Get the PDF

Configuring BlackBerry UEM for the first time
- Administrator permissions required to configure BlackBerry UEM
- Obtaining and activating licenses
Changing BlackBerry UEM certificates
- Considerations for changing BlackBerry Dynamics certificates
- Change a BlackBerry UEM certificate
Configuring BlackBerry UEM to send data through a proxy server
- Sending data through a TCP proxy server to the BlackBerry Infrastructure
- Sending data through the BlackBerry Router to the BlackBerry Infrastructure
  - Configure BlackBerry UEM to use the BlackBerry Router
Configuring connections through internal proxy servers
- Configure server-side proxy settings
Connecting to your company directories
Connecting to an SMTP server to send email notifications
- Connect to an SMTP server to send email notifications
Configuring database mirroring
Connecting BlackBerry UEM to Microsoft Azure
Enable access to the BlackBerry Web Services over the BlackBerry Infrastructure
Obtaining an APNs certificate to manage iOS and macOS devices
Configuring BlackBerry UEM for DEP
Configuring BlackBerry UEM to support Android Enterprise devices
Simplifying Windows 10 activations
Migrating users, devices, groups, and other data from a source server
Configuring BlackBerry UEM to support BlackBerry Dynamics apps
Integrating BlackBerry UEM with Cisco ISE

Configuring
Kerberos
PKINIT

BlackBerry UEM

supports

Kerberos

PKINIT for

BlackBerry Dynamics

user authentication using PKI certificates.

If you want to use

Kerberos

PKINIT for

BlackBerry Dynamics

apps, your organization must meet the following requirements:

Key points

Kerberos

Constrained Delegation must not be enabled.

The KDC host must be added to the Allowed Domains list in the

BlackBerry Dynamics

Connectivity Profile.

The KDC host must be listening on TCP port 88 (the

Kerberos

default port).

BlackBerry Dynamics

doesn't support KDC over UDP.

The KDC must have an

record (IPv4) or

AAAA

record (IPv6) in your DNS.

BlackBerry Dynamics

doesn't use

Kerberos

configuration files (such as

krb5.conf

) to locate the correct KDC.

The KDC can refer the client to another KDC host.

BlackBerry Dynamics

will follow the referral, as long as the KDC host that is referred to is added to the Allowed Domains list in the

BlackBerry Dynamics

Connectivity Profile.

The KDC can obtain the TGT transparently to

BlackBerry Dynamics

from another KDC host.

Server certificates

Windows

KDC server certificates issued via the Active Directory Certificate Services must come only from the following

Windows Server

versions. No other server versions are supported.

Internet Information Server with

Windows Server

2008 R2

Internet Information Server with

Windows Server

2012 R2

Valid KDC service certificates must be located either in the

BlackBerry Dynamics

Certificate Store or the Device Certificate Store.

Client certificates

The minimum keylength for the certificates must be 2,048 bytes.

Client certificates must include the User Principal Name (for example, user@domain.com) in the Subject Alternative Name of object ID szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3, as specified by Microsoft at https://support.microsoft.com/en-us/kb/287547.

The domain of the User Principal Name must match the name of the realm of the Windows KDC service.

The Extended Key Usage property of the certificate must be

Microsoft

Smart Card logon (1.3.6.1.4.1.311.20.2.2).

Certificates must be valid. Validate them against the servers listed above.

Section:

Configuring Kerberos for BlackBerry Dynamics apps

Configuring Kerberos PKINIT

Key points

Server certificates

Client certificates

Configuring
Kerberos
PKINIT