Create an activation profile

If you enable attestation for your organization’s BlackBerry UEM instance, the authenticity and integrity of the device are checked during Android device activation. Ensure that users have BlackBerry UEM Client for Android version 12.9 MR1 or later installed on their devices before you enable this feature.
  1. On the menu bar, click Policies and Profiles.
  2. Click Policy > Activation.
  3. Click  .
  4. Type a name and description for the profile.
  5. In the Number of devices that a user can activate field, specify the maximum number of devices the user can activate.
  6. In the Device ownership drop-down list, select the default setting for device ownership. Perform one of the following actions:
    • If some users activate personal devices and some users activate work devices, select Not specified.
    • If users typically activate work devices, select Work.
    • If users typically activate personal devices, select Personal.
  7. Optionally, select an organization notice in the Assign organization notice drop-down list. If you assign an organization notice, users activating BlackBerry 10, Windows 10, iOS, or macOS devices must accept the notice to complete the activation process.
  8. In the Device types that users can activate section, select the device types as required. Device types that you don't select are not included in the activation profile and users can't activate those devices.
  9. Perform the following actions for each device type included in the activation profile:
    • Click the tab for the device type.
    • In the Device model restrictions drop-down list, select whether to allow or restrict specified devices or to have no restrictions. Click Edit to select the devices you want to restrict or allow, and click Save.
    • In the Allowed version drop-down list, select the minimum allowed version.
    • On the Windows tab, you can select one or both form factor options and choose whether to allow or disallow those form factors in the Device model restrictions drop-down list.
    • In the Activation type section, select an activation type.
      • For Android devices, you can select multiple activation types and rank them to meet your organization's requirements.
      • The "MDM controls" activation type is deprecated for devices with Android 10 and later.
      • For Android devices, if you select an Android Enterprise activation type, you can select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus." option to enable BlackBerry Secure Connect Plus and KNOX Platform for Enterprise features (for devices that support Samsung KNOX).
      • For Android devices, if you select the "MDM controls" activation type and you do not want KNOX MDM policy rules to be applied to the devices, clear the "Activate Samsung KNOX APIs on MDM Controls activations" check box. This setting applies only to devices that support KNOX MDM.
      • For Android devices, if you select one of the Samsung KNOX activation types and want to use Google Play to manage work apps, select "Google Play app management for Samsung Knox Workspace devices". This option is available only if you have configured a connection to a Google domain. For more information, see the Configuration content.
      • For iOS devices, if you select the "User privacy" activation type and you want to enable SIM-based licensing, you must select the "Allow access to SIM card and device hardware information to enable SIM-based licensing" option.
      • For iOS devices, if you select the "MDM controls" or "User privacy" (with SIM-based licensing) activation types, you can restrict unsupervised devices by selecting "Do not allow unsupervised devices to activate."
  10. For Android devices, in the SafetyNet attestation options section, you can optionally select an attestation method. The choices are:
    • Perform SafetyNet attestation for device: BlackBerry UEM sends challenges to test the authenticity and integrity of devices.
    • Perform SafetyNet attestation on device activation: BlackBerry UEM sends challenges to test the authenticity and integrity of devices when they are activated.
    • Perform SafetyNet attestation on BlackBerry Dynamics app activation: BlackBerry UEM sends challenges to test the authenticity and integrity of BlackBerry Dynamics apps when they are activated.
  11. For Android devices, in the Hardware attestation options section, you can optionally select an attestation method.
    • Perform hardware attestation on device activation: BlackBerry UEM sends challenges to devices when they are activated to ensure the required security patch level is installed.
  12. For iOS devices, in the iOS app integrity check section, you can optionally select an attestation method. The choices are:
    • Perform periodic app integrity checks: BlackBerry UEM sends challenges to devices to check the integrity of iOS work apps.
    • Perform app integrity check on BlackBerry Dynamics app activation: BlackBerry UEM sends challenges to devices when they are activated to check the integrity of iOS work apps.
  13. Click Add.

If necessary, rank profiles.