BlackBerry offers a number of solutions to restrict specific apps from being installed on mobile devices within your organization. BlackBerry UEM, CylancePROTECT Mobile, CylancePROTECT Mobile for UEM, and CylanceGATEWAY provide configurations to prevent users from accessing specific apps or limiting the use of work apps while restricted apps are present on the device. For more information about different activation types for BlackBerry UEM, see device activation in the UEM documentation. You can click on any of the options below for details and instructions to restrict apps across different products and activation types:
Devices with this activation type can access only approved apps in the Work Play Store. Users can only install apps that you approve. You can use the following steps to add a specific app to the app list. Apps that are not on the app list cannot be installed on the device.
This activation creates a work and personal profile on the device. You can use different methods to restrict specified apps in each profile:
- The work profile has access only to approved apps in the Work Play Store. Users can only install apps that you approve.
- The personal profile will not have access to specific apps if the app is restricted in an IT policy. Restricting apps for a personal profile is only available for Android 11 and later devices.
With this activation type, the work profile has access only to approved apps in the Work Play Store, and users can only install apps that you approve.
A personal profile has no method to prevent users from installing certain apps on the personal side because the device is not fully managed. However, you can use CylancePROTECT Mobile for UEM to warn users of the threats that a specific app places on their devices.
With this activation type, there is no way to prevent users from installing specific apps because the device is not fully managed. You can, however, install, manage, and remove BlackBerry Dynamics apps on user devices. You can also use CylancePROTECT Mobile for UEM to warn users of the threats that a specific app places on their devices.
To restrict apps, you must create a compliance profile and add the apps to the restricted app list in the profile. For supervised iOS devices, if a user tries to install a restricted app, the app is hidden. If a restricted app is already installed, it is hidden from the user without any notification.
To restrict apps, you must create a compliance profile and add the apps to the restricted app list in the profile. For supervised iOS devices, if a user tries to install a restricted app, the app is hidden. If a restricted app is already installed, it is hidden from the user without any notification.
With this activation type, you cannot prevent an app from being installed. However, you can alert the user to take action and that their device will be out of compliance until the offending app is uninstalled.
When the user opens the UEM Client, they are prompted with a compliance violation. If they click More, they can see the restricted app that is causing the violation. The user must uninstall the app to get the device back into compliance.
If a device has a restricted app installed first and then activates on MDM, the UEM Client sends a list of installed applications during the activation. After the activation completes, a compliance violation is triggered within the UEM Client.
Restricting specific apps using CylancePROTECT Mobile for UEM is only supported for Android devices.
You can restrict specific apps that are added to the restricted app list and configure a compliance profile that includes blocking apps on the restricted app list. If an app on the restricted app list is installed on a user's device, that device will fall out of compliance and the user will need to remove the app before thye can access work apps. For more information, see Detecting Malware on Android devices in the CylancePROTECT Mobile for UEM documentation.
Restricting specific apps using CylancePROTECT Mobile is only supported for Android devices.
CylancePROTECT Mobile is a component of the Cylance Endpoint Security suite. The CylancePROTECT Mobile app scans the apps on a user’s device and uploads the app files to the CylancePROTECT cloud services, which use AI and machine learning to analyze the app package and produce a confidence score that it returns to the CylancePROTECT Mobile app. An app is uploaded to the CylancePROTECT services if it has a hash that the services have not processed previously. Whenever an app has a new hash (for example, for a new version) the app is uploaded to the CylancePROTECT services for analysis and scoring. The confidence score determines whether the scanned app is safe or potentially malicious. When the CylancePROTECT service determines that an app is potentially malicious, the CylancePROTECT Mobile app notifies the user and provides further details. The user can tap a fix option in the app to navigate to the device settings and uninstall the malicious app. For more information, see Resolve Mobile threats. To ensure that an app is classified as malicious, you can add it to the Restricted list, then you can specify blocking apps on the restricted list in a CylancePROTECT Mobile policy.
If Cylance Endpoint Security is integrated with Microsoft Intune, you can perform remediation actions that are specified within your Intune environment. You can create a risk assessment policy to provide risk levels for the alerts that are detected by MTD. Cylance Endpoint Security will report the overall risk level of the device to Intune, and Intune can carry out the mitigation action that have been configured for that risk level. To integrate Cylance Endpoint Security with Intune see Integrating Cylance Endpoint Security with Microsoft Intune to respond to mobile threats.
Add a public app to the app list
1. In the management console, click Apps, then click the apps icon.
2. Click Google Play.
3. Complete the fields and include the web address for the Google Play app. Click Add. For more information on these fields, see Add an Android app to the app list.
