Skip Navigation

Key features for each device type

iOS
devices

Feature
Description
Run app lock mode
On
iOS
devices that are supervised using
Apple Configurator
2, you can use an app lock mode profile to limit the device to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sales demonstrations.
Device activation
You can use
Apple Configurator
2 to prepare devices for activation in
BlackBerry UEM
. Users can activate the prepared devices without using the
BlackBerry UEM Client
app.
Filter web content
You can use web content filter profiles to limit the websites that a user can view on a device. You can enable automatic filtering with the option to allow and restrict websites, or allow access only to specific websites.
Link
Apple
VPP accounts to a
BlackBerry UEM
domain
The Volume Purchase Program (VPP) allows you to buy and distribute
iOS
apps in bulk. You can link
Apple
VPP accounts to a
BlackBerry UEM
domain so that you can distribute purchased licenses for
iOS
apps associated with the VPP accounts.
Apple
Device Enrollment Program
You can configure
BlackBerry UEM
to use the
Apple
Device Enrollment Program (DEP) so that you can synchronize
BlackBerry UEM
with the DEP. After you configure
BlackBerry UEM
, you can use the
BlackBerry UEM
management console to manage the activation of the
iOS
devices that your organization purchased for the DEP. You can use multiple DEP accounts.
You can link multiple
Apple
DEP accounts to one
BlackBerry UEM
domain.
Support for app-based PKI solutions
Added support for app-based PKI solutions, such as
Purebred
, which can enroll certificates for
BlackBerry Dynamics
apps. You can now install the PKI app on devices and allow the latest versions of
BlackBerry Dynamics
apps, such as
BlackBerry Work
and
BlackBerry Access
, to use certificates enrolled through the PKI app.
Use custom payload profiles
You can use custom payload profiles to control features on
iOS
devices that are not controlled by existing
BlackBerry UEM
policies or profiles. You can create
Apple
configuration profiles using
Apple Configurator
and add them to
BlackBerry UEM
custom payload profiles. You can assign the custom payload profiles to users, user groups, and device groups.
BlackBerry Secure Gateway
The
BlackBerry Secure Gateway
allows
iOS
devices with the MDM controls activation type to connect to your work email server through the
BlackBerry Infrastructure
and
BlackBerry UEM
. If you use the
BlackBerry Secure Gateway
, you don't have to expose your mail server outside of the firewall to allow users with these devices to receive work email when they are not connected to your organization's VPN or work
Wi-Fi
network.
Integration with
BlackBerry Dynamics
You can use the
BlackBerry Dynamics
profile to allow
iOS
devices to access
BlackBerry Dynamics
productivity apps such as
BlackBerry Work
,
BlackBerry Access
, and
BlackBerry Connect
. You can assign the
BlackBerry Dynamics
profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable
BlackBerry Dynamics
for users that are not already
BlackBerry Dynamics
enabled.
Per-app VPN
You can set up per-app VPN for
iOS
devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For
iOS
devices, apps are associated with a VPN profile when you assign the app or app group to a user, user group, or device group.
Apple
Activation Lock
The Activation Lock feature requires the user's
Apple
ID and password before a user can turn off Find My iPhone, erase the device, or reactivate and use the device. You can bypass the activation lock to give a COPE or COBO device to a different user.
Personal app lists
You can view a list of apps that are installed in a user's personal space on
iOS
devices in your environment. You can view a list of personal apps installed on a user’s device on the User Details page or view a list of all personal apps installed in users’ personal spaces on the Personal apps page in the management console.
Lost Mode for supervised
iOS
devices
Lost Mode allows you to lock a device, set a message that you want to display, and view the current location of the lost device. You can enable Lost Mode for supervised
iOS
devices.
IBM Notes Traveler
support
iOS
devices can connect to
IBM Notes Traveler
through the
BlackBerry Secure Gateway
.
Face ID support
BlackBerry UEM
supports Face ID for device authentication and to open
BlackBerry Dynamics
apps.
Shared device management
You can allow multiple users to share an
iOS
device. You can customize terms of use that users must accept to check out shared devices. A user can check out a device using local authentication and when they are done using it, they can check it in and the device is available for the next user. Shared devices remain managed by
BlackBerry UEM
during the check-out and check-in process. This feature was designed for supervised devices with the following configuration:
  • App lock mode enabled
  • VPP apps assigned
iPad
iPad
devices can be shared between multiple users. When users sign in with a Managed
Apple
ID their data loads, and the user then has access to their own email accounts, files,
iCloud
Photo Library, app data, and more.

