
Configure Kerberos Constrained Delegation

For multi-realm configuration, always start by configuring and testing a single realm first, then proceed to adding the other realms or forests.
If you are configuring KCD for BlackBerry Docs, see Configuring Kerberos constrained delegation for the Docs service.
For additional information about the keytab file, visit support.blackberry.com to read article 42712.
  1. Map the Kerberos service account to a service principal name (SPN). Open an administrator command prompt on the Active Directory server and type:
     setspn -s GCSvc/UEM_Core_host_machine DOMAIN\Kerberos_service_account
     Replace the host server name, domain, and service account variables with values appropriate to your environment. For example:
     setspn -s GCSvc/uem1.example.com example.com\kcdadmin
     The Kerberos service account is the service account name under which the KCD service will be configured in BlackBerry UEM (gc.krb5.principal.name). This account does not need to be the same as the BlackBerry UEM service account, but can be.
  2. Create the Kerberos keytab file. You must generate a new keytab file and copy it to the BlackBerry UEM server whenever you change the Kerberos account password.
     Creating the Kerberos keytab file also sets the Kerberos account password. The password given in this command becomes the password of the account that you specify in the command. If you have already been given a password, use the same one; if you use a different password, the command resets the account password. This includes the BlackBerry UEM service account password, if you use the UEM service account to create the keytab file. To create the keytab file, perform the following actions:
     1. Open a command prompt window on the KDC server.
     2. Use the ktpass command. For more information about the ktpass command, visit docs.microsoft.com.
        ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE -ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
        outfilename
          This is the name of the output file.
        kerberos_account
          This is the name of the Kerberos account.
        REALM_IN_UPPERCASE
          This is the Kerberos realm. The name must use only uppercase letters.
        -pass kerberos_account_password
          This is the existing password for the reused Kerberos account. If the kerberos_account_password contains special characters, such as ^, enclose it in double quotation marks.
        For example:
        ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE -ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
        or
        ktpass /out outfilename.keytab /mapuser kerberos_account@REALM_IN_UPPERCASE /princ kerberos_account@REALM_IN_UPPERCASE /ptype KRB5_NT_PRINCIPAL /pass kerberos_account_password
     3. Copy the new keytab file (for example, kcdadmin.keytab) saved in this directory to the BlackBerry UEM server. Important: If you have multiple BlackBerry UEM Core servers that are configured to use the same KCD admin account, you must copy the keytab file to every BlackBerry UEM server.
        You can copy the keytab file to any location on the servers, for example, c:\keytab. You will reference this location later on, so make a note of it.
  3. Enable enumeration of AD user objects' group membership. For more information, visit docs.microsoft.com to read "Privileged Accounts and Groups in Active Directory".
  4. On the BlackBerry UEM server, configure permissions for the BlackBerry UEM service account so it can send user credentials to the Kerberos system. This is the same account that has the associated service principal name (SPN). To configure permissions, perform the following actions:
     1. Open the Local Security Policy pane in the Windows console.
     2. Under Local Policies, select User Rights Assignments, then right-click Act as part of the operating system in the right panel and select Properties.
     3. In the Properties window, click Add User or Group, then type the name of the service account and click OK.
  5. Configure Kerberos-related properties in BlackBerry UEM.
     You can specify only one KDC (domain controller) in the BlackBerry UEM configuration for each BlackBerry UEM Core server. This means that all KCD-related calls to the domain controller will always go to that single KDC, so if that one KDC goes down, all KCD calls will fail.
     • In Settings > BlackBerry Dynamics > Global properties, the following settings are required to enable KCD in UEM.
       Use explicit UPN
         Enable this property to force BlackBerry UEM to perform authentication using the explicit UPN stored in Active Directory instead of the implicit UPN that is generated by combining a user’s alias and domain.
       Enable KCD (gc.krb5.enabled)
         Select this check box to enable KCD.
     • In Settings > BlackBerry Dynamics > Properties (click on the server name), the following settings are required to enable KCD in UEM.
       gc.krb5.kdc=<kdc_host_name>
         Example: UEM1.EXAMPLE.COM
         The fully qualified name of the KDC. It usually corresponds to the FQDN of an Active Directory domain controller.
       gc.krb5.keytab.file=<keytab_file_location>
         Example: c:/keytab/kcdadmin.keytab
         The location of the keytab file. Use forward slashes, not backslashes, in the pathname.
       gc.krb5.principal.name=<kcd_service_account>
         Example: kcdadmin@EXAMPLE.COM
         The name of the service account used by the KCD service.
       gc.krb5.realm=<REALM>
         Example: EXAMPLE.COM
         The name of the Active Directory realm. The value must be in all uppercase letters.
  6. (Optional) Create a krb5.conf file. This is required only if there is a CAPATH trust. Consult your Active Directory team if you need to create this file.
     The krb5.conf file is required to establish the CAPATH trust relationships of multiple Kerberos domains. The location of the krb5.conf file on the BlackBerry UEM server must be specified in the server property gc.krb5.config.file.
     Sample krb5.conf file:
       [libdefaults]
         default_realm = NA.POD1.COM
       [realms]
         NA.POD1.COM = {
           kdc = pod1-na-ad.na.pod1.com
         }
       [capaths]
         NA.POD1.COM = {
           APAC.POD2.COM = POD2.COM
           POD2.COM = POD1.COM
           POD1.COM = .
         }
         POD2.COM = {
           NA.POD1.COM = POD1.COM
           POD1.COM = .
         }
         APAC.POD2.COM = {
           NA.POD1.COM = POD1.COM
           POD1.COM = POD2.COM
           POD2.COM = .
         }
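As a check to run after creating the keytab in step 2 and entering the properties in step 5, the following Python script (added here; it is not part of the BlackBerry documentation) parses a keytab in the MIT format (version 0x0502) that ktpass writes, cross-checks it against the values you set for gc.krb5.principal.name and gc.krb5.realm, and flags any RC4-HMAC keys. The sample keytab bytes are constructed inline with dummy key material, and build_keytab, parse_keytab and check_keytab are names chosen for this example.

```python
import struct
RC4_HMAC, AES256_SHA1 = 23, 18   # Kerberos enctype numbers

def _cstr(data, pos):   # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries):   # constructed MIT-format (0x0502) keytab, the layout ktpass writes
    out = b"\x05\x02"
    for principal, vno, enctype, key in entries:
        user, realm = principal.split("@")
        body = struct.pack(">HH", 1, len(realm)) + realm.encode()     # one name component, realm
        body += struct.pack(">H", len(user)) + user.encode()
        # name type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno, enctype, key length, key bytes
        body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):   # returns [(principal, kvno, enctype)] for every live entry
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)         # negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _cstr(data, pos)
                comps.append(comp)
            vno, enctype, klen = struct.unpack_from(">BHH", data, pos + 8)  # after name type, timestamp
            pos += 13 + klen
            if end - pos >= 4:                          # optional 32-bit kvno overrides the byte
                (vno,) = struct.unpack_from(">I", data, pos)
            entries.append(("/".join(comps) + "@" + realm, vno, enctype))
        pos = end
    return entries

def check_keytab(data, principal_name, realm):   # cross-check with gc.krb5.principal.name / gc.krb5.realm
    entries = parse_keytab(data)
    problems = ["gc.krb5.realm must be all uppercase"] if realm != realm.upper() else []
    if principal_name not in {p for p, _, _ in entries}:
        problems.append(f"keytab has no key for {principal_name}")
    problems += [f"{p} uses RC4-HMAC (enctype 23)" for p, _, e in entries if e == RC4_HMAC]
    return problems

SAMPLE = build_keytab([("kcdadmin@EXAMPLE.COM", 3, AES256_SHA1, b"\x11" * 32)])  # constructed, dummy key
```

Run check_keytab on the copied file (open(path, "rb").read()) with the two property values; an empty list means the keytab matches the configuration.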