What's new in BlackBerry UEM 12.11

Security

  • Use this feature in a beta environment only.
    iOS app integrity check: You can use the iOS app integrity check framework to check the integrity of iOS work apps that have been published to the App Store. This feature uses Apple DeviceCheck and other methods to provide a way to identify that your app is running on a valid Apple device and that the app is published by the specified Apple Team ID. For more information on Apple DeviceCheck, see the information from Apple. This setting applies only to devices running iOS 11 and later. Activation of BlackBerry Dynamics apps that were built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier will fail if you enable the ‘Perform app integrity check on BlackBerry Dynamics app activation’ option in the activation profile and if you add those apps for iOS app integrity check. If a BlackBerry Dynamics app that was built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier is already activated, and you select the 'Perform periodic app integrity checks' option in the Activation profile, the app will fail the periodic attestation check and the device will be subject to the enforcement action specified in the compliance profile that is assigned to the user.
    Note: You cannot enable the iOS app integrity checking on enterprise apps that your organization has developed and distributed internally using the Apple Enterprise Distribution program.

Management Console

  • BlackBerry Dynamics Connectivity profile change: The Route All option has been replaced with a Default Route option in the BlackBerry Dynamics Connectivity profile, allowing for more detailed control over how BlackBerry Dynamics apps built using the latest BlackBerry Dynamics SDK can connect to app servers. This allows you to configure rules to avoid double tunneling the UEM App Store and UEM hosted application push.
  • BlackBerry Dynamics access keys: You can now generate BlackBerry Dynamics access keys for users that do not have an email address.
  • Notifications for changes to Android Enterprise apps: Administrators can now receive notifications when the status of an Android Enterprise app on Google Play has changed and requires review. When an app requires review, UEM marks the apps listed on the Apps screen. Administrators can apply a filter to easily see the apps that need to be reviewed or approved and take the appropriate action. From the Settings > Event notifications menu, you can set the types of events that you want administrators to be notified about. For example, you can notify administrators if an app requires review if changes were made to the app’s availability, version, approval status, permissions, app configuration schemas, or if an app was not successfully installed on a user’s device.
  • Whitelist antivirus vendors for Windows devices: In the compliance profile, in the “Antivirus status” rule for Windows devices, you can now choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.
  • User credential profiles support using Entrust for BlackBerry Dynamics apps: You can now use your Entrust PKI connection to enroll certificates for BlackBerry Dynamics apps using the User credential profile.
  • Compliance violation reporting: When a device is out of compliance, violations and any applicable actions display on the device summary page. To see which apps are in a noncompliant state, click on the ‘View noncompliant apps’ link. A device with performance alerts or compliance violations is flagged with a caution icon. Types of violations that are reported include:
    • Rooted OS or failed attestation (Android only)
    • SafetyNet attestation failure (Android only)
    • Jailbroken OS (iOS only)
    • Restricted OS version is installed (iOS, Android, macOS, Windows)
    • Restricted device model detected (iOS, Android, macOS, Windows)
    • BlackBerry Dynamics library version verification (iOS, Android, macOS, Windows)
    • BlackBerry Dynamics apps connectivity verification (iOS, Android, macOS, Windows)
    • Antivirus status (Windows only)
    In the management console, you can filter on any of the compliance rules when they occur.
  • Device compliance report: On the dashboard, the device compliance report now shows whether either the BlackBerry UEM Client or a BlackBerry Dynamics app is out of compliance.
  • Device report update: The device report now includes the BlackBerry Dynamics compliance rule status.
  • Automatic device and OS metadata updates: If a user activates a device with a model or OS version that is unknown to BlackBerry UEM, UEM automatically adds the new device or version metadata to the UEM database so that the metadata is available for Activation, Compliance, and Device SR profiles.
  • Enable Android keyboard restricted mode: You can now use the ‘Enable Android keyboard restricted mode’ option in a BlackBerry Dynamics profile to force custom keyboards into incognito mode.
  • Shared device groups: Migration is not supported for shared device groups. Users who belong to a shared device group do not appear in the Migrate users list. Devices that are part of a shared device group do not appear in the Migrate devices list.
  • New Event Notifications: BlackBerry UEM can now email event notifications to administrators for the following events:
    • iOS VPP account expiry
    • DEP token expiry
    • IT policy pack updated
    • Metadata updated

