Get the PDF

Create an activation profile

In the management console, on the menu bar, click

Policies and profiles > Policy > Activation

Click

Type a name and description for the profile.

In the

Number of devices that a user can activate

field, specify the maximum number of devices that a user can activate.

In the

Device ownership

drop-down list, select one of the following:

If some users activate personal devices and some users activate work devices, select

Not specified

If most users activate work devices, select

Work

If most users activate personal devices, select

Personal

Optionally, in the

Assign organization notice

drop-down list, select an organization notice. If you assign an organization notice, users activating

iOS

iPadOS

macOS

, or

Windows 10

devices must accept the notice to complete the activation process.

In the

Device types that users can activate

section, select the device OS types that users can activate.

For each device type that you include in the activation profile, perform the following actions:

Click the tab for the device type.

In the

Device model restrictions

drop-down list, select one of the following options:

No restrictions

: Users can activate any device model.

Allow selected device models

: Users can activate only the device models that you specify.

Do not allow selected device models

: Users can't activate the device models that you specify.

If you restrict the device models users can activate, click

Edit

to select the devices you want to allow or restrict and click

Save

In the

Minimum allowed version

drop-down list, select the minimum allowed OS version.

Select the supported activation types.

For

Android

devices, you can select multiple activation types and rank them. For all other device types, you can select only one activation type.

You must create separate activation profiles for

Android Enterprise

and

Android Management

. If

Android Enterprise

and

Android Management

activation types are specified in the same profile, the

Android Management

type will take precedence, even if it is ranked lower than

Android Enterprise

. Only the password and activation information for the

Android Management

activation type will be embedded in the QR Code.

For

iOS

and

iPadOS

devices, perform the following actions:

If you selected the

User privacy

activation type and you want to enable SIM-based licensing, select

Allow access to SIM card and device hardware information to enable SIM-based licensing

If you selected the

User privacy

activation type and you want to manage specific features, select the appropriate check boxes.

If you selected the MDM controls or

User privacy

(with SIM-based licensing) activation types and you only want to activate supervised devices, select

Do not allow unsupervised devices to activate

Optionally, in the

iOS app integrity check

section, select one of the following attestation methods:

Perform app integrity check on BlackBerry Dynamics app activation

: Use this method to send challenges to devices when they are activated to check the integrity of

iOS

work apps.

Perform periodic app integrity checks

: Use this method to send challenges to devices to check the integrity of

iOS

work apps.

To perform

iOS

app integrity checking, you must enable

CylancePROTECT

in your

UEM

domain. For more information, see Enable CylancePROTECT Mobile in your UEM domain.

Optionally, in the

Managed device attestation

section, select one of the following attestation methods:

Perform Managed device attestation on device activation

: Use this method to send challenges to devices when they are activated to check the integrity of the device properties.

Perform periodic Managed device attestation

: Use this method to send challenges periodically to check the integrity of the device properties.

To perform managed device attestation on

iOS

devices, you must enable the feature. For more information, see Configure attestation for

iOS

devices in the Administration content.

Managed device attestation applies to the

MDM controls

and the

User privacy

activation types, but not the

User privacy - User enrollment

activation type. When you select the

User privacy

activation type, you must select at least one of the management options (such as "Allow VPN management").

For

Android

devices, perform the following actions:

If you selected more than one activation type type, click the up and down arrows to rank them. Devices receive the highest ranked profile that they support.

If you selected a

Samsung Knox

activation type and you want to use

Google Play

to manage work apps, select

Google Play app management for Samsung Knox Workspace devices

. This option is available only if you have configured a connection to a Google domain..

Samsung Knox

activation types will be deprecated in a future release. Devices that support

Knox Platform for Enterprise

can be activated using the

Android Enterprise

activation types.

If you selected an

Android Enterprise

activation type, select the appropriate

Android Enterprise

options:

To enable

BlackBerry Secure Connect Plus

and

Knox

Platform for Enterprise features (for devices that support

Samsung Knox

) on devices with an appropriate license, select

When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus

To enable

Samsung Knox

DualDAR encryption for devices that support it, select

Enable Samsung Knox DualDAR Workspace

To allow

Google Play

app management in the work space, select

Add Google Play account to work space

To allow

UEM

to restrict activation by device ID, select

Allow only approved device IDs

This option is supported only for

Work space only

and

Work and personal - full control

devices.

To specify the network type that users can activate a device over, in the

QR Code enrollment

drop-down list, select a network. This option is supported only for

Work space only

and

Work and personal - full control

devices.

Optionally, in the

SafetyNet or Play Integrity attestation options

section, select one of the following attestation methods:

Perform SafetyNet or Play Integrity attestation for device

: Use this method to send challenges to test the authenticity and integrity of devices.

Perform SafetyNet attestation on device activation (Applies only to UEM Client versions that do not support Play Integrity)

: Use this method to send challenges to test the authenticity and integrity of devices when they are activated.

Perform SafetyNet or Play Integrity attestation on BlackBerry Dynamics app activation

: Use this method to send challenges to test the authenticity and integrity of

BlackBerry Dynamics

apps when they are activated.

If you want

UEM

to send challenges to devices when they are activated to ensure the required security patch level is installed, in the

Hardware attestation options

section, select

Enforce attestation compliance rules during activation

For

Windows 10

devices, select one or both form factor options.

Click

Add

If necessary, rank activation profiles.

Assign the profile to user accounts and groups.

Section:

Creating activation profiles