Activation types: Android devices

For Android devices, you can select multiple activation types and rank them to make sure that BlackBerry UEM assigns the most appropriate activation type for the device. For example, if you rank "Work and personal - user privacy (Samsung Knox)" first and "Work and personal - user privacy (Android Enterprise)" second, devices that support Samsung Knox Workspace receive the first activation type and devices that don't receive the second.
The Android activation types are organized in the following tables:
  • Android Enterprise devices
  • Android devices without a work profile
  • Samsung Knox Workspace devices

Android Enterprise devices

The following activation types apply only to Android Enterprise devices.

Activation type: Work and personal - user privacy (Android Enterprise with work profile)
Description: This activation type maintains privacy for personal data but lets you manage work data using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication.
To allow Google Play app management for Android Enterprise devices, select "Add Google Play to the workspace". This setting is enabled by default. If the device does not have access to Google Play, then this setting must be deselected and the BlackBerry UEM Enroll app must be used from a secondary device during the activation process.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option.
Users do not have to grant Administrator permissions to the BlackBerry UEM Client.

Activation type: Work and personal - full control (Android Enterprise fully managed device with work profile)
Description: This activation type lets you manage the entire device using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files (if it runs Android 10 or earlier).
To allow Google Play app management for Android Enterprise devices, select "Add Google Play account to the work space". This setting is enabled by default. If the device does not have access to Google Play, then this setting must be deselected.
Following activation, "Work and personal - full control" devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, in the personal space. The list of retained pre-installed apps depends on the device vendor and OS version.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option.
To specify whether BlackBerry UEM can limit activation by device ID, select "Allow only approved device IDs".
This activation type requires the device to be reset to factory default settings before activating. If the BlackBerry UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.
During activation, users must grant Administrator permissions to the BlackBerry UEM Client.

Activation type: Work space only (Android Enterprise fully managed device)
Description: This activation type lets you manage the entire device using commands and IT policy rules. This activation type requires the user to reset the device to factory settings before activating. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password.
To allow Google Play app management for Android Enterprise devices, select "Add Google Play to the workspace". This setting is enabled by default. If the device does not have access to Google Play, then this setting must be deselected and the BlackBerry UEM Enroll app must be used from a secondary device during the activation process.
During activation, the device installs the BlackBerry UEM Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app.
Following activation, "Work space only" devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained pre-installed apps depends on the device vendor and OS version.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option.
To specify whether BlackBerry UEM can limit activation by device ID, select "Allow only approved device IDs".
This activation type requires the device to be reset to factory default settings before activating. If the BlackBerry UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.

Android devices without a work profile

The following activation types apply to all Android devices.

Activation type: MDM controls
Description: This activation type lets you manage the device using commands and IT policy rules. A separate work space is not created on the device, and there is no added security for work data.
This activation type is deprecated for devices with Android 10. Attempts to activate Android 10 and later devices with the MDM controls activation type will fail. For more information, visit https://support.blackberry.com/community to read article 48386.
If the device supports Knox MDM, this activation type applies the Knox MDM IT policy rules. If you do not want to apply Knox MDM policy rules, clear the "Activate Samsung KNOX on Samsung devices that have the MDM controls activation type assigned" check box.
During activation, users must grant Administrator permissions to the BlackBerry UEM Client.

Activation type: User privacy
Description: You can use the User privacy activation type to provide basic control of devices, including work app management, while making sure that users' personal data remains private. With this activation type, no separate container is installed on the device. To provide security for work data you can install BlackBerry Dynamics apps. Devices activated with User privacy can use services such as Find my Phone and Root Detection, but administrators cannot control device policies.
You can also use the User privacy activation type to activate Chrome OS devices to allow you to install and manage Android BlackBerry Dynamics apps.

Activation type: Device registration for BlackBerry 2FA only
Description: This activation type supports the BlackBerry 2FA solution for devices that BlackBerry UEM does not manage. This activation type does not provide any device management or controls, but allows devices to use the BlackBerry 2FA feature. To use this activation type, you must also assign the BlackBerry 2FA profile to users.
When a device is activated, you can view limited device information in the management console, and you can deactivate the device using a command.
This activation type is supported only for Microsoft Active Directory users.
For more information, see the BlackBerry 2FA content.

Samsung Knox Workspace devices

The following activation types apply only to Samsung devices that support Knox Workspace.
Samsung Knox activation types will be deprecated in a future release. Devices that support Knox Platform for Enterprise can be activated using the Android Enterprise activation types. For more information, visit https://support.blackberry.com/community to read article 54614.

Activation type: Work and personal - user privacy - (Samsung Knox)
Description: This activation type maintains privacy for personal data, but lets you manage work data using commands and IT policy rules. This activation type does not support the Knox MDM IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. The user must also create a Screen lock password to protect the entire device and will not be able to use USB debugging mode.
During activation, users must grant Administrator permissions to the BlackBerry UEM Client.

Activation type: Work and personal - full control (Samsung Knox)
Description: This activation type lets you manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files (if it runs Android 11 or earlier).
During activation, users must grant Administrator permissions to the BlackBerry UEM Client.

Activation type: Work space only - (Samsung Knox)
Description: This activation type lets you manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. This activation type removes the personal space and installs a work space. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files.
During activation, users must grant Administrator permissions to the BlackBerry UEM Client.
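
An added example, not BlackBerry code: a Python model of the ranking described at the top of this page, used to audit a ranked list of activation types against a device inventory before rollout. The Device fields, the first-match selection and the sample fleet are assumptions constructed for illustration; the eligibility classes and the MDM controls limits are the ones stated in the tables above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Activation type names as used in the ranking example on this page.
KNOX_PRIVACY = "Work and personal - user privacy (Samsung Knox)"
AE_PRIVACY = "Work and personal - user privacy (Android Enterprise)"
MDM_CONTROLS = "MDM controls"

@dataclass
class Device:
    """Hypothetical inventory record; the field names are assumptions."""
    name: str
    android_version: int
    android_enterprise: bool   # device supports Android Enterprise
    knox_workspace: bool       # Samsung device that supports Knox Workspace

def applies(activation_type: str, device: Device) -> bool:
    """Eligibility classes taken from the three tables on this page."""
    if "(Samsung Knox)" in activation_type:
        return device.knox_workspace
    if "(Android Enterprise" in activation_type:
        return device.android_enterprise
    return True  # types without a work profile apply to all Android devices

def assign(ranking: list[str], device: Device) -> str | None:
    """First ranked type that applies to the device (modelled behaviour)."""
    return next((t for t in ranking if applies(t, device)), None)

def audit(ranking: list[str], fleet: list[Device]) -> dict[str, str]:
    """Map device name -> finding for devices that need attention."""
    findings = {}
    for dev in fleet:
        chosen = assign(ranking, dev)
        if chosen is None:
            findings[dev.name] = "no ranked activation type applies"
        elif chosen == MDM_CONTROLS and dev.android_version >= 10:
            findings[dev.name] = "MDM controls activation fails on Android 10 and later"
        elif chosen == MDM_CONTROLS:
            findings[dev.name] = "MDM controls: no work space, no added security for work data"
    return findings

# Constructed sample fleet, not real inventory data.
FLEET = [
    Device("knox-phone", 11, True, True),
    Device("ae-phone", 12, True, False),
    Device("legacy-tablet", 9, False, False),
    Device("plain-phone", 10, False, False),
]
RANKING = [KNOX_PRIVACY, AE_PRIVACY, MDM_CONTROLS]
```

Calling `audit(RANKING, FLEET)` lists the devices that would fall through to MDM controls, which is where a ranking silently loses work-data separation or stops activating at all.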