RRAS for BlackBerry UEM

Thanks

So the bb10/ android device connects as below?

Mobile > Blackberry NOC > RRAS server > resources

Is that correct? What's so different from the usual way BB devices connect in that has never had a need for this RRAS component?

Yes for secure connect. See this for use case if direct connect is used that bypass BB NOC

Enterprise connectivity for BlackBerry Dynamics apps does not use the BlackBerry Infrastructure. Instead, data in transit between BlackBerry Dynamics apps and BlackBerry Proxy can travel through the BlackBerry Dynamics NOC or can bypass the NOC using BlackBerry Dynamics Direct Connect.

http://help.blackberry.com/en/blackberry-uem/12.6/architecture/Communication_Through_BBI.html

RRAS in a way is setup since connect plus requires them too. As long as you need UEM services then BB NOC is inevitable. Secure connect is to create end to end encrypted channel such that going thru NOC does not reveal in transit. Catch the 3 main use cases.

1. Use case w/o going through BB NOC and no need for UEM for direct connect for internal application or content server (recommend for VPN for remote user)
http://help.blackberry.com/en/blackberry-uem/12.6/architecture/lsh1412972714422.html

2.Use case going through BB NOC w/o Secure connect to UEM
http://help.blackberry.com/en/blackberry-uem/12.6/architecture/lsh1412961707892.html

3.Use case going through BB NOC with need for secure connect
http://help.blackberry.com/en/blackberry-uem/12.6/architecture/lsh1428958213732.html

Can SOCKS be used instead of RRAS?

Yes specifically BB supports it.
http://help.blackberry.com/en/blackberry-uem/12.6/configuration/mgr1411316184818.html

Sure, but as a replacement for RRAS?

as mentioned in earlier posts, UEM requires RRAS. It is for remote access requirement like the same for OpenVPN-TAP Windows.
Instead, the proxy is actually optional if you refer to the architecture shared again. By default, BES12 makes a direct connection to the BlackBerry Infrastructure over port 3101, and you do not need to install more routing components. However, if your organization's security policy requires that internal systems cannot make connections directly to the Internet, you can install the BlackBerry Router or a TCP proxy server.

http://help.blackberry.com/en/blackberry-uem/12.6/installation-and-upgrade/preinstallation-and-preupgrade-checklist.html

Thank you but I guess I am still not understanding the need for RRAS (or even Secure Connect). We use the NOC, not Direct Connect, so the below link  applies

http://help.blackberry.com/en/blackberry-uem/12.6/architecture/lsh1428958213732.html

Reading this, the app traffic is still via the NOC, but within this data flow a secure tunnel is created. What's the benefit of this? BB NOC traffic is already encrypted, is this to give us some further security ourselves since - presumably the TLS connection is between the device and the Secure Connect server? Or is there some performance benefit?

If the former, since it's a TLS connection within the existing data flow, is there not a performance hit?

And, finally, is the RRAS piece needed for the "per-app VPN" portion of this data flow, or does it perform some routing? If the latter, can we disable the ability for RRAS to perform as a router somehow?

RRAS is primarily for remote access. I see it as part of the need for the VPN. The best way is to test it out for yourself in staging environment and seek BB support for more specific advice.
http://help.blackberry.com/en/blackberry-uem/12.6/administration/mca1424978967191.html