client base that includes hundreds of commercial clients and all fifteen U.S. Federal Departments. Headquartered in Bethesda, USA, DMI has offices in New York, Barcelona, Chicago, Pune, London, and Washington D.C. For more information, visit www.dminc.com The ISEC7 Group is a global provider of mobile business services and software solutions and has been an elite BlackBerry Alliance Partner for more than 10 years. The company was one of the first movers to mobilise company and business processes. Today, ISEC7 counts numerous renowned companies and governmental organisations as committed customers. The innovative ISEC7 solutions, such as Mobility for SAP, B*Nator and Mobile Exchange Delegate have proven to be ground-breaking in their sector and are always state of the art. ISEC7 was founded in Hamburg in 2003 and has international subsidiaries and offices including Germany, USA, Switzerland, Spain and Brazil. For more information, visit www.isec7.com BlackBerry Confidential Page 21 of 34 5 Customer Responsibilities & Technical Requirements The following are customer requirements and technical customer requirements which BlackBerry needs the customer to adhere to. The list represents the most common requirements but there may be others identified during further analysis of the customer's environment and needs. Customer responsibilities: Ensure attendance of key resources (technical and non-technical) at required meetings (Kick off meeting, pricing discussions, customer needs and requirements discussions etc.) Provide a Project Manager (if complexity of integration requires) Respond to communication in a timely fashion for information, clarification, form completions requests etc. Provide additional requirements in a timely fashion in addition to baseline requirements proposed by BlackBerry Inform BlackBerry of any internal processes relevant to the setup that may impact the build-out and deployment of the customer's BES10 Cloud instance Agree to pricing and legal terms and conditions Provide BlackBerry a notification 4-8 weeks in advance of a large (1000+) increase in user base after the initial user on boarding Provide BlackBerry with any additional 3rd party security checks required Ensure adequate connectivity to the PSN Technical requirements needed by the customer: Provide a clear description of the customer's current network and physical topology Provide a clear description of any on-premises, cloud services or applications in use that require integration with BES10 Cloud Specify technical policies in use that may prohibit integration from the customer's system (on-premises or cloud) to the BES10 Cloud Have the required VPN concentrator equipment with ample capacity to allow for a VPN connection from BES10 Cloud (if applicable) Provide staff for joint configuration of networking equipment with BlackBerry to setup required authentication and encryption schemes (if applicable) Set up and own the MPLS circuit offered by a 3rd party that would connect to BES10 Cloud (if applicable) Ensure the customer's services (on-premises or cloud) have failover capabilities and also have network failover capabilities Allow BlackBerry access to various IP/Ports within the customer's firewalls as required (if applicable) Allow BlackBerry access to the on-premises BES 4/5 installation for migration or management purposes (if applicable) Get an Apple Push Notification Service certificate signed by Apple and return to BlackBerry for the sole use within the customer's BES10 Cloud instance Allow access to the customer's Active Directory for integration with the customer's BES10 Cloud instance (if applicable) BlackBerry Confidential Page 22 of 34 6 Trial Service BlackBerry can provide a fully featured trial BES10 environment to evaluate the service. The BES10 server will: Include the latest version of the BES10 software Offer the complete feature set including BlackBerry 10, iOS and Android EMM, Secure Work Space for iOS and Android etc. Be located in an EU Country Be located in an IL2 data center in a Public Cloud Be securely separated from other tenants Meet all the security guidelines, accreditations and certifications for an IL2 Production data center Allow connection of a pre-defined number of devices for evaluation purposes Allow administration of the BES via secured user interfaces Allow for IPSEC VPN connectivity back to a PSN (if required) Feature disaster recovery and high availability Allow multiple government departments to have their own trial BES10 servers Run for a pre-defined trial duration Be securely cleaned of any data post evaluation BlackBerry Confidential Page 23 of 34 7 Pricing BlackBerry Enterprise Service 10 v10.1 Client Access Licenses are available for purchase on a monthly