Enable and configure onboarding and offboarding
When you enable onboarding, you add universal or global directory groups to UEM as onboarding directory groups (onboarding is not supported for domain local groups). During a synchronization process, if UEM detects a directory user in an onboarding directory group that does not have a corresponding UEM user account, it creates that user account in UEM. When you enable onboarding you can also configure offboarding; when you disable or remove a user from an onboarding directory group, UEM can delete device data and remove the user from UEM.
When offboarding is enabled, any UEM user accounts that are not members of an onboarding directory group, regardless of how they were added to UEM, are offboarded during the next synchronization process.
- Connect to your organization's directory:
- Verify that a company directory synchronization is not in progress. You cannot save the changes you make to the company directory connection until the synchronization is complete.
- To onboard members of global groups, you must enable support for global groups in your Microsoft Active Directory connection settings.
- In the management console, on the menu bar, click Settings > External integration > Company directory.
- Click a company directory connection.
- On the Sync settings tab, select the Enable directory-linked groups check box.
- Select the Enable onboarding check box.
- Do any of the following:
  Task: Add onboarding directory groups and configure device activation options.
  Steps:
  - Click .
  - Search for and add universal or global directory groups.
  - For each directory group, select whether you want to link nested groups.
  - In the Device activation section, select whether you want onboarded users to receive an autogenerated activation password and email, or no activation password. If you select the autogenerated password option, configure the activation period and select an activation email template.
  Task: Onboard users that you only want to use BlackBerry Dynamics apps.
  Steps: Follow these steps if you want to onboard users who will use BlackBerry Dynamics apps only. These users will not activate their devices on UEM using the UEM Client and their devices will not be managed by UEM.
  - Select the Onboard users with BlackBerry Dynamics apps only check box.
  - Click .
  - Search for and add universal or global directory groups.
  - For each directory group, select whether you want to link nested groups.
  - Specify the number of access keys to generate per user, the access key expiration period, and the email template.
  Task: Configure offboarding.
  Steps:
  - If you want to delete device data when a user is offboarded from UEM, select the Delete device data when the user is removed from all onboarding directory groups check box. Do the following:
    - Select the appropriate option for the data that you want to remove from the device.
  - If you want to remove a user from UEM when that user is removed from all onboarding directory groups, select the Delete user when the user is removed from all onboarding directory groups check box.
  - If you want to delay the deletion of users and device data for two hours after a synchronization cycle, select the Offboarding protection check box. This option can help avoid unexpected deletions because of directory replication latency.
- If you want to force the synchronization of company directory groups, select the Force synchronization check box. If enabled, when a group is removed from the company directory, the links to that group are removed from directory-linked groups and onboarding directory groups. If all of the company directory groups associated with a directory-linked group are removed, the directory-linked group is converted to a local group.
- In the Sync limit field, type the maximum number of changes that each synchronization process can complete. If the number of changes to be synchronized exceeds the synchronization limit, you can prevent the synchronization process from running. UEM determines a total of the following changes: users to add to groups, users to remove from groups, users to be onboarded, and users to be offboarded.
- In the Maximum nesting level of directory groups field, type the number of nested levels to synchronize for company directory groups.
- Click Save.
Optionally, configure directory synchronization.
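A dry run of the onboarding and offboarding rules described above, for checking which accounts would be offboarded and whether the change count would exceed the Sync limit before you select the offboarding check boxes. This is an added example, not BlackBerry code or a UEM API: the function plan_sync, the group and user names, and the case-insensitive username comparison are assumptions, and group membership is assumed to be already expanded for nested groups.

```python
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    to_onboard: set = field(default_factory=set)
    to_offboard: set = field(default_factory=set)
    total_changes: int = 0
    exceeds_limit: bool = False


def plan_sync(onboarding_groups, uem_users, sync_limit,
              offboarding_enabled=True, group_adds=0, group_removes=0):
    """Model one synchronization pass using the rules stated on this page.

    onboarding_groups: dict of group name -> set of directory usernames
    uem_users: set of usernames that currently have a UEM user account
    group_adds / group_removes: pending directory-linked group changes
    """
    # Assumption of this model: usernames are compared case-insensitively.
    members = {u.lower() for g in onboarding_groups.values() for u in g}
    existing = {u.lower() for u in uem_users}
    plan = SyncPlan()
    # Directory users in an onboarding group with no UEM account are created.
    plan.to_onboard = members - existing
    # With offboarding enabled, every UEM account outside all onboarding
    # groups is offboarded, regardless of how the account was added.
    if offboarding_enabled:
        plan.to_offboard = existing - members
    # The limit is compared against the total of all four kinds of change.
    plan.total_changes = (group_adds + group_removes
                          + len(plan.to_onboard) + len(plan.to_offboard))
    plan.exceeds_limit = plan.total_changes > sync_limit
    return plan


# Constructed sample data: one onboarding group, and a UEM user list that
# includes two accounts that are not in any onboarding group.
SAMPLE_GROUPS = {"UEM-Onboard-Staff": {"alice", "bob", "carol"}}
SAMPLE_UEM_USERS = {"alice", "bob", "svc-kiosk", "dave"}

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_GROUPS, SAMPLE_UEM_USERS, sync_limit=2)
    print("would onboard: ", sorted(plan.to_onboard))
    print("would offboard:", sorted(plan.to_offboard))
    print("total changes: ", plan.total_changes,
          "| exceeds sync limit:", plan.exceeds_limit)
```

Feed it exports of the onboarding directory groups and the current UEM user list; any name under "would offboard" should be added to an onboarding directory group before offboarding is enabled.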