Configure the password expiration warning message
For
Active
Directory
users and user groups that use the PSO (Password Settings Object) method to set the maximum password age, you can configure the BEMS
dashboard and BEMS
Cloud to allow users' BlackBerry Work
apps to display a warning message when their Active
Directory
password is about to expire. By default, this feature is disabled.
In a
BEMS
Cloud environment, you must configure the Email notifications for BlackBerry Work
in the BlackBerry UEM
management console using the Credential authentication type to display the Password expiry tab.For information on displaying a warning message for users that use the GPO (Global Policy Object) method to set the maximum password age, see Configure BlackBerry Work app settings.
- Make sure that you have the following information:
- Logon credentials for the service account that is used to authenticate to the domain controller.
- LDAP server name and port number. The LDAP server name must be one of the Domain Controllers.
- Verify that the service account has READ permissions to the "Password Settings Container". For instructions, see Add Read permission to the account used to authenticate to the LDAP server.
- In aBEMSCloud environment, also verify that aBlackBerry Connectivity Nodeis installed and configured. For more information, see Steps to install and activate the blackberry connectivity node.
- Verify that administrators use the PSO method to set the maximum password age for the users.
- Verify that users in your environment are runningBlackBerry Work3.8 or later.
- Complete one of the following tasks:EnvironmentStepsBEMSon-premises
- In theBlackBerry Enterprise Mobility Server Dashboard, underBlackBerry Configuration, clickMail.
- ClickPassword Expiry Settings.
- Select theEnable LDAP Lookupcheckbox to allowBEMSto queryActive Directoryfor password expiry details for the users.
- In theLDAP Server Namefield, type the name of the LDAP Server (for example, ldap.<DNS_domain_name>).
- In theLDAP Server Portfield, type the port number of the LDAP server. By default, the port number is 389.
- Optionally, select theEnable SSL LDAPcheckbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the default port is to 636. This step requires you to import the LDAP certificate into theBEMSkeystore. For instructions, see "Upload the Microsoft Exchange Server SSL certificate to the BEMS database" in the BEMS-Core configuration content.
- In theLDAP Base DNfield, enter the base DN for the LDAP search. If this entry is not set,BEMStries to find the base DN in the namingContexts attribute.
BEMSCloud- In theBlackBerry UEM Cloudmanagement console, clickSettings > BlackBerry Dynamics > Email notifications.
- Click thePassword expirytab.
- Click .
- Select theEnable password expirycheckbox to allowBEMSto queryActive Directoryfor password expiry details for the users.
- In theLDAP server namefield, type the name of the LDAP Server (for example, ldap.<DNS_domain_name>).
- In theLDAP portfield, type the port number of the LDAP computer. The default port is 389.
- Enter the LDAP logon account and password. You can enter the logon account in the formatdomain\usernameor User Principal Name (UPN)username@domain.
- In theBase DN (Domain controller)field, enter the base DN for the LDAP search. If this entry is not set,BEMStries to find the base DN in the namingContexts attribute.
- Optionally, select theEnable SSL LDAPcheckbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, type the port number to the LDAP computer that you used in step 6. The default port for is 636. This step requires you to import the LDAP certificate into theBEMSkeystore. For instructions, see Create a trusted connection between BEMS Cloud and Microsoft Exchange Server.
- ClickTestto test the connection to the LDAP server.
- ClickSave.