Activation types: Android devices

For Android devices, you can select multiple activation types and rank them to ensure that BlackBerry UEM assigns the most appropriate activation type for the device. For example, if you rank Work and personal - user privacy (Samsung Knox) first and Work and personal - user privacy (Android Enterprise) second, devices that support Samsung Knox Workspace receive the first activation type and devices that don't support Samsung Knox Workspace receive the second.

Android Management devices

Before activating devices with Android Management activation types, review the Considerations for Android Management activation types.

Activation type: Work and personal - user privacy (Android Management with work profile)
Description: This activation type maintains privacy for personal data but allows you to manage work data using commands and IT policy rules. A work profile is created on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication.

Activation type: Work and personal - full control (Android Management fully managed device with work profile)
Description: This activation type allows you to manage the entire device using commands and IT policy rules. A work profile is created on the device that separates work and personal data. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports logging of device activity (SMS, MMS, and phone calls) in UEM log files.
Following activation, Work and personal - full control devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, in the personal space. The list of retained pre-installed apps depends on the device vendor and OS version.
This activation type requires the device to be reset to factory default settings before it is activated. If the BlackBerry UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.

Activation type: Work space only (Android Management fully managed device)
Description: This activation type allows you to manage the entire device using commands and IT policy rules. This activation type requires the user to reset the device to factory settings before activating. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password.
During activation, the device installs the UEM Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app.
Following activation, Work space only devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained pre-installed apps depends on the device vendor and OS version.
This activation type requires the device to be reset to factory default settings before it is activated. If the UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.

Android Enterprise devices

Activation type: Work and personal - user privacy (Android Enterprise with work profile)
Description: This activation type maintains privacy for personal data but allows you to manage work data using commands and IT policy rules. A work profile is created on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication.
To allow Google Play app management for Android Enterprise devices, select "Add Google Play to the workspace" in the activation profile (enabled by default). If the device does not have access to Google Play, the user must download the latest UEM Client from a different source. To download the .apk file of the latest UEM Client, see KB 42607.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.
Users do not have to grant Administrator permissions to the UEM Client.

Activation type: Work and personal - full control (Android Enterprise fully managed device with work profile)
Description: This activation type allows you to manage the entire device using commands and IT policy rules. A work profile is created on the device that separates work and personal data. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports logging of device activity (SMS, MMS, and phone calls) in UEM log files.
To allow Google Play app management for Android Enterprise devices, select "Add Google Play account to the work space" in the activation profile (enabled by default).
Following activation, Work and personal - full control devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, in the personal space. The list of retained pre-installed apps depends on the device vendor and OS version.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.
To specify whether UEM can limit activation by device ID, select "Allow only approved device IDs" in the activation profile.
This activation type requires the device to be reset to factory default settings before it is activated. If the UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.
During activation, users must grant Administrator permissions to the UEM Client.

Activation type: Work space only (Android Enterprise fully managed device)
Description: This activation type allows you to manage the entire device using commands and IT policy rules. It requires the user to reset the device to factory settings before activation. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password.
To allow Google Play app management for Android Enterprise devices, select "Add Google Play to the workspace" in the activation profile (enabled by default). If the device does not have access to Google Play, the user can download the UEM Client using an .apk file of the app. You can configure and include a QR Code that contains the location of the UEM Client source file in the activation email message that you send to users. When a user scans the QR Code, the UEM Client automatically downloads.
To configure and include a QR Code in the activation email message, you must select the “Allow QR codes for device activation” check box in the Activation defaults page (Settings > General settings > Activation defaults). You must also select the “Allow QR code to contain location of UEM Client app source file” check box and specify the location of the UEM Client app source file. To get the .apk file of the latest version of the UEM Client, see KB 42607.
During activation, the device installs the UEM Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app.
Following activation, Work space only devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained pre-installed apps depends on the device vendor and OS version.
To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.
To specify whether UEM can limit activation by device ID, select "Allow only approved device IDs" in the activation profile.
This activation type requires the device to be reset to factory default settings before it is activated. If the UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.

Android devices without a work profile

The following activation types apply to all Android devices.

Activation type: User privacy
Description: You can use the User privacy activation type to provide basic control of devices, including work app management, while making sure that users' personal data remains private. A separate container is not created on the device. To provide security for work data you can install BlackBerry Dynamics apps. Devices activated with User privacy can use services such as Find my Phone and Root Detection, but administrators cannot control device policies.
You can also use the User privacy activation type to activate Chrome OS devices so that you can install and manage Android BlackBerry Dynamics apps.

Activation type: Device registration for BlackBerry 2FA only
Description: This activation type supports the BlackBerry 2FA solution for devices that UEM does not manage. This activation type does not provide any device management or controls, but it allows devices to use the BlackBerry 2FA feature. To use this activation type, you must also assign the BlackBerry 2FA profile to users.
When a device is activated, you can view limited device information in the management console, and you can deactivate the device using a command.
This activation type is supported only for Microsoft Active Directory users.
For more information, see the BlackBerry 2FA content.

Samsung Knox Workspace devices

Samsung Knox activation types will be deprecated in a future release. Devices that support Knox Platform for Enterprise can be activated using the Android Enterprise activation types. For more information, see KB 54614.

Activation type: Work and personal - user privacy - (Samsung Knox)
Description: This activation type maintains privacy for personal data but allows you to manage work data using commands and IT policy rules. This activation type does not support the Knox MDM IT policy rules. A separate work space is created on the device, and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. The user must also create a screen lock password to protect the entire device and will not be able to use USB debugging mode.
During activation, users must grant Administrator permissions to the UEM Client.

Activation type: Work and personal - full control (Samsung Knox)
Description: This activation type allows you to manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. A separate work space is created on the device, and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.
During activation, users must grant Administrator permissions to the UEM Client.

Activation type: Work space only - (Samsung Knox)
Description: This activation type allows you to manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. This activation type removes the personal space and installs a work space. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports logging of device activity (SMS, MMS, and phone calls) in UEM log files.
During activation, users must grant Administrator permissions to the UEM Client.