BlackBerry UEM work profile
Add a public app to the app list
1. In the management console, click Apps, then click the apps icon.
2. Click Google Play.
3. Complete the fields and include the web address for the Google Play app. Click Add. For more information on these fields, see Add an Android app to the app list.
BlackBerry UEM personal profile
Create an IT policy for Android 11 devices
On Android 11 and later devices, you must restrict apps in an IT policy.
1. In the management console, click Policies and profiles > IT policies > +.
2. Enter a name and description for your IT policy and click the Android tab.
3. In the Personal profile (all Android devices) section, in the Allowed personal apps from Google Play drop-down list, select Block specified apps. Click + beside Personal apps and enter the package IDs for the apps that you want to block in the personal space.
4. After you create an IT policy, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
BlackBerry UEM work profile
Add a public app to the app list
1. In the management console, click Apps, then click the apps icon.
2. Click Google Play.
3. Complete the fields and include the web address for the Google Play app. Click Add. For more information, see Add an Android app to the app list.
BlackBerry UEM personal profile
You can use CylancePROTECT Mobile for UEM to prevent users from accessing work resources on BlackBerry Dynamics apps while a device is out of compliance. For more information, see Malware scanning behavior by activation type. Depending on the products and licenses that your organization owns, you may need to purchase CylancePROTECT Mobile for UEM. For more information, see the enterprise licensing guide.
Enable malware detection for Android devices
1. If you own the entitlement for CylancePROTECT Mobile in UEM, you can enable it in the management console. Go to Settings > Services and click Enable in the CylancePROTECT row.
2. In the management console, click Policies and profiles > Protection > BlackBerry Protect > +.
3. Enter a name and description for the CylancePROTECT Mobile profile, then click the Android tab.
4. In the Malicious app package detection section, select Scan new and exisiting app packages from device for safety check, then select Always block apps in restricted app list.
5. In the Sideloaded app detection section, select Enable sideloaded app detection and click Save.
Add an app to the restricted app list
1. In the management console, click Settings > CylancePROTECT > Restricted apps > Restricted apps > +.
2. Select how you would like to add the app to the restricted app list.
3. Do one of the following:
- If you selected Select an app file, click Browse and select the .apk file for the app, and click Upload.
- If you selected Manually enter the app's hash info, complete the fields and click Save.
Create a compliance profile
1. In the management console, click Policies and profiles > Compliance > +.
2. Add a name and description and click the Android tab.
3. In the Malware detected section, select Malicious app package detected and confiure the actions to take when a malicious app package is detected.
4. Click Save.
5. After you create a compliance profile, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
BlackBerry UEM Android user privacy
You can use CylancePROTECT Mobile for UEM to prevent users from accessing work resources on BlackBerry Dynamics apps while a device is out of compliance. For more information, see Malware scanning behavior by activation type. Depending on the products and licenses that your organization owns, you may need to purchase CylancePROTECT Mobile for UEM. For more information, see the enterprise licensing guide.
Enable malware detection for Android devices
1. If you own the entitlement for CylancePROTECT Mobile in UEM, you can enable it In the management console. Go to Settings > Services and click Enable in the CylancePROTECT row.
2. In the management console, click Policies and profiles > Protection > BlackBerry Protect > +.
3. Enter a name and description for the CylancePROTECT Mobile profile, then click the Android tab.
4. In the Malicious app package detection section, enable Scan new and exisiting app packages from device for safety check, then enable Always block apps in restricted app list.
5. In the Sideloaded app detection section, enable Enable sideloaded app detection and click Save.
Add an app to the restricted app list
1. In the management console, click Settings > CylancePROTECT > Restricted apps > Restricted apps > +.
2. Select how you would like to add the app to the restricted app list.
3. Do one of the following:
- If you selected Select an app file, Click Browse, select the .apk file for the app, and click Upload.
- If you selected Manually enter the app's hash info, complete the fields, and click Save.
Create a compliance profile
1. In the management console, click Policies and profiles > Compliance > +.
2. Add a name and description and click the Android tab.
3. In the Malware detected section, select Malicious app package detected and confiure the actions to take when a malicious app package is detected.
4. Click Save.
5. After you create a compliance profile, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
Add an app to the restricted app list
1. In the management console, click Apps > Restricted Apps > +
2. Click App Store.
3. Type the app name in the search bar and click Add.
Create a compliance profile
1. On the management console, click Policies and profiles > Compliance > +.
2. Complete the Name, Description, Email sent when violation is detected, Enforcement interval, and Device notification sent when violation is detected fields. For more information on these fields, see Create a compliance profile.
3. In the iOS tab, select Restricted app is installed, then click + > Select an app from the restricted app list. For supervised iOS devices versions 9.3.2 and later, you can click Select a built-in app.
