Qlik Sense integration with BlackBerry Dynamics
This article is a comprehensive guide on the current integration of Qlik Sense with BlackBerry Dynami...
Qlik Sense integration with BlackBerry Dynamics
This article is a comprehensive guide on the current integration of Qlik Sense with BlackBerry Dynamics as at January 2019.
Qlik Sense requires that clients and intermediate infrastructure support websocket connectivity that is used between the Qlik Visualizations and the Qlik Sense Proxy service for retrieval of Associative datasets. Websockets are part of the HTML5 standard, but many proxy servers fail to support it; iOS v11 has resolved previous issues with routing websocket traffic via any per-App VPN. Remaining connectivity problems are now due to configuration/limitations of EMM and other network infrastructure.
BlackBerry UEM (Unified Endpoint Management) is a superset of BlackBerry Dynamics (formerly Good Dynamics) which also includes the older conventional Mobile Device Management (MDM) "BES" product, BlackBerry Secure Connect Plus (BSCP) VPN, and greater Self Service capabilities. Though there are benefits in upgrading from Dynamics to UEM, this document focuses only on Qlik Sense integration with BlackBerry Dynamics.
Unlike most applications developed for mobile devices, which require that the Enterprise Mobility Management (EMM) Administrator has visibility and control of the entire device via Mobile Device Management (MDM) capabilities, BlackBerry Dynamics applications are self-contained (including secure connectivity) and can be individually administered using Mobile Application Management (MAM) techniques. While MDM has long been acceptable for Corporate Owned Devices, the MAM approach is much more appealing for Bring Your Own Device (BYOD) environments.
The BlackBerry Access browser has supported the required websocket connectivity since v2.7.2 (released approx May 2017). It is also available for iOS, Android, Windows and MacOS.
The diagram shows a simple deployment of BlackBerry Dynamics. The Good Control component would be connected to Active Directory and may be configured to provide Kerberos Constrained Delegation (KCD) authentication capabilities.
BlackBerry Good Administrator enables Device Registration, App usage, and whitelists the Qlik Sense URLs for access through the Good Proxy(s). Policies are propagated to the BlackBerry Network Operations Center (NOC)
BlackBerry Good Proxy initiates an encrypted connection to the NOC through which user traffic will be received
User downloads BlackBerry Access browser from the Apple AppStore, and registers it using the AccessKey supplied by the BlackBerry Good Administrator. Whenever activating the App, the current Policy is downloaded from the BlackBerry NOC. Policy includes Corporate Bookmarks, Proxy settings, Usage constraints and other properties.
When browsing to an internal resource, BlackBerry Access makes a connection to the NOC, which forwards the traffic through the already-opened SSL Tunnel to the Good Proxy. This path may suffer from Network Latency as it routes traffic via the NOC in the USA which may not be desirable/acceptable for organizations in different geographies. If the Good Proxy is placed in a DMZ and “Direct Connect” is enabled, then data traffic can bypass the NOC and latency may be reduced.
The connection via Good Proxy may be enhanced with Kerberos Constrained Delegation for simpler User Authentication, and forwards traffic to Qlik Sense.
Many other deployment models are possible, including exposing the Good Proxy to direct connectivity from the BlackBerry Access browser, placing an outbound Proxy between the Good Proxy and Good NOC, and placing an inbound Proxy between the Good Proxy and internal resources such as Qlik Sense.
Qlik does recommend that customers adopt the "Direct Connect" configuration (below) of the Good Proxy to reduce Network Latency between the BlackBerry Access browser and Qlik Sense.
BlackBerry Good Administrator enables Device Registration, App usage, and whitelists the Qlik Sense URLs for access through the Good Proxy(s). Policies are propagated to the NOC
User downloads BlackBerry Access browser from the Apple AppStore, and registers using the AccessKey supplied by the BlackBerry Good Administrator. Whenever activating the App, the current Policy is retrieved from the BlackBerry NOC. Policy includes Corporate Bookmarks, Proxy settings, Usage constraints and other properties
When browsing to an internal resource, BlackBerry Access makes a Direct HTTP Anonymous Connection to the Proxy Appliance in DMZ. This can be configured in Good Control > Settings > Servers > Direct Connect.
Direct Connect (Yes)
Hostname (do not change)
Proxy/LoadBalancer (F5 Appliance in diagram)
The Proxy Appliance may perform SSL Packet decryption, inspection then reencryption, before Load Balancing and distributing requests to the Good Proxy instance(s) inside the Intranet
The Good Proxy may be configured with Kerberos Constrained Delegation for simpler User Authentication, and forwards traffic to Qlik Sense
A diagnostic webpage can be downloaded from https://developer.qlik.com/garden/56728f52d1e497241ae69865 and should be deployed into the Qlik Sense Content Library via the QMC. Access this deployed content using BlackBerry Access to confirm that the browser, BlackBerry Dynamics and any other network infrastructure between the Good Proxy and Qlik Sense support websocket connectivity. Load Balancers between the Good Proxy and Qlik Sense Proxy instances may require additional configuration to support websocket traffic.
Qlik Sense Mobile
Qlik Sense Mobile provides an online alternative to a browser, and implements our Associative Engine on iOS to also provide offline data analysis on Qlik documents that have been synchronized to the device. It is however developed for deployment only with generic EMM/VPN solutions that do not provide the same security of Data in Transit or Data at Rest as offered by applications which embed the BlackBerry Dynamics SDK.
Currently (January 2019), joint Qlik/BlackBerry customers can only use BlackBerry Access for online interaction with Qlik Sense via BlackBerry Dynamics infrastructure, providing security of Data in Transit. No data is retained on the Browser.
Qlik acknowledges the interest from highly regulated and security conscious customers (particularly in Financial Services, Pharmaceutical and Defence industries) in a BlackBerry Dynamics variant of Qlik Sense Mobile. Qlik Sense Mobile for BlackBerry is in (March 2019) the closing phases of development and planned to be be released to market in April 2019. This product leverages the BlackBerry Dynamics SDK for more secure storage of data at rest, and data in transit via Dynamics infrastructure.