Get the PDF

Create an activation profile

On the menu bar, click

Policies and Profiles

Click

Policy > Activation

Click

Type a name and description for the profile.

In the

Number of devices that a user can activate

field, specify the maximum number of devices the user can activate.

In the

Device ownership

drop-down list, select the default setting for device ownership.

Select

Not specified

if some users activate personal devices and some users activate work devices.

Select

Work

if most users activate work devices.

Select

Personal

if most users activate their personal devices.

Optionally, select an organization notice in the

Assign organization notice

drop-down list. If you assign an organization notice, users activating

iOS

iPadOS

macOS

, or

Windows 10

devices must accept the notice to complete the activation process.

In the

Device types that users can activate

section, select the device OS types that users can activate. Device types that you don't select are not included in the activation profile and users can't activate those devices.

Perform the following actions for each device type included in the activation profile:

Click the tab for the device type.

In the

Device model restrictions

drop-down list, select one of the following options:

No restrictions

: Users can activate any device model.

Allow selected device models

: Users can activate only the device models that you specify. Use this option to limit the allowed devices to only some models.

Do not allow selected device models

: Users can't activate the device models that you specify. Use this option to block activation of some device models or devices from specific manufacturers.

If you restrict the device models users can activate, click

Edit

to select the devices you want to allow or restrict and click

Save

In the

Minimum allowed version

drop-down list, select the minimum allowed OS version.

Many older OS versions are no longer supported by

BlackBerry UEM

. You only need to select a minimum version if you don't want to support the earliest version currently supported by

BlackBerry UEM

. For more information on supported versions, see the Compatability Matrix.

Select the supported activation types.

For

Android

devices, you can select multiple activation types and rank them. For all other device types, you can select only one activation type.

The "

MDM controls

" activation type is deprecated for devices with

Android

10 and later. It is included in the list of activation types only if the

Enable MDM controls activation type for Android devices

setting is selected in the default activation settings.

For

Android

devices, perform the following actions:

If you selected more than one activation type type, click the up and down arrows to rank them.

Devices receive the highest ranked profile that they support. For example, if you rank "MDM Controls" first, devices that don't support "MDM Controls" receive the next ranked activation type.

If you selected the "

MDM controls

" activation type and you don't want

Knox

MDM policy rules to be applied to the devices that support them, clear the

Activate Samsung KNOX APIs on MDM Controls activations

check box.

If you selected a

Samsung Knox

activation type and you want to use

Google Play

to manage work apps, select

Google Play app management for Samsung Knox Workspace devices

. This option is available only if you have configured a connection to a Google domain.

Samsung Knox

activation types will be deprecated in a future release. Devices that support

Knox Platform for Enterprise

can be activated using the

Android Enterprise

activation types. For more information, visit https://support.blackberry.com/community to read article 54614.

If you selected an

Android Enterprise

activation type, enable the appropriate

Android Enterprise

options:

When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus

enables

BlackBerry Secure Connect Plus

and

Knox

Platform for Enterprise features (for devices that support

Samsung Knox

) on devices with an appropriate license.

Enable Samsung Knox DualDAR Workspace

enables Samsung Knox DualDAR encryption for devices that support it. This option is supported only by "Work space only" and "Work and personal - full control" devices.

Add Google Play account to work space

allows

Google Play

app management in the work space. If the device does not have access to

Google Play

, deselect this option.

Allow only approved device IDs

allows you to restrict activation to individual devices that you specify the device ID for. This option is supported only by "Work space only" and "Work and personal - full control" devices.

In the

SafetyNet attestation options

section, optionally select one of the following attestation methods:

Perform SafetyNet attestation for device

: Use this method to send challenges to test the authenticity and integrity of devices.

Perform SafetyNet attestation on device activation

: Use this method to send challenges to test the authenticity and integrity of devices when they are activated.

Perform SafetyNet attestation on BlackBerry Dynamics app activation

: Use this method to send challenges to test the authenticity and integrity of

BlackBerry Dynamics

apps when they are activated.

In the

Hardware attestation options

section, select

Enforce attestation compliance rules during activation

if you want

BlackBerry UEM

to send challenges to devices when they are activated to ensure the required security patch level is installed.

Click

Add

If necessary, rank profiles.

Section:

Creating activation profiles