4. Do one of the following:
- Select apps from the app list
- Specify the app package ID
5. Do one of the following:
- If you selected Select apps from the app list, select the app from the restricted app list then click Add.
- If you selected Specify the app package ID, enter the package ID in the text field.
6. Complete the Restricted app is installed fields then click Save.
7. After you create a compliance profile, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
Add an app to the restricted app list
1. In the management console, click Apps > Restricted Apps > +
2. Click App Store.
3. Type the app name in the search bar and click Add.
Create a compliance profile
1. On the management console, click Policies and profiles > Compliance > +.
2. Complete the Name, Description, Email sent when violation is detected, Enforcement interval, and Device notification sent when violation is detected fields. For more information on these fields, see Create a compliance profile.
3. In the iOS tab, select Restricted app is installed, then click + > Select an app from the restricted app list. For supervised iOS devices versions 9.3.2 and later, you can click Select a built-in app.
4. Do one of the following:
- Select apps from the app list
- Specify the app package ID
5. Do one of the following:
- If you selected Select apps from the app list, select the app from the restricted app list then click Add.
- If you selected Specify the app package ID, enter the package ID in the text field.
6. Complete the Restricted app is installed fields then click Save.
7. After you create a compliance profile, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
Enable CylancePROTECT Mobile in UEM
You can use CylancePROTECT Mobile for UEM to prevent users from accessing work resources on BlackBerry Dynamics apps while a device is out of compliance. For more information, see Malware scanning behavior by activation type. Depending on the products and licenses that your organization owns, you may need to purchase CylancePROTECT Mobile for UEM. For more information, see the enterprise licensing guide.
Enable malware detection for Android devices
1. If you own the entitlement for CylancePROTECT Mobile in UEM, you can enable it In the management console. Go to Settings > Services and click Enable in the CylancePROTECT row.
2. In the management console, click Policies and profiles > Protection > BlackBerry Protect > +.
3. Enter a name and description for the CylancePROTECT Mobile profile, then click the Android tab.
4. In the Malicious app package detection section, select Scan new and exisiting app packages from device for safety check, then select Always block apps in restricted app list.
5. In the Sideloaded app detection section, select Enable sideloaded app detection and click Save.
Add an app to the restricted app list
1. In the management console, click Settings > CylancePROTECT > Restricted apps > Restricted apps > +.
2. Select how you would like to add the app to the restricted app list.
3. Do one of the following:
- If you selected Select an app file, click Browse, select the .apk file for the app, and click Upload.
- If you selected Manually enter the app's hash info, complete the fields and click Save.
Create a compliance profile
1. In the management console, click Policies and profiles > Compliance > +.
2. Add a name and description and click the Android tab.
3. In the Malware detected section, select Malicious app package detected and confiure the actions to take when a malicious app package is detected.
4. Click Save.
5. After you create a compliance profile, you must assign it to users. For more information, see Assign a profile or IT policy to a user account in the BlackBerry UEM documentation.
Add an app to the restricted app list
1. On the management console, click Settings > Global List (Mobile) > Restricted > Apps, then click Add App.
2. Select a method to specify the restricted app.
3. Do one of the following:
- If you selected Select an app file, click Browse Files and select the .apk file.
- If you selected Manually enter the app's hash info, complete the fields and click Add.
- If you selected Import an app list from .csv file, click Browse Files and select the .csv file.
Create a CylancePROTECT mobile policy
1. In the management console, Click Policies > User policy > Protect Mobile > Add Policy.
2. Complete and configure the policy fields. For more information, see Create a CylancePROTECT Mobile policy.
3. In the App security detections section, select Malicious apps and Always block apps in the restricted app list. To prevent users from sideloading restricted apps, select Sideloaded apps.
4. After you create a CylancePROTECT Mobile policy, you must assign the policy to users or devices. Users who have the policy assigned will recieve a notification if they have violated the policy.
Configure the access control list
1. In the management console, click Settings > Network > Access Control List > Add Rule.
2. In the General Information section, enter a name, description, and enable the use of rule in the access control list for the access control rule.
3. In the Action section, select Block in the drop-down list. Optionally, you can display a custom message to users when they attempt to use a blocked app and enable further event and evaluation controls.
4. In the Target fields of the Destinations section, enter the information for the app that you want to restrict access to. For more information, see ACL parameters in the Cylance Endpoint Security Setup Guide.
5. In the Category and Risk section, select Not applicable from the drop-down menu. This will prevent these fields from interfering with the configuration that you set in the Target section. Optionally, to prevent specific users or user groups from accessing the app, you can specify them in the User properties section.
6. Click Add.