
Configure single sign-on for BlackBerry UEM

If you connect BlackBerry UEM to Microsoft Active Directory, you can configure single sign-on authentication so that administrators and users bypass the login web page and open the management console or BlackBerry UEM Self-Service directly. When an administrator or user logs in to Windows, the browser uses that Windows logon session to authenticate them to UEM automatically (Integrated Windows Authentication over Kerberos, which is why the SPN and constrained-delegation setup below is required). The Windows logon can be based on Active Directory credentials or on derived credentials (for example, from CAC readers or digital tokens).

This feature is not supported by UEM Cloud.
  • Configure constrained delegation for the Active Directory account that UEM uses for the directory connection:
    1. Use the Windows Server ADSI Edit tool or the setspn command-line tool to add the following SPNs for UEM to the Active Directory account:
       HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
       BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)
       Each SPN must be registered on exactly one account in the forest; a duplicate SPN causes Kerberos authentication to that service to fail.
    2. In Microsoft Active Directory Users and Computers, in the account properties, on the Delegation tab, enable Trust this user for delegation to specified services only and Use Kerberos only. Do not select Use any authentication protocol: that option enables protocol transition, which lets the account obtain service tickets on behalf of any user without that user having authenticated with Kerberos.
    3. Add the SPNs to the list of services.
  • If you enable single sign-on for multiple Active Directory connections, verify that there are no trust relationships between the Active Directory forests.
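The delegation steps above can be scripted and verified instead of clicked through. The following PowerShell is an added example, not BlackBerry's code: it registers the two SPNs, sets Kerberos-only constrained delegation on the directory-connection account, and then checks the resulting attributes. The account name svc-uem and the host uem.example.com are assumptions; it needs the ActiveDirectory RSAT module and rights to modify the account.

```powershell
# Added example (not from the BlackBerry documentation): register the UEM SPNs on the
# directory-connection account, configure Kerberos-only constrained delegation to
# those SPNs, and verify the result. Account and host names are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string]$Account = 'svc-uem',          # assumed sAMAccountName of the UEM directory account
    [string]$UemHost = 'uem.example.com'   # assumed UEM host FQDN or pool name
)

$spns = @("HTTP/$UemHost", "BASPLUGIN111/$UemHost")

$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'

# 1. Register the SPNs that are not yet on the account. setspn -S searches the
#    forest and refuses to add an SPN that another account already holds, which
#    is the duplicate that would otherwise break Kerberos for both.
foreach ($spn in $spns) {
    if ($u.servicePrincipalName -contains $spn) { continue }
    setspn -S $spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (duplicate SPN or insufficient rights)" }
}

# 2. "Trust this user for delegation to specified services only": the target
#    services live in msDS-AllowedToDelegateTo. Add only the missing entries so
#    the script can be re-run safely.
$missing = $spns | Where-Object { $u.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) {
    Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = @($missing) }
}

# 3. "Use Kerberos only": TrustedToAuthForDelegation off means no protocol
#    transition; TrustedForDelegation off means no unconstrained delegation.
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Read the account back and fail loudly if anything is not as expected.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
$problems = @()
foreach ($spn in $spns) {
    if ($u.servicePrincipalName -notcontains $spn)          { $problems += "SPN $spn not registered" }
    if ($u.'msDS-AllowedToDelegateTo' -notcontains $spn)    { $problems += "$spn not in delegation list" }
}
if ($u.TrustedForDelegation)       { $problems += 'unconstrained delegation is enabled' }
if ($u.TrustedToAuthForDelegation) { $problems += 'protocol transition (Use any authentication protocol) is enabled' }

$u | Select-Object SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation | Format-List
if ($problems) { throw ("Delegation check failed: " + ($problems -join '; ')) }
"OK: $Account delegates with Kerberos only to $($spns -join ', ')"
```

The final check is worth keeping as a standalone audit: an account that later acquires TrustedToAuthForDelegation, or extra entries in msDS-AllowedToDelegateTo, has silently become more powerful than the documented configuration.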
  1. In the UEM management console, on the menu bar, click Settings > External integration > Company directory.
  2. In the Configured directory connections section, click an Active Directory connection.
  3. On the Authentication tab, select the Enable Windows single sign-on check box.
  4. Click Save.
  5. Click Save again.
  6. Click Close.
  • Restart the UEM services on each computer that hosts a UEM instance.
  • Instruct administrators and users to use the following URLs:
    • Management console: https://<host_FQDN_or_pool_name>:<port>/admin/index.jsp?tenant=<tenant_ID>&redirect=no
    • UEM Self-Service: https://<host_FQDN_or_pool_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>&redirect=no
    If you integrate UEM with Entra ID, the UEM console URLs change to the following ("&redirect=no" is removed from the end of the URL):
    • Management console: https://<server_name>:<port>/admin/index.jsp?tenant=<tenant_ID>
    • Self-service console: https://<server_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>
    Single sign-on authentication takes precedence over other authentication methods. If your organization's security standards require that administrators or users authenticate with another method, single sign-on can be bypassed for a request by adding the sso=n parameter to the URLs above (the URLs already carry a query string, so it is joined with & rather than a second ?, for example ...&redirect=no&sso=n). Because the parameter is chosen by the client, this is a convenience for users who need another method, not a control: single sign-on remains available on the unmodified URL to anyone with a Windows logon.
  • Instruct administrators and UEM Self-Service users to configure their browsers to support single sign-on for UEM:
    • Microsoft Edge: The management console and UEM Self-Service URLs must be assigned to the Local intranet zone. Enable Integrated Windows Authentication.
    • Mozilla Firefox: In the about:config list, add https://<host_FQDN_or_pool_name> to the network.negotiate-auth.trusted-uris preference (the preference is a comma-separated list of URIs or host names).
    • Google Chrome: The management console and UEM Self-Service URLs must be assigned to the Local intranet zone.
    Add only the UEM host name: a browser sends the user's Kerberos credentials automatically to every site in that zone or list, so a wildcard or a whole domain widens where those credentials can go.
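The browser settings above can also be pushed by script or policy rather than set by each user. The following PowerShell is an added example, not BlackBerry's code: it writes the Local intranet zone mapping and the Integrated Windows Authentication switch that Edge and Chrome read from Internet Options, sets the AuthServerAllowlist browser policy as the managed alternative, and drops a Firefox policies.json that sets network.negotiate-auth.trusted-uris for all profiles. The host uem.example.com and the Firefox install path are assumptions; the policy keys under HKLM need an elevated session.

```powershell
# Added example (not from the BlackBerry documentation): configure Edge, Chrome and
# Firefox on a Windows client to negotiate Kerberos with the UEM host only.
# The UEM host name and the Firefox install path are assumptions.
param(
    [string]$UemHost = 'uem.example.com'   # assumed UEM host FQDN or pool name
)

# --- Edge and Chrome: Internet Options zone map (per user) ---------------------
# ZoneMap\Domains\<domain>\<host> holds a DWORD named after the URL scheme whose
# value is the zone number; 1 = Local intranet, which is the zone where the
# browser performs automatic logon with the Windows credentials.
$labels    = $UemHost.Split('.')
$hostLabel = $labels[0]
$domain    = ($labels | Select-Object -Skip 1) -join '.'
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneKey   = "$inetKey\ZoneMap\Domains\$domain\$hostLabel"

New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# "Enable Integrated Windows Authentication" in Internet Options > Advanced.
New-ItemProperty -Path $inetKey -Name 'EnableNegotiate' -Value 1 -PropertyType DWord -Force | Out-Null

# --- Edge and Chrome: managed policy (machine wide, needs elevation) ---------
# AuthServerAllowlist names the servers the browser may send Kerberos/NTLM
# credentials to. Listing only the UEM host keeps the credentials from being
# offered to any other site that returns a Negotiate challenge.
foreach ($policyKey in 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                       'HKLM:\SOFTWARE\Policies\Google\Chrome') {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'AuthServerAllowlist' -Value $UemHost `
        -PropertyType String -Force | Out-Null
}

# --- Firefox: enterprise policy --------------------------------------------
# Authentication.SPNEGO in policies.json is the managed equivalent of editing
# network.negotiate-auth.trusted-uris in about:config, and applies to every profile.
$firefoxDist = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'   # assumed install path
$policy = @{ policies = @{ Authentication = @{ SPNEGO = @("https://$UemHost") } } }
New-Item -Path $firefoxDist -ItemType Directory -Force | Out-Null
$policy | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $firefoxDist 'policies.json') -Encoding UTF8

# --- Verify what was written --------------------------------------------------
$zone = (Get-ItemProperty -Path $zoneKey).https
if ($zone -ne 1) { throw "$UemHost is in zone $zone, expected 1 (Local intranet)" }
"OK: https://$UemHost mapped to Local intranet; AuthServerAllowlist and Firefox SPNEGO set to $UemHost"
```

Browsers pick up the zone map on their next start. Keep the allowlist and zone entries to the UEM host itself, as the page recommends for the Firefox preference; the trust these settings grant is "send my Kerberos ticket here without asking".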