Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.18
  3. Installation and configuration
  4. Configuration
  5. Connecting to your company directories
  6. Connect to a Microsoft Active Directory instance

Connect to a
Microsoft Active Directory
 instance

Create a
Microsoft Active Directory
 account that
BlackBerry UEM
 can use. The account must meet the following requirements:
  • It must be located in a
    Windows
     domain that is part of the
    Microsoft Exchange
     forest.
  • It must have permission to access the user container and read the user objects stored in the global catalog servers in the
    Microsoft Exchange
     forest.
  • The password must be configured not to expire and does not need to be changed at the next login.
  • If you enable single sign-on, constrained delegation must be configured for the account.
  • The UEM server must also be joined to the
    Active Directory
     Domain.
  1. On the menu bar, click
    Settings > External integration > Company directory
    .
  2. Click
    Add a Microsoft Active Directory connection
    .
  3. In the
    Directory connection name
     field, type the name for the directory connection.
  4. In the
    Username
     field, type the username of the
    Microsoft Active Directory
     account.
  5. In the
    Domain
     field, type the name of the
    Windows
     domain that is a part of the
    Microsoft Exchange
     forest, in DNS format (for example, example.com).
  6. In the
    Password
     field, type the account password.
  7. In the
    Kerberos Key Distribution Center selection
     drop-down list, perform one of the following actions:
    • To permit
      UEM
       to automatically discover the key distribution centers (KDCs), click
      Automatic
      .
    • To specify the list of KDCs for
      UEM
       to use for authentication, click
      Manual
      . In the
      Server names
       field, type the name of the KDC domain controller in DNS format (for example, kdc01.example.com). Optionally, include the port number that the domain controller uses (for example, kdc01.example.com:88). Click The add icon to specify additional KDC domain controllers that you want
      UEM
       to use.
  8. In the
    Global catalog selection
     drop-down list, perform one of the following actions:
    • If you want
      UEM
       to automatically discover the global catalog servers, click
      Automatic
      .
    • To specify the list of global catalog servers for
      UEM
       to use, click
      Manual
      . In the
      Server names
       field, type the DNS name of the global catalog server that you want
      UEM
       to access (for example, globalcatalog01.example.com). Optionally, include the port number that the global catalog server uses (for example, globalcatalog01.com:3268). Click The add icon to specify additional servers.
  9. Click
    Continue
    .
  10. In the
    Global catalog search base
     field, perform one of the following actions:
    • To permit
      UEM
       to search the entire global catalog, leave the field blank.
    • To control which user accounts
      UEM
       can authenticate, type the distinguished name of the user container (for example, OU=sales,DC=example,DC=com).
  11. If you want to enable support for global groups, in the
    Support for global groups
     drop-down list, click
    Yes
    .
    If you want to use global groups for onboarding, you must select
    Yes
    . To configure a global group domain, in the
    List of global group domains
     section, click The add icon. In the
    Domain
     field select the domain that you want to add. The default selection for the
    Specify username and password?
     field is No. If you keep this default selection, the username and password for the forest connection is used. If you select Yes, you must provide valid credentials for an
    Active Directory
     account in the domain that you selected. In the
    KDC selection
     field, you can select Automatic to permit
    UEM
     to automatically discover the key distribution centers, or Manual to specify the list of KDCs for
    UEM
     to use for authentication. Click
    Add
    .
  12. If your environment contains a
    Microsoft Exchange
     resource forest, to enable support for linked
    Microsoft Exchange
     mailboxes, in the
    Support for linked Microsoft Exchange mailboxes
     drop-down list, click
    Yes
    .
    To configure the
    Microsoft Active Directory
     account for each forest that you want
    UEM
     to access, in the
    List of account forests
     section, click The add icon. Specify the user domain name (the user may belong to any domain in the account forest), and the username and password. If necessary, specify the KDCs that you want
    UEM
     to search. If necessary, specify the global catalog servers that you want
    UEM
     to access. Click
    Add
    .
  13. To enable single sign-on, select the
    Enable Windows single sign-on
     check box. For more information about single sign-on, see Configuring single sign-on for BlackBerry UEM in the Administration content.  Single-sign on is supported only in an on-premises environment.
  14. To synchronize more user details from your company directory, select the
    Synchronize additional user details
     check box. The additional details include company name and office phone.
  15. Click
    Save
    .
  16. Click
    Close
    .
If you want to add a directory synchronization schedule, see Add a synchronization schedule.