Connect to a Microsoft Active
Microsoft Active Directoryinstance
Microsoft Active Directoryaccount that
BlackBerry UEMcan use. The account must meet the following requirements:
- It must be located in aWindowsdomain that is part of theMicrosoft Exchangeforest.
- It must have permission to access the user container and read the user objects stored in the global catalog servers in theMicrosoft Exchangeforest.
- The password must be configured not to expire and does not need to be changed at the next login.
- If you enable single sign-on, constrained delegation must be configured for the account.
- The UEM server must also be joined to the Active Directory Domain.
- On the menu bar, clickSettings > External integration > Company directory.
- ClickAdd a Microsoft Active Directory connection.
- In theDirectory connection namefield, type the name for the directory connection.
- In theUsernamefield, type the username of theMicrosoft Active Directoryaccount.
- In theDomainfield, type the name of theWindowsdomain that is a part of theMicrosoft Exchangeforest, in DNS format (for example, example.com).
- In thePasswordfield, type the account password.
- In theKerberos Key Distribution Center selectiondrop-down list, perform one of the following actions:
- To permitBlackBerry UEMto automatically discover the key distribution centers (KDCs), clickAutomatic.
- To specify the list of KDCs forBlackBerry UEMto use for authentication, clickManual. In theServer namesfield, type the name of the KDC domain controller in DNS format (for example, kdc01.example.com). Optionally, include the port number that the domain controller uses (for example, kdc01.example.com:88). Click to specify additional KDC domain controllers that you wantBlackBerry UEMto use.
- In theGlobal catalog selectiondrop-down list, perform one of the following actions:
- If you wantBlackBerry UEMto automatically discover the global catalog servers, clickAutomatic.
- To specify the list of global catalog servers forBlackBerry UEMto use, clickManual. In theServer namesfield, type the DNS name of the global catalog server that you wantBlackBerry UEMto access (for example, globalcatalog01.example.com). Optionally, include the port number that the global catalog server uses (for example, globalcatalog01.com:3268). Click to specify additional servers.
- In theGlobal catalog search basefield, perform one of the following actions:
- To permitBlackBerry UEMto search the entire global catalog, leave the field blank.
- To control which user accountsBlackBerry UEMcan authenticate, type the distinguished name of the user container (for example, OU=sales,DC=example,DC=com).
- If you want to enable support for global groups, in theSupport for global groupsdrop-down list, clickYes.If you want to use global groups for onboarding, you must selectYes. To configure a global group domain, in theList of global group domainssection, click . In theDomainfield select the domain that you want to add. The default selection for theSpecify username and password?field is No. If you keep this default selection, the username and password for the forest connection is used. If you select Yes, you must provide valid credentials for aMicrosoft Active Directoryaccount in the domain that you selected. In theKDC selectionfield, you can select Automatic to permitBlackBerry UEMto automatically discover the key distribution centers, or Manual to specify the list of KDCs forBlackBerry UEMto use for authentication. ClickAdd.
- If your environment contains a Microsoft Exchange resource forest, to enable support for linkedMicrosoft Exchangemailboxes, in theSupport for linked Microsoft Exchange mailboxesdrop-down list, clickYes.To configure theMicrosoft Active Directoryaccount for each forest that you wantBlackBerry UEMto access, in theList of account forestssection, click . Specify the user domain name (the user may belong to any domain in the account forest), and the username and password. If necessary, specify the KDCs that you wantBlackBerry UEMto search. If necessary, specify the global catalog servers that you wantBlackBerry UEMto access. ClickAdd.
- To enable single sign-on, select theEnable Windows single sign-oncheck box. For more information about single sign-on, see the Administration content. Single-sign on is supported only in an on-premises environment.
- To synchronize more user details from your company directory, select theSynchronize additional user detailscheck box. The additional details include company name and office phone.
If you want to add a directory synchronization schedule, see Add a synchronization schedule.