Skip Navigation

Create an activation profile

  1. In the management console, on the menu bar, click
    Policies and profiles > Policy > Activation
    .
  2. Click the add icon.
  3. Type a name and description for the profile.
  4. In the
    Number of devices that a user can activate
    field, specify the maximum number of devices that a user can activate.
  5. In the
    Device ownership
    drop-down list, select one of the following:
    • If some users activate personal devices and some users activate work devices, select
      Not specified
      .
    • If most users activate work devices, select
      Work
    • If most users activate personal devices, select
      Personal
      .
  6. Optionally, in the
    Assign organization notice
    drop-down list, select an organization notice. If you assign an organization notice, users activating
    iOS
    ,
    iPadOS
    ,
    macOS
    , or
    Windows 10
    devices must accept the notice to complete the activation process.
  7. In the
    Device types that users can activate
    section, select the device OS types that users can activate.
  8. For each device type that you include in the activation profile, perform the following actions:
    1. Click the tab for the device type.
    2. In the
      Device model restrictions
      drop-down list, select one of the following options:
      • No restrictions
        : Users can activate any device model.
      • Allow selected device models
        : Users can activate only the device models that you specify.
      • Do not allow selected device models
        : Users can't activate the device models that you specify.
      If you restrict the device models users can activate, click
      Edit
      to select the devices you want to allow or restrict and click
      Save
      .
    3. In the
      Minimum allowed version
      drop-down list, select the minimum allowed OS version.
    4. Select the supported activation types.
      For
      Android
      devices, you can select multiple activation types and rank them. For all other device types, you can select only one activation type.
      You must create separate activation profiles for
      Android Enterprise
      and
      Android Management
      . If
      Android Enterprise
      and
      Android Management
      activation types are specified in the same profile, the
      Android Management
      type will take precedence, even if it is ranked lower than
      Android Enterprise
      . Only the password and activation information for the
      Android Management
      activation type will be embedded in the QR Code.
  9. For
    iOS
    and
    iPadOS
    devices, perform the following actions:
    1. If you selected the
      User privacy
      activation type and you want to enable SIM-based licensing, select
      Allow access to SIM card and device hardware information to enable SIM-based licensing
      .
    2. If you selected the
      User privacy
      activation type and you want to manage specific features, select the appropriate check boxes.
    3. If you selected the MDM controls or
      User privacy
      (with SIM-based licensing) activation types and you only want to activate supervised devices, select
      Do not allow unsupervised devices to activate
      .
    4. Optionally, in the
      iOS app integrity check
      section, select one of the following attestation methods:
      • Perform app integrity check on BlackBerry Dynamics app activation
        : Use this method to send challenges to devices when they are activated to check the integrity of
        iOS
        work apps.
      • Perform periodic app integrity checks
        : Use this method to send challenges to devices to check the integrity of
        iOS
        work apps.
      To perform
      iOS
      app integrity checking, you must enable
      CylancePROTECT
      in your
      UEM
      domain. For more information, see Enable CylancePROTECT Mobile in your UEM domain.
    5. Optionally, in the
      Managed device attestation
      section, select one of the following attestation methods:
    • Perform Managed device attestation on device activation
      : Use this method to send challenges to devices when they are activated to check the integrity of the device properties.
    • Perform periodic Managed device attestation
      : Use this method to send challenges periodically to check the integrity of the device properties.
    To perform managed device attestation on
    iOS
    devices, you must enable the feature. For more information, see Configure attestation for
    iOS
    devices
    in the Administration content.
    Managed device attestation applies to the
    MDM controls
    and the
    User privacy
    activation types, but not the
    User privacy - User enrollment
    activation type. When you select the
    User privacy
    activation type, you must select at least one of the management options (such as "Allow VPN management").
  10. For
    Android
    devices, perform the following actions:
    1. If you selected more than one activation type type, click the up and down arrows to rank them. Devices receive the highest ranked profile that they support.
    2. If you selected a
      Samsung Knox
      activation type and you want to use
      Google Play
      to manage work apps, select
      Google Play app management for Samsung Knox Workspace devices
      . This option is available only if you have configured a connection to a Google domain..
      Samsung Knox
      activation types will be deprecated in a future release. Devices that support
      Knox Platform for Enterprise
      can be activated using the
      Android Enterprise
      activation types.
    3. If you selected an
      Android Enterprise
      activation type, select the appropriate
      Android Enterprise
      options:
      • To enable
        BlackBerry Secure Connect Plus
        and
        Knox
        Platform for Enterprise features (for devices that support
        Samsung Knox
        ) on devices with an appropriate license, select
        When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus
        .
      • To enable
        Samsung Knox
        DualDAR encryption for devices that support it, select
        Enable Samsung Knox DualDAR Workspace
        .
      • To allow
        Google Play
        app management in the work space, select
        Add Google Play account to work space
        .
      • To allow
        UEM
        to restrict activation by device ID, select
        Allow only approved device IDs
        This option is supported only for
        Work space only
        and
        Work and personal - full control
        devices.
      • To specify the network type that users can activate a device over, in the
        QR Code enrollment
        drop-down list, select a network. This option is supported only for
        Work space only
        and
        Work and personal - full control
        devices.
    4. Optionally, in the
      SafetyNet or Play Integrity attestation options
      section, select one of the following attestation methods:
      • Perform SafetyNet or Play Integrity attestation for device
        : Use this method to send challenges to test the authenticity and integrity of devices.
      • Perform SafetyNet attestation on device activation (Applies only to UEM Client versions that do not support Play Integrity)
        : Use this method to send challenges to test the authenticity and integrity of devices when they are activated.
      • Perform SafetyNet or Play Integrity attestation on BlackBerry Dynamics app activation
        : Use this method to send challenges to test the authenticity and integrity of
        BlackBerry Dynamics
        apps when they are activated.
    5. If you want
      UEM
      to send challenges to devices when they are activated to ensure the required security patch level is installed, in the
      Hardware attestation options
      section, select
      Enforce attestation compliance rules during activation
      .
  11. For
    Windows 10
    devices, select one or both form factor options.
  12. Click
    Add
    .
  • If necessary, rank activation profiles.
  • Assign the profile to user accounts and groups.