Activation

  • Activate Android Enterprise devices without adding a Google account: Administrators now have the option to allow Android Enterprise devices to be activated without adding a Google Play account to the workspace. You might use this option if you do not want to use Google Play to manage work apps on Android Enterprise devices or you want to activate and use the device without accessing Google services. In the activation profile, you specify whether to add Google Play to the workspace for Android Enterprise devices. By default, the activation profile adds the Google account to the work space and Google Play manages the apps. If you do not add a Google account, apps and app configurations are managed through the BlackBerry UEM infrastructure via BlackBerry UEM Client.
  • BlackBerry UEM now includes Work and personal – full control activations for Android Enterprise devices: This activation type is for devices running Android 8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files.
    To activate a device with Work and personal – full control, the user must wipe the device and start the activation in the same way as Work space only activations.
    To enable BlackBerry Secure Connect Plus and KNOX Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.
    When applying IT policy rules to Android Enterprise devices with Work and personal – full control activations, the different rule categories affect different profiles on the device:
    • Global rules apply to the entire device
    • Work profile rules apply to apps and data in the work profile
    • Personal profile rules apply to apps and data in the personal profile
    For example: to apply password requirements to unlock the device, use the Global password rules. To apply password requirements only to the work profile, use the Work profile password rules. To prevent screen capture only of work data, deselect the Work profile “Allow screen capture” rule and select the Personal profile “Allow screen capture” rule. To prevent screen capture of both work and personal data, deselect the Personal profile “Allow screen capture” rule.

Windows 10 Modern Management

  • Support for Azure Active Directory Join: BlackBerry UEM now supports Azure Active Directory Join, which allows a simplified MDM enrollment process for Windows 10 devices. Users can enroll their devices with UEM using their Azure Active Directory username and password.
  • Windows Autopilot support: Azure Active Directory Join is also required to support Windows Autopilot, which allows Windows 10 devices to be automatically activated with UEM during the Windows 10 out-of-box setup experience.
    Note: To enable automatic MDM enrollment with BlackBerry UEM during the Windows 10 out-of-box setup, a UEM certificate must be installed on the device.

Intune

  • Microsoft Intune app protection support enhancement: You can manage and deploy Microsoft Intune managed apps from the BlackBerry UEM management console when your environment is configured for modern authentication.

Apple Configurator

  • Enroll Apple DEP devices using Apple Configurator: You can now use a static enrollment challenge to enroll multiple DEP devices using Apple Configurator.

BlackBerry Dynamics

  • Add public app source files as internal apps: You can now add BlackBerry Dynamics app source files from the public app stores as internal apps so that users can install the apps without connecting to the stores.
  • Link to specific apps: You can now send users a link or QR code that links directly to the app details page for specific BlackBerry Dynamics apps.
  • Enhancements for certificate enrollment using app-based PKI solutions: BlackBerry UEM has simplified the certificate enrollment process for app-based PKI solutions such as Purebred. To use app-based certificates with BlackBerry Dynamics apps, the "Allow BlackBerry Dynamics apps to use certificate, SCEP profiles, and user credential profiles" check box no longer needs to be selected in the BlackBerry UEM Client.

Logging

  • Logging changes: The BlackBerry UEM administrator console includes the following changes for logging:
    • You can now enable SQL logging, CAP payload logging, and HTTP payload logging. These options are available under Settings > Infrastructure > Logging.
    • The Maximum device app audit log file size is now configured as a global setting instead of per instance. If you upgrade from a previous release, the maximum size is initially set to the minimum setting for any existing server instance.
    • Component level logging is now supported for BlackBerry Proxy Service. You can enable logging for BlackBerry Proxy Service under Settings > Infrastructure > Logging, as well as the Server group and BlackBerry Connectivity Node default settings pages.
  • Trace logging option removed: The option to set logging level to Trace has been removed from Service logging override. You can set logging level to Info, Error, Warning, or Debug.
  • BlackBerry Proxy Service: Component level logging is now available for BlackBerry Proxy Service. You can enable logging for BlackBerry Proxy Service on the Server group and BlackBerry Connectivity Node default settings pages.

BlackBerry Connectivity

  • BlackBerry Connectivity app updates: The BlackBerry Connectivity app (version 1.18.0.811) for Samsung KNOX Workspace and Android Enterprise devices does not include fixes or improvements, but is upversioned so that administrators can assign and update the app on devices. If enterprise connectivity is required, you are now required to use the BlackBerry UEM administrator console to add the BlackBerry Connectivity app as an internal app and assign it (with a Required disposition) to Samsung KNOX Workspace and Android Enterprise devices that don't have access to Google Play. For more information, visit support.blackberry.com/community to read article 37299.

BlackBerry Web Services

  • Enabling access to the BlackBerry Web Services over the BlackBerry Infrastructure: If a web service client is outside of your organization’s firewall and it requires access to the BlackBerry Web Services APIs (REST or legacy SOAP), the client can connect to the APIs securely over the BlackBerry Infrastructure. For more information, see the Getting started page in the REST API reference and the “Access On-Premise UEM web service securely” example.
    A UEM administrator must explicitly enable access to the BlackBerry Web Services APIs over the BlackBerry Infrastructure. An administrator can enable or disable this access in the management console in Settings > General settings > BlackBerry Web Services access.

Changes to the Planning and the Installation and Upgrade content

Documentation changes: The Planning and the Installation and Upgrade content have been reorganized for BlackBerry UEM version 12.11. The major changes are:
  • A new “Preinstallation and preupgrade requirements” section in the Planning content consolidates information that was previously in several places in the Installation content. Most notably, the Preinstallation and preupgrade checklist has been removed from the Installation content and forms part of the new section.
  • Information about ports has moved to the Planning content.
  • Overview information about high availability has been consolidated into the Planning content. It was previously in the Installation content and the Configuration content.