Android
devices

Feature
Description
Manage
Android Enterprise
devices
You can activate
Android
devices to use
Android Enterprise
, which is a feature developed by
Google
that provides additional security for organizations that want to manage
Android
devices and allow their data and apps on
Android
devices.
Devices can be activated to have only a work profile, or to have both work and personal profiles. You can have full control over both profiles and have the ability to wipe the entire device, or you can allow user privacy for the personal profile and only have the ability to wipe work data from the device.
Samsung
devices offer additional administrator options, including an enhanced set of IT policy rules, when activated with
Android Enterprise
Customers who have configured
BlackBerry UEM
to manage
Google Play
accounts can now migrate
Android Enterprise
devices from an on-premises
BlackBerry UEM
server to
UEM Cloud
or another on-premises
BlackBerry UEM
server.
Work and personal – full control activations for
Android Enterprise
devices
This activation type is for devices running
Android
8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password.
Manage devices using
Knox
MDM and
Knox Workspace
BlackBerry UEM
can also manage
Samsung
devices using
Samsung Knox
MDM and
Samsung Knox Workspace
.
Knox Workspace
provides an encrypted, password-protected container on a
Samsung
device that includes your work apps and data. It separates a user’s personal apps and data from your organization’s apps and data and protects your apps and data using enhanced security and management capabilities that
Samsung
developed.
When a device is activated,
BlackBerry UEM
automatically identifies whether the device supports
Knox
. In addition to the standard
Android
management capabilities,
BlackBerry UEM
includes the following management capabilities for devices that support
Knox
:
  • An enhanced set of IT policy rules
  • Enhanced application management including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions to installing restricted apps
  • App lock mode
For more information about supported devices, see the Compatibility matrix. For more information about
Knox
, visit https://www.samsungknox.com.
Integration with
BlackBerry Dynamics
You can use the
BlackBerry Dynamics
profile to allow
Android
devices to access
BlackBerry Dynamics
productivity apps such as
BlackBerry Work
,
BlackBerry Access
, and
BlackBerry Connect
. You can assign the
BlackBerry Dynamics
profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable
BlackBerry Dynamics
for users that are not already
BlackBerry Dynamics
enabled.
Per-app VPN
You can enable per-app VPN for
Android
devices that have a work profile to restrict the use of
BlackBerry Secure Connect Plus
to specific work space apps that you add to an allowed list.
Zero-touch enrollment
BlackBerry UEM
supports devices running
Android
8.0 or later that have been enabled for zero-touch enrollment. Zero-touch enrollment offers a seamless deployment method for organization-owned Android devices making large-scale device deployment fast, easy, and secure for the organization and employees. Zero-touch enrollment makes it simple for IT administrators to configure devices online and have enforced management ready when employees receive their devices. See the information from
Google
: Zero-touch enrollment management, and the zero-touch enrollment overview information. You can get started with zero-touch enrollment in just a few steps: purchase devices, assign the devices to users, configure policies for your organization, and deploy the devices to users. You need to work with your reseller or carrier to get access to the Zero-touch portal and get devices configured in the portal.
Support for app-based PKI solutions
Support for app-based PKI solutions, such as
Purebred
, which can enroll certificates for
BlackBerry Dynamics
apps. You can install the PKI app on devices and allow the latest versions of
BlackBerry Dynamics
apps, such as
BlackBerry Work
and
BlackBerry Access
, to use certificates enrolled through the PKI app.
SafetyNet
and
Play Integrity
When administrators enable
Android
SafetyNet
or
Google Play Integrity
attestation,
BlackBerry UEM
sends challenges to test the authenticity and integrity of
Android
devices that have been activated with the
Android Enterprise
,
Samsung Knox
, and MDM controls activation types in your organization's environment.
Security patch level enforcement for
BlackBerry Dynamics
apps
You can apply security patch level enforcement to BlackBerry Dynamics apps. If the security patch level is not met, you can choose to delete the BlackBerry Dynamics app data, not allow BlackBerry Dynamics apps to run on the device, or perform no actions on the device.
Derived smart credentials
Use
Entrust IdentityGuard
derived smart credentials for signing, encryption, and authentication for
BlackBerry Dynamics
apps and apps in the work space on
Android Enterprise
and
Samsung Knox Workspace
devices.
Factory reset protection for
Android Enterprise
devices
You can set up a Factory reset protection profile for your organization’s
Android Enterprise
devices that have been activated using the Work space only activation type. This profile allows you to specify a user account that can be used to unlock a device after it has been reset to factory settings or remove the need to sign in after the device has been reset to factory settings.

Windows 10
devices

Feature
Description
Support for
Windows 10
devices
You can manage
Windows 10
devices, including
Windows
10 Mobile devices and
Windows 10
tablets and computers. 
Proxy support for
Windows 10
devices
You can configure VPN and Wi-Fi work connections for
Windows 10
devices and you can set up a proxy server as part of the
Wi-Fi
profile for
Windows 10 Mobile
devices.
Per-app VPN
You can set up per-app VPN for
Windows 10
devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For
Windows 10
devices, apps are added to the app trigger list in the VPN profile.
Windows
Information Protection for
Windows 10
devices
You can configure
Windows
Information Protection profiles to separate personal and work data on devices, prevent users from sharing work data outside of protected work apps or with people outside your organization, and audit inappropriate data sharing practices. You can specify which apps are protected and trusted to create and access work files.
Whitelist antivirus vendors
In the compliance profile, in the “Antivirus status” rule for
Windows
devices, you can choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.
Azure
Active Directory
Join
BlackBerry UEM
supports
Azure
Active Directory
Join which allows a simplified MDM enrollment process for
Windows 10
devices. Users can enroll their devices with
BlackBerry UEM
using their
Azure
Active Directory
username and password.
Azure
Active Directory
Join is also required to support
Windows
AutoPilot, which allows
Windows 10
devices to be automatically activated with
BlackBerry UEM
during the
Windows 10
out-of-box setup experience.
Note
: To enable automatic MDM enrollment with
BlackBerry UEM
during the
Windows 10
out-of-box setup, a
BlackBerry UEM
certificate must be installed on the device.

macOS
devices

Feature
Description
Basic device management using device controls
When a user activates a
macOS
device, the device and the user are set up as separate entities on
BlackBerry UEM
. Separate communication channels are established between
BlackBerry UEM
and the device and
BlackBerry UEM
and the user account, allowing you to manage the device and the user separately.
Profiles and policies
Some profiles are assigned to the user only, for example email profiles. Some profiles are assigned to the device only, for example proxy profiles. Some profiles allow you to choose whether to apply the profile to the device or the user, for example
Wi-Fi
profiles.
You can control the device using commands and IT policies. Users activate
macOS
devices using
BlackBerry UEM Self-Service
.