What's new in BlackBerry UEM 12.10

Android

Enable Android Enterprise for all Android Enterprise instances: The configuration wizard that appears on initial login to BlackBerry UEM now allows administrators to configure Android Enterprise. (JI 2539585)
Android SafetyNet improvements: The following improvements were made for Android SafetyNet support:
  •  A Google SafetyNet attestation failure option was added to the compliance profile. This option creates a compliance rule that specifies the actions that occur if devices do not pass SafetyNet attestation.
  •  An app grace period was added to the Android SafetyNet configuration.
  •  You can add a list of BlackBerry Dynamics apps that receive attestation challenges.
Policies for Android Enterprise devices: Policies have been added for logging of SMS, MMS and phone calls on Android Enterprise devices. You can enable the logging in a server group or in the default settings of the BlackBerry Connectivity Node setup page. You must upgrade the BlackBerry Connectivity Node to the most recent version before you can use this feature. (JI 856189)
Specify which certificates are used with Android apps: A new certificate mapping profile allows you to specify which user credential, SCEP, or shared certificate profile is used when an Android app requires a certificate. (JI 2517869)
Android app-based PKI: You can now use an app-based PKI solution such as Purebred with BlackBerry Dynamics apps on Android devices. (JI 1965015)
Samsung KNOX support: BlackBerry UEM now supports devices running Samsung KNOX 3.2. (JI 2573555)
Support for Samsung KNOX policies on Android Enterprise for all BlackBerry UEM activations: The benefits of Samsung KNOX are now available to Samsung KNOX devices when the devices are activated with an Android Enterprise activation type. Samsung KNOX devices that are activated with an Android Enterprise activation type now have Samsung KNOX policies applied. Even though devices already activated with a Samsung KNOX activation type continue to work, the Android Enterprise activation types are recommended for new activations. (JI 2510232)
 
| Samsung KNOX activation type | Recommended Android Enterprise activation type |
|---|---|
| Work and personal - full control (Samsung KNOX) | Not applicable. Continue to use the Work and personal - full control (Samsung KNOX) activation type. |
| Work and personal - user privacy - (Samsung KNOX) | Work and personal - user privacy - (Android Enterprise): No KNOX policies are applied to the device. If you want to apply KNOX policies in the work space, select “When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus.” |
| Work space only - (Samsung KNOX) | Work space only (Android Enterprise): KNOX MDM policies are applied to the device. If you want to apply KNOX policies in the work space, select “When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus.” |

iOS

Event notification: A new Administration section was added to the Event notifications page. The section contains a field that allows you to set up a notification that is sent when an administrator account gets locked. (JI 2529062)
Device unenrollment notification: The event notification that you receive for device unenrollment now includes the reason that the unenrollment occurred. (JI 2565941)
New S/MIME settings: New settings are available for iOS 12 and later devices. (JI 2571842)

| iOS: email profile settings | Description |
|---|---|
| User can toggle S/MIME signing | This setting specifies whether a user is allowed to turn the signing setting on/off. This setting applies only to iOS 12.0 and later devices. |
| User can change signing credentials | This setting specifies whether a user is allowed to change signing credentials. This setting applies only to iOS 12.0 and later devices. |
| User can override S/MIME encryption | This setting specifies whether a user is allowed to turn the encryption setting on/off. This setting applies only to iOS 12.0 and later devices. |
| User can override S/MIME encryption credentials | This setting specifies whether a user is allowed to change S/MIME encryption credentials. This setting applies only to iOS 12.0 and later devices. |

Per-app notification: When you are configuring per-app notifications for an iOS device, you can select the following new options:
  •  Enable critical alert: This option specifies whether a critical alert can override the do not disturb profile and notification settings. This setting applies only to iOS 12.0 and later devices.
  •  Show in CarPlay: This option specifies whether notifications display in Apple CarPlay. This setting applies only to iOS 12.0 and later devices.
Work app catalog search: Users can now perform a search in the work app catalog to easily find apps that are assigned to them.

