Configuring BlackBerry UEM
Changing the certificates that BlackBerry UEM uses for secure communication
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Installing the BlackBerry Connectivity Node to connect to resources behind your organization's firewall
- Steps to install and activate the BlackBerry Connectivity Node
- Requirements: BlackBerry Connectivity Node
- Install and configure the BlackBerry Connectivity Node
  - Install the BlackBerry Connectivity Node for UEM Cloud using the command prompt
- Create a server group to manage regional connections
- Troubleshooting: BlackBerry Connectivity Node
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use a transparent TCP proxy server
  - Enable SOCKS v5 on a TCP proxy server
- Install a standalone BlackBerry Router in a UEM Cloud environment
Configure connections through internal proxy servers
Connect to an SMTP server to send email notifications
Connecting to your company directories
- Connect to a Microsoft Active Directory instance
- Connect to an LDAP directory
- Enable directory-linked groups
- Enable and configure onboarding and offboarding
- Synchronize a directory connection
Connect BlackBerry UEM to Entra ID to create directory user accounts
Configuring BlackBerry UEM to manage Microsoft Intune app protection profiles
- Prerequisites to support Intune app protection
- Create an app registration in Entra
- Configure BlackBerry UEM to synchronize with Microsoft Intune
Configuring BlackBerry UEM as an Intune compliance partner in Entra
- Prerequisites to configure Entra ID conditional access
- Configure Entra ID conditional access
Obtaining an APNs certificate to manage iOS and macOS devices
- Request and register an APNs certificate
- Troubleshooting: APNs
Configure BlackBerry UEM for DEP
Configuring BlackBerry UEM to support Android Enterprise devices
- Configure BlackBerry UEM to support Android Enterprise devices
Configuring BlackBerry UEM to support Android Management devices
- Configure Android Management in the Google Cloud console
- Configure Android Management in BlackBerry UEM
Extending the management of Chrome OS devices to BlackBerry UEM
- Create a service account to authenticate with the Google domain
- Enable UEM to synchronize Chrome OS data
- Integrate UEM with the Google domain
Simplifying Windows 10 activations
- Integrate UEM with Entra ID join
  - Configure Windows Autopilot for device activation
Migrating users, devices, groups, and other data from a source server
- Prerequisites: Migrating users, devices, groups, and other data from a source BlackBerry server
- UEM migration best practices and considerations
- Connect to a source server
- Migrate IT policies, profiles, and groups from a source server
- Migrate users from a source server
- Migrate devices from a source server
Configuring network communication and properties for BlackBerry Dynamics apps
- Manage BlackBerry Proxy clusters
- Configure Direct Connect using port forwarding
- Configure BlackBerry Dynamics properties
- Configure communication settings for BlackBerry Dynamics apps
- Sending BlackBerry Dynamics app data through an HTTP proxy
  - Considerations for using a PAC file with BlackBerry Proxy
  - Configure BlackBerry Dynamics app proxy settings
- Methods for routing traffic for BlackBerry Dynamics apps
  - Example routing scenarios for BlackBerry Dynamics traffic
- Configuring Kerberos authentication for BlackBerry Dynamics apps
Encrypt the connection between BlackBerry UEM and Microsoft SQL Server
Integrating BlackBerry UEM with Cisco ISE
- Managing network access and device controls using Cisco ISE
- Requirements: Integrating BlackBerry UEM with Cisco ISE
- Connect BlackBerry UEM to Cisco ISE
Set up VPN using Knox StrongSwan for UEM dark site environments

Enable and configure onboarding and offboarding

When you enable onboarding, you add universal or global directory groups to

UEM

as onboarding directory groups (onboarding is not supported for domain local groups). During a synchronization process, if

UEM

detects a directory user in an onboarding directory group that does not have a corresponding

UEM

user account, it creates that user account in

UEM

. When you enable onboarding you can also configure offboarding; when you disable or remove a user from an onboarding directory group,

UEM

can delete device data and remove the user from

UEM

When offboarding is enabled, any

UEM

user accounts that are not members of an onboarding directory group, regardless of how they were added to

UEM

, are offboarded during the next synchronization process.

