Fixed issues in

UEM

12.22 and

UEM Cloud

In September 2025,

Microsoft

will release a

Windows

update to enforce specific strong certificate to user identity mapping requirements. For details, see Microsoft KB 5014754.

If your organization uses a

BlackBerry UEM

SCEP profile to provide user credential certificates to devices to authenticate with resources such as

Microsoft Exchange Server

, after the

Windows

September update, the certificates will be rejected by the

Microsoft

Domain Controller’s KDC services if they do not include a user SID value. When user credential certificates are delivered using a SCEP profile,

UEM

does not add the user’s SID object property to the certificate request, as required by the

Microsoft

September update. As a result, email will not synchronize on users’ devices and users will not be able to access any impacted services that use certificate-based authentication.

UEM

on-premises version 12.22 MR1 and the

UEM Cloud

August update include a fix to address this issue and prevent disruption by the

Windows

September update. Your

UEM

environment is impacted if:

You configured and assigned a SCEP profile to users or groups.
You associated a SCEP profile with the app configuration of
BlackBerry Dynamics
apps for
iOS
or
Android
devices (
BlackBerry Work
,
BlackBerry Tasks
,
BlackBerry Notes
,
BlackBerry Access
), or with the app configuration of a third-party app (for example,
Samsung
Email or
Gmail
).
You associated a SCEP profile with an assigned email profile,
Wi-Fi
profile, VPN profile, single sign-on profile, single sign-on extension profile, or certificate mapping profile.

For more information about whether you are impacted, see BlackBerry Support Forum: Is your UEM environment impacted by Microsoft's updates to Windows Servers Domain Controllers processing Certificate-based Authentication (CBA)?

If your environment is impacted, you must do the following:

Upgrade to
UEM
on-premises 12.22 MR1 (
UEM Cloud
environments will automatically receive the update with the fix).
If your organization uses an LDAP directory connection to
Active Directory
, you must edit the directory configuration in UEM on-premises or in UEM Cloud to specify the following value in the new
User Security Identifier
field:
objectSid
. After you add this value, manually synchronize the directory connection.
After the directory connection is synchronized (you can verify by checking the Last report date link for the directory connection in Settings > External Integration > Company directory), update all SCEP profiles with the SAN type set to URI to add the following to the SAN value field (
iOS
and
Android
tabs only):
tag:microsoft.com,2022-09-14:sid:%UserAdSid%
After the upgrade and profile update, certificate renewal will trigger on users' devices. Instruct
BlackBerry Work
users to open the app and do the following:
iOS
: If the status of the app is offline, pull down from the top of the screen while in the inbox to refresh the page. The status should change to "Updated Just Now".
Android
: Tap the "Authentication failure due to missing certificate" message to reauthenticate with the
Microsoft Exchange Server
.

For more information, see Critical Issue Advisory: Impact of Microsoft KB5014754 on UEM SCEP profiles for user credential certificates – September 10 2025.

If UEM is configured with a large number of directory connections, when a user tried to log in to UEM Self-Service , the login might have failed. (EMM-158374)

If your UEM environment included profiles that were configured for older UEM snap-ins that are no longer supported, when you tried to upgrade to UEM 12.22, the upgrade process failed. (EMM-158127)

If UEM tried to remove a device due to a "Device out of contact" compliance violation and did not succeed, UEM did not try to remove the device again. (EMM-157761)

If you used an administrator account that was scoped to manage specific user groups to import user accounts from a CSV file, those users were added to the scoped groups, but were not added to the All Users group. (EMM-158165)

After Samsung device users upgraded the UEM Client to version 12.45.0.158182 or later, some devices were incorrectly reported as out of compliance because they were identified as jailbroken by UEM . The issue is fixed in this release and will no longer occur. Devices that were impacted will remain in the incorrect out of compliance state; to resolve, please submit a ticket with BlackBerry Support. (EMM-157827)

During startup, the UEM Core did not correctly handle the version string format for certain patch releases of JRE 17. If this occurred, the UEM Core did not start as expected. (EMM-157607)

In a UEM Cloud environment, if you configured an administrator role to have access only to certain directory connections, administrators with that role were still able to access and manage users from other directories. (EMM-157961)

If you tried to remove multiple devices from UEM from the Managed devices screen (for example, 40 or more devices), the process might have taken longer than expected and might have caused the UEM Core to stop responding. (EMM-157825)

When you viewed an IT policy or certain profile types that were not in edit mode, you could modify settings, but the changes were not saved because the policy or profile was not in edit mode. (EMM-157727)

