Skip Navigation

UEM
migration best practices and considerations

Migrating IT policies, profiles, and groups

Item
Considerations and best practices
Items copied from a source
UEM
server
  • Selected IT policies
  • Email profiles
  • Wi-Fi
    profiles
  • VPN profiles
  • Proxy profiles
  • BlackBerry Dynamics
    connectivity profiles
  • BlackBerry Dynamics
    profiles
  • App configuration settings
  • CA certificate profiles
  • Shared certificate profiles
  • Certificate retrieval
  • User credential profiles
  • SCEP profiles
  • CRL profiles
  • OSCP profiles
  • Certification authority settings (Entrust and PKI connector only)
  • Client certificates (app usage)
  • Any policies and profiles that are associated with the policies and profiles you select
Items copied from a source
Good Control
server to
UEM
on-premises only
  • Policy sets
  • Connectivity profiles
  • App groups
  • App usage (for certificates)
  • Certificates
Group migration
User, role, and software configuration assignments are not migrated. You must manually recreate these assignments on the destination
UEM
server.
IT policy passwords
If any of the source IT policies you selected for
Android
devices has a minimum password length of less than 4 or more than 16, no
UEM
IT policies or profiles can be migrated. Change the source IT policy accordingly.
Profile names
After migration, you must make sure that all SCEP, user credential, shared certificate, and CA certificate profiles have unique names. If two profiles of the same type have the same name, you must edit one of the profile names.
BlackBerry Dynamics
connectivity profiles
he values from the App servers tab are not migrated. The values are populated using the default values from the destination
UEM
server. Some of the values from the Infrastructure tab are not migrated. The administrator must manually edit each migrated profile and set the values for the Primary
BlackBerry Proxy
cluster and the Secondary
BlackBerry Proxy
cluster.
App groups (
Good Control
to
UEM
on-premises only)
The Everyone group is migrated but has no users assigned to it and is not related to the All Users group on the destination
UEM
server.
Certificate usage (
UEM
)
Certificate usage is migrated, except for:
  • Certificate usages that already exist on the destination server
  • Non-
    BlackBerry Dynamics
    apps
  • Custom apps from another
    Good Control
    organization
Post-migration tasks for
BlackBerry Dynamics
users
After you migrate users, devices, groups, and other data from
Good Control
to
UEM
on-premises, or from a source
UEM
on-premises server to
UEM Cloud
, complete the following tasks:
  • Assign app configurations to
    BlackBerry Dynamics
    apps in groups.
  • Assign connectivity profiles to groups.
  • Assign migrated
    BlackBerry Dynamics
    policies and
    Good Control
    compliance policies to users.
  • Set override profiles (
    BlackBerry Dynamics
    profiles and compliance profiles).
  • Move .json file configurations from
    Good Control
    to
    UEM
    .
  • In migrated connectivity profiles, specify the information for app servers and
    BlackBerry Proxy
    clusters.

Migrating users

Item
Maximum number of users
You can migrate a maximum of 1000 users at a time from a source server. If you select more than the maximum number of users, only the maximum number are migrated and the rest are skipped. You can repeat the migration process as needed to migrate all the users from the source server.
Email address
  • Only users with an associated email address can be migrated.
  • You can't migrate a user who already uses the same email address in the destination
    UEM
    server.
  • If two users in the source database have the same email address, only one user is displayed on the Migrate users screen.
Groups
  • You can filter users with no group assignment to include this set of users for a migration.
  • You can't migrate a user who is an owner of a shared device group. The user does not appear in the list of users to migrate.
BlackBerry UEM Self-Service
  • After migration, the user must use the same login information for
    BlackBerry UEM Self-Service
    that they used before migration.
  • After migration, local users must change their password after they log in to
    BlackBerry UEM Self-Service
    for the first time.
  • Users who did not have permission to access
    BlackBerry UEM Self-Service
    before migration are not automatically granted permission after migration.

Migrating devices from a source server

Item
Considerations and best practices
Validate configuration
It is a best practice to migrate one device for each unique configuration (for example, different groups, policies, app configurations, and so on) to make sure the destination server is configured correctly before migrating the rest of your devices.
Maximum number of devices
You can migrate a maximum of 2000 devices at a time from a source server.
Users
  • The device users must exist in the destination
    UEM
    domain.
  • You must migrate all of a user's devices at the same time.
Managed
iOS
devices from a
UEM
source
  • Devices must have the latest version of the
    UEM Client
    .
  • Devices that are assigned an App lock profile can't be migrated because the
    UEM Client
    can't be opened for the migration.
  • Apple
    DEP devices without the
    UEM Client
    are displayed on the list of devices that are not supported for migration, but can be migrated with an alternate method. You must complete additional steps to migrate DEP devices with or without the
    UEM Client
    . See Migrate DEP devices from a source server.
  • User enrollment devices cannot be migrated.
  • In the app settings for all applicable apps, clear the
    Remove the app from the device when the device is removed from BlackBerry UEM
    check box. If you attempt to migrate without performing this step, the app is removed and the device may be unenrolled from
    UEM
    .
Managed
Android
devices from a
UEM
source
  • Android Enterprise
    devices must have the latest version of the
    UEM Client
    installed.
  • You can't migrate
    Android
    devices that have a work profile using a
    Google
    account or
    Google
    domain.
Chrome OS
devices
You can migrate
Chrome OS
devices from a
UEM
source server.
Devices that are not supported for migration
  • Windows
  • macOS
Shared device group
You can't migrate a device that belongs to a shared device group. These devices do not appear in the migration list.
BlackBerry Dynamics
-enabled devices
  • In the Migrate devices screen, the Incompatible containers column displays the number of
    BlackBerry Dynamics
    apps for each device that can't be migrated and the total number of
    BlackBerry Dynamics
    apps for each device. Click on the number to see the
    BlackBerry Dynamics
    apps that are incompatible with migration.
  • BlackBerry Access for Windows
    ,
    BlackBerry Access for macOS
    , and
    BlackBerry Bridge
    are not supported for migration. After the migration is complete, users must re-enroll these apps.
  • The migration process does not track or guarantee migration of the
    UEM Client
    and apps activated on a device after that device's data is cached. It is a best practice to refresh the user cache before each migration.
  • BlackBerry Dynamics
    -enabled devices are always enrolled for
    BlackBerry Dynamics
    on the destination server.
  • For migrations from a
    Good Control
    (standalone) instance,
    Good Dynamics
    MDM enrollments are not migrated.
  • If a user has more than one device with
    BlackBerry Dynamics
    apps, all the devices are automatically selected for migration.
  • If a user forgets the password for a
    BlackBerry Dynamics
    app after migration has been initiated, but before the container has completed migration, the unlock access key must be obtained from the
    UEM
    source server. After the migration is complete, the key must be obtained from the destination
    UEM
    server.
  • To trigger the migration on the device, it is a best practice to first open the app that is configured as the authentication delegate on the device.