Whats new in BlackBerry UEM 12.11
- : You can use theiOSapp integrity checkiOSapp integrity check framework to check the integrity ofiOSwork apps that have been published to the App Store. This feature usesAppleDeviceCheck and other methods to provide a way to identify that your app is running on a validAppledevice and that the app is published by the specifiedAppleTeam ID. For more information onAppleDeviceCheck, see the information from Apple. This setting applies only to devices runningiOS11 and later. Activation ofBlackBerry Dynamicsapps that were built usingBlackBerry DynamicsSDK foriOSversion 5.0 or earlier will fail if you enable the ‘Perform app integrity check onBlackBerry Dynamicsapp activation’ option in the activation profile and if you add those apps foriOSapp integrity check. If aBlackBerry Dynamicsapp that was built usingBlackBerry DynamicsSDK foriOSversion 5.0 or earlier is already activated, and you select the 'Perform periodic app integrity checks' option in the Activation profile, the app will fail the periodic attestation check and the device will be subject to the enforcement action specified in the compliance profile that is assigned to the user.Note: You cannot enable theiOSapp integrity checking on enterprise apps that your organization has developed and distributed internally using theAppleEnterprise Distribution program.
- : The Route All option has been replaced with a Default Route option in theBlackBerry DynamicsConnectivity profile changeBlackBerry DynamicsConnectivity profile allowing for more detailed control over howBlackBerry Dynamicsapps built using the latestBlackBerry DynamicsSDK can connect to app servers. This allows you to configure rules to avoid double tunneling the UEM App Store and UEM hosted application push.
- : You can now generateBlackBerry Dynamicsaccess keysBlackBerry Dynamicsaccess keys for users that do not have an email address.
- Notifications for changes to: Administrators can now receive notifications when the status of anAndroid EnterpriseappsAndroid Enterpriseapp onGoogle Playhas changed and requires review. When an app requires review,UEMmarks the apps listed on the Apps screen. Administrators can apply a filter to easily see the apps that need to be reviewed or approved and take the appropriate action. From the Settings > Event notifications menu, you can set the types of events that you want administrators to be notified about. For example, you can notify administrators if an app requires review if changes were made to the app’s availability, version, approval status, permissions, app configuration schemas, or if an app was not successfully installed on a user’s device.
- Whitelist antivirus vendors for: In the compliance profile, in the “Antivirus status” rule forWindowsdevicesWindowsdevices, you can now choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.
- User credential profiles support using: You can now use yourEntrustforBlackBerry DynamicsappsEntrustPKI connection to enroll certificates forBlackBerry Dynamicsapps using the User credential profile.
- Compliance violation reporting: When a device is out of compliance, violations and any applicable actions display on the device summary page. To see which apps are in a noncompliant state, click on the ‘View noncompliant apps’ link. A device with performance alerts or compliance violations is flagged with a caution icon. Types of violations that are reported include:
In the management console, you can filter on any of the compliance rules when they occur.
- Rooted OS or failed attestation (Androidonly)
- SafetyNet attestation failure (Androidonly)
- Jailbroken OS (iOSonly)
- Restricted OS version is installed (iOS,Android,macOS,Windows)
- Restricted device model detected (iOS,Android,macOS,Windows)
- BlackBerry Dynamicslibrary version verification (iOS,Android,macOS,Windows)
- BlackBerry Dynamics apps connectivity verification (iOS,Android,macOS,Windows)
- Antivirus status (Windowsonly)
- Device compliance report: On the dashboard, the device compliance report now includes if either theBlackBerry UEM Clientor aBlackBerry Dynamicsapp is out of compliance.
- Device report update: The device report now includes theBlackBerry Dynamicscompliance rule status.
- Automatic device and OS metadata updates: If a user activates a device with a model or OS version that is unknown toBlackBerry UEM,UEMautomatically adds the new device or version metadata to theUEMdatabase so that the metadata is available for Activation, Compliance, and Device SR profiles.
- Enable: You can now use the ‘Enable Android keyboard restricted mode’ option in aAndroidkeyboard restricted modeBlackBerry Dynamicsprofile to force custom keyboards into incognito mode.
- Shared device groups:Migration is not supported for shared device groups. Users who belong to a shared device group do not appear in the Migrate users list. Devices that are part of a shared device group do not appear in the Migrate devices list.
- New Event Notifications:BlackBerry UEMcan now email event notifications to administrators for the following events:
- iOSVPP account expiry
- DEP token expiry
- IT policy pack updated
- Metadata updated
- Activate: Administrators now have the option to allowAndroid Enterprisedevices without adding aAndroid Enterprisedevices to be activated without adding aGoogle Playaccount to the workspace. You might use this option if you do not want to useGoogle Playto manage work apps onAndroid Enterprisedevices or you want to activate and use the device without accessingGoogle Playto the workspace forAndroid Enterprisedevices. By default, the activation profile adds theGoogle Playmanages the apps. If you do not add aBlackBerry UEMinfrastructure viaBlackBerry UEM Client.
