Get the PDF

Configuring BlackBerry UEM
Changing the certificates that BlackBerry UEM uses for authentication
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Installing the BlackBerry Connectivity Node to connect to resources behind your organization's firewall
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use a transparent TCP proxy server
  - Enable SOCKS v5 on a TCP proxy server
- Install a standalone BlackBerry Router in a UEM Cloud environment
Configure connections through internal proxy servers
Connect to an SMTP server to send email notifications
Connecting to your company directories
Connecting BlackBerry UEM to Microsoft Entra ID
Obtaining an APNs certificate to manage iOS and macOS devices
- Request and register an APNs certificate
- Troubleshooting: APNs
Configure BlackBerry UEM for DEP
Configuring BlackBerry UEM to support Android Enterprise devices
- Configure BlackBerry UEM to support Android Enterprise devices
Configuring BlackBerry UEM to support Android Management devices
- Configure Android Management in the Google Cloud console
- Configure Android Management in BlackBerry UEM
Extending the management of Chrome OS devices to BlackBerry UEM
Simplifying Windows 10 activations
- Integrate UEM with Entra ID join
  - Configure Windows Autopilot for device activation
- Deploy a discovery service to simplify Windows 10 activations
Migrating users, devices, groups, and other data from a source server
Configuring network communication and properties for BlackBerry Dynamics apps
Integrating BlackBerry UEM with Cisco ISE
Set up VPN using Knox StrongSwan for UEM dark site environments

Connect to a
Microsoft Active Directory
instance

The task below applies to a

UEM

on-premises environment. In a

UEM Cloud

environment, install and configure the BlackBerry Connectivity Node to connect to your company directory.

Create a

Microsoft Active Directory

account that

UEM

can use. The account must meet the following requirements:

It must be located in a

Windows

domain that is part of the

Microsoft Exchange

forest.

It must have permission to access the user container and read the user objects stored in the global catalog servers in the

Microsoft Exchange

forest.

The password must be configured not to expire and does not need to be changed at the next login.

If you enable single sign-on, constrained delegation must be configured for the account.

The

UEM

server must also be joined to the

Active Directory

domain.

If your organization uses a

Microsoft Exchange

resource forest, you must create a mailbox in the resource forest for each user account and associate them with the user accounts in the account forests.

UEM

uses the mailboxes to look up the user accounts in the individual domains. To authenticate users who log in to

UEM

must read the user information that is stored in the global catalog servers that are part of the resource forest. You must create a

Microsoft Active Directory

account for

UEM

that is located in a

Windows

domain that is part of the resource forest. When you create the directory connection, you provide the

Windows

credentials for the

Microsoft Active Directory

account, and, if required, the names of the global catalog servers that

UEM

can use.

In the

UEM

management console, on the menu bar, click

Settings > External integration > Company directory

Click

> Microsoft Active Directory connection

In the

Directory connection name

field, type a name for the directory connection.

In the

Username

field, type the username of the

Microsoft Active Directory

account.

In the

Domain

field, type the name of the

Windows

domain that is part of the

Microsoft Exchange

forest, in DNS format (for example, example.com).

In the

Password

field, type the account password.

In the

Kerberos Key Distribution Center selection

drop-down list, do one of the following:

To permit

UEM

to automatically discover the key distribution centers (KDCs), click

Automatic

To specify the list of KDCs for

UEM

to use for authentication, click

Manual

. In the

Server names

field, type the name of the KDC domain controller in DNS format (for example, kdc01.example.com). Optionally, include the port number that the domain controller uses (for example, kdc01.example.com:88). Click The add icon

to specify additional KDC domain controllers that you want

UEM

to use.

In the

Global catalog selection

drop-down list, do one of the following:

If you want

UEM

to automatically discover the global catalog servers, click

Automatic

To specify the list of global catalog servers for

UEM

to use, click

Manual

. In the

Server names

field, type the DNS name of the global catalog server that you want

UEM

to access (for example, globalcatalog01.example.com). Optionally, include the port number that the global catalog server uses (for example, globalcatalog01.com:3268). Click The add icon

to specify additional servers.

Click

Continue

In the

Global catalog search base

field, do one of the following:

To permit

UEM

to search the entire global catalog, leave the field blank.

To control which user accounts

UEM

can authenticate, type the distinguished name of the user container (for example, OU=sales,DC=example,DC=com).

If you want to enable support for global groups, in the

Support for global groups

drop-down list, click

Yes

If you want to use global groups for onboarding, you must select

Yes

. To configure a global group domain, in the

List of global group domains

section, click The add icon

. In the

Domain

field, click the domain that you want to add. The default selection for the

Specify username and password?

field is No. If you keep this default selection, the username and password for the forest connection is used. If you select Yes, you must provide valid credentials for an

Active Directory

account in the domain that you selected. In the

KDC selection

field, you can select Automatic to permit

UEM

to automatically discover the key distribution centers, or Manual to specify the list of KDCs for

UEM

to use for authentication. Click

Add

If your environment contains a

Microsoft Exchange

resource forest, to enable support for linked

Microsoft Exchange

mailboxes, in the

Support for linked Microsoft Exchange mailboxes

drop-down list, click

Yes

To configure the

Microsoft Active Directory

account for each forest that you want

UEM

to access, in the

List of account forests

section, click The add icon

. Specify the user domain name (the user may belong to any domain in the account forest), and the username and password. If necessary, specify the KDCs that you want

UEM

to search. If necessary, specify the global catalog servers that you want

UEM

to access. Click

Add

To enable single sign-on, select the

Enable Windows single sign-on

check box. For more information about single sign-on, see Configure single sign-on for BlackBerry UEM in the Administration content.

To synchronize more user details from your company directory, select the

Synchronize additional user details

check box. The additional details include company name and office phone.

Click

Save

Click

Do any of the following optional tasks:

Enable directory-linked groups.

Enable and configure onboarding and offboarding.

Configure directory synchronization.

If you remove a directory connection, all users that were added to

UEM

from that directory will be converted to local users. Once users are converted to local users they can't be converted back to directory linked users, even if you later re-add the company directory connection. Users will continue to function as local users but

UEM

will not be able to synchronize updates from the company directory.

Section:

Connecting to your company directories

Connect to a Microsoft Active Directory instance

Connect to a
Microsoft Active Directory
instance