Skip Navigation

Connect to a 
Microsoft Active Directory
 instance

Create a 
Microsoft Active Directory
 account that 
BlackBerry UEM
 can use. The account must meet the following requirements:
  • It must be located in a 
    Windows
     domain that is part of the 
    Microsoft Exchange
     forest.
  • It must have permission to access the user container and read the user objects stored in the global catalog servers in the 
    Microsoft Exchange
     forest.
  • The password must be configured not to expire and does not need to be changed at the next login.
  • If you enable single sign-on, constrained delegation must be configured for the account.
  • The UEM server must also be joined to the Active Directory Domain.
  1. On the menu bar, click 
    Settings > External integration > Company directory
    .
  2. Click 
    Add a Microsoft Active Directory connection
    .
  3. In the 
    Directory connection name
     field, type the name for the directory connection.
  4. In the 
    Username
     field, type the username of the 
    Microsoft Active Directory
     account.
  5. In the 
    Domain
     field, type the name of the 
    Windows
     domain that is a part of the 
    Microsoft Exchange
     forest, in DNS format (for example, example.com).
  6. In the 
    Password
     field, type the account password.
  7. In the 
    Kerberos Key Distribution Center selection
     drop-down list, perform one of the following actions:
    • To permit 
      BlackBerry UEM
       to automatically discover the key distribution centers (KDCs), click 
      Automatic
      .
    • To specify the list of KDCs for 
      BlackBerry UEM
       to use for authentication, click 
      Manual
      . In the 
      Server names
       field, type the name of the KDC domain controller in DNS format (for example, kdc01.example.com). Optionally, include the port number that the domain controller uses (for example, kdc01.example.com:88). Click   to specify additional KDC domain controllers that you want 
      BlackBerry UEM
       to use.
  8. In the 
    Global catalog selection
     drop-down list, perform one of the following actions:
    • If you want 
      BlackBerry UEM
       to automatically discover the global catalog servers, click 
      Automatic
      .
    • To specify the list of global catalog servers for 
      BlackBerry UEM
       to use, click 
      Manual
      . In the 
      Server names
       field, type the DNS name of the global catalog server that you want 
      BlackBerry UEM
       to access (for example, globalcatalog01.example.com). Optionally, include the port number that the global catalog server uses (for example, globalcatalog01.com:3268). Click   to specify additional servers.
  9. Click 
    Continue
    .
  10. In the 
    Global catalog search base
     field, perform one of the following actions:
    • To permit 
      BlackBerry UEM
       to search the entire global catalog, leave the field blank.
    • To control which user accounts 
      BlackBerry UEM
       can authenticate, type the distinguished name of the user container (for example, OU=sales,DC=example,DC=com).
  11. If you want to enable support for global groups, in the 
    Support for global groups
     drop-down list, click 
    Yes
    If you want to use global groups for onboarding, you must select 
    Yes
    . To configure a global group domain, in the 
    List of global group domains
     section, click  . In the 
    Domain
     field select the domain that you want to add. The default selection for the 
    Specify username and password?
     field is No. If you keep this default selection, the username and password for the forest connection is used. If you select Yes, you must provide valid credentials for a 
    Microsoft Active Directory
     account in the domain that you selected. In the 
    KDC selection
     field, you can select Automatic to permit 
    BlackBerry UEM
     to automatically discover the key distribution centers, or Manual to specify the list of KDCs for 
    BlackBerry UEM
     to use for authentication. Click 
    Add
    .
  12. If your environment contains a Microsoft Exchange resource forest, to enable support for linked 
    Microsoft Exchange
     mailboxes, in the 
    Support for linked Microsoft Exchange mailboxes
     drop-down list, click 
    Yes
    .
    To configure the 
    Microsoft Active Directory
     account for each forest that you want 
    BlackBerry UEM
     to access, in the 
    List of account forests
     section, click  . Specify the user domain name (the user may belong to any domain in the account forest), and the username and password. If necessary, specify the KDCs that you want 
    BlackBerry UEM
     to search. If necessary, specify the global catalog servers that you want 
    BlackBerry UEM
     to access. Click 
    Add
    .
  13. To enable single sign-on, select the 
    Enable Windows single sign-on
     check box. For more information about single sign-on, see the Administration content.  Single-sign on is supported only in an on-premises environment.
  14. To synchronize more user details from your company directory, select the 
    Synchronize additional user details
     check box. The additional details include company name and office phone.
  15. Click 
    Save
    .
  16. Click 
    Close
    .
If you want to add a directory synchronization schedule, see Add a synchronization schedule.