In the device SR requirements profile, the text above the OS update rule read "Work space only device OS update rule" even though the OS update rules apply to Work space only and Work and personal - full control activation types. (EMM-157611)

If you copied a BlackBerry Dynamics connectivity profile, certain configurations from the profile were not transferred as expected to the new copy of the profile. (EMM-157541)

The metadata available in the management console for iPad mini 7th generation devices was not correct. (EMM-157498)

If you set your browser to display the management console in French, when you navigated to the Apps page and tried to add an app, a blank box displayed instead of the expected UI to add an app. (EMM-157470)

After upgrading through multiple versions of UEM , an error message displayed when you accessed certain pages in the management console (user device and summary pages, apps page), and compliance profiles did not display as expected. (EMM-157452)

In a UEM Cloud environment, if you had more than one tenant, you were not able to create new Intercede user credential profiles. (EMM-157440)

If you tried to change the device ownership of more than 17 devices at the same time, the following error displayed: “An error was encountered. The device ownership could not be updated.” (EMM-157382)

If you configured certificate-based authentication for the management console and you configured a login notice to display for administrator users, the notice would display a second time after administrators dismissed it. (EMM-157306)

When you navigated to Users > Device vulnerabilities, it may have taken longer than expected for results to display. (EMM-157303)

If you copied an existing app configuration for an Android app but did not change the name, you could not save the app configuration. An error message did not display indicating that the name must be unique. (EMM-157288)

In environments with one instance of UEM , when you checked the installed version in myAccount, it was incorrectly displayed as one version behind the actual version that was installed. (EMM-157259)

When you opened the app configuration for a BlackBerry Dynamics app, the following error message might have displayed if you tried to change a setting in a drop-down list: "An error was encountered. The action cannot be performed." (EMM-157224)

If you enabled the "Automatically update device OS (supervised only)" rule in an IT policy, when you changed the start time, the following error message displayed: "An error was encountered. The action cannot be performed." (EMM-157223)

After you assigned an Intercede user credential profile, iPad users did not receive a prompt to activate with MyID. (EMA-18761)

Due to a timing condition, when you assigned an Intercede user credential profile to an iOS device user and the user activated the UEM Client with MyID, in some cases the derived credentials certificates from MyID were not stored in the native keystore on the device. (EMA-18759)

The "View external integration settings" administrator role permission granted elevated permissions that were not intended (for example, granting the ability for an administrator to remove an Android Enterprise connection from the management console). (EMM-157970, EMM-157969)

If you assigned a compliance profile to Apple DEP users with the "OS update not applied" rule enabled, UEM was not able to deliver apps or IT policies to those users. (EMM-157891)

In specific circumstances, an offboarding exception that occurred during a group synchronization process caused the entire group synchronization process to roll back. (EMM-157848)

In specific circumstances, when you used UEM to update the OS on a supervised iOS device (Users > Managed devices > initiate update for one or more devices), an exception resulted in the OS update not being applied to the device, and the device could not receive further management commands from UEM . (EMM-157840)

If you configured UEM to synchronize with directory groups and you enabled offboarding, when UEM identified a user to offboard that was still associated with a device, it would attempt to wipe the device. If the device did not have the capability to be wiped, an exception was thrown and the user would not be offboarded. In this scenario, UEM now checks the device capabilities and proceeds to wipe the device or make the device unmanaged so that it can offboard the user. (EMM-157822)

In specific circumstances, when UEM synchronized directory groups, it could load a large number of objects into local memory and cause an out of memory event. (EMM-157721)

In specific circumstances, when UEM synchronized a large number of directory groups, it could cause an out of memory event. (EMM-157719)

Previously, an unlock key that you sent to a user from the management console, or that a user generated with the UEM Self-Service console, could only be used to unlock the BlackBerry Dynamics app that the key was generated for. The unlock key can now be used to unlock any BlackBerry Dynamics app on the user's device. The key expires after it is used to unlock a BlackBerry Dynamics app. You or the user must generate a new key for each app that the user wants to unlock. (EMM-157675)

After upgrading UEM , connections to Microsoft Active Directory might not have worked as expected. This was resolved by additional port requirements for outbound connections to Microsoft Active Directory. (EMM-157496)

If you sent a delete all device data command to an iOS 17 or later device and selected the "Enable Return to Service" option, the selected Wi-Fi profile was not assigned to the device as expected after the device data was deleted. (EMM-157464)

In a rare circumstance, when a user used an unlock key to unlock a BlackBerry Dynamics app on an iOS device, it caused the device to be wiped. (EMM-157277)

If you used UEM to distribute B2B apps to iOS devices from the Apple VPP store, UEM was not able to update the apps on devices from the VPP store. (EMM-157145)