Key features for each device type

iOS devices

Feature
Description
Run app lock mode
On iOS devices that are supervised using Apple Configurator 2, you can use an app lock mode profile to limit the device to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sales demonstrations.
Device activation
You can use Apple Configurator 2 to prepare devices for activation in BlackBerry UEM. Users can activate the prepared devices without using the BlackBerry UEM Client app.
Filter web content on iOS 7 and later devices
For devices that run iOS 7.0 and later, you can use web content filter profiles to limit the websites that a user can view on a device. You can enable automatic filtering with the option to allow and restrict websites, or allow access only to specific websites.
Link Apple VPP accounts to a BlackBerry UEM domain
The Volume Purchase Program (VPP) allows you to buy and distribute iOS apps in bulk. You can link Apple VPP accounts to a BlackBerry UEM domain so that you can distribute purchased licenses for iOS apps associated with the VPP accounts.
Apple Device Enrollment Program
You can configure BlackBerry UEM to use the Apple Device Enrollment Program (DEP) so that you can synchronize BlackBerry UEM with the DEP. After you configure BlackBerry UEM, you can use the BlackBerry UEM management console to manage the activation of the iOS devices that your organization purchased for the DEP. You can use multiple DEP accounts.
You can link multiple Apple DEP accounts to one BlackBerry UEM domain.
For more information about configuring BlackBerry UEM and activating iOS devices that are enrolled in the DEP, see the Configuration content and the Administration content.
Support for app-based PKI solutions
Added support for app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can now install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.
Use custom payload profiles
You can use custom payload profiles to control features on iOS devices that are not controlled by existing BlackBerry UEM policies or profiles. You can create Apple configuration profiles using Apple Configurator and add them to BlackBerry UEM custom payload profiles. You can assign the custom payload profiles to users, user groups, and device groups.
BlackBerry Secure Gateway
The BlackBerry Secure Gateway allows iOS devices with the MDM controls activation type to connect to your work email server through the BlackBerry Infrastructure and BlackBerry UEM. If you use the BlackBerry Secure Gateway, you don't have to expose your mail server outside of the firewall to allow users with these devices to receive work email when they are not connected to your organization's VPN or work Wi-Fi network.
Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow iOS devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.
Per-app VPN
You can set up per-app VPN for iOS devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For iOS devices, apps are associated with a VPN profile when you assign the app or app group to a user, user group, or device group.
Apple Activation Lock
The Activation Lock feature on iOS 7 and later devices requires the user's Apple ID and password before a user can turn off Find My iPhone, erase the device, or reactivate and use the device. You can bypass the activation lock to give a COPE or COBO device to a different user.
Personal app lists
You can view a list of apps that are installed in a user's personal space on iOS devices in your environment. You can view a list of personal apps installed on a user’s device on the User Details page or view a list of all personal apps installed in users’ personal spaces on the Personal apps page in the management console.
Lost Mode for supervised iOS devices
Lost Mode allows you to lock a device, set a message that you want to display, and view the current location of the lost device. You can enable Lost Mode for supervised iOS devices running iOS 9.3 or later.
IBM Notes Traveler support
iOS devices can now connect to IBM Notes Traveler through the BlackBerry Secure Gateway.
Face ID support
BlackBerry UEM supports Face ID for device authentication and to open BlackBerry Dynamics apps.
Shared device management
You can allow multiple users to share an iOS device. You can customize terms of use that users must accept to check out shared devices. A user can check out a device using local authentication and when they are done using it, they can check it in and the device is available for the next user. Shared devices remain managed by BlackBerry UEM during the check-out and check-in process. This feature was designed for supervised devices with the following configuration:
  • App lock mode enabled
  • VPP apps assigned