subscription basis. The prices are summarized below. Price per Month Price per Month Advanced BTSS Premium BTSS BES10 EMM Corporate CAL (BlackBerry 10, iOS, Android) £4.75 £5.40 BES10 Secure Work Space CAL (iOS, Android) £6.95 £7.60 Service Offering Core Service One Time Set Up and Service Charge £975.00 Optional Enterprise Managed Mobility (EMM) Services Manage on Behalf Of (MOBO) £1.80 Manage on Behalf Of (MOBO) Plus End User Help Desk £5.20 Manage on Behalf Of (MOBO) Plus End User Help Desk (Toll Free) £5.36 Manage on Behalf Of (MOBO) Plus End User Help Desk (Toll Free w/ VIP) £5.43 The BlackBerry Enterprise Service 10 Cloud Hosted server offers the following benefits: Provides full functionality of on-premises BlackBerry Enterprise Service 10 for BB10, iOS and Android device management Includes BlackBerry Technical Support Services for Client provided BES Administrator Monitored and maintained in the BlackBerry cloud Optional BlackBerry EMM services essential to the BES10 Cloud solution including Manage on Behalf Of and End User Help Desk Delivered as a per device per month service There is a onetime set up and service charge of £975.00. The minimum contract period for this offer is 2 years as per G-Cloud Framework Agreement. Assumes G-Cloud consumer has connectivity to the Public Services Network (PSN). Also, end user device and data costs are the responsibility of the consumer and not included in this service. The pricing is based on a per device per month basis (minimum 1000 device/month commitment required). Customization and training are not part of the license price and are negotiated separately. Volume discounts are not available. BES10 EMM Corporate CALs for BlackBerry 10, iOS and Android devices includes: BlackBerry Balance Technology (BlackBerry 10 only) BlackBerry secure connectivity which negates the need for 3rd party VPN solutions (BlackBerry 10 only) Enterprise Application store Device Management capabilities Advanced Level Technical Support with optional upgrade to Premium Level T-Support BlackBerry Confidential Page 24 of 34 BES10 Secure Work Space Annual CALs includes: Application containerization for iOS and Android devices BlackBerry proprietary application wrapping technology to easily deploy applications into the Secure Work Space BlackBerry secure connectivity which negates the need for 3rd party VPN solutions Secure Browser Docs to Go Premium Edition Advanced Level Technical Support with optional upgrade to Premium Level T-Support For the cloud infrastructure, BlackBerry will assume responsibility for: Readiness assessment Deployment, maintenance and monitoring the base cloud infrastructure Deployment, maintenance and monitoring of the BES10 platform Setup of high availability for the BES10 platform Setup of backups and disaster recovery at appropriate alternative sites for failover purposes Provisioning of additional servers as required to accommodate customer growth Upgrading with software patches the underlying operating system, database servers etc. Upgrading the BES10 platform to the latest version as feature enhancements are released Measuring, meeting, validating, and reporting on SLAs Performing planned maintenances during pre-defined maintenance windows Procuring all required licenses for servers, databases etc. Deployment, maintenance and monitoring of network connectivity up to the demarcation points Ensuring all required BlackBerry Infrastructure components are operational Advanced and Premium BlackBerry Technical Support Services (BTSS) The Advanced Level Technical Support is included in the Core Service and provides i7/24 global support for 10 named callers with priority queuing direct to Level 2, Account Management from a Support System Specialist, access to the BlackBerry Expert Support Center, and web based training. For customers who want a higher level of support, Premium is available as an option. This Level provides7/24 Global Support for 15 named callers with queuing to our highest level Direct Advanced Response Team (DART) , a dedicated Support Account Manager, access to the BlackBerry Expert Support Center and 2 days on-site training. Optional Enterprise Managed Mobility Services Manage on Behalf Of (MOBO) Service provides the level of BlackBerry Technical Support Services (BTSS) the customer selects, including: 7x24 Manage on Behalf Of whereby BlackBerry manages the BES 10 environment on behalf of the customer Advanced configuration service Initial configurations and management of BES10 settings Settings, profiles, policies, issues Daily management of users and devices including MACDs Apply settings (groups, policies, profiles) Wipe/lock commands and Password resets Ability for 15 Help Desk Named Callers to escalate calls into the MOBO Admin for daily management of users and devices tasks as required The Manage on Behalf plus End User Help Desk includes direct access for end users to receive handheld support on iOS, Android and BlackBerry devices. This service entails support and troubleshooting for device features and functions, BES10 Enterprise Activation, BlackBerry Balance, BlackBerry Confidential Page 25 of 34 BlackBerry ID, and BlackBerry Link. Additionally, customers can opt to have a private toll free number reserved for your organization. Organizations can also opt to receive escalated support access for designated individuals (i.e. VIP) requiring on-going expedited support. 