Configure single sign-on for
BlackBerry UEM

If you connect

BlackBerry UEM

Microsoft Active Directory

, you can configure single sign-on authentication to allow administrators or users to bypass the login page and access the management console or

BlackBerry UEM Self-Service

directly. When administrators or users log in to

Windows

, the browser uses their credentials to authenticate them with

UEM

automatically.

Windows

Active Directory

credentials or derived credentials (for example, from CAC readers or digital tokens).

This feature is not supported by

UEM Cloud

Do the following to configure

Kerberos

delegation for the

Active Directory

account that

UEM

uses for the directory connection:

Use the

Windows Server

ADSI Edit tool or setspn command-line tool to add the following SPNs for

UEM

to the

Active Directory

account:

HTTP/<host_FQDN_or_pool_name> (for example, HTTP/uem01.example.com)

BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/uem01.example.com)

For example:

setspn -U -S HTTP/uem01.example.com uemaccount

setspn -U -S BASPLUGIN111/uem01.example.com uemaccount

The name of the

Active Directory

account in the command must match the User Principal Name. The password for the

Active Directory

account must not contain spaces or any of the following special characters: !, #, $, %, ^, (, ), &, =, ', ", ;, >, <, |, comma (,), or \

Microsoft Active Directory Users and Computers

, search for the

Active Directory

user account. In the account properties, on the

Delegation

tab, enable

Trust this user for delegation to specified services only

and

Use Kerberos only

Add the HTTP and BASPLUGIN111 services.

If you enable single sign-on for multiple

Active Directory

connections, verify that there are no trust relationships between the

Active Directory

forests.

In the

UEM

management console, on the menu bar, click

Settings > External integration > Company directory

In the

Configured directory connections

section, click an

Active Directory

connection.

On the

Authentication

tab, select the

Enable Windows single sign-on

check box.

Click

Save

Click

Save

again.

Click

Restart the

UEM

services on each computer that hosts a

UEM

instance.

Instruct administrators and

UEM Self-Service

users to configure their browsers to support single sign-on for

UEM

Microsoft Edge

: The management console and

UEM Self-Service

URLs must be assigned to the local intranet zone. Enable Integrated

Windows

Authentication.

Mozilla Firefox

: In the about:config list, Add https://, <host_FQDN_or_pool_name> to the "network.negotiate-auth.trusted-uris" preference.

Google Chrome

: The management console and

UEM Self-Service

URLs must be assigned to the local intranet zone.

Instruct administrators and users to use the following URLs:

Management console: https://<host_FQDN_or_pool_name>:<port>/admin/index.jsp?tenant=<tenant_ID>&redirect=no

UEM Self-Service

: https://<host_FQDN_or_pool_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>&redirect=no

If you integrate UEM with Entra ID, the

UEM

console URLs change to the following ("&redirect=no" is removed from the end of the URL):

Management console: https://<server_name>:<port>/admin/index.jsp?tenant=<tenant_ID>

Self-service console: https://<server_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>

Single sign-on authentication takes precedence over other authentication methods. If your organization's security standards require that administrators or users use another authentication method, the single sign-on method can be circumvented by appending ?sso=n to the end of the URLs above.

Section:

Configuring console login options

Configure single sign-on for BlackBerry UEM

Configure single sign-on for
BlackBerry UEM