Create an activation profile
- On the menu bar, clickPolicies and Profiles.
- ClickPolicy > Activation.
- Click .
- Type a name and description for the profile.
- In theNumber of devices that a user can activatefield, specify the maximum number of devices the user can activate.
- In theDevice ownershipdrop-down list, select the default setting for device ownership.
- SelectNot specifiedif some users activate personal devices and some users activate work devices.
- SelectWorkif most users activate work devices.
- SelectPersonalif most users activate their personal devices.
- Optionally, select an organization notice in theAssign organization noticedrop-down list. If you assign an organization notice, users activatingiOS,iPadOS,macOS, orWindows 10devices must accept the notice to complete the activation process.
- In theDevice types that users can activatesection, select the device OS types that users can activate. Device types that you don't select are not included in the activation profile and users can't activate those devices.
- Perform the following actions for each device type included in the activation profile:
- Click the tab for the device type.
- In theDevice model restrictionsdrop-down list, select one of the following options:
- No restrictions: Users can activate any device model.
- Allow selected device models: Users can activate only the device models that you specify. Use this option to limit the allowed devices to only some models.
- Do not allow selected device models: Users can't activate the device models that you specify. Use this option to block activation of some device models or devices from specific manufacturers.
If you restrict the device models users can activate, clickEditto select the devices you want to allow or restrict and clickSave. - In theMinimum allowed versiondrop-down list, select the minimum allowed OS version.Many older OS versions are no longer supported byBlackBerry UEM. You only need to select a minimum version if you don't want to support the earliest version currently supported byBlackBerry UEM. For more information on supported versions, see the Compatability Matrix.
- Select the supported activation types.ForAndroiddevices, you can select multiple activation types and rank them. For all other device types, you can select only one activation type.The "MDM controls" activation type is deprecated for devices withAndroid10 and later. It is included in the list of activation types only if theEnable MDM controls activation type for Android devicessetting is selected in the default activation settings.
- ForiOSandiPadOSdevices, perform the following actions:
- If you selected the "User privacy" activation type and you want to enable SIM-based licensing, selectAllow access to SIM card and device hardware information to enable SIM-based licensing.
- If you selected the "User privacy" activation type and you want to manage specific features, select the appropriate check boxes. For more information on each option, see Activation types: iOS devices.
- If you selected the "MDM controls" or "User privacy" (with SIM-based licensing) activation types and you only want to activate supervised devices, selectDo not allow unsupervised devices to activate
- In theiOS app integrity checksection, optionally select one of the following attestation methods:
- Perform app integrity check on BlackBerry Dynamics app activation: Use this method to send challenges to devices when they are activated to check the integrity ofiOSwork apps.
- Perform periodic app integrity checks: Use this method to send challenges to devices to check the integrity ofiOSwork apps.
To performiOSapp integrity checking, you must enableCylancePROTECTin yourBlackBerry UEMdomain. For more information, see the BlackBerry Protect Mobile content.
- ForAndroiddevices, perform the following actions:
- If you selected more than one activation type type, click the up and down arrows to rank them.Devices receive the highest ranked profile that they support. For example, if you rank "MDM Controls" first, devices that don't support "MDM Controls" receive the next ranked activation type.
- If you selected the "MDM controls" activation type and you don't wantKnoxMDM policy rules to be applied to the devices that support them, clear theActivate Samsung KNOX APIs on MDM Controls activationscheck box.
- If you selected aSamsung Knoxactivation type and you want to useGoogle Playto manage work apps, selectGoogle Play app management for Samsung Knox Workspace devices. This option is available only if you have configured a connection to a Google domain.Samsung Knoxactivation types will be deprecated in a future release. Devices that supportKnox Platform for Enterprisecan be activated using theAndroid Enterpriseactivation types. For more information, visit https://support.blackberry.com/community to read article 54614.
- If you selected anAndroid Enterpriseactivation type, enable the appropriateAndroid Enterpriseoptions:
- When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect PlusenablesBlackBerry Secure Connect PlusandKnoxPlatform for Enterprise features (for devices that supportSamsung Knox) on devices with an appropriate license.
- Enable Samsung Knox DualDAR Workspaceenables Samsung Knox DualDAR encryption for devices that support it. This option is supported only by "Work space only" and "Work and personal - full control" devices.
- Add Google Play account to work spaceallowsGoogle Playapp management in the work space. If the device does not have access toGoogle Play, deselect this option.
- Allow only approved device IDsallows you to restrict activation to individual devices that you specify the device ID for. This option is supported only for "Work space only" and "Work and personal - full control" devices.
- Zero Touch QR Code enrollmentallows you specify whether users can activate a device using a QR Code over aWi-Fior mobile network. The default setting isWi-Fi. Users can activate using only the network type that you specify. This option is supported only for "Work space only" and "Work and personal - full control" devices.
- In theSafetyNet or Play Integrity attestation optionssection, optionally select one of the following attestation methods:
- Perform SafetyNet or Play Integrity attestation for device: Use this method to send challenges to test the authenticity and integrity of devices.
- Perform SafetyNet attestation on device activation (Applies only to UEM Client versions that do not support Play Integrity): Use this method to send challenges to test the authenticity and integrity of devices when they are activated.
- Perform SafetyNet or Play Integrity attestation on BlackBerry Dynamics app activation: Use this method to send challenges to test the authenticity and integrity ofBlackBerry Dynamicsapps when they are activated.
- In theHardware attestation optionssection, selectEnforce attestation compliance rules during activationif you wantBlackBerry UEMto send challenges to devices when they are activated to ensure the required security patch level is installed.
- ForWindows 10devices, select one or both form factor options.Windows 10 Mobiledevices are no longer supported byMicrosoftand have only limited support inBlackBerry UEM.
- ClickAdd.
If necessary, rank profiles.