8 Termination Terms Upon termination or expiration of this Agreement, all authorised users right to use the BES10 Service will immediately cease. BlackBerry retains the right to delete all data from its servers upon termination or expiration of this agreement. You agree that BlackBerry may retain your data for up to ninety (90) days after expiration or termination of this agreement, or for so long as may be required to comply with: (i) any law or regulation applicable to BlackBerry; or (ii) any court, regulatory agency or authority to which BlackBerry is subject. Any data that is not returned or destroyed pursuant to this agreement shall continue to be subject to confidentiality protections described in this agreement for so long as it is in BlackBerry’s possession BlackBerry Confidential Page 26 of 34 9 Appendix A: Readiness Assessment Tasks Stage Customer Engagement Customer Needs and Requirements Joint Setup and Configuration Checklist Acquire basic customer contact information Understand customer's current Enterprise Mobile Computing Strategy (if applicable) Name and details of current MDM provider Current policies such as Bring Your Own Device (BYOD) etc. Existing deployments of BES products Approximate count of devices across supported mobile platforms Understand the customer's current mail platform(s) and associated services Cloud and/or On-Premises Office 365 (Standard, Dedicated, Federated) o Microsoft Exchange o Microsoft Lync o Microsoft Sharepoint IBM Lotus Domino Novel GroupWise Understand the customer's physical and network topologies Understand the customer's specific mobile computing needs such as specific mobile apps Discuss migration to BES10 from an earlier BES product or a competitive MDM platform Discuss any training needs the customer may have Discuss Trial/Pilot environment setup (if required) Trial start date/end date Key success factors Specific customer requirements Discuss customer's need for security and separation in the BlackBerry Cloud Discuss customer's support needs (Ex. BTSS etc.) Other Questions Understand current mobile device connectivity already in use by the customer Discuss active directory integration (if desired) Discuss other specific requirements the customer may have IPSEC VPN and/or MPLS connectivity requires joint co-operation of BlackBerry and the customer BlackBerry has pre-defined processes and forms which provide a clear outline of the steps/input required but are also flexible to accommodate specific customer requirements/needs Sign Apple Push Notification Service Certificate (APNS) for insertion into the BES10 BlackBerry Confidential Stage BES10 Environment Preparation(s) Post Setup Page 27 of 34 Checklist BlackBerry Engineering will create an environment as per the specifications of the customer The data center will meet the location requirements and have the required accreditation and certifications The network setup will meet the customer's requirements and will contain a separate DMZ, Management Network and other network segments as required The environment will also have the required security monitoring in place by the BlackBerry Security Operations Center (SOC) Use of the environment can be for: Trial/Pilot Stage Production/Full Deployment Stage Connectivity to a PSN or other network via IPSEC VPN or MPLS will also be set up High availability will be setup and appropriate disaster recovery sites will also be created 24/7 monitoring will be configured at the infrastructure, application and service layers to meet pre-set SLAs Logging will be securely kept within BlackBerry infrastructure with retention periods as determined by customer/legal requirements Appropriate access level restrictions will be enforced as per customer requirements Device licenses will be configured in the customer's BES instance Customer's Apple Push Notification Service Certificate will be inserted into the BES Any migrations required from an earlier BES instance or a competitive EMM platform will be conducted Verification and validation testing will be done to ensure the setup was successful