Configure certificate-based console authentication
In an on-premises BlackBerry UEM environment, you can set up certificate-based authentication so that administrators can log in using an authentication certificate. UEM verifies certificates against the issuer, verifies that the certificate is valid using the certificate OCSP or CRL settings, and verifies that the certificate matches a user in the UEM database. This feature is not supported for UEM Cloud.
Get copies of the CA certificates that distribute your administrators' and users' client certificates in .cer or .der format.
- In the management console, on the menu bar, click Settings > General settings > Certificate-based console authentication.
- Select the Enable certificate-based authentication check box.
- Click Browse and navigate to the CA certificate files. UEM trusts all certificates issued by that CA. Repeat this step to upload additional certificates.
- To require UEM to verify that the user principal name in the certificate matches a user in the UEM database, select the Check for user principal name for SAN check box. If the user principal name in the certificate matches a known user, UEM grants access according to the user's permissions.
- To require UEM to verify that the user email address in the certificate matches a user email address in the UEM database, select the Check for email address check box. If the user email address in the certificate matches a known user, UEM grants access according to the user's permissions. If you select both Check for user principal name for SAN and Check for email address, UEM checks the principal name before the email address and grants access if the principal name matches. If neither check finds a match between the certificate and a known user, UEM denies access.
- Click Save.
If users access UEM using Mozilla Firefox, they must add their client certificate to the Firefox certificate store to authenticate with UEM using certificate-based authentication.
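
A pre-flight check for the procedure above, as an added example that is not part of the BlackBerry documentation: it converts a CA certificate to .der, confirms that a client certificate chains to that CA, and shows the email and UPN entries the certificate carries. The CA, the admin1 user, the addresses and all file names are constructed sample values, and OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks before uploading a CA certificate to UEM.
# Every name, subject and address below is a constructed sample value.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Build a throwaway CA and one administrator client certificate (test data only).
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Admin CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=admin1" \
    -keyout "$workdir/admin.key" -out "$workdir/admin.csr" 2>/dev/null
  # SAN carries both an email (rfc822Name) and a UPN (otherName, Microsoft UPN OID).
  printf '%s\n' \
    'subjectAltName=email:admin1@example.com,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:admin1@example.com' \
    'extendedKeyUsage=clientAuth' > "$workdir/ext.cnf"
  openssl x509 -req -in "$workdir/admin.csr" -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" \
    -CAcreateserial -days 1 -extfile "$workdir/ext.cnf" -out "$workdir/admin.pem" 2>/dev/null
}

# Convert a PEM CA certificate to DER, one of the formats the page asks for.
to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }

# Succeeds only if the client certificate chains to the CA you plan to upload.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the email address(es) carried in the certificate (subject and SAN).
cert_email() { openssl x509 -in "$1" -noout -email; }

# Succeeds if the SAN holds an otherName entry, which is where a UPN is stored.
# Whether the UPN value itself is decoded in -text output depends on the OpenSSL version.
has_othername_san() { openssl x509 -in "$1" -noout -text | grep -qi 'othername'; }

make_sample_pki
to_der "$workdir/ca.pem" "$workdir/ca.der"
chains_to_ca "$workdir/ca.pem" "$workdir/admin.pem" && echo "chain: OK"
echo "email: $(cert_email "$workdir/admin.pem")"
has_othername_san "$workdir/admin.pem" && echo "SAN otherName (UPN) present"
```

To check real certificates, skip `make_sample_pki` and pass your own CA and client certificate paths to the other functions.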