- : This activation type is for devices runningBlackBerry UEMnow includes Work and personal – full control activations forAndroid EnterprisedevicesAndroid8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password. This activation type supports the logging of device activity (SMS, MMS, and phone calls) inBlackBerry UEMlog files.To activate a device with Work and personal – full control, the user must wipe the device and start the activation in the same way as Work space only activations.To enableBlackBerry Secure Connect PlusKnoxPlatform for Enterprise support, you must select the "When activatingAndroid Enterprisedevices, enable premiumUEMfunctionality such asBlackBerry Secure Connect Plus" option in the activation profile.When applying IT policy rules toAndroid Enterprisedevices with Work and personal – full control activations, the different rule categories affect different profiles on the device:
For example: to apply password requirements to unlock the device, use the Global password rules. To apply password requirements only to the work profile, use the Work profile password rules. To prevent screen capture only of work data, deselect the Work profile “Allow screen capture” rule and select the Personal profile “Allow screen capture” rule. To prevent screen capture of both work and personal data, deselect the Personal profile “Allow screen capture” rule.
- Global rules apply to the entire device
- Work profile rules apply to apps and data in the work profile
- Personal profile rules apply to apps and data in the personal profile
Windows 10 Modern Management
Windows 10Modern Management
- Support for:AzureActive DirectoryJoinBlackBerry UEMnow supportsAzureActive DirectoryJoin which allows a simplified MDM enrollment process forWindows 10devices. Users can enroll their devices withUEMusing theirAzureActive Directoryusername and password.
- Windows Autopilot support:AzureActive DirectoryJoin is also required to supportWindowsAutoPilot, which allowsWindows 10devices to be automatically activated withUEMduring theWindows 10out-of-box setup experience.Note: To enable automatic MDM enrollment withBlackBerry UEMduring theWindows 10out-of-box setup, aUEMcertificate must be installed on the device.
- : You can manage and deployMicrosoft Intuneapp protection support enhancementMicrosoft Intunemanaged apps from theBlackBerry UEMmanagement console when your environment is configured for modern authentication.
- Enroll: You can now use a static enrollment challenge to enroll multiple DEP devices usingAppleDEP devices usingAppleConfiguratorAppleConfigurator.
- Add public app source files as internal apps: You can now addBlackBerry Dynamicsapp source files from the public app stores as internal apps so that users can install the apps without connecting to the stores.
- Link to specific apps: You can now send users a link or QR code that links directly to the app details page for specificBlackBerry Dynamicsapps.
- Enhancements for certificate enrollment using app-based PKI solutions:BlackBerry UEMhas simplified certificate enrollment process for app-based PKI solutions such asPurebred. To use app-based certificates withBlackBerry Dynamicsapps, the "AllowBlackBerry Dynamicsapps to use certificate, SCEP profiles, and user credential profiles" check box no longer needs to be selected in theBlackBerry UEM Client.
- Logging changes:TheBlackBerry UEMadministrator console includes the following changes for logging:
- The Maximum device app audit log file size is now configured as a global setting instead of per instance. If you upgrade from a previous release, the maximum size is initially set to the minimum setting for any existing server instance.
- Component level logging is now supported forBlackBerry ProxyService. You can enable logging forBlackBerry ProxyService under Settings > Infrastructure > Logging, as well as the Server group andBlackBerry Connectivity Nodedefault settings pages.
- Trace logging option removed:The option to set logging level to Trace has been removed from Service logging override. You can set logging level to Info, Error, Warning, or Debug.
- Component level logging is now available forBlackBerry ProxyService:BlackBerry ProxyService. You can enable logging forBlackBerry ProxyService on the Server group andBlackBerry Connectivity Nodedefault settings pages.
- : TheBlackBerry Connectivityapp updatesBlackBerry Connectivityapp (version 22.214.171.1241) forSamsung Knox WorkspaceandAndroid Enterprisedevices does not include fixes or improvements, but is upversioned so that administrators can assign and update the app on devices. If enterprise connectivity is required, you are now required to use theBlackBerry UEMadministrator console to add theBlackBerry Connectivityapp as an internal app and assign it (with a Required disposition) toSamsung Knox WorkspaceandAndroid Enterprisedevices that don't have access toGoogle Play. For more information, visit support.blackberry.com/community to read article 37299.