Customer environment will be monitored for performance by the BlackBerry Network Operations Center and for security threat by the BlackBerry Security Operations Center Customer is able to administer the users or allows BlackBerry to manage on their behalf BlackBerry teams will add more server capacity as required if the number of users expands beyond the capacity of the already deployed server BlackBerry teams will continue to upgrade the operating system, BES platform, DB software etc. as required without any involvement from the customer or any impact to the customer. This will be done during planned maintenance windows. Customer will have access to 24/7 help desk (if applicable) BlackBerry Confidential Page 28 of 34 10 Appendix B: BES10 Core Configuration Tasks Component BlackBerry Device Service Universal Device Service BlackBerry Management Studio BlackBerry Administration Service BlackBerry Collaboration Service (for Standard Deployments) Configuration Tasks Configure the following BlackBerry Administration Service settings: Configure log retention Create one site administrator account Configure SMTP settings Configure device activation settings and email template Create one custom IT policy Create one email profile Application Management Create application repository and specify location in BAS Configure organisation name for BlackBerry World for Work Create one group and associate properties with group Configure deployment job default delay Test configured settings and verify functionality Verify profiles and settings associated with BlackBerry devices are applied (e.g. email profile, IT policy, etc.) Verify BlackBerry devices are able to receive and send email messages and synchronize PIM information (e.g. calendars and contacts) Configure High Availability if implementing a Standard Deployment Create BlackBerry Collaboration Service pool Enable BES10 high availability for automatic failover Configure the following settings in UDS Administration Console: Request and install Apple APNs certificate Integrate UDS with customer's environment for the following if implementing a Standard Deployment: o Active Directory o Microsoft ActiveSync gatekeeping (requires Microsoft Exchange 2010) Configure default device activation settings and customize activation email template Configure device compliance settings Create and configure one device compliance profile Update template for device compliance notification Create one custom IT policy Create one Microsoft ActiveSync profile Create one group and associate properties with group Create one administrator account Test configured settings and verify functionality Verify profiles and settings associated with devices are applied (e.g. ActiveSync, IT policy, etc.) Verify devices are able to receive and send email messages and synchronize PIM information (e.g. calendars and contacts) Add additional EMM domains to BMS Log into BMS and verify access to EMM domain(s) Enter Client Access Licenses Configure BAS (for Standard Deployment) If using Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server 2010 or 2013, provision BlackBerry Collaboration Service as a trusted application in Microsoft Active Directory Publish BlackBerry Enterprise IM client to software repository and create software configuration to deploy client to BlackBerry 10 devices BlackBerry Confidential Page 29 of 34 11 Appendix C: BES10 Advanced Configuration Tasks Component BlackBerry Device Service Universal Device Service BlackBerry Management Studio BlackBerry Configuration Tasks Configure the following BlackBerry Administration Service settings: Create administrator accounts Configure device activation settings and email template Create custom IT policies Create one each of the following profiles: email, Wi-Fi, VPN, Proxy Create SCEP profile, if implementing a Standard Deployment Application Management Create application repository and specify location in BAS Publish internal and/or BlackBerry World applications to repository Create software configurations Configure organisation name for BlackBerry World for Work Create groups and associate properties with group Configure custom background for work perimeter on BlackBerry 10 devices Test configured settings and verify functionality Verify profiles and settings associated with BlackBerry devices are applied (e.g. email profile, IT policy, etc.) Verify BlackBerry devices are able to receive and send email messages and synchronize PIM information (e.g. calendars and contacts) Configure High Availability if implementing a Standard Deployment Create BlackBerry Collaboration Service pool Enable BES10 high availability for automatic failover Configure the following settings in UDS Administration Console: Request and install