
Fixed issues in UEM 12.22 and UEM Cloud

UEM on-premises 12.22 Maintenance Release 1 and UEM Cloud August update

In September 2025, Microsoft will release a Windows update to enforce specific strong certificate to user identity mapping requirements. For details, see Microsoft KB 5014754.
If your organization uses a BlackBerry UEM SCEP profile to provide user credential certificates to devices to authenticate with resources such as Microsoft Exchange Server, after the Windows September update, the certificates will be rejected by the Microsoft Domain Controller's KDC services if they do not include a user SID value. When user credential certificates are delivered using a SCEP profile, UEM does not add the user's SID object property to the certificate request, as required by the Microsoft September update. As a result, email will not synchronize on users' devices and users will not be able to access any impacted services that use certificate-based authentication.
UEM on-premises version 12.22 MR1 and the UEM Cloud August update include a fix to address this issue and prevent disruption by the Windows September update. Your UEM environment is impacted if:
  • You configured and assigned a SCEP profile to users or groups.
  • You associated a SCEP profile with the app configuration of BlackBerry Dynamics apps for iOS or Android devices (BlackBerry Work, BlackBerry Tasks, BlackBerry Notes, BlackBerry Access), or with the app configuration of a third-party app (for example, Samsung Email or Gmail).
  • You associated a SCEP profile with an assigned email profile, Wi-Fi profile, VPN profile, single sign-on profile, single sign-on extension profile, or certificate mapping profile.
If your environment is impacted, you must do the following:
  1. Upgrade to UEM on-premises 12.22 MR1 (UEM Cloud environments will automatically receive the update with the fix).
  2. If your organization uses an LDAP directory connection to Active Directory, you must edit the directory configuration in UEM on-premises or in UEM Cloud to specify the following value in the new User Security Identifier field: objectSid. After you add this value, manually synchronize the directory connection.
  3. After the directory connection is synchronized (you can verify by checking the Last report date link for the directory connection in Settings > External Integration > Company directory), update all SCEP profiles with the SAN type set to URI to add the following to the SAN value field (iOS and Android tabs only):
    tag:microsoft.com,2022-09-14:sid:%UserAdSid%
  4. After the upgrade and profile update, certificate renewal will trigger on users' devices. Instruct BlackBerry Work users to open the app and do the following:
    • iOS: If the status of the app is offline, pull down from the top of the screen while in the inbox to refresh the page. The status should change to "Updated Just Now".
    • Android: Tap the "Authentication failure due to missing certificate" message to reauthenticate with the Microsoft Exchange Server.
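
The mapping that steps 2 and 3 set up can be checked offline. The following added example (not BlackBerry or Microsoft code) decodes a binary objectSid value into its string form and compares it with the SID carried in a certificate's SAN URI entries. The sample objectSid, the function names and the status strings are constructed for illustration.

```python
import re
import struct

# URI prefix taken from step 3; the SID string follows it.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
SID_RE = re.compile(r"S-1-\d+(-\d+){1,15}")

# Constructed sample: binary objectSid for S-1-5-21-1111-2222-3333-1105.
SAMPLE_OBJECTSID = bytes.fromhex("010500000000000515000000") + struct.pack(
    "<4I", 1111, 2222, 3333, 1105)


def sid_from_objectsid(raw: bytes) -> str:
    """Decode the binary objectSid LDAP attribute into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_san_uris(uris):
    """Return the SID from the first well-formed SID URI, else None."""
    for uri in uris:
        if uri.startswith(SID_URI_PREFIX):
            sid = uri[len(SID_URI_PREFIX):]
            # A literal, unsubstituted %UserAdSid% (hypothetical failure
            # case) does not match the SID pattern and is skipped.
            if SID_RE.fullmatch(sid):
                return sid
    return None


def check_certificate(san_uris, objectsid: bytes) -> str:
    """Classify a certificate's SAN URIs against the directory's objectSid."""
    found = sid_from_san_uris(san_uris)
    if found is None:
        return "missing-sid"
    return "ok" if found == sid_from_objectsid(objectsid) else "sid-mismatch"


if __name__ == "__main__":
    good = [SID_URI_PREFIX + "S-1-5-21-1111-2222-3333-1105"]
    print(check_certificate(good, SAMPLE_OBJECTSID))
    print(check_certificate([SID_URI_PREFIX + "%UserAdSid%"], SAMPLE_OBJECTSID))
```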

UEM on-premises 12.22 Quick Fix 2

If UEM was configured with a large number of directory connections, when a user tried to log in to UEM Self-Service, the login might have failed. (EMM-158374)
If your UEM environment included profiles that were configured for older UEM snap-ins that are no longer supported, when you tried to upgrade to UEM 12.22, the upgrade process failed. (EMM-158127)
If UEM tried to remove a device due to a "Device out of contact" compliance violation and did not succeed, UEM did not try to remove the device again. (EMM-157761)

UEM on-premises 12.22 Quick Fix 1

If you used an administrator account that was scoped to manage specific user groups to import user accounts from a CSV file, those users were added to the scoped groups, but were not added to the All Users group. (EMM-158165)
After Samsung device users upgraded the UEM Client to version 12.45.0.158182 or later, some devices were incorrectly reported as out of compliance because they were identified as jailbroken by UEM. The issue is fixed in this release and will no longer occur. Devices that were impacted will remain in the incorrect out of compliance state; to resolve, please submit a ticket with BlackBerry Support. (EMM-157827)

UEM on-premises 12.22 and UEM Cloud (May 2025)

Installation and UEM services
During startup, the UEM Core did not correctly handle the version string format for certain patch releases of JRE 17. If this occurred, the UEM Core did not start as expected. (EMM-157607)
Management console fixed issues
In a UEM Cloud environment, if you configured an administrator role to have access only to certain directory connections, administrators with that role were still able to access and manage users from other directories. (EMM-157961)
If you tried to remove multiple devices from UEM from the Managed devices screen (for example, 40 or more devices), the process might have taken longer than expected and might have caused the UEM Core to stop responding. (EMM-157825)
When you viewed an IT policy or certain profile types that were not in edit mode, you could modify settings, but the changes were not saved because the policy or profile was not in edit mode. (EMM-157727)
In the device SR requirements profile, the text above the OS update rule read "Work space only device OS update rule" even though the OS update rules apply to Work space only and Work and personal - full control activation types. (EMM-157611)
If you copied a BlackBerry Dynamics connectivity profile, certain configurations from the profile were not transferred as expected to the new copy of the profile. (EMM-157541)
The metadata available in the management console for iPad mini 7th generation devices was not correct. (EMM-157498)
If you set your browser to display the management console in French, when you navigated to the Apps page and tried to add an app, a blank box displayed instead of the expected UI to add an app. (EMM-157470)
After upgrading through multiple versions of UEM, an error message displayed when you accessed certain pages in the management console (user device and summary pages, apps page), and compliance profiles did not display as expected. (EMM-157452)
In a UEM Cloud environment, if you had more than one tenant, you were not able to create new Intercede user credential profiles. (EMM-157440)
If you tried to change the device ownership of more than 17 devices at the same time, the following error displayed: “An error was encountered. The device ownership could not be updated.” (EMM-157382)
If you configured certificate-based authentication for the management console and you configured a login notice to display for administrator users, the notice would display a second time after administrators dismissed it. (EMM-157306)
When you navigated to Users > Device vulnerabilities, it may have taken longer than expected for results to display. (EMM-157303)
If you copied an existing app configuration for an Android app but did not change the name, you could not save the app configuration. An error message did not display indicating that the name must be unique. (EMM-157288)
In environments with one instance of UEM, when you checked the installed version in myAccount, it was incorrectly displayed as one version behind the actual version that was installed. (EMM-157259)
When you opened the app configuration for a BlackBerry Dynamics app, the following error message might have displayed if you tried to change a setting in a drop-down list: "An error was encountered. The action cannot be performed." (EMM-157224)
If you enabled the "Automatically update device OS (supervised only)" rule in an IT policy, when you changed the start time, the following error message displayed: "An error was encountered. The action cannot be performed." (EMM-157223)
User, device, and app management fixed issues
After you assigned an Intercede user credential profile, iPad users did not receive a prompt to activate with MyID. (EMA-18761)
Due to a timing condition, when you assigned an Intercede user credential profile to an iOS device user and the user activated the UEM Client with MyID, in some cases the derived credentials certificates from MyID were not stored in the native keystore on the device. (EMA-18759)
The "View external integration settings" administrator role permission granted elevated permissions that were not intended (for example, granting the ability for an administrator to remove an Android Enterprise connection from the management console). (EMM-157970, EMM-157969)
If you assigned a compliance profile to Apple DEP users with the "OS update not applied" rule enabled, UEM was not able to deliver apps or IT policies to those users. (EMM-157891)
In specific circumstances, an offboarding exception that occurred during a group synchronization process caused the entire group synchronization process to roll back. (EMM-157848)
In specific circumstances, when you used UEM to update the OS on a supervised iOS device (Users > Managed devices > initiate update for one or more devices), an exception resulted in the OS update not being applied to the device, and the device could not receive further management commands from UEM. (EMM-157840)
If you configured UEM to synchronize with directory groups and you enabled offboarding, when UEM identified a user to offboard that was still associated with a device, it would attempt to wipe the device. If the device did not have the capability to be wiped, an exception was thrown and the user would not be offboarded. In this scenario, UEM now checks the device capabilities and proceeds to wipe the device or make the device unmanaged so that it can offboard the user. (EMM-157822)
In specific circumstances, when UEM synchronized directory groups, it could load a large number of objects into local memory and cause an out of memory event. (EMM-157721)
In specific circumstances, when UEM synchronized a large number of directory groups, it could cause an out of memory event. (EMM-157719)
Previously, an unlock key that you sent to a user from the management console, or that a user generated with the UEM Self-Service console, could only be used to unlock the BlackBerry Dynamics app that the key was generated for. The unlock key can now be used to unlock any BlackBerry Dynamics app on the user's device. The key expires after it is used to unlock a BlackBerry Dynamics app. You or the user must generate a new key for each app that the user wants to unlock. (EMM-157675)
After upgrading UEM, connections to Microsoft Active Directory might not have worked as expected. This was resolved by additional port requirements for outbound connections to Microsoft Active Directory. (EMM-157496)
If you sent a delete all device data command to an iOS 17 or later device and selected the "Enable Return to Service" option, the selected Wi-Fi profile was not assigned to the device as expected after the device data was deleted. (EMM-157464)
In a rare circumstance, when a user used an unlock key to unlock a BlackBerry Dynamics app on an iOS device, it caused the device to be wiped. (EMM-157277)
If you used UEM to distribute B2B apps to iOS devices from the Apple VPP store, UEM was not able to update the apps on devices from the VPP store. (EMM-157145)