BlackBerry Dynamics  

App deployment reports: For BlackBerry Dynamics apps, you can export app deployment reports to an .html file from the Apps screen in the management console. The report includes information about apps deployed by BlackBerry UEM and the users that have installed the apps on their devices. The report now includes a Status column that provides a status of the apps on each device, such as installed and not installed. (JI 2565954)
BlackBerry Dynamics access key email: When you generate BlackBerry Dynamics access keys for a user, you can specify whether to send an activation email to the user. (JI 2578997)
SCEP improvement: You can now configure BlackBerry Dynamics apps to use SCEP to retrieve certificates. (JI 2532872)

Installation 

Remove BlackBerry Collaboration Service, JRE, and JCE deployment from setup.exe: As of BlackBerry UEM release 12.10, the BlackBerry Collaboration Service and JRE are no longer bundled with the installer. If you are installing BlackBerry UEM, you must first download and install JRE (minimum version JRE 8u151).

Certificates  

Certificate-based authentication improvement: BlackBerry UEM now supports certificate-based authentication for logging in to the management console and UEM Self-Service. (JI 1465040)

BlackBerry UEM Notifications
  

User synchronization service from UEM: UEM administrators can now ensure all of their users are in the BlackBerry AtHoc system by synchronizing users from within the UEM console. Administrators can set up a user synchronization service as a system job that updates users periodically and keeps track of the changes.