Android devices

Feature
Description
Manage devices using Android MDM
Android MDM uses the basic management options that are native to the Android OS to manage the device. A separate, protected container is not created. For more information about managing devices using Android MDM, see the Administration content.
Manage devices using KNOX MDM and KNOX Workspace
BlackBerry UEM can manage Samsung devices using Samsung KNOX MDM and Samsung KNOX Workspace. KNOX Workspace provides an encrypted, password-protected container on a Samsung device that includes your work apps and data. It separates a user’s personal apps and data from your organization’s apps and data and protects your apps and data using enhanced security and management capabilities that Samsung developed.
When a device is activated, BlackBerry UEM automatically identifies whether the device supports KNOX. In addition to the standard Android management capabilities, BlackBerry UEM includes the following management capabilities for devices that support KNOX:
  • An enhanced set of IT policy rules
  • Enhanced application management including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions to installing restricted apps
  • App lock mode
For more information about supported devices, see the Compatibility matrix. For more information about KNOX, visit https://www.samsungknox.com. For more information about managing devices using KNOX, see the Administration content.
Manage Android Enterprise devices
You can activate Android devices that run Android OS 5.1 or later to use Android Enterprise, which is a feature developed by Google that provides additional security for organizations that want to manage Android devices and allow their data and apps on Android devices. For more information about managing Android Enterprise devices, see the Administration content.
Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow Android devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.
Per-app VPN
You can enable per-app VPN for Android devices that have a work profile to restrict the use of BlackBerry Secure Connect Plus to specific work space apps that you add to an allowed list.
Zero-touch enrollment
BlackBerry UEM supports zero-touch enrollment only for devices running Android 8.0 or later that have been enabled for zero-touch enrollment. Zero-touch enrollment offers a seamless deployment method for organization-owned Android devices, making large-scale device deployment fast, easy, and secure for the organization and employees. Zero-touch enrollment makes it simple for IT administrators to configure devices online and have enforced management ready when employees receive their devices. See the information from Google, Zero-touch enrollment management, and the zero-touch enrollment overview information. You can get started with zero-touch enrollment in just a few steps: purchase devices, assign the devices to users, configure policies for your organization, and deploy the devices to users. You need to work with your reseller or carrier to get access to the Zero-touch portal and get devices configured in the portal.
Support for app-based PKI solutions
Added support for app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can now install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.
Android SafetyNet
When administrators enable Android SafetyNet attestation, BlackBerry UEM sends challenges to test the authenticity and integrity of Android devices that have been activated with the Android Enterprise, Samsung KNOX, and MDM controls activation types in your organization's environment.
Derived smart credentials
Use Entrust IdentityGuard derived smart credentials for signing, encryption, and authentication for BlackBerry Dynamics apps and apps in the work space on Android work profile and Samsung KNOX Workspace devices.

Windows devices

Feature
Description
Support for Windows 10 devices
You can manage Windows 10 devices, including Windows 10 Mobile devices and Windows 10 tablets and computers. Silver licenses are required to activate Windows 10 devices.
Proxy support for Windows 10 devices
You can configure VPN and Wi-Fi work connections for Windows 10 devices and you can set up a proxy server as part of the Wi-Fi profile for Windows 10 Mobile devices.
Per-app VPN
You can set up per-app VPN for Windows 10 devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For Windows 10 devices, apps are added to the app trigger list in the VPN profile.
Windows Information Protection for Windows 10 devices
You can configure Windows Information Protection profiles to separate personal and work data on devices, prevent users from sharing work data outside of protected work apps or with people outside your organization, and audit inappropriate data sharing practices. You can specify which apps are protected and trusted to create and access work files.

BlackBerry 10 devices

Feature
Description
Manage work information separately on a BlackBerry 10 device
BlackBerry Balance technology makes sure that personal and work information and apps are separated on BlackBerry 10 devices. It creates a personal space and a work space and provides full management of the work space. For government and regulated industries that want to lock the device down further, additional options include full control over the work space and some control over the personal space, or you can create only a work space on the device to give your organization full control over the device.