BlackBerry Web Services
- Enabling access to the: If a web service client is outside of your organization’s firewall and it requires access to theBlackBerry Web Servicesover theBlackBerry InfrastructureBlackBerry Web ServicesAPIs (REST or legacy SOAP), the client can connect to the APIs securely over theBlackBerry Infrastructure. For more information, see the Getting started page in the REST API reference and the “Access On-Premise UEM web service securely” example.AUEMadministrator must explicitly enable access to theBlackBerry Web ServicesAPIs over theBlackBerry Infrastructure. An administrator can enable or disable this access in the management console in Settings > General settings >BlackBerry Web Servicesaccess.
Changes to the Planning and the Installation and Upgrade content
Documentation changes:The Planning and the Installation and Upgrade content have been reorganized for
BlackBerry UEMversion 12.11. The major changes are:
- A new “Preinstallation and preupgrade requirements” section in the Planning content consolidates information that was previously in several places in the Installation content. Most notably, the Preinstallation and preupgrade checklist has been removed from the Installation content and forms part of the new section.
- Information about ports has moved to the Planning content.
- Overview information about high availability has been consolidated into the Planning content. It was previously in the Installation content and the Configuration content.
New IT policy rules
Specify whether users can use
Bluetoothon the device. If you don't want to allow
Bluetooth, the "Allow
Bluetoothchanges" rule should also not be selected. If "Allow
Bluetoothchanges" is selected, users can re-enable
Bluetoothon the device.
Allow modifying personal hotspot settings (supervised only)
Specify whether the user can to modify the personal hotspot settings.
Specify whether the device can send
Allow users to deactivate devices from
Specify whether the user can deactivate the device using the
BlackBerry UEM Client. If this rule is not selected, the Deactivate My Device button in the
BlackBerry UEM Clientis disabled.
Android Enterprise(Work profile)
Androiddevices can display windows other than app windows; for example, windows for toasts, system error messages, and phone calls.
Allow users to modify apps in Android Settings
Specify whether users can modify apps in Settings or launchers. If this rule is not selected, users can't uninstall apps, disable apps, clear app caches, clear app data, force apps to stop, or clear app defaults from the device Settings or launchers.
Allow system error dialogs
Specify whether system error dialogs for crashed or unresponsive apps display on the device. If this rule is not selected, when an app stops or is unresponsive, the system will force-stop the app as if the user chose the "close app" option in the dialog box. A feedback report isn't collected because users can't provide explicit consent.
Skip first use hints
Specify whether work apps should to skip showing any introductory hints that display the first time the app is launched.
Android Enterprise(Personal profile)
Allow screen capture
Specify if a user can take screen shots of the device.
Specify whether the device can save user-entered form data to automatically fill future forms.
Allow adding and removing accounts
Specify whether a user can add or remove accounts, such as email accounts, on the device.
Specify whether the user can add additional
Disallowed account types
Specify the types of accounts that cannot be added to the work space. If no account types are specified, there is no restriction. Disallowing an account type blocks users and apps from adding the account. Account types are defined by the app that uses the account and so can't be thoroughly documented here. Some useful examples are:
For more information, visit support.blackberry.com/community to read article 46860.
Allow lock screen features
Specify whether special features can be enabled on the device lock screen.
Allow camera on lock screen
Specify whether users can access the device camera on lock screen.
Specify whether the device can display notifications on the lock screen.
Allow all notification content
Specify whether all notification content can appear on the lock screen or only the notification type.
Allow fingerprint authentication
Specify whether the user can unlock the device using a fingerprint.
Allow trust agents
Specify whether trust agents can unlock the device.
Allow NFC trust agent
Specify if NFC can be used to unlock the device.
Allow tags with basic authentication to unlock the device
Specify if NFC tags that authenticate using the tag ID can be used to unlock the device.
Allow secure NFC tags to unlock the device
Specify if NFC tags that use challenge-response authentication can be used to unlock the device.
Bluetoothcan be used to unlock the device.
Allow places trust agent
Specify if places can be used to unlock the device.
Allow custom places
Specify if a user can trust places other than Home.
Allow Face trust agent
Specify if face image can be used to unlock the device.
Allow Voice trust agent
Specify if voice can be used to unlock the device.
Allow On-body trust agent
Specify if On-body can be used to unlock the device.
Trust agent inactivity timeout
Specify Device inactivity timeout in minutes. When a device is in an idle state for a certain period of time, trust agents will be revoked.
Allow installation of non Google Play apps
Specify whether a user can install apps using the app installer (the ACTION_INSTALL_PACKAGE mechanism).
Allow developer options
For work space only devices, specify whether users can enable developer options on the device. For Work and personal - user privacy devices, the option for users to turn on developer options can't be disabled. If this rule is not selected the device deletes any apps that aren't on the app list in
UEMthat users have installed to the work profile using the developer options.