New IT policy rules

| Device type | Group | Name | Description |
|---|---|---|---|
| Android | Global (all Android devices) | Allow outgoing calls | Specify if a user can place outgoing calls. If this rule is not selected, the device can only make emergency calls. All other outgoing calls are blocked. |
| Android | Global (all Android devices) | Send SMS/MMS logs to the BlackBerry Connectivity Node | Specify whether the device synchronizes logs for SMS text messages and MMS messages with your EMM server. |
| Android | Global (all Android devices) | Send phone logs to the BlackBerry Connectivity Node | Specify whether the device synchronizes the call log for the Phone app with your EMM server. |
| Android | Global (Samsung KNOX devices only) | Allow NFC | Specify whether a device can use NFC. |
| Android | Global (Samsung KNOX devices only) | Allow OTA updates | Specify if a device can update its OS using a Firmware Over-The-Air (FOTA) client (for example, Samsung KNOX EMM or WebSync DM). If this rule is not selected, all wireless update requests (user-initiated, server-initiated, and system-initiated) are blocked. The user may see messages related to new OS updates but any attempt to update the OS fails. |
| Android | Global (Samsung KNOX devices only) | Allow Wi-Fi | Specify whether a device can make Wi-Fi connections. After you deselect this rule and then reselect it, the device cannot use Wi-Fi until it is restarted. |
| Android | Global (Samsung KNOX devices only) | Allow Wi-Fi Direct | Specify if a device can use Wi-Fi Direct. When this rule is selected, the device can make connections using Wi-Fi Direct. This rule also affects the S Beam feature on Samsung devices. |
| Android | Global (Samsung KNOX devices only) | Allow tethering | Specify if a device can share its mobile network connection with other devices using Bluetooth. If this rule is not selected, the user cannot change this setting on the device. |
| Android | Global (Samsung KNOX devices only) | Allow Bluetooth tethering | Specify if a device can share its mobile network connection with other devices using Bluetooth. If this rule is not selected, the user cannot change this setting on the device. |
| Android | Global (Samsung KNOX devices only) | Allow USB tethering | Specify if a device can share its mobile network connection with other devices using USB. If this rule is not selected, the user cannot change this setting on the device. |
| Android | Global (Samsung KNOX devices only) | Allow Wi-Fi tethering | Specify if a device can share its mobile network connection with other devices using Wi-Fi. If this rule is not selected, the user cannot change this setting on the device. |
| Android | Global (Samsung KNOX devices only) | Allow firmware recovery | Specify if a user can update the operating system of a device using download mode. |
| Android | Global (Samsung KNOX devices only) | Require SD card encryption | Specify if a device must encrypt all data on the external SD card. This rule requires the value of the "Password requirements" rule to be at least "Alphanumeric." |
| Android | Work profile (Samsung KNOX devices only) | Require certificate revocation (CRL) check for apps | Specify if apps must check for revoked certificates in the server certificate chain when opening SSL connections in KNOX Workspace. This rule applies only to apps that use the standard Java SSL sockets and TrustManager implementation (including most native apps), but does not apply to third-party browsers. The certificate revocation check uses CRLs from the CRL distribution point listed in the certificates. If the "Require OCSP check" rule is selected, apps first check for certificate revocation using OCSP. If OCSP fails, then apps check the CRLs. |
| Android | Work profile (Samsung KNOX devices only) | Require OCSP check for apps | Specify if apps must use OCSP before using CRLs to check for revoked certificates when opening SSL connections in KNOX Workspace. The OCSP check uses the OCSP response server in the "Authority Information Access" extension in the certificate. |
| Android | Work profile (Samsung KNOX devices only) | Validate end-user installed certificates | Specify whether the device validates certificates installed by end users. If one of the validation checks (for example, certification path, expiration date, or revocation status) fails, the device blocks the installation of the certificate. |
| Android | Work profile (Samsung KNOX devices only) | Allow "Share via" list | Specify whether a work app can display the "Share via" list to allow a user to share content across work apps in the Workspace. |
| Android | Work profile (Samsung KNOX devices only) | Allow audio recording | Specify whether a device can record audio. If this rule is not selected, the user can still make calls and use audio streaming using the device microphone. This rule applies to phone calls, voice recognition, and VoIP. If an app declares a use type and does something else, then this rule cannot block the app. If you deselect this rule, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted. This rule applies to the Workspace only. |
| Android | Work profile (Samsung KNOX devices only) | Allow Google auto-sync | Specify if Google accounts and apps can sync automatically. This rule does not block Google Play from updating installed apps. Users can still manually sync from some apps, including Gmail. |
| Android | Work profile (Samsung KNOX devices only) | Allow video recording | Specify if a device can record video. If this rule is not selected, the camera is still available so that a user can take pictures and use video streaming. If you deselect this rule, any ongoing video recording is interrupted. |
| Android | Work profile (Samsung KNOX devices only) | Enable JavaScript | Specify whether the native Android browser prevents the browser from running JavaScript code for a website. If this rule is not selected, a website that requires JavaScript to be active to execute a function (for example, an animation) cannot execute the function. If this rule is not selected, a user cannot change the setting on the device. |
| Android | Work profile (Samsung KNOX devices only) | Allow fingerprint authentication | Specify whether the user can use fingerprint authentication for the KNOX Workspace. |
| Android | Work profile (Samsung KNOX devices only) | Allow iris authentication | Specify whether a user can authenticate with the work space using an iris scan. |
| Android | Work profile (Samsung KNOX devices only) | Allow password visibility | Specify whether the Workspace password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting. |
| iOS | Security and privacy | Allow managed apps to add contacts to unmanaged accounts | Specify whether users can add contacts from managed apps to unmanaged contacts accounts. |
| iOS | Security and privacy | Allow unmanaged apps to read contacts from managed accounts (supervised only) | Specify whether unmanaged apps can read contacts from managed contacts accounts. |
| Windows Phone | Security and privacy | Default app access to diagnostic information | Specify whether apps can access device diagnostic information about other apps by default. If you select "User controlled," the user can choose whether to allow access. If you select "Allow," apps can access diagnostic information. If you select "Disallow," apps can't access diagnostic information. |
| Windows Phone | Security and privacy | Apps allowed access to diagnostic information | Specify the list of apps that are always allowed to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
| Windows Phone | Security and privacy | Apps not allowed access to diagnostic information | Specify the list of apps that are never allowed to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
| Windows Phone | Security and privacy | App access to diagnostic information controlled by user | Specify the list of apps that users can choose to allow to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
| Windows Phone | Security and privacy | Default apps can run in background | Specify whether apps can run in background by default. If you select "User controlled," the user can choose whether to allow access. If you select "Allow," apps can run in background. If you select "Disallow," apps can't run in background. |
| Windows Phone | Security and privacy | Apps allowed to run in background | Specify the list of apps that are always allowed to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |
| Windows Phone | Security and privacy | Apps not allowed to run in background | Specify the list of apps that are never allowed to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |
| Windows Phone | Security and privacy | App ability to run in background controlled by user | Specify the list of apps that users can choose to allow to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |