
Configure single sign-on for BlackBerry UEM

If you connect BlackBerry UEM to Microsoft Active Directory, you can configure single sign-on authentication to allow administrators or users to bypass the login page and access the management console or BlackBerry UEM Self-Service directly. When administrators or users log in to Windows, the browser uses their credentials to authenticate them with UEM automatically. Windows login information can include Active Directory credentials or derived credentials (for example, from CAC readers or digital tokens).
This feature is not supported by UEM Cloud.
  • Do the following to configure Kerberos constrained delegation for the Active Directory account that UEM uses for the directory connection:
    1. Use the Windows Server ADSI Edit tool or the setspn command-line tool to add the following SPNs for UEM to the Active Directory account:
      • HTTP/<host_FQDN_or_pool_name> (for example, HTTP/uem01.example.com)
      • BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/uem01.example.com)
      For example:
      setspn -U -S HTTP/uem01.example.com uemaccount
      setspn -U -S BASPLUGIN111/uem01.example.com uemaccount
      The -S option registers an SPN only if no other object in the forest already holds it. Keep that check: a duplicate SPN leaves the KDC unable to choose a service key, and single sign-on to UEM then fails for every user. The name of the Active Directory account in the command must match the User Principal Name. The password for the Active Directory account must not contain spaces or any of the following special characters: !, #, $, %, ^, (, ), &, =, ', ", ;, >, <, |, comma (,), or \
    2. In Microsoft Active Directory Users and Computers, search for the Active Directory user account. In the account properties, on the Delegation tab (the tab is shown only after at least one SPN is registered on the account), enable Trust this user for delegation to specified services only and Use Kerberos only. Do not select Trust this user for delegation to any service (unconstrained delegation) or Use any authentication protocol (protocol transition); both grant the account more than UEM needs.
    3. Add the HTTP and BASPLUGIN111 services that you registered in step 1 to the list of services that the account is allowed to delegate to.
  • If you enable single sign-on for multiple Active Directory connections, verify that there are no trust relationships between the Active Directory forests.
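The same three delegation steps, scripted with the RSAT ActiveDirectory module and followed by a check of the result. This is an added example, not a BlackBerry script; the account name uemaccount and the host uem01.example.com are assumed, as is a shell running as a user who can modify the account object.

```powershell
# Added example (not BlackBerry's own): registers the UEM SPNs on the directory
# connection account, enables Kerberos-only constrained delegation to those
# services, and verifies the result. Assumed names: 'uemaccount', uem01.example.com.
Import-Module ActiveDirectory

$Account = 'uemaccount'          # sAMAccountName of the UEM directory account (assumed)
$UemHost = 'uem01.example.com'   # host FQDN or pool name (assumed)
$Spns    = @("HTTP/$UemHost", "BASPLUGIN111/$UemHost")

# Password rule from the page: no spaces and none of ! # $ % ^ ( ) & = ' " ; > < | , \
# Use this to check a candidate password before it is set on the account.
function Test-UemAccountPassword {
    param([Parameter(Mandatory)][string]$Password)
    return -not ($Password -match '[\s!#$%^()&=''";<>|,\\]')
}

$user = Get-ADUser -Identity $Account

# Step 1: register the SPNs. Like 'setspn -S', refuse to create a duplicate:
# two objects holding one SPN leave the KDC unable to pick a key, and SSO fails.
foreach ($spn in $Spns) {
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($holders) {
        throw "SPN $spn is already registered on $($holders.DistinguishedName -join ', ')"
    }
}
Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $Spns}

# Steps 2 and 3: constrained delegation, Kerberos only.
#  - msDS-AllowedToDelegateTo lists the services the account may delegate to
#    ("Trust this user for delegation to specified services only" plus the
#    HTTP and BASPLUGIN111 entries added on the Delegation tab)
#  - TrustedForDelegation $false       -> not unconstrained delegation
#  - TrustedToAuthForDelegation $false -> "Use Kerberos only", no protocol transition
Set-ADUser -Identity $Account -Replace @{'msDS-AllowedToDelegateTo' = $Spns}
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Returns $true only when the account matches the configuration described on the
# page; each deviation (including the two weaker delegation modes) is reported.
function Test-UemDelegation {
    param([string]$Identity, [string[]]$ExpectedSpns)
    $u = Get-ADUser -Identity $Identity -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    $problems = @()
    foreach ($spn in $ExpectedSpns) {
        if ($u.servicePrincipalName -notcontains $spn)       { $problems += "missing SPN $spn" }
        if ($u.'msDS-AllowedToDelegateTo' -notcontains $spn) { $problems += "not allowed to delegate to $spn" }
    }
    if ($u.TrustedForDelegation)       { $problems += 'unconstrained delegation is enabled' }
    if ($u.TrustedToAuthForDelegation) { $problems += 'protocol transition (use any authentication protocol) is enabled' }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

Test-UemDelegation -Identity $Account -ExpectedSpns $Spns
```

Run Test-UemDelegation again after any later change to the account; an administrator who switches the account to "Use any authentication protocol" to fix an unrelated problem silently widens what the account can do, and this check catches it.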
  1. In the UEM management console, on the menu bar, click Settings > External integration > Company directory.
  2. In the Configured directory connections section, click an Active Directory connection.
  3. On the Authentication tab, select the Enable Windows single sign-on check box.
  4. Click Save.
  5. Click Save again.
  6. Click Close.
  • Restart the UEM services on each computer that hosts a UEM instance.
  • Instruct administrators and UEM Self-Service users to configure their browsers to support single sign-on for UEM. Browsers send Kerberos (Negotiate) credentials only to hosts they trust, and only for the host name in the URL, so users must open the console by the same FQDN or pool name that the SPNs were registered for; an IP address or short host name does not obtain a ticket for HTTP/<host_FQDN_or_pool_name>.
    • Microsoft Edge: The management console and UEM Self-Service URLs must be assigned to the local intranet zone. Enable Integrated Windows Authentication.
    • Mozilla Firefox: In the about:config list, add https://<host_FQDN_or_pool_name> to the network.negotiate-auth.trusted-uris preference.
    • Google Chrome: The management console and UEM Self-Service URLs must be assigned to the local intranet zone.
  • Instruct administrators and users to use the following URLs:
    • Management console: https://<host_FQDN_or_pool_name>:<port>/admin/index.jsp?tenant=<tenant_ID>&redirect=no
    • UEM Self-Service: https://<host_FQDN_or_pool_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>&redirect=no
    If you integrate UEM with Entra ID, the UEM console URLs change to the following ("&redirect=no" is removed from the end of the URL):
    • Management console: https://<server_name>:<port>/admin/index.jsp?tenant=<tenant_ID>
    • Self-service console: https://<server_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>
    Single sign-on authentication takes precedence over other authentication methods. If your organization's security standards require that administrators or users use another authentication method, they can bypass single sign-on by adding the sso=n parameter to the URLs above. These URLs already carry a query string, so append it with & (for example, ...&redirect=no&sso=n) rather than a second ?, which would otherwise be read as part of the preceding parameter's value.
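The browser settings listed above, applied on a Windows client. This is an added example, not BlackBerry's own tooling. It assumes the host uem01.example.com and that the console is reached only over HTTPS. Edge and Chrome on Windows decide whether to offer Negotiate credentials from the Windows zone map, so the host is placed in the Local intranet zone; the Chromium AuthServerAllowlist policy, which the page does not mention, is set as well so the result does not depend on zone mapping being honoured. Firefox gets the host in network.negotiate-auth.trusted-uris through its enterprise policy file instead of a manual about:config edit.

```powershell
# Added example (not BlackBerry's own): client-side browser configuration for
# UEM single sign-on. Assumed host: uem01.example.com. The zone-map entry is
# per user (HKCU); the policy keys and the Firefox policy file are machine-wide
# and need an elevated shell.
$UemHost = 'uem01.example.com'        # host FQDN or pool name used in the SPNs (assumed)
$parts   = $UemHost.Split('.', 2)     # 'uem01', 'example.com'

# Local intranet zone: under ZoneMap\Domains\<domain>\<host>, the value name is
# the URL scheme and data 1 means zone 1 (Local intranet). Only https is mapped,
# so credentials are never offered to a plaintext URL on the same host.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$($parts[1])\$($parts[0])"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Explicit Negotiate allowlist for Edge (Chromium) and Chrome.
foreach ($policyKey in 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKLM:\SOFTWARE\Policies\Google\Chrome') {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'AuthServerAllowlist' -Value $UemHost -PropertyType String -Force | Out-Null
}

# Firefox: the Authentication.SPNEGO policy populates network.negotiate-auth.trusted-uris.
# Merge into an existing policies.json so other deployed policies survive.
$policyDir  = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
$policyFile = Join-Path $policyDir 'policies.json'
if (Test-Path (Split-Path $policyDir -Parent)) {
    New-Item -Path $policyDir -ItemType Directory -Force | Out-Null
    $policies = if (Test-Path $policyFile) { Get-Content $policyFile -Raw | ConvertFrom-Json }
                else { [pscustomobject]@{ policies = [pscustomobject]@{} } }
    if (-not $policies.policies.PSObject.Properties['Authentication']) {
        $policies.policies | Add-Member -NotePropertyName Authentication -NotePropertyValue ([pscustomobject]@{})
    }
    $spnego = @(@($policies.policies.Authentication.SPNEGO) + "https://$UemHost" |
        Where-Object { $_ } | Select-Object -Unique)
    $policies.policies.Authentication | Add-Member -NotePropertyName SPNEGO -NotePropertyValue $spnego -Force
    $policies | ConvertTo-Json -Depth 10 | Set-Content $policyFile -Encoding UTF8
}

# Reports which of the three settings are in place for the given host.
function Test-UemSsoClientConfig {
    param([string]$HostName)
    $p = $HostName.Split('.', 2)
    $zone = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$($p[1])\$($p[0])" -ErrorAction SilentlyContinue
    $edge = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue
    $ff   = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution\policies.json'
    [pscustomobject]@{
        IntranetZone = ($zone.https -eq 1)
        EdgeAllowlist = ($edge.AuthServerAllowlist -split ',' -contains $HostName)
        FirefoxSpnego = (Test-Path $ff) -and ((Get-Content $ff -Raw) -match [regex]::Escape("https://$HostName"))
    }
}

Test-UemSsoClientConfig -HostName $UemHost
```

On a server with Internet Explorer Enhanced Security Configuration enabled, the zone map lives under ZoneMap\EscDomains instead of ZoneMap\Domains. Users who prefer the per-profile about:config route from the page can skip the Firefox section; the policy file and the preference set the same trusted-URI list.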