Synchronization and provisioning rules

One-way synchronization

The tool synchronizes changes from Microsoft Active Directory groups to BlackBerry Enterprise Server groups. Changes made to BlackBerry Enterprise Server groups using the BlackBerry Administration Service do not affect the membership of Microsoft Active Directory groups.

Does not manage user accounts that are not integrated with Microsoft Active Directory

The tool does not manage user accounts that have no Microsoft Active Directory identifiers, for example, default system accounts like system administrator.

The tool can only manage user accounts that are associated with Microsoft Active Directory user accounts (user accounts that were added to the BlackBerry Enterprise Server by importing user information from Microsoft Active Directory).

Does not add groups

The tool does not create new groups on the BlackBerry Enterprise Server.

One-to-one mappings

The tool supports one-to-one mappings of Microsoft Active Directory groups to BlackBerry Enterprise Server groups. You can configure as many one-to-one mappings as required.

For example, if you want to map both Group A and Group B in Microsoft Active Directory to Group 1 on the BlackBerry Enterprise Server, you can configure two mappings: Group A to Group 1 and Group B to Group 1.

Nested subgroups

You can configure the tool to synchronize nested groups in Microsoft Active Directory with BlackBerry Enterprise Server groups. The tool does not create new subgroups on the BlackBerry Enterprise Server.

For example, Group A in Microsoft Active Directory has a nested subgroup called Group B. You create Group 1 with no members on the BlackBerry Enterprise Server. You map Group A to Group 1 and you permit the tool to synchronize nested groups. When you run the tool, the user accounts in Group A and the nested Group B are assigned to Group 1.

Synchronization outcomes

Force synchronization option

If you select this option, always preview the provisioning and synchronization process so that you can verify that the changes will occur as expected.

Provisioning resolves before synchronization

If you configured mappings of Microsoft Active Directory groups to virtual provisioning groups and mappings of Microsoft Active Directory groups to BlackBerry Enterprise Server groups, the synchronization process resolves the provisioning tasks first (adding or removing user accounts), then performs the synchronization tasks.

Does not add user accounts

If the tool identifies a Microsoft Active Directory user account that does not have a matching user account on the BlackBerry Enterprise Server, the tool does not add the user to the BlackBerry Enterprise Server, and cannot synchronize the user account to a BlackBerry Enterprise Server group. The tool writes details to the report and log file.

Adds user accounts

You map a Microsoft Active Directory group to a virtual provisioning group and start the synchronization process. If the tool identifies a Microsoft Active Directory user account that does not have a matching user account on the BlackBerry Enterprise Server, the tool adds the required user account to the BlackBerry Enterprise Server.

If the Microsoft Active Directory group is mapped to the Provision User as Device Enabled virtual provisioning group, the tool adds a device-enabled user account. If the Microsoft Active Directory group is mapped to the Provision User virtual provisioning group, the tool adds an administrator account that is not device-enabled.

When the tool adds a device-enabled user account to the BlackBerry Enterprise Server, the BlackBerry Enterprise Server does not send an activation email to users. You must send the activation information to users.

Does not assign roles

When the tool adds an administrator account that is not device-enabled to the BlackBerry Enterprise Server, it does not assign an administrative role to the account.

It is a best practice to assign roles to administrator accounts by mapping the accounts to BlackBerry Enterprise Server groups that are already associated with roles. You can also assign roles to administrator accounts using the BlackBerry Administration Service.

Deprovisioning

If you enable deprovisioning, every user account on the BlackBerry Enterprise Server must have a matching user account in a Microsoft Active Directory group that is mapped to one of the virtual provisioning groups. If the tool identifies a user account that does not exist in a provisioning mapping, the tool removes the user account from the BlackBerry Enterprise Server (if the De-provisioning action is set to Delete users). The tool does not remove user accounts that are not integrated with Microsoft Active Directory.

Deprovisioning options

Provisioning priority

If a Microsoft Active Directory user account is mapped to both types of virtual provisioning groups, and the user does not currently have a matching user account on the BlackBerry Enterprise Server, the tool adds the user to the BlackBerry Enterprise Server as a device-enabled user account.

Provisioning conflicts

If you add an administrator account to the BlackBerry Enterprise Server that is not device-enabled, and you later try to add the user to the BlackBerry Enterprise Server again as a device-enabled user account, the tool does not complete the task and writes details to the report and log file. You can remove and add the user again using the BlackBerry Administration Service, or you can configure mappings to remove the user account and add the user account again.

If you add a device-enabled user account to the BlackBerry Enterprise Server, and you later try to add the user to the BlackBerry Enterprise Server again as an administrator account that is not device-enabled, the tool does not complete the task and writes details to the report and log file. You can remove and add the user again using the BlackBerry Administration Service, or you can configure mappings to remove the user account and add the user account again.