Apple APNs certificate Integrate UDS with customer's environment for SMTP Integrate UDS with customer's environment for the following if implementing a Standard Deployment: o Active Directory o SCEP o Microsoft ActiveSync gatekeeping (requires Microsoft Exchange 2010) Configure default device activation settings and customize activation email template Configure device compliance settings Create and configure device compliance profile Update template for device compliance notification Review IT policy best practices and create IT policies Create each of the following profiles: Microsoft ActiveSync, Wi-Fi, VPN, SCEP (for Standard Deployments), and Certificate (CA, Shared, User) Application Management: Publish application definitions to application repository Create software configurations Create group and associate properties with group Create administrator accounts Test configured settings and verify functionality Verify profiles and settings associated with devices are applied (e.g. ActiveSync, IT policy, etc.) Verify devices are able to receive and send email messages and synchronize PIM information (e.g. calendars and contacts) Add additional EMM domains to BMS Log into BMS and verify access to EMM domain(s) Configure BAS pool (for Standard Deployment) BlackBerry Confidential Component Administration Service BlackBerry Collaboration Service (for Standard Deployments) Daily Management of Users and Devices * Page 30 of 34 Configuration Tasks If using Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server 2010 or 2013, provision BlackBerry Collaboration Service as a trusted application in Microsoft Active Directory Publish BlackBerry Enterprise IM client to software repository and create software configuration to deploy client to BlackBerry 10 devices.= User MACD Apply appropriate settings to users (e.g. groups, policies, profiles, software configurations) Activate/remove devices Initiate theft/loss protection commands (e.g. remote wipe of device data, or remote lock of device) Password reset in cases of forgotten passwords * These functions could be performed by the customer’s Help Desk as they do not have to be performed by the EMM Admin. For customers who select the Optional Service, Manage on Behalf Of plus End User Help Desk, daily management of users and devices will be performed by the EMM End User Help Desk team instead of the EMM Admin. BlackBerry Confidential Page 31 of 34 12 Appendix D: Service Level Agreements (SLAs) To validate our commitment to excellence, all of BlackBerry’s services are delivered under formalised Service Level Agreements (SLAs). The following illustrates typical SLA metrics. 12.1 Core Services SLAs During the Term of the applicable BlackBerry Agreement (the "Agreement"), the BlackBerry BES10 Cloud service will be operational and available to the customer at least 99.9% of the time in any calendar month. If BlackBerry does not meet the BES10 Cloud SLA, and if the customer meets its obligations under this BlackBerry SLA, the customer will be eligible to receive the Service Credits described in section 6. This BES10 Cloud SLA states customer's sole and exclusive remedy for any failure by BlackBerry to meet the BlackBerry BES10 SLA. The following definitions shall apply to the BlackBerry BES10 Cloud SLA: "Downtime" means, for a domain, if there is more than a five percent user error rate. Downtime is measured based on server side error rate. "BlackBerry BES10 Service" means the administration, network (VPN), BDS, and UDS components of the Service. "Monthly Uptime Availability" means for a given month, 1 minus the sum of the impact(s) (where impact = Duration of incidents x % of users) divided by the total number of minutes in a calendar month. As an example, if the total impact for a given month is 40 minutes: Availability = 1 – (total impact/ (30days*24hours*60minutes) = 1 – (40/43200) = 1 – 0.0009259 = 0.9991 * 100 = 99.9% 12.1.1 BES10 SLA Exclusions The BlackBerry BES10 SLA does not apply to any services that expressly exclude this BlackBerry BES10 SLA (as stated in the documentation for such services) or any performance issues that result from the customer's equipment, third party equipment and/or Carrier response/resolution not within the primary control of BlackBerry. Will also exclude scheduled maintenance windows. 12.2 Managed Services SLAs BlackBerry backs up our managed services, including Manage on Behalf Of and Manage on Behalf Of with End User Help Desk with industry leading SLAs that are continuously monitored and measured for conformance. Update Interval SLAs Severity Level 1 Definition A severity one issue is a catastrophic production problem which may severely impact the Customer’s production systems, or in which Customer’s production systems are down or not functioning and no procedural work around exists. Update Interval 1 hour BlackBerry Confidential 2 3 4 Page 32 of 34 A severity two issues is a problem where the Customer’s system is functioning but in a severely reduced capacity. The situation is causing significant impact to portions of the Customer’s business operations and productivity. The system is exposed to potential loss or interruption of service. A severity three issue is a medium to low impact problem which involves partial non-critical functionality loss. One which impairs some operations but allows the client to continue to function. This may be a minor issue with limited loss or no loss of functionality or impact to the client’s operation and issues in which there is an easy circumvention or avoidance by the end user. A severity four issue is for a general usage question or recommendation for a future product enhancement or modification. There is no material impact on the quality, performance, or functionality of the product. 2 hours 4 hours Every 24 hours Response Time SLAs Service Agreement Meet First contact resolution ≥80% Calls answered within 90 seconds ≥80% Voice messages returned < 2 hours ≥80% Advantage Customers Email response time < 2 hours ≥80% Premium Customers Email response time < 1 hour ≥80% Instant Messaging Response Time < 5 minutes < 80% Calls abandoned above 90 seconds ≤10% Device Incident response time within 4 hours ≥80% 12.3 SLA Recompense In general, the SLA recompense for missed service level agreement will follow the following service credit definition for both core service and optional selected services. During the Term of the applicable Service Order, the BES 10 Service will be operational and available to You at least 99.9% of the time in any calendar month. If BlackBerry does not meet the Service Levels, and if You have met Your obligations under these Service Levels, You will be eligible to receive the Service Credits described below. These Service Levels state Your sole and exclusive remedy for any failure by BlackBerry to meet these Service Levels. Definitions. The following definitions shall apply to the BES 10 Service: "Downtime" means, for a domain, if there is more than a five percent user error rate. Downtime is measured based on server side error rate. BlackBerry Confidential Page 33 of 34 "Monthly Uptime Availability" means for a given month, 1 minus the sum of the impact(s) (where impact = Duration of incidents x % of users) divided by the total number of minutes in a calendar month. As an example, if the total impact for a given month is 40 minutes: Availability = 1 – (total impact/ (30days*24hours*60minutes) = 1 – (40/43200) = 1 – 0.0009259 = 0.9991 * 100 = 99.9% Service Level Exclusions. The Service Levels do not apply to any services expressly excluded by these Service Levels (as stated in the documentation for such services) or any performance issues that result from Your equipment or third party equipment, or both (not within the primary control of BlackBerry). The Service Levels also exclude scheduled maintenance windows and are not applicable to the Technical Support Services. Service Level Credits. Credits for the failure to meet the Service Levels will apply to the BES 10 Service as follows: "Service Credit" means the following: Monthly Uptime Availability Percentage of monthly invoice to be reimbursed < 99.9% - >= 99.0% < 99.0% - >= 95.0% < 95.0% 10% 25% 100% Notification. In order to receive any of the Service Credits described above, You must notify BlackBerry within thirty (30) days from the time You become eligible to receive a Service Credit. Failure to comply with this requirement will forfeit Your right to receive a Service Credit. Maximum Service Credit. The aggregate maximum number of Service Credits to be issued by BlackBerry to customer for all Downtime that occurs in a single calendar month shall not exceed that month’s service costs. Service Credits may not be exchanged for, or converted to, monetary amounts. BlackBerry Confidential Page 34 of 34 13 Appendix E: Response to UK G-Cloud Service Definition Response Provided? Reference Section 2.1 Information assurance – Impact Level (IL) at which the G Cloud Service is accredited to hold and process information 2.1.1 Details of disaster recovery and failover 3.4 Training 2.3.2 On-boarding and Off-boarding processes/scope etc. 4 Ordering and invoicing process 4.1 Service Levels Agreement details 12 Financial recompense model for not meeting service levels 12.4 Consumer responsibilities 5 Technical requirements needed by the customer 5 Trial service details 6 Pricing (including unit prices, volume discounts (if any), data extraction etc.) 7 Requirement G-Cloud hosting options