New IT policy rules 

iOS
  • Allow Bluetooth (supervised only): Specify whether users can use Bluetooth on the device. If you don't want to allow Bluetooth, the "Allow Bluetooth changes" rule should also not be selected. If "Allow Bluetooth changes" is selected, users can re-enable Bluetooth on the device.
  • Allow modifying personal hotspot settings (supervised only): Specify whether the user can modify the personal hotspot settings.
  • Allow sending Siri logs to Apple: Specify whether the device can send Siri logs to Apple servers.
 
 
Android Enterprise (Global)
  • Allow users to deactivate devices from UEM Client: Specify whether the user can deactivate the device using the BlackBerry UEM Client. If this rule is not selected, the Deactivate My Device button in the BlackBerry UEM Client is disabled.
Android Enterprise (Work profile)
  • Allow Android system windows: Specify whether Android devices can display windows other than app windows; for example, windows for toasts, system error messages, and phone calls.
  • Allow users to modify apps in Android Settings: Specify whether users can modify apps in Settings or launchers. If this rule is not selected, users can't uninstall apps, disable apps, clear app caches, clear app data, force apps to stop, or clear app defaults from the device Settings or launchers.
  • Allow system error dialogs: Specify whether system error dialogs for crashed or unresponsive apps display on the device. If this rule is not selected, when an app stops or is unresponsive, the system will force-stop the app as if the user chose the "close app" option in the dialog box. A feedback report isn't collected because users can't provide explicit consent.
  • Skip first use hints: Specify whether work apps should skip showing any introductory hints that display the first time the app is launched.
Android Enterprise (Personal profile)
  • Allow screen capture: Specify if a user can take screen shots of the device.
  • Allow autofill: Specify whether the device can save user-entered form data to automatically fill future forms.
  • Allow adding and removing accounts: Specify whether a user can add or remove accounts, such as email accounts, on the device.
  • Allow additional Google accounts: Specify whether the user can add additional Google accounts to the work space.
  • Disallowed account types: Specify the types of accounts that cannot be added to the work space. If no account types are specified, there is no restriction. Disallowing an account type blocks users and apps from adding the account. Account types are defined by the app that uses the account and so can't be thoroughly documented here. Some useful examples are:
    • BlackBerry Hub email: com.blackberry.email.unified
    • BlackBerry Hub CalDAV: com.blackberry.dav.caldav
    • BlackBerry Hub CardDAV: com.blackberry.dav.carddav
    • Microsoft Outlook: com.microsoft.office.outlook.USER_ACCOUNT
    • Gmail ActiveSync: com.google.android.gm.exchange
    • Gmail POP3: com.google.android.gm.pop3
    • Gmail IMAP: com.google.android.gm.legacyimap
    • Google user account: com.google
    • LinkedIn: com.linkedin.android
    For more information, visit support.blackberry.com/community to read article 46860.
  • Allow lock screen features: Specify whether special features can be enabled on the device lock screen.
  • Allow camera on lock screen: Specify whether users can access the device camera on the lock screen.
  • Allow notifications: Specify whether the device can display notifications on the lock screen.
  • Allow all notification content: Specify whether all notification content can appear on the lock screen or only the notification type.
  • Allow fingerprint authentication: Specify whether the user can unlock the device using a fingerprint.
  • Allow trust agents: Specify whether trust agents can unlock the device.
  • Allow NFC trust agent: Specify if NFC can be used to unlock the device.
  • Allow tags with basic authentication to unlock the device: Specify if NFC tags that authenticate using the tag ID can be used to unlock the device.
  • Allow secure NFC tags to unlock the device: Specify if NFC tags that use challenge-response authentication can be used to unlock the device.
  • Allow Bluetooth trust agent: Specify if Bluetooth can be used to unlock the device.
  • Allow places trust agent: Specify if places can be used to unlock the device.
  • Allow custom places: Specify if a user can trust places other than Home.
  • Allow Face trust agent: Specify if a face image can be used to unlock the device.
  • Allow Voice trust agent: Specify if voice can be used to unlock the device.
  • Allow On-body trust agent: Specify if On-body can be used to unlock the device.
  • Trust agent inactivity timeout: Specify the device inactivity timeout in minutes. When a device is in an idle state for a certain period of time, trust agents will be revoked.
  • Allow installation of non Google Play apps: Specify whether a user can install apps using the app installer (the ACTION_INSTALL_PACKAGE mechanism).
  • Allow developer options: For work space only devices, specify whether users can enable developer options on the device. For Work and personal - user privacy devices, the option for users to turn on developer options can't be disabled. If this rule is not selected, the device deletes any apps that aren't on the app list in UEM that users have installed to the work profile using the developer options.