Known issues in UEM 12.23 and UEM Cloud
Installation and upgrade known issues
In unknown circumstances, after upgrading to UEM 12.23, you might not be able to log in to the management console. (EMM-159152) Workaround: Restart the "BlackBerry UEM - Management console" service and try to log in again.
In certain circumstances, in a UEM Cloud environment, when you open the BlackBerry Connectivity Node console for the first time after an upgrade, an HTTP Status 500 error displays and the console does not load as expected. (EMM-157113) Workaround: Refresh the page after the error displays.
Management console known issues
After installing or upgrading to UEM 12.23, or after receiving the November 2025 UEM Cloud update, if you try to create or change a directory synchronization schedule, the management console might stop responding when you click Add, and the synchronization schedule is not saved. For more information, see KB 140959. (EMM-159169)
If you assign a new email profile to a user or group with an existing email profile, the prompt to replace the profile is titled “Assign Email profile” instead of “Replace email profile”, and an “Assign” button is displayed instead of a “Replace” button. Clicking the “Assign” button will replace the existing email profile. (EMM-159112)
When viewing a user's details in the management console, an app group that is assigned to the user through nested group membership might not display as expected, even though the apps from that app group are still assigned and available to the user. (EMM-159109)
If you are logged in to the management console using the macOS Safari browser, the Log Out and Help links in the top right of the console are cut off and cannot be clicked. (EMM-159083) Workaround: Use another supported browser to access the management console.
In unknown and intermittent circumstances, when a user activates a macOS device, the device details in the management console may list "Command failed" for the action of sending the IT policy and profiles to the device even though the policy and profiles were delivered successfully. (EMM-159020, EMM-159166)
If you create a Microsoft Intune app protection profile and try to add Intune-managed apps from the App package IDs list, the available apps are not displayed. (EMM-159018)
When you navigate to Settings > Migration and follow the steps to migrate users, devices, and configurations from another UEM instance, some UI elements may not display as expected:
(EMM-158892)
If a user deactivates a device with an Android Management activation type from the device settings, the device still displays as activated in the management console. (EMM-153468) Workaround: To remove the device from the management console, instruct the user to deactivate the device from the About menu in the UEM Client.
User, device, and app management known issues
If you enable and configure the Software update delay period (supervised only) IT policy rule and the Schedule OS update IT policy rule for iOS devices, note that due to an Apple known issue, the software update prompt might display to the end user before the delay period that you specified in the rule.
If a user’s iOS device is already activated with UEM and you enable that user for Entra ID conditional access, after the Microsoft Authenticator app is installed and the user brings the UEM Client to the foreground, the Microsoft authentication screen is not displayed to the user as expected. This is due to a Microsoft known issue. (EMA-18313) Workaround: Instruct users to force close the UEM Client and open it again.
If a Knox Service Plugin (KSP) policy is set to disable factory reset on a device and you send an IT command to wipe the device from UEM, the device will be unmanaged and cannot be reactivated or complete a factory reset. (EMA-17549)
If a VPP app is assigned as unmanaged (Disposition set to Optional, Target set to Personal, VPP license assigned to User), in unknown circumstances, when a user activates their device, the user might not be able to install the assigned VPP app. (EMM-159159) Workaround: Instruct users to install another app from the Required tab in Work Apps, then try to install the unmanaged VPP app again.
If a user tries to use UEM Self-Service to set an activation password with exactly 15 characters, and the 15th character is a hexadecimal value (0-9, A-F, a-f), the activation password is not created and the user receives a "Failed" error message with no details. (EMM-159157) Workaround: Use a password that is not exactly 15 characters.
If you search for a Microsoft Active Directory user with a name that contains an apostrophe ('), UEM does not return that user account as expected. (EMM-159146)
If you add a user to UEM and assign them to a group configured for BlackBerry 2FA as part of the user account creation process, the user might not receive the BlackBerry 2FA configuration, and will not be prompted for 2FA authentication when the user logs into the management console or UEM Self-Service console. (EMM-159108) Workaround: Add the user account to UEM first without any group assignment, then add the user to the BlackBerry 2FA group.
If you configure a SCEP profile with an Entrust configuration and the configuration does not include an igusername token, the certificate enrollment process does not complete as expected on devices. (EMM-159103)
If you create a group and assign multiple VPP apps with different VPP license configurations to the group as part of the initial group creation process, some of the apps might not be assigned VPP licenses as expected. (EMM-159063) Workaround: Create the group first without assigning VPP apps, then assign the appropriate VPP apps to the group.
