Create an activation profile

  1. On the menu bar, click Policies and Profiles.
  2. Click Policy > Activation.
  3. Click the Add icon.
  4. Type a name and description for the profile.
  5. In the Number of devices that a user can activate field, specify the maximum number of devices the user can activate.
  6. In the Device ownership drop-down list, select the default setting for device ownership.
    • Select Not specified if some users activate personal devices and some users activate work devices.
    • Select Work if most users activate work devices.
    • Select Personal if most users activate their personal devices.
  7. Optionally, select an organization notice in the Assign organization notice drop-down list. If you assign an organization notice, users activating iOS, iPadOS, macOS, or Windows 10 devices must accept the notice to complete the activation process.
  8. In the Device types that users can activate section, select the device OS types that users can activate. Device types that you don't select are not included in the activation profile and users can't activate those devices.
  9. Perform the following actions for each device type included in the activation profile:
    1. Click the tab for the device type.
    2. In the Device model restrictions drop-down list, select one of the following options:
      • No restrictions: Users can activate any device model.
      • Allow selected device models: Users can activate only the device models that you specify. Use this option to limit the allowed devices to only some models.
      • Do not allow selected device models: Users can't activate the device models that you specify. Use this option to block activation of some device models or devices from specific manufacturers.
      If you restrict the device models users can activate, click Edit to select the devices you want to allow or restrict and click Save.
    3. In the Minimum allowed version drop-down list, select the minimum allowed OS version.
      Many older OS versions are no longer supported by BlackBerry UEM. You only need to select a minimum version if you don't want to support the earliest version currently supported by BlackBerry UEM. For more information on supported versions, see the Compatibility Matrix.
    4. Select the supported activation types.
      For Android devices, you can select multiple activation types and rank them. For all other device types, you can select only one activation type.
      The "MDM controls" activation type is deprecated for devices with Android 10 and later. It is included in the list of activation types only if the Enable MDM controls activation type for Android devices setting is selected in the default activation settings.
  10. For iOS and iPadOS devices, perform the following actions:
    1. If you selected the "User privacy" activation type and you want to enable SIM-based licensing, select Allow access to SIM card and device hardware information to enable SIM-based licensing.
    2. If you selected the "User privacy" activation type and you want to manage specific features, select the appropriate check boxes. For more information on each option, see Activation types: iOS devices.
    3. If you selected the "MDM controls" or "User privacy" (with SIM-based licensing) activation types and you only want to activate supervised devices, select Do not allow unsupervised devices to activate.
    4. In the iOS app integrity check section, optionally select one of the following attestation methods:
      • Perform app integrity check on BlackBerry Dynamics app activation: Use this method to send challenges to devices when they are activated to check the integrity of iOS work apps.
      • Perform periodic app integrity checks: Use this method to send challenges to devices to check the integrity of iOS work apps.
      To perform iOS app integrity checking, you must enable CylancePROTECT in your BlackBerry UEM domain. For more information, see the BlackBerry Protect Mobile content.
  11. For Android devices, perform the following actions:
    1. If you selected more than one activation type, click the up and down arrows to rank them.
      Devices receive the highest ranked activation type that they support. For example, if you rank "MDM controls" first, devices that don't support "MDM controls" receive the next ranked activation type.
    2. If you selected the "MDM controls" activation type and you don't want Knox MDM policy rules to be applied to the devices that support them, clear the Activate Samsung KNOX APIs on MDM Controls activations check box.
    3. If you selected a Samsung Knox activation type and you want to use Google Play to manage work apps, select Google Play app management for Samsung Knox Workspace devices. This option is available only if you have configured a connection to a Google domain.
      Samsung Knox activation types will be deprecated in a future release. Devices that support Knox Platform for Enterprise can be activated using the Android Enterprise activation types. For more information, visit https://support.blackberry.com/community to read article 54614.
    4. If you selected an Android Enterprise activation type, enable the appropriate Android Enterprise options:
      • When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus: Enables BlackBerry Secure Connect Plus and Knox Platform for Enterprise features (for devices that support Samsung Knox) on devices with an appropriate license.
      • Enable Samsung Knox DualDAR Workspace: Enables Samsung Knox DualDAR encryption for devices that support it. This option is supported only by "Work space only" and "Work and personal - full control" devices.
      • Add Google Play account to work space: Allows Google Play app management in the work space. If the device does not have access to Google Play, deselect this option.
      • Allow only approved device IDs: Restricts activation to individual devices whose device IDs you specify. This option is supported only for "Work space only" and "Work and personal - full control" devices.
      • Zero Touch QR Code enrollment: Allows you to specify whether users can activate a device using a QR Code over a Wi-Fi or mobile network. The default setting is Wi-Fi. Users can activate using only the network type that you specify. This option is supported only for "Work space only" and "Work and personal - full control" devices.
    5. In the SafetyNet or Play Integrity attestation options section, optionally select one of the following attestation methods:
      • Perform SafetyNet or Play Integrity attestation for device: Use this method to send challenges to test the authenticity and integrity of devices.
      • Perform SafetyNet attestation on device activation (Applies only to UEM Client versions that do not support Play Integrity): Use this method to send challenges to test the authenticity and integrity of devices when they are activated.
      • Perform SafetyNet or Play Integrity attestation on BlackBerry Dynamics app activation: Use this method to send challenges to test the authenticity and integrity of BlackBerry Dynamics apps when they are activated.
    6. In the Hardware attestation options section, select Enforce attestation compliance rules during activation if you want BlackBerry UEM to send challenges to devices when they are activated to ensure the required security patch level is installed.
  12. For Windows 10 devices, select one or both form factor options.
    Windows 10 Mobile devices are no longer supported by Microsoft and have only limited support in BlackBerry UEM.
  13. Click Add.
If necessary, rank profiles.
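
The settings in this procedure (device limit, included device types, model restrictions, minimum version, ranked activation types) combine into one allow-or-refuse decision when a user activates a device. The following Python model of that decision is an added example, not BlackBerry code or a BlackBerry UEM API; the class and field names, the order of the checks, and the sample models are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DeviceTypeRules:            # one device-type tab (hypothetical structure)
    model_mode: str = "none"      # "none" | "allow" | "deny"
    models: frozenset = frozenset()
    min_version: tuple = (0,)
    ranked_types: tuple = ()      # selected activation types, highest rank first

@dataclass
class ActivationProfile:
    max_devices: int
    rules: dict = field(default_factory=dict)  # unselected OS types are absent

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def evaluate(profile, activated_count, os_type, model, os_version, supported):
    """Return (activation_type, reason); activation_type is None on refusal."""
    if activated_count >= profile.max_devices:
        return None, "device limit reached"
    rules = profile.rules.get(os_type)
    if rules is None:
        return None, "device type not included in profile"
    if rules.model_mode == "allow" and model not in rules.models:
        return None, "model not in allowed list"
    if rules.model_mode == "deny" and model in rules.models:
        return None, "model is blocked"
    if parse_version(os_version) < rules.min_version:
        return None, "OS below minimum allowed version"
    for activation_type in rules.ranked_types:  # highest-ranked supported type wins
        if activation_type in supported:
            return activation_type, "ok"
    return None, "no selected activation type is supported"

# Constructed sample profile: Android only, one blocked model, two ranked types.
SAMPLE = ActivationProfile(max_devices=2, rules={
    "Android": DeviceTypeRules(
        model_mode="deny", models=frozenset({"ExampleModel X"}),
        min_version=parse_version("9"),
        ranked_types=("MDM controls", "Work space only")),
})

if __name__ == "__main__":
    print(evaluate(SAMPLE, 0, "Android", "ExampleModel Y", "13", {"Work space only"}))
    print(evaluate(SAMPLE, 0, "Android", "ExampleModel X", "13", {"Work space only"}))
    print(evaluate(SAMPLE, 2, "Android", "ExampleModel Y", "13", {"Work space only"}))
```

Running candidate settings through a model like this before saving a profile shows which devices fall through to a lower-ranked activation type and which are refused outright.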