
Key features for each device type

iOS devices

Feature
Description
Device activation
You can use Apple Configurator 2 to prepare devices for activation with UEM. Users can activate the prepared devices without using the BlackBerry UEM Client.

Filter web content
You can use web content filter profiles to limit the websites that a user can view on a device. You can enable automatic filtering with the option to allow and restrict websites, or allow access only to specific websites.

Link Apple VPP accounts to a UEM domain
The Volume Purchase Program (VPP) allows you to buy and distribute iOS apps in bulk. You can link Apple VPP accounts to a UEM domain so that you can distribute purchased licenses for iOS apps associated with the VPP accounts.

Apple Device Enrollment Program
You can configure UEM to use the Apple Device Enrollment Program (DEP) so that you can synchronize UEM with the DEP. After you configure UEM, you can use the management console to manage the activation of the iOS devices that your organization purchased for the DEP. You can use multiple DEP accounts. You can link multiple Apple DEP accounts to one UEM domain.

Support for app-based PKI solutions
UEM supports app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can now install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.

Custom payload profiles
You can use custom payload profiles to control features on iOS devices that are not controlled by existing UEM policies or profiles. You can create Apple configuration profiles using Apple Configurator and add them to UEM custom payload profiles. You can assign the custom payload profiles to users, user groups, and device groups.

BlackBerry Secure Gateway
BlackBerry Secure Gateway allows iOS devices with the MDM controls activation type to connect to your work email server through the BlackBerry Infrastructure and UEM. If you use BlackBerry Secure Gateway, you don't have to expose your mail server outside of the firewall to allow users with these devices to receive work email when they are not connected to your organization's VPN or work Wi-Fi network.

Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow iOS devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.

Per-app VPN
You can set up per-app VPN for iOS devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or web pages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For iOS devices, apps are associated with a VPN profile when you assign the app or app group to a user, user group, or device group.

Apple Activation Lock
The activation lock feature requires the user's Apple ID and password before a user can turn off Find My iPhone, erase the device, or reactivate and use the device. You can bypass the activation lock to give a COPE or COBO device to a different user.

Personal app lists
You can view a list of apps that are installed in a user's personal space on iOS devices in your environment. You can view a list of personal apps installed on a user’s device on the user details page or view a list of all personal apps installed in users’ personal spaces on the personal apps page in the management console.

Run app lock mode
On iOS devices that are supervised using Apple Configurator 2, you can use an app lock mode profile to limit the device to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sale demonstrations.

Lost mode for supervised iOS devices
Lost mode allows you to lock a device, set a message that you want to display, and view the current location of the lost device. You can enable lost mode for supervised iOS devices.

IBM Notes Traveler support
iOS devices can connect to IBM Notes Traveler through the BlackBerry Secure Gateway.

Face ID support
UEM supports Face ID for device authentication and to open BlackBerry Dynamics apps.

Shared device management
You can allow multiple users to share an iOS device. You can customize terms of use that users must accept to check out shared devices. A user can check out a device using local authentication, and when they are done using it, they can check it in and the device is available for the next user. Shared devices remain managed by UEM during the check-out and check-in process. This feature was designed for supervised devices with the following configuration:
  • App lock mode enabled
  • VPP apps assigned

iPad
iPad devices can be shared between multiple users. When users sign in with a managed Apple ID, their data loads and the user can access their own email accounts, files, iCloud photo library, app data, and more.

Android devices

Feature
Description
Manage Android Enterprise and Android Management devices
You can activate Android devices to use Android Enterprise or Android Management, which are features developed by Google that provide additional security for organizations that want to manage and allow apps and data on Android devices.
Devices can be activated to have only a work profile, or to have both work and personal profiles. You can have full control over both profiles and have the ability to wipe the entire device, or you can allow user privacy for the personal profile and only have the ability to wipe work data from the device.
Samsung devices offer additional administrator options, including an enhanced set of IT policy rules, when activated with Android Enterprise.

Work and personal – full control activations for Android Enterprise and Android Management devices
This activation type allows you to manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password.