Connect to your organization's directory:

UEM

on-premises: Connect to a Microsoft Active Directory instance or Connect to an LDAP directory.

UEM Cloud

: Install and configure the BlackBerry Connectivity Node to connect to Microsoft AD or LDAP.

On-premises or Cloud: Connect BlackBerry UEM to Entra ID to create directory user accounts.

Verify that a company directory synchronization is not in progress. You cannot save the changes you make to the company directory connection until the synchronization is complete.

To onboard members of global groups, you must enable support for global groups in your Microsoft Active Directory connection settings.

In the management console, on the menu bar, click

Settings > External integration > Company directory

Click a company directory connection.

On the

Sync settings

tab, select the

Enable directory-linked groups

check box.

Select the

Enable onboarding

check box.

Do any of the following:

Task	Steps
Add onboarding directory groups and configure device activation options.	Click . Search for and add universal or global directory groups. For each directory group, select whether you want to link nested groups. In the Device activation section, select whether you want onboarded users to receive an autogenerated activation password and email, or no activation password. If you select the autogenerated password option, configure the activation period and select an activation email template.
Onboard users that you only want to use BlackBerry Dynamics apps.	Follow these steps if you want to onboard users who will use BlackBerry Dynamics apps only. These users will not activate their devices on UEM using the UEM Client and their devices will not be managed by UEM . Select the Onboard users with BlackBerry Dynamics apps only check box. Click . Search for and add universal or global directory groups. For each directory group, select whether you want to link nested groups. Specify the number of access keys to generate per user, the access key expiration period, and the email template.
Configure offboarding.	If you want to delete device data when a user is offboarded from UEM , select the Delete device data when the user is removed from all onboarding directory groups check box. Do the following: Select the appropriate option for the data that you want to remove from the device. If you want to remove a user from UEM when that user is removed from all onboarding directory groups, select the Delete user when the user is removed from all onboarding directory groups check box. If you want to delay the deletion of users and device data for two hours after a synchronization cycle, select the Offboarding protection check box. This option can help avoid unexpected deletions because of directory replication latency.

In the

Sync limit - percent of users to be off-boarded or removed

field, specify the maximum percentage of users in a group that can be removed or offboarded in a synchronization activity. If this maximum is exceeded,

UEM

does not carry out any removal or offboarding actions on the group during a synchronization. For example, if you specify the limit as 80%, if 81% or more of the users in a group would be removed or offboarded in a synchronization activity,

UEM

will not remove or offboard any users from that group. By default, the limit is 100%, which means that

UEM

will not carry out removal or offboarding actions on a group if all of the users that belong to that group are impacted.

In the

Sync limit - minimum group size threshold field

, specify the minimum number of users that a directory group must contain before

UEM

will apply the maximum limit that you specified in

Sync limit - percent of users to be off-boarded or removed

. The maximum sync limit percentage does not apply to groups with fewer users than the minimum group size that you specify. The default minimum threshold is 10 (a group must contain at least 10 users for

UEM

to factor in the maximum sync limit percentage; the maximum synch limit does not apply to groups of 9 or less users). Type 0 if you want

UEM

to apply the maximum sync limit to all groups regardless of group size.

If you want to force the synchronization of company directory groups, select the

Force synchronization

check box.

If enabled, when a group is removed from the company directory, the links to that group are removed from directory-linked groups and onboarding directory groups. If all of the company directory groups associated with a directory-linked group are removed, the directory-linked group is converted to a local group.

In the

Maximum nesting level of directory groups

field, type the number of nested levels to synchronize for company directory groups.

Click

Save

Optionally, configure directory synchronization.

Section:

Connecting to your company directories