Overview: BlackBerry Directory Sync Tool

The BlackBerry Directory Sync Tool is an application that you can use to synchronize the membership of security groups and distribution groups in Microsoft Active Directory with groups on a Universal Device Service. After you map one-to-one relationships between Microsoft Active Directory groups and Universal Device Service groups, you can start the synchronization process manually, or you can use a task scheduling application to run the synchronization at a set interval.

When you run the synchronization process, it compares the Microsoft Active Directory group to the Universal Device Service group that you mapped it to. If the tool finds any differences in group membership, it assigns user accounts to, or removes user accounts from, the Universal Device Service group until the membership matches the Microsoft Active Directory group. For more information about synchronization rules, see Synchronization and provisioning rules.

The tool can synchronize groups only if the user accounts in Microsoft Active Directory have matching user accounts on the Universal Device Service. If matching user accounts do not exist on the Universal Device Service, you can add the user accounts manually using the Administration Console, or you can enable the provisioning feature so that the tool can add user accounts during the synchronization process.

When you enable provisioning, you map Microsoft Active Directory groups to virtual provisioning groups. During the synchronization process, the tool identifies the Microsoft Active Directory users that do not have matching user accounts on the Universal Device Service, and adds the user accounts as necessary. If you enable deprovisioning, the tool identifies user accounts that are not mapped to a virtual provisioning group and removes them from the Universal Device Service. For more information about provisioning rules, see Synchronization and provisioning rules.

If you enable provisioning and deprovisioning, it is a best practice to add and remove user accounts from the Universal Device Service using the tool only, instead of adding and removing the user accounts manually using the Administration Console. For more information, see Prerequisites and Synchronization and provisioning rules.