- The user accounts that you want to synchronize from Microsoft Active Directory groups must have matching user accounts on the Universal Device Service. If matching user accounts do not exist on the Universal Device Service, add the user accounts manually, or enable provisioning so that the tool can add the user accounts to the Universal Device Service during the synchronization process. For more information about the provisioning feature, see Configure provisioning options.
- The Windows account that you use to run the tool must have read permissions for Microsoft Active Directory.
- The administrator account that you configure the tool to use must exist in every MDM domain that you want the tool to connect to. In a Universal Device Service environment, the administrator account must have the Security Admin, Enterprise Admin, or Senior Helpdesk Admin role. In a BlackBerry Enterprise Server or BlackBerry Enterprise Server Express environment, the administrator account must have a role with permissions to view and edit groups, and to create and delete user accounts.
- By default, the tool cannot synchronize changes to Universal Device Service groups that have more than 2000 members. If you want to synchronize changes to Universal Device Service groups that have more than 2000 members, change the maximum group size limit in the configuration file (DirectorySync.exe.Config). For more information about changing the configuration file, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If your organization uses property names for group names, email addresses, or display names that are not standard, add the property names to the configuration file (DirectorySync.exe.Config) so that the tool can retrieve information from Microsoft Active Directory. For more information about adding property names, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If any of the Microsoft Active Directory groups that you want to synchronize have nested subgroups, decide if you want to synchronize the membership of the subgroups as well.
- If you enable provisioning and deprovisioning, it is a best practice to add and remove user accounts from the Universal Device Service using the tool only, instead of adding and removing the user accounts manually using the Administration Console. If you enable deprovisioning and configure the tool to be able to remove user accounts, the tool requires that every user account on the Universal Device Service exists in a Microsoft Active Directory group that is mapped to a virtual provisioning group. If you enable deprovisioning and do not configure and maintain provisioning mappings, the tool could remove user accounts from the Universal Device Service unexpectedly.
- It is a best practice to run the tool during low-usage periods. Depending on the number of changes that must be synchronized, the tool might have a performance impact on your organization's environment.
- It is a best practice to always preview the provisioning and synchronization process so that you can verify that the changes will occur as expected.
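
The deprovisioning requirement above can be checked offline before a run. The following is an added example, not part of the BlackBerry Directory Synchronization Tool or its preview feature: it lists Universal Device Service accounts that are not in any Microsoft Active Directory group mapped to a virtual provisioning group, with and without nested subgroups. All group names, account names, and the export format are constructed assumptions.

```python
# Added example: every group name, account name and data structure here is constructed.

# Constructed export of AD groups: direct user members and direct subgroups.
AD_GROUPS = {
    "MDM-Sales": {"users": {"alice", "bob"}, "subgroups": {"MDM-Sales-EMEA"}},
    # The subgroup points back at its parent to show that cycles are handled.
    "MDM-Sales-EMEA": {"users": {"carol"}, "subgroups": {"MDM-Sales"}},
    "MDM-IT": {"users": {"dave"}, "subgroups": set()},
    "Unmapped-Contractors": {"users": {"erin"}, "subgroups": set()},
}

# Constructed list of AD groups that are mapped to virtual provisioning groups.
PROVISIONING_MAPPED = ["MDM-Sales", "MDM-IT"]

# Constructed export of user accounts currently on the Universal Device Service.
UDS_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}


def expand_members(group, groups, include_nested):
    """Return the user members of `group`, optionally following nested subgroups."""
    seen_groups, members, stack = set(), set(), [group]
    while stack:
        name = stack.pop()
        if name in seen_groups or name not in groups:
            continue  # already visited (cycle) or missing from the export
        seen_groups.add(name)
        members |= groups[name]["users"]
        if include_nested:
            stack.extend(groups[name]["subgroups"])
    return members


def covered_users(mapped, groups, include_nested):
    """Union of the members of every mapped AD group."""
    covered = set()
    for group in mapped:
        covered |= expand_members(group, groups, include_nested)
    return covered


def at_risk_of_removal(uds_users, mapped, groups, include_nested):
    """UDS accounts that exist in no mapped AD group, sorted for review."""
    return sorted(uds_users - covered_users(mapped, groups, include_nested))


if __name__ == "__main__":
    for nested in (True, False):
        risk = at_risk_of_removal(UDS_USERS, PROVISIONING_MAPPED, AD_GROUPS, nested)
        print(f"include_nested={nested}: {risk}")
```

An empty result means every account in the export is covered by a mapped group; any name that appears should be added to a mapped group or reviewed before deprovisioning is enabled.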