If you used UEM to assign the Vrbo Owner app to users or groups with the Disposition set to Optional and the Target set to Personal, but a user did not install the app yet, after the upgrade to UEM 12.23 or the November 2025 UEM Cloud update, when the user tries to install the app, an error message indicates that the app cannot be downloaded. UEM indicates that the app used a VPP license. (EMM-159034)
If you add the “Threema Work For Companies” app to UEM and try to add an app configuration from a template as part of the process for adding the app, an error message indicates that the XML template could not be updated. (EMM-159032) Workaround: Add the app to UEM first without an app configuration, then add the app configuration from a template.
If you associate an enterprise connectivity profile configured for per-app VPN with an IMAP/POP3 profile, after the IMAP/POP3 profile is applied, iOS devices are not able to connect to the IMAP/POP3 server. (EMM-158971) Workaround: Configure the enterprise connectivity profile for device-wide VPN.
If you create an email profile and you both specify a password and enable certificate authentication for iOS devices, the device does not authenticate as expected with the Microsoft Exchange Server. (EMM-158824) Workaround: Configure the email profile to use either a password or certificate authentication, not both.
If a VPP app is installed on a device as unmanaged (Disposition set to Optional, Target set to Personal, VPP license assigned to User), then you change the Target setting for the app to Work, the app is still considered unmanaged by UEM and cannot be removed or otherwise managed from the management console. (EMM-158465)
If a VPP app is installed on a device as unmanaged (Disposition set to Optional, Target set to Personal, VPP license assigned to User), when you view the user’s device details, the app status is displayed as Not installed. (EMM-158447)
If you enable automatic OS updates for iOS devices in the assigned IT policy, and set an update schedule of 1 day, the device OS is not updated on the 1 day schedule as expected. The update is automatically moved to the next day (and does occur as expected on that day). This issue occurs intermittently. (EMM-157987)
If you use a .csv file to import directory user accounts into UEM, and you use the Group membership column to specify the group that you want to add each user to, during the import process you will receive a prompt asking you to select the groups that you want to add the users to, even though this information is already specified in the .csv file. If you make a selection in the prompt and click Import, the selection from the prompt will override whatever group memberships are specified in the .csv file. (EMM-157964) Workaround: Don't select any groups in the prompt and click Import. The imported users will be added to the groups that you specified in the .csv file.
In unknown circumstances, if an assigned compliance profile is set to not allow BlackBerry Dynamics apps to run while there is a pending OS update, an impacted device might still be considered out of compliance even after a user applies an OS update. (EMM-157939)
If you configure compliance prompts for BlackBerry Dynamics apps for the "OS update not applied" (iOS and Android) or "Managed device attestation failure" (iOS) rules and you set the action for BlackBerry Dynamics apps to block or to delete BlackBerry Dynamics app data, then you remove and reassign the compliance profile, the UEM Client and other BlackBerry Dynamics apps may be blocked or deactivated and removed (depending on the selected action) without prompting the user first. (EMM-156895)
When you assign VPP apps with a user license to Apple DEP devices, if you assign the apps right after associating the VPP license to users, the apps might not install as expected because the app license cannot be retrieved. (EMM-156886)
If you assign a compliance profile with the iOS "OS update not applied" rule set to provide compliance prompts for BlackBerry Dynamics apps, then you change the compliance action for BlackBerry Dynamics apps from block to delete app data, or from delete data to block, prompts are not provided to the user before the enforcement action is applied. (EMM-156884)
When you configure a device profile with different wallpapers for the home screen and the lock screen and you assign the profile to an iOS device, the wallpaper configuration may not be applied to the device as expected. This issue occurs intermittently. (EMM-155689)
Samsung devices that are activated with Android Enterprise Work space only and are assigned an enterprise connectivity profile cannot send or receive SMS or MMS messages. (EMM-154287) Workaround: In the enterprise connectivity profile settings, on the Android tab, select Container-wide VPN and add the com.android.mms.service and com.google.android.apps.messaging apps to the list of apps restricted from using BlackBerry Secure Connect Plus.
When you schedule an OS update for one or more supervised iOS devices, the update is delivered to devices but is not installed. This occurs intermittently and is due to an iOS known issue. (EMM-152977)
Chrome OS devices will not synchronize with UEM if they are in an org unit that has no child org units. (EMM-150375)
If an authentication delegate app is configured in an assigned BlackBerry Dynamics profile, when a device user removes the authentication delegate app from their device and then restarts a different BlackBerry Dynamics app and uses the forgot password option, the forgot password option does not work and the user does not receive an error message. (GD-66829) Workaround: Instruct the user to install the authentication delegate app again.
During the Entra ID Conditional Access enrollment flow, the user might be prompted to register the device twice. (SIS-15411) Workaround: If the user is enrolling only in conditional access, they shouldn't open the Microsoft Authenticator app from the app store after they install it; instead, they should switch to the UEM Client and then open the Microsoft Authenticator app.