Configure single sign-on for BlackBerry Dynamics apps in BlackBerry UEM

You can enable single sign-on for BlackBerry Dynamics apps in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
Before you begin, make sure that you have configured the following:
  • Single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
  • BlackBerry UEM for Kerberos constrained delegation.
  1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have registered an SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
    1. Open a command prompt on a computer with Active Directory RSAT tools installed.
    2. Enter the command:
       setspn -q HOST/fqdn.of.adfs.server
       where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
    This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, but only HTTP is needed) you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command:
    setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account
    where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
  2. Enable the user agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
    1. To enable single sign-on in BlackBerry Dynamics apps, you need to add the BlackBerry Dynamics app user agent string to Active Directory Federation Services to allow Windows Authentication for the BlackBerry Dynamics app and Kerberos constrained delegation. For all platforms, the BlackBerry Dynamics app user agent string begins with Mozilla/5.0.
    2. To verify the Active Directory Federation Services user agents, enter the following command:
       Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    3. Edit and run the following script to add the new user agent to Active Directory Federation Services. $NewUserAgent must be edited to the value that you will add.
       $NewUserAgent = "Mozilla/5.0"
       $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
       $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
       Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
    4. To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again:
       Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    5. Restart the Active Directory Federation Services service.
  3. Set delegation on the Kerberos account.
    1. Log in to BlackBerry UEM.
    2. Click Settings > BlackBerry Dynamics > Properties.
    3. Scroll to find the value of the gc.krb5.principal.name property. Set this object name in Microsoft Active Directory.
    4. On your Microsoft Active Directory server, click the Delegation tab.
    5. Click ADD and enter the Active Directory Federation Services service account name that you discovered in step 1.
    6. Add the HTTP SPN.
    7. Click OK.
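The three steps above as a single PowerShell script, added here as an example and not part of the BlackBerry documentation or UEM itself. It checks that the HOST SPN exists, registers the narrower HTTP SPN only if it is missing, adds the BlackBerry Dynamics user agent to AD FS only if it is not already listed (Set-AdfsProperties replaces the whole list, so a blind append on re-run would duplicate it), and finally reads back the constrained-delegation targets on the UEM Kerberos account so you can confirm that step 3 took effect and that nothing broader than the HTTP SPN was delegated. The values adfs.example.com, svc_adfs and svc_uem are placeholders, the AD FS service name adfssrv and the read-only check of the msDS-AllowedToDelegateTo attribute are assumptions of mine that the page does not describe, and the script assumes the ADFS and ActiveDirectory modules are available on the host you run it from.

```powershell
# Added example: verify AD FS SPNs, add the BlackBerry Dynamics user agent
# idempotently, and read back constrained delegation on the UEM Kerberos account.
# All names below are placeholders; replace them with your own values.
param(
    [string]$AdfsFqdn        = "adfs.example.com",  # placeholder: FQDN of the AD FS server
    [string]$AdfsServiceAcct = "svc_adfs",          # placeholder: account shown by setspn -Q HOST/
    [string]$UemKrbAccount   = "svc_uem",           # placeholder: value of gc.krb5.principal.name
    [string]$NewUserAgent    = "Mozilla/5.0"        # user agent prefix used by BlackBerry Dynamics apps
)

Import-Module ADFS
Import-Module ActiveDirectory

# --- Step 1: SPNs ---------------------------------------------------------
$hostSpn = "HOST/$AdfsFqdn"
$httpSpn = "HTTP/$AdfsFqdn"

# setspn -Q prints "Existing SPN found!" when the SPN is registered. The
# output is an array of lines, so join it before matching.
$hostText = (& setspn.exe -Q $hostSpn) -join "`n"
if ($hostText -notmatch 'Existing SPN found') {
    throw "$hostSpn is not registered; check the Office 365 / AD FS prerequisite configuration."
}
Write-Host "HOST SPN is registered:`n$hostText"

# Prefer the narrower HTTP SPN as the delegation target; register it only if absent.
$httpText = (& setspn.exe -Q $httpSpn) -join "`n"
if ($httpText -notmatch 'Existing SPN found') {
    # -S checks for duplicate SPNs before adding, so it will not create a second owner.
    & setspn.exe -S $httpSpn $AdfsServiceAcct
} else {
    Write-Host "$httpSpn is already registered."
}

# --- Step 2: WIA supported user agents ------------------------------------
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
if ($current -contains $NewUserAgent) {
    Write-Host "'$NewUserAgent' is already in WIASupportedUserAgents."
} else {
    # Set-AdfsProperties overwrites the list, so pass the existing entries plus the new one.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $NewUserAgent)
    # Assumption: the AD FS Windows service is named adfssrv on this server.
    Restart-Service -Name adfssrv
}

# Read the list back and fail loudly if the entry did not stick.
$after = @((Get-AdfsProperties).WIASupportedUserAgents)
if ($after -notcontains $NewUserAgent) {
    throw "'$NewUserAgent' was not added to WIASupportedUserAgents."
}

# --- Step 3: read back delegation on the UEM Kerberos account -------------
# "Trust this user for delegation to specified services only" (the Delegation
# tab) writes the allowed target SPNs into msDS-AllowedToDelegateTo.
$acct    = Get-ADUser -Identity $UemKrbAccount -Properties msDS-AllowedToDelegateTo
$targets = @($acct.'msDS-AllowedToDelegateTo')

Write-Host "Constrained delegation targets for ${UemKrbAccount}:"
$targets | ForEach-Object { Write-Host "  $_" }

if ($targets -notcontains $httpSpn) {
    Write-Warning "$httpSpn is not in the delegation list yet; complete step 3 in Active Directory."
}
if ($targets -contains $hostSpn) {
    Write-Warning "$hostSpn is delegated; HOST/ covers every protocol, consider restricting to $httpSpn."
}
```

Run it from an elevated PowerShell session as an AD FS administrator, for example `.\Check-DynamicsSso.ps1 -AdfsFqdn adfs.corp.example -UemKrbAccount svc_uem`. The restart in step 2 interrupts AD FS sign-in for a few seconds, and it only happens when the user agent actually had to be added, which is why the script checks the list first rather than always appending and restarting.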