Manage devices using Knox MDM and Knox Workspace
UEM can also manage Samsung devices using Samsung Knox MDM and Samsung Knox Workspace.
Knox Workspace provides an encrypted, password-protected container on a Samsung device that includes your work apps and data. It separates a user’s personal apps and data from your organization’s apps and data, and protects work apps and data using enhanced security and management capabilities that Samsung developed.
When a device is activated, UEM automatically identifies whether the device supports Knox. In addition to the standard Android management capabilities, UEM includes the following capabilities for devices that support Knox:
  • An enhanced set of IT policy rules
  • Enhanced application management including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions on installing restricted apps
  • App lock mode
For more information about supported devices, see the Compatibility matrix.

Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow Android devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.

Per-app VPN
You can enable per-app VPN for Android devices that have a work profile to restrict the use of BlackBerry Secure Connect Plus to specific work space apps that you add to an allowed list.

Zero-touch enrollment
UEM supports devices that have been enabled for zero-touch enrollment. Zero-touch enrollment offers a seamless deployment method for organization-owned Android devices, making large-scale device deployment fast, easy, and secure. Zero-touch enrollment makes it simple for IT administrators to configure devices online and have enforced management ready when employees receive their devices. For more information from Google, see Zero-touch enrollment management and the zero-touch enrollment overview. You can get started with zero-touch enrollment in just a few steps: purchase devices, assign the devices to users, configure policies for your organization, and deploy the devices to users. You need to work with your reseller or carrier to get access to the Zero-touch portal and get devices configured in the portal.

Support for app-based PKI solutions
UEM supports app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can now install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.

SafetyNet and Play Integrity
When administrators enable Android SafetyNet or Google Play Integrity attestation, UEM sends challenges to test the authenticity and integrity of Android devices that have been activated with the Android Enterprise, Samsung Knox, and MDM controls activation types in your organization's environment.

Security patch level enforcement for BlackBerry Dynamics apps
You can apply security patch level enforcement to BlackBerry Dynamics apps. If the security patch level is not met, you can choose to delete the BlackBerry Dynamics app data, not allow BlackBerry Dynamics apps to run on the device, or perform no actions on the device.

Derived smart credentials
Use Entrust IdentityGuard derived smart credentials for signing, encryption, and authentication for BlackBerry Dynamics apps and apps in the work space on Android Enterprise and Samsung Knox Workspace devices.

Factory reset protection for Android Enterprise devices
You can set up a factory reset protection profile for your organization’s Android Enterprise devices that have been activated using the Work space only activation type. This profile allows you to specify a user account that can be used to unlock a device after it has been reset to factory settings or remove the need to sign in after the device has been reset to factory settings.

Windows devices

Feature
Description
Support for Windows 10 devices
You can manage Windows devices, including Windows 10 Mobile devices and Windows 10 tablets and computers.

Proxy support for Windows 10 devices
You can configure VPN and Wi-Fi work connections for Windows 10 devices and you can set up a proxy server as part of the Wi-Fi profile for Windows 10 Mobile devices.

Per-app VPN
You can set up per-app VPN for Windows 10 devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or web pages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.

Windows Information Protection for Windows 10 devices
You can configure Windows Information Protection profiles to separate personal and work data on devices, prevent users from sharing work data outside of protected work apps or with people outside of your organization, and audit inappropriate data sharing practices. You can specify which apps are protected and trusted to create and access work files.

Allow antivirus vendors
In the compliance profile, in the “Antivirus status” rule for Windows devices, you can choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not allowed.

Entra ID Join
UEM supports Entra ID Join, which allows a simplified MDM enrollment process for Windows 10 devices. Users can enroll their devices with UEM using their Entra ID username and password.
Entra ID Join is also required to support Windows AutoPilot, which allows Windows 10 devices to be automatically activated with UEM during the Windows 10 out-of-box setup experience.

macOS devices

Feature
Description
Basic device management using device controls
When a user activates a macOS device, the device and the user are set up as separate entities on UEM. Separate communication channels are established between UEM and the device and between UEM and the user account, allowing you to manage the device and the user separately.

Profiles and policies
Some profiles are assigned to the user only (for example, email profiles). Some profiles are assigned to the device only (for example, proxy profiles). Some profiles allow you to choose whether to apply the profile to the device or the user (for example, Wi-Fi profiles).
You can control the device using commands and IT policies. Users activate macOS devices using BlackBerry UEM Self-Service.