Enable and configure onboarding and offboarding
You can automatically onboard users that are members of universal and global groups. Onboarding is not supported for domain local groups.
- Verify that a company directory synchronization is not in progress. You cannot save the changes you make to the company directory connection until the synchronization is complete.
- To onboard members of global groups, you must enable support for global groups in your Microsoft Active Directory connection settings.
- On the menu bar, click Settings > External integration > Company directory.
- Click the company directory name that you want to edit.
- On the Sync settings tab, select the Enable directory-linked groups check box.
- Select the Enable onboarding check box.
- Perform the following actions for each group that you want to configure for onboarding with a device activation option:
  - Click .
  - Type a company directory group name. Click .
  - Select the group. Click Add.
  - Optionally, select Link nested groups.
- In the Device activation section, select whether you want onboarded users to receive an autogenerated activation password or no activation password. If you select the autogenerated password option, configure the activation period and select an activation email template.
- To onboard users with BlackBerry Dynamics, select the Onboard users with BlackBerry Dynamics apps only check box.
- Perform the following actions for each group that you want to onboard with activation for BlackBerry Dynamics apps only:
  - Click .
  - Type a company directory group name. Click .
  - Select the group. Click Add.
  - Optionally, select Link nested groups.
- Select the number of access keys to generate per user added, the access key expiration, and the email template.
- To delete device data when a user is offboarded, select the Delete device data when the user is removed from all onboarding directory groups check box. Select one of the following options:
  - Delete only work data
  - Delete all device data
  - Delete all device data for corporate owned/delete only work data for individually owned
- To delete a user account from BlackBerry UEM when a user is removed from all onboarding groups, select Delete user when the user is removed from all onboarding directory groups. The first time that a synchronization cycle occurs after a user account is removed from all onboarding directory groups, the user account is deleted from BlackBerry UEM.
- To prevent user accounts or device data from being deleted from BlackBerry UEM unexpectedly, select Offboarding protection. Offboarding protection means that users will not be deleted from BlackBerry UEM until two hours after the next synchronization cycle.
- To force the synchronization of company directory groups, select the Force synchronization check box. If selected, when a group is removed from your company directory, the links to that group are removed from onboarding directory groups and directory-linked groups. If not selected, if a company directory group is not found, the synchronization process is canceled.
- In the Sync limit field, type the maximum number of changes you want to allow for each synchronization process. The default setting is five. If the number of changes to be synchronized exceeds the synchronization limit, you can prevent the synchronization process from running. Changes are calculated by adding the following: users to add to groups, users to remove from groups, users to be onboarded, users to be offboarded.
- In the Maximum nesting level of directory groups field, type the number of nested levels to synchronize for company directory groups.
- Click Save.
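The following pre-flight check is an added example, not BlackBerry code: it estimates the change count described in the Sync limit step from two snapshots of onboarding-group membership and lists the users who would be offboarded. It assumes every user in the earlier snapshot is already onboarded and that a user who falls into two of the four categories is counted in each; the snapshot format and all group and user names are hypothetical.

```python
# Added example (not BlackBerry code): estimate the next sync's change count
# from two snapshots of onboarding-group membership.
DEFAULT_SYNC_LIMIT = 5  # default Sync limit stated on this page


def sync_changes(before, after):
    """before/after map an onboarding group name to its set of user names."""
    groups = set(before) | set(after)
    empty = set()
    # Per-group membership changes.
    adds = sum(len(after.get(g, empty) - before.get(g, empty)) for g in groups)
    removes = sum(len(before.get(g, empty) - after.get(g, empty)) for g in groups)
    users_before = set().union(*before.values())
    users_after = set().union(*after.values())
    # Assumption: a user seen in no group before is a new onboarding.
    onboarded = sorted(users_after - users_before)
    # Offboarding applies only to users removed from ALL onboarding groups.
    offboarded = sorted(users_before - users_after)
    total = adds + removes + len(onboarded) + len(offboarded)
    return {"adds": adds, "removes": removes, "onboarded": onboarded,
            "offboarded": offboarded, "total": total}


def exceeds_limit(changes, sync_limit=DEFAULT_SYNC_LIMIT):
    """True when the change count is above the configured Sync limit."""
    return changes["total"] > sync_limit


# Constructed snapshots; group and user names are hypothetical.
BEFORE = {"UEM-Sales": {"alice", "bob", "carol"},
          "UEM-Field": {"carol", "dave"}}
# carol leaves UEM-Sales but stays in UEM-Field, so she is not offboarded.
AFTER = {"UEM-Sales": {"alice", "erin"},
         "UEM-Field": {"carol"}}

if __name__ == "__main__":
    changes = sync_changes(BEFORE, AFTER)
    print("changes to synchronize:", changes["total"])
    print("would be offboarded:", ", ".join(changes["offboarded"]) or "none")
    if exceeds_limit(changes):
        print("above the Sync limit: review the directory change before syncing")
```

Review the offboarded list before a synchronization cycle when device data deletion on offboarding is enabled.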