Fixed issues in UEM 12.22 and UEM Cloud
UEM on-premises 12.22 Maintenance Release 1 and UEM Cloud August update
In September 2025, Microsoft will release a Windows update to enforce specific strong certificate to user identity mapping requirements. For details, see Microsoft KB 5014754.
If your organization uses a BlackBerry UEM SCEP profile to provide user credential certificates to devices to authenticate with resources such as Microsoft Exchange Server, after the Windows September update, the certificates will be rejected by the Microsoft Domain Controller’s KDC services if they do not include a user SID value. When user credential certificates are delivered using a SCEP profile, UEM does not add the user’s SID object property to the certificate request, as required by the Microsoft September update. As a result, email will not synchronize on users’ devices and users will not be able to access any impacted services that use certificate-based authentication.
UEM on-premises version 12.22 MR1 and the UEM Cloud August update include a fix to address this issue and prevent disruption by the Windows September update. Your UEM environment is impacted if:
- You configured and assigned a SCEP profile to users or groups.
- You associated a SCEP profile with the app configuration of BlackBerry Dynamics apps for iOS or Android devices (BlackBerry Work, BlackBerry Tasks, BlackBerry Notes, BlackBerry Access), or with the app configuration of a third-party app (for example, Samsung Email or Gmail).
- You associated a SCEP profile with an assigned email profile, Wi-Fi profile, VPN profile, single sign-on profile, single sign-on extension profile, or certificate mapping profile.
For more information about whether you are impacted, see BlackBerry Support Forum: Is your UEM environment impacted by Microsoft's updates to Windows Servers Domain Controllers processing Certificate-based Authentication (CBA)?
If your environment is impacted, you must do the following:
- Upgrade to UEM on-premises 12.22 MR1 (UEM Cloud environments will automatically receive the update with the fix).
- If your organization uses an LDAP directory connection to Active Directory, you must edit the directory configuration in UEM on-premises or in UEM Cloud to specify the following value in the new User Security Identifier field: objectSid. After you add this value, manually synchronize the directory connection.
- After the directory connection is synchronized (you can verify by checking the Last report date link for the directory connection in Settings > External Integration > Company directory), update all SCEP profiles with the SAN type set to URI to add the following to the SAN value field (iOS and Android tabs only): tag:microsoft.com,2022-09-14:sid:%UserAdSid%
- After the upgrade and profile update, certificate renewal will trigger on users' devices. Instruct BlackBerry Work users to open the app and do the following:
  - iOS: If the status of the app is offline, pull down from the top of the screen while in the inbox to refresh the page. The status should change to "Updated Just Now".
  - Android: Tap the "Authentication failure due to missing certificate" message to reauthenticate with the Microsoft Exchange Server.
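
A way to verify the result of the steps above, as an added example that is not BlackBerry or Microsoft code: it decodes a user's binary objectSid into string form and checks whether the SAN text of a renewed certificate carries the matching SID URI. It assumes the SAN is supplied as comma-separated text (the form certificate tools print); the function names and all sample values are constructed for illustration.

```python
import re
import struct

# SAN URI prefix taken from the SAN value on this page; everything else is assumed.
SID_TAG = "tag:microsoft.com,2022-09-14:sid:"
SID_RE = re.compile(r"S-1-\d+(-\d+){1,15}")

def sid_from_object_sid(raw: bytes) -> str:
    """Decode the binary objectSid directory attribute into S-1-... string form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", "1", str(authority), *map(str, subs)])

def check_cert_san(san_text: str, object_sid: bytes) -> str:
    """Classify a certificate's SAN text against the user's directory SID."""
    expected = sid_from_object_sid(object_sid)
    found = re.findall(re.escape("URI:" + SID_TAG) + r"([^,\s]*)", san_text)
    if not found:
        return "missing"      # no SID URI entry in the SAN at all
    if not all(SID_RE.fullmatch(v) for v in found):
        return "malformed"    # empty value or a variable that was never substituted
    return "ok" if set(found) == {expected} else "mismatch"

# Constructed sample data (not from a real directory or certificate).
SAMPLE_OBJECT_SID = (b"\x01\x05" + (5).to_bytes(6, "big")
                     + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1105))
SAMPLE_SANS = {
    "renewed": "URI:" + SID_TAG + "S-1-5-21-1111111111-2222222222-3333333333-1105, "
               "email:user@example.com",
    "old": "email:user@example.com",
    "unsubstituted": "URI:" + SID_TAG + "%UserAdSid%",
    "other_user": "URI:" + SID_TAG + "S-1-5-21-1111111111-2222222222-3333333333-1106",
}

if __name__ == "__main__":
    print("directory SID:", sid_from_object_sid(SAMPLE_OBJECT_SID))
    for name, san in SAMPLE_SANS.items():
        print(f"{name:14} -> {check_cert_san(san, SAMPLE_OBJECT_SID)}")
```
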
UEM on-premises 12.22 Quick Fix 2
If UEM is configured with a large number of directory connections, when a user tried to log in to UEM Self-Service, the login might have failed. (EMM-158374)
If your UEM environment included profiles that were configured for older UEM snap-ins that are no longer supported, when you tried to upgrade to UEM 12.22, the upgrade process failed. (EMM-158127)
If UEM tried to remove a device due to a "Device out of contact" compliance violation and did not succeed, UEM did not try to remove the device again. (EMM-157761)
UEM on-premises 12.22 Quick Fix 1
If you used an administrator account that was scoped to manage specific user groups to import user accounts from a CSV file, those users were added to the scoped groups, but were not added to the All Users group. (EMM-158165)
After Samsung device users upgraded the UEM Client to version 12.45.0.158182 or later, some devices were incorrectly reported as out of compliance because they were identified as jailbroken by UEM. The issue is fixed in this release and will no longer occur. Devices that were impacted will remain in the incorrect out of compliance state; to resolve, please submit a ticket with BlackBerry Support. (EMM-157827)
UEM on-premises 12.22 and UEM Cloud (May 2025)
Installation and UEM services
During startup, the UEM Core did not correctly handle the version string format for certain patch releases of JRE 17. If this occurred, the UEM Core did not start as expected. (EMM-157607)
Management console fixed issues
In a UEM Cloud environment, if you configured an administrator role to have access only to certain directory connections, administrators with that role were still able to access and manage users from other directories. (EMM-157961)
If you tried to remove multiple devices from UEM from the Managed devices screen (for example, 40 or more devices), the process might have taken longer than expected and might have caused the UEM Core to stop responding. (EMM-157825)
When you viewed an IT policy or certain profile types that were not in edit mode, you could modify settings, but the changes were not saved because the policy or profile was not in edit mode. (EMM-157727)
In the device SR requirements profile, the text above the OS update rule read "Work space only device OS update rule" even though the OS update rules apply to Work space only and Work and personal - full control activation types. (EMM-157611)
If you copied a BlackBerry Dynamics connectivity profile, certain configurations from the profile were not transferred as expected to the new copy of the profile. (EMM-157541)
The metadata available in the management console for iPad mini 7th generation devices was not correct. (EMM-157498)
If you set your browser to display the management console in French, when you navigated to the Apps page and tried to add an app, a blank box displayed instead of the expected UI to add an app. (EMM-157470)
After upgrading through multiple versions of UEM, an error message displayed when you accessed certain pages in the management console (user device and summary pages, apps page), and compliance profiles did not display as expected. (EMM-157452)
In a UEM Cloud environment, if you had more than one tenant, you were not able to create new Intercede user credential profiles. (EMM-157440)
If you tried to change the device ownership of more than 17 devices at the same time, the following error displayed: “An error was encountered. The device ownership could not be updated.” (EMM-157382)
If you configured certificate-based authentication for the management console and you configured a login notice to display for administrator users, the notice would display a second time after administrators dismissed it. (EMM-157306)
When you navigated to Users > Device vulnerabilities, it may have taken longer than expected for results to display. (EMM-157303)
If you copied an existing app configuration for an Android app but did not change the name, you could not save the app configuration. An error message did not display indicating that the name must be unique. (EMM-157288)
In environments with one instance of UEM, when you checked the installed version in myAccount, it was incorrectly displayed as one version behind the actual version that was installed. (EMM-157259)
When you opened the app configuration for a BlackBerry Dynamics app, the following error message might have displayed if you tried to change a setting in a drop-down list: "An error was encountered. The action cannot be performed." (EMM-157224)
If you enabled the "Automatically update device OS (supervised only)" rule in an IT policy, when you changed the start time, the following error message displayed: "An error was encountered. The action cannot be performed." (EMM-157223)
User, device, and app management fixed issues
After you assigned an Intercede user credential profile, iPad users did not receive a prompt to activate with MyID. (EMA-18761)
Due to a timing condition, when you assigned an Intercede user credential profile to an iOS device user and the user activated the UEM Client with MyID, in some cases the derived credentials certificates from MyID were not stored in the native keystore on the device. (EMA-18759)
The "View external integration settings" administrator role permission granted elevated permissions that were not intended (for example, granting the ability for an administrator to remove an Android Enterprise connection from the management console). (EMM-157970, EMM-157969)
If you assigned a compliance profile to Apple DEP users with the "OS update not applied" rule enabled, UEM was not able to deliver apps or IT policies to those users. (EMM-157891)
In specific circumstances, an offboarding exception that occurred during a group synchronization process caused the entire group synchronization process to roll back. (EMM-157848)
In specific circumstances, when you used UEM to update the OS on a supervised iOS device (Users > Managed devices > initiate update for one or more devices), an exception resulted in the OS update not being applied to the device, and the device could not receive further management commands from UEM. (EMM-157840)
If you configured UEM to synchronize with directory groups and you enabled offboarding, when UEM identified a user to offboard that was still associated with a device, it would attempt to wipe the device. If the device did not have the capability to be wiped, an exception was thrown and the user would not be offboarded. In this scenario, UEM now checks the device capabilities and proceeds to wipe the device or make the device unmanaged so that it can offboard the user. (EMM-157822)
In specific circumstances, when UEM synchronized directory groups, it could load a large number of objects into local memory and cause an out of memory event. (EMM-157721)
In specific circumstances, when UEM synchronized a large number of directory groups, it could cause an out of memory event. (EMM-157719)
Previously, an unlock key that you sent to a user from the management console, or that a user generated with the UEM Self-Service console, could only be used to unlock the BlackBerry Dynamics app that the key was generated for. The unlock key can now be used to unlock any BlackBerry Dynamics app on the user's device. The key expires after it is used to unlock a BlackBerry Dynamics app. You or the user must generate a new key for each app that the user wants to unlock. (EMM-157675)
After upgrading UEM, connections to Microsoft Active Directory might not have worked as expected. This was resolved by additional port requirements for outbound connections to Microsoft Active Directory. (EMM-157496)
If you sent a delete all device data command to an iOS 17 or later device and selected the "Enable Return to Service" option, the selected Wi-Fi profile was not assigned to the device as expected after the device data was deleted. (EMM-157464)
In a rare circumstance, when a user used an unlock key to unlock a BlackBerry Dynamics app on an iOS device, it caused the device to be wiped. (EMM-157277)
If you used UEM to distribute B2B apps to iOS devices from the Apple VPP store, UEM was not able to update the apps on devices from the VPP store. (EMM-157145)