
What's new in BlackBerry UEM

New in UEM version 12.23 and UEM Cloud

Feature
Cloud release date and on-prem version
Description
Update firewall configurations for new UEM domains
November 2025
12.23
If you have configured your firewall to allow UEM components to make outbound connections to required services by DNS name, you must allow connections to the following domains:
  • prod.dynamics.blackberry.com
  • prod-mdc.dynamics.blackberry.com
These domains replace gdmdc.good.com, gdweb.good.com, and gdentdw.good.com, and are required connections for BlackBerry Dynamics apps, the UEM server, and the BlackBerry Connectivity Node for UEM on-premises and UEM Cloud.
This impacts only environments where firewalls are managed by FQDN. If your firewall rules allow access to *.blackberry.com over port 443, you do not need to make any changes. You do not need to update any UEM settings, as they will be updated when you upgrade UEM to version 12.23 or when you receive the November 2025 UEM Cloud update.
Note that connections to gdmdc.good.com, gdweb.good.com, and gdentdw.good.com will continue to work, as they will be redirected to the new domains, but the good.com domains will eventually be deprecated.
For more information, see Port requirements: Server configuration.
The BlackBerry Enterprise Mobility Server currently requires an outbound connection to gdweb.good.com, but in an upcoming BlackBerry Enterprise Mobility Server release it will be updated to connect to prod.dynamics.blackberry.com and prod-mdc.dynamics.blackberry.com. To prepare for this update, allow connections for both gdweb.good.com and the new prod.dynamics.blackberry.com and prod-mdc.dynamics.blackberry.com domains.
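The following Python is an added example, not BlackBerry code: it audits an exported FQDN allowlist against the domain change described above, including the BlackBerry Enterprise Mobility Server case. The "host port" rule format, the function names, and the sample rule sets are constructed for illustration, and the wildcard is assumed to match any subdomain depth.

```python
"""Audit an FQDN-based outbound allowlist for the UEM 12.23 domain change.

Added example. The "<host-or-wildcard> <port>" rule format and the sample
rule sets below are constructed; adapt parse_rules() to your firewall export.
"""

# Domains taken from the release note above.
NEW_DOMAINS = ("prod.dynamics.blackberry.com", "prod-mdc.dynamics.blackberry.com")
LEGACY_DOMAINS = ("gdmdc.good.com", "gdweb.good.com", "gdentdw.good.com")
BEMS_CURRENT = "gdweb.good.com"  # BEMS still needs this until its upcoming release
PORT = 443

# Constructed sample rule sets.
LEGACY_ONLY = """
# outbound rules for the UEM host
gdmdc.good.com 443
gdweb.good.com 443
gdentdw.good.com 443
"""
WILDCARD = "*.blackberry.com 443\n"
WRONG_PORT = "*.blackberry.com 80\n"


def parse_rules(text):
    """Return [(pattern, port)] from lines such as '*.blackberry.com 443'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unparseable rule: {raw!r}")
        pattern, port = parts
        rules.append((pattern.lower().rstrip("."), port.lower()))
    return rules


def rule_matches(pattern, host):
    """Exact match, or '*.suffix' matching a subdomain at any depth.

    Assumption: this mirrors your firewall's wildcard semantics. Some
    products match a single label only, which would not cover
    prod.dynamics.blackberry.com.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Keep the leading dot so 'notblackberry.com' and the bare apex
        # 'blackberry.com' do not match '*.blackberry.com'.
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(rules, host, port=PORT):
    """True if any rule covers host on the given port ('any' covers all ports)."""
    return any(
        rule_matches(pattern, host) and rule_port in (str(port), "any")
        for pattern, rule_port in rules
    )


def audit(rules, runs_bems=False):
    """Report required domains that are not allowed and legacy rules still present.

    runs_bems=True also requires gdweb.good.com, because BEMS has not yet
    moved to the new domains.
    """
    required = list(NEW_DOMAINS)
    if runs_bems:
        required.append(BEMS_CURRENT)
    missing = [host for host in required if not is_allowed(rules, host)]
    # Legacy entries keep working through redirects but are slated for
    # deprecation, so list them for later cleanup instead of failing on them.
    legacy = [h for h in LEGACY_DOMAINS if any(p == h for p, _ in rules)]
    return {"missing": missing, "legacy_rules": legacy, "ready": not missing}


if __name__ == "__main__":
    samples = (("legacy only", LEGACY_ONLY), ("wildcard", WILDCARD),
               ("wrong port", WRONG_PORT))
    for name, text in samples:
        print(name, audit(parse_rules(text), runs_bems=True))
```
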
Update IP address ranges
-
To facilitate a move to a new infrastructure, BlackBerry has secured new IP ranges for key infrastructure components. To ensure that UEM servers continue to work seamlessly when the new IP addresses become active in February 2026, you must add the new IP ranges to your firewall configuration.
For more information, see Critical Issue Advisory 140894 and Global IP ranges.
Easier access to policy and profile assignments for devices and device groups
November 2025
12.23
The following enhancements to the management console provide easier access to policy, profile, and app assignments for devices and device groups:
  • When you view a list of policies or profiles in the management console (Policies and profiles > select a profile type), new columns indicate the number of devices and device groups that each policy or profile is assigned to.
  • When you click a policy or profile, new tabs are available to display the devices and device groups that the policy or profile is assigned to.
  • When you view the Apps or App groups lists, a new Applied devices column indicates the number of devices that are assigned the app or app group.
  • When you click an app or app group, new tabs are available to display the devices and device groups that the app or app group is assigned to. Note that when you view the Applied devices tab for an app or app group, the information indicates the devices that the app or app group is assigned to; it does not reflect whether the app or group of apps is present on devices.
Warning when changing a profile that is already assigned
November 2025
12.23
You can enable a new setting to display a confirmation dialog when saving profiles, policies, and apps that are already assigned. This setting is off by default.
When enabled, if you make changes to an IT policy, profile, or app that is already assigned, a prompt will display when you try to save to confirm that you want to apply the changes to the assigned users, groups, devices, and device groups. The prompt will list a count of impacted users, groups, devices, and device groups.
Configure the update mode for assigned Google Play apps
November 2025
12.23
When you assign a Google Play app to Android Enterprise or Android Management devices by user or group assignment, you can use the Update Mode setting to configure how you want to manage app updates:
  • Default: When a new version of the app is available in Google Play, the device is notified. Any restrictions or conditions from an assigned device SR requirements profile are applied to the app update.
  • High Priority: When a new version of the app is available in Google Play, the device is notified. Any restrictions or conditions from an assigned device SR requirements profile are ignored.
  • Postpone: When a new version of the app is available in Google Play, the device is notified after 90 days, then the update is applied using the latest available version. Any restrictions or conditions from an assigned device SR requirements profile are applied. Note that users can manually update the app at any time.
Changes to update controls for assigned Apple VPP apps
November 2025
12.23
Previously, if you wanted to assign an Apple VPP app to a user or group, you could set the Disposition to “Required without updates” or “Optional without updates” if you wanted to prevent Apple VPP apps from updating automatically.
In this release, this is now controlled using an “Update Mode” setting when you assign an Apple VPP app to a user or group:
  • Default: When a new version of the app is available, it will be pushed to devices automatically.
  • Postpone: When a new version of the app is available, it will not be pushed to devices automatically.
If you set the Disposition to “Required without updates” or “Optional without updates” prior to the UEM Cloud update or the upgrade to 12.23, the corresponding settings will be updated automatically (Required + Postpone or Optional + Postpone) after the update or upgrade.
Support for zero-touch enrollment for Android Management devices
November 2025
12.23
This release adds support for zero-touch enrollment for Android Management devices.
Enable BlackBerry Secure Connect Plus for email, contact, and calendar profiles for iOS
November 2025
12.23
You can use the new setting "Enable Blackberry Secure Connectivity as the per-account VPN" in email, IMAP/POP3, CardDAV, and CalDAV profiles to enable iOS devices to use BlackBerry Secure Connect Plus as the per-account VPN for email, calendar, and contact data that is managed by these profiles. This is an alternative to associating per-account VPN profiles and provides the added benefit of leveraging BlackBerry’s secure connectivity infrastructure. BlackBerry Secure Connect Plus must be enabled to use this feature.
This option is turned off by default in email, IMAP/POP3, CardDAV, and CalDAV profiles. When enabled, the device will use the configuration of its assigned enterprise connectivity profile for the relevant secure connections (the default enterprise connectivity profile is assigned if no other enterprise connectivity profile was assigned previously). The enterprise connectivity profile that is assigned at the user level will be used for the per-account VPN, and will take precedence over any enterprise connectivity profiles assigned at the app level. If device-wide VPN is enabled in the enterprise connectivity profile that is assigned to a user, the "Enable Blackberry Secure Connectivity as the per-account VPN" setting has no effect.
Before you enable this setting in a profile, set the Per-account VPN setting to None to remove any assigned per-account VPN.
For more information about enabling and configuring BlackBerry Secure Connect Plus, see Using BlackBerry Secure Connect Plus for connections to work resources.
Enhancement to compliance profiles
November 2025
12.23
The new "Unapproved certificate is installed" compliance rule for iOS devices allows you to upload a trusted signing certificate. If a certificate is detected on a device that is not trusted by the signing certificate that you uploaded, the device is considered out of compliance.
Preserve eSIM information when deleting device data
November 2025
12.23
When UEM deletes device data from an iOS or Android device as the result of a compliance action or offboarding, UEM will not delete eSIM information from the device.
Enhancements to BlackBerry Dynamics profiles
November 2025
12.23
A new setting, "iOS: Do not require authentication when securely receiving a file from an authenticated Dynamics app", specifies whether iOS device users need to authenticate with a BlackBerry Dynamics app when they receive a secure file transfer from another BlackBerry Dynamics app that they have already authenticated with. By default, this setting is not enabled.
For more information, see BlackBerry Dynamics profile settings.
View Android device and work profile password expiry dates
November 2025
12.23
For Android Enterprise and Android Management devices, the device password and work profile password expiry dates are now listed in the device details in the management console. If a password expiry date has already passed, a warning icon displays next to it in the device details.
This feature requires devices to run the UEM Client for Android version 12.46.1.x or later.
Install VPP apps as unmanaged
November 2025
12.23
You can choose to have users install OS X and iOS VPP apps as personal apps that are not managed by UEM. You cannot use UEM to remove them from devices and the apps are not subject to UEM controls such as IT policy rules. When you assign a VPP app to a user or group, set “Disposition” to Optional and the “Target” to Personal to redirect the user to the App Store to install the app as unmanaged. When you set the Disposition to Optional and the Target as Personal, you are prompted to assign the appropriate VPP license to devices so the app can be treated as unmanaged. You must set “Assign license to” to “User” to make it an unmanaged app.
If a user was already assigned a VPP app with these settings before you upgraded UEM to version 12.23 or before the UEM Cloud November 2025 update, the app will continue to be managed by UEM. To make the app unmanaged, you must remove the app assignment (note that this will remove the app from devices), and then reassign the app with “Disposition” set to Optional, “Target” set to Personal, and “Assign license to” set to “User”.
If a user was assigned a VPP app with “Disposition” set to Optional, “Target” set to Personal, and “Assign license to” set to “User” before the upgrade to 12.23 or the November 2025 UEM Cloud update, but the user did not install the app yet, when the user installs the app after the 12.23 upgrade or November UEM Cloud update, the app will be installed as unmanaged.
Changes to the UEM setup application
12.23
The UEM setup application no longer provides the option to install Microsoft SQL Server 2012 Native Client, as it is no longer used by UEM.
If Microsoft SQL Server 2012 Native Client is installed on a computer that hosts a UEM instance, the UEM installation or upgrade process will not automatically remove it from the computer; it must be manually uninstalled.
Support for Microsoft SQL Server on Linux
12.23
UEM now supports Microsoft SQL Server 2019 and later on Linux.
UEM 12.22 and earlier do not support Microsoft SQL Server on Linux.
For more information, see the UEM Compatibility Matrix.
Changes to directory synchronization limit settings
November 2025
12.23
Previously, the "Sync limit" setting (Settings > External integration > Company directory > Sync settings) could be used to specify a maximum number of changes that could be carried out in a directory synchronization process. If the limit was exceeded, no synchronization actions were carried out (group additions, group removals, onboarding, and offboarding).
In this release, the "Sync limit" setting has been removed and replaced with two new settings that allow for more precise control over group removal and offboarding activities during synchronization:
  • Sync limit - percent of users to be off-boarded or removed: The maximum percentage of users in a group that can be removed or offboarded in a synchronization activity. If this maximum is exceeded, UEM does not carry out any removal or offboarding actions on the group during a synchronization. For example, if you specify the limit as 80% and 81% or more of the users in a group would be removed or offboarded, UEM will not remove or offboard any users from that group. By default, the limit is 100%, which means that UEM will not carry out removal or offboarding actions on a group if all of the users that belong to that group are impacted.
  • Sync limit - minimum group size threshold: The minimum number of users that a directory group must contain before UEM will apply the maximum limit specified for "Sync limit - percent of users to be off-boarded or removed". The maximum sync limit percentage does not apply to groups with fewer users than the minimum group size that you specify. The default minimum threshold is 10 (a group must contain at least 10 users for UEM to factor in the maximum sync limit percentage; the maximum sync limit does not apply to groups of 9 or fewer users). Type 0 if you want UEM to apply the maximum sync limit to all groups regardless of size.
After the UEM Cloud update or the upgrade to UEM 12.23, review the new sync limit settings and adjust the default values as necessary for your organization's environment.
For more information, see Enable directory-linked groups.
Changes to IT policy rules
November 2025
12.23
  • iOS - Software update delay period (supervised only): For devices with iOS 18 or later, if you enable “Automatically update device OS” and specify an update schedule, the delay period that you specify in this setting is added to the update schedule. For example, if the delay period is 3 days and the update schedule is 2 days after release, the device is automatically updated 5 days after release.
  • Android - Send security logs to UEM: This rule now applies to Android Management devices in addition to Android Enterprise devices. Previously, this functionality was always enabled for Android Management devices and could not be disabled.
For more information, see the UEM IT policy rules Reference Guide.
Enhancements to device details
November 2025
12.23
The following information is now available when you view device details in the management console:
  • Device serial numbers (not returned for devices with user privacy activation types)
  • Date and time work apps were installed (Android only, not applicable to personal apps)
  • List of Bluetooth-paired devices (Android only)
Note that for Android, this information can be returned only by devices with the UEM Client for Android version 12.46.1.x or later.
Enhancements to device reports
November 2025
12.23
Device reports that you generate from the management console now include:
  • Device serial numbers (not returned for devices with user privacy activation types)
  • List of Bluetooth-paired devices (Android only)
  • Multi-SIM information (network, phone number, whether roaming is enabled, IMEI, ICCID); IMEI and ICCID are not returned for user privacy activation types
Note that for Android, this information can be returned only by devices with the UEM Client for Android version 12.46.1.x or later.
For more information, see Generate a device report.
Enhancement to Knox Service Plugin profiles
November 2025
12.23
Previously, certain settings in Knox Service Plugin profiles could be selected or not selected. Settings that were not selected were considered to be “false” by Knox, instead of null or not set. In this release, the relevant Knox Service Plugin profile settings now feature drop-down fields where you can select true, false, or – (not set).
For more information, see Create a Knox Service Plugin profile.
Enhancement to app lock mode profiles
November 2025
12.23
App lock mode profiles now feature a new setting in the Administrator-enabled Android Enterprise device settings section: “Prevent activity from apps that are not on the allowed list”. When enabled, any activities that are initiated by apps that are not allowed by the App lock profile (for example, a pop-up to install a different app) will be blocked. Activities from system apps are not blocked.
For more information about app lock mode profiles, see Limiting the apps that can run on a device.
IT policy rules Reference Guide
November 2025
Previously, documentation for the UEM IT policy rules was provided as a downloadable spreadsheet. Starting with this release, the documentation for IT policy rules is now available in HTML and PDF format in the new UEM IT policy rules Reference Guide, making the information easier to navigate and search.
Removal of BlackBerry Protect Mobile features
November 2025
12.23
The following BlackBerry Protect Mobile features are no longer supported or available for use in the UEM management console as of UEM version 12.23 and the November 2025 UEM Cloud update:
  • Detecting malware when deploying Android apps from UEM
  • Detecting malware on Android devices
  • Safe browsing with BlackBerry Dynamics apps
  • Scanning URLs in text messages
  • Anonymous data collection (supported features do not collect user data)
Changes to enterprise connectivity profiles
November 2025
12.23
The following settings have been removed from the iOS tab of enterprise connectivity profiles because they are no longer supported by Apple:
  • Calendar domains
  • Contacts domains
  • Mail domains
  • Excluded domains
Feature enhancements for the BlackBerry UEM Client
November 2025
12.23
See the UEM Client Release Notes to learn about the latest features:

What's new in UEM version 12.22 and UEM Cloud

Feature
Cloud release date and on-prem version
Description
New IT policy rules for iOS 26
September 2025
12.22 MR1 QF3
A UEM Cloud update, an on-premises QF release, and a Sept 2025 IT policy pack add the following IT policy rules for iOS 26:
  • Allow Safari private browsing (supervised only)
  • Allow Safari history clearing (supervised only)
  • Allowed exceptions to Camera restriction (supervised only)
  • Denied ICCID's for iMessage and FaceTime (supervised only)
  • Denied ICCID's for RCS
For more information, see the Policy reference spreadsheet.
Enhancement for upcoming Windows update to enforce strong certificate to user identity mapping requirements
August 2025
12.22 MR1
UEM 12.22 MR1 and the August update of UEM Cloud include an enhancement to address an upcoming September Windows update that will enforce strong certificate to user identity mapping requirements. Your organization is impacted if it uses SCEP profiles to provide user credential certificates to devices to authenticate with resources such as Microsoft Exchange Server.
Support for Windows Server 2025
May 2025
12.22
This release adds support for Windows Server 2025.
For more information, see the UEM compatibility matrix.
Specify the directory when adding users to UEM with a .csv file
May 2025
12.22
When you add user accounts to UEM using a .csv file, you can use a new column in the .csv file, Directory Instance Name, to specify the name of the directory that each directory user belongs to. This allows UEM to import the user from the specified directory without having to search multiple directories that are associated with UEM. UEM will make a single call to a directory to import all users that are associated with that directory.
In the Directory Instance Name column, specify a single directory name for each directory user that you want to import. The directory name must match the name of a directory connection that has been configured in UEM (casing does not matter). If the value of this field is blank, UEM searches all available directories for the user.
For more information, see Creating user accounts from a .csv file.
Send client certificates to devices using ACME
12.22
You can create and assign ACME profiles to enable iOS devices that are activated on UEM to communicate with an ACME server to obtain and manage the use of client certificates from a certificate authority.
After you create an ACME profile, you can associate the profile with Wi-Fi, VPN, and email profiles (Authentication type and Associated ACME profile settings).
Activation profile enhancements
12.22
New options to configure identity certificate settings have been added to activation profiles to support SCEP and ACME configurations.
For more information, see Create an activation profile.
New “Skip during setup” options when configuring UEM for DEP
12.22
When you configure UEM for DEP, several new “Skip during setup” options have been added in this release. You can hover over each option to view a tooltip with additional details.
Feature enhancements for the BlackBerry Web Services
May 2025
12.22
See the BlackBerry Web Services Release Notes to learn about the latest features.

What's new in UEM version 12.21 and UEM Cloud

Feature
Cloud release date and on-prem version
Description
Install and configure UEM in a BSI-certified environment
12.21 MR1 (on-premises only)
UEM on-premises version 12.21 MR1 is certified by the German Federal Office for Information Security (BSI). For complete details about this certification and the differences in a BSI deployment of UEM, see the BSI-certified UEM Installation and Configuration Guide.
UEM 12.21 MR1 is intended only for use by customers who want to run a version of UEM that is fully compliant with BSI. If you do not require a BSI-certified version of UEM, do not install or upgrade to UEM 12.21 MR1. If you want to benefit from the latest fixes and enhancements for a standard UEM environment, BlackBerry recommends that you upgrade to UEM 12.22 MR1 or later.
IT policy pack for new iOS rules
April 2025 (on-premises only)
The latest IT policy pack (April 2025) includes the following new iOS IT policy rules:
  • Allow Cloud Private Relay (supervised only)
  • Allow use of satellite connectivity (supervised only)
  • Allowed External Intelligence Workspace IDs (supervised only)
  • Notes transcription summary (supervised only)
  • Allow Visual Intelligence Summary (supervised only)
  • Allow Apple Intelligence Report (supervised only)
  • Allow default calling app modification (supervised only)
  • Allow default messaging app modification (supervised only)
  • Allow Mail smart replies (supervised only)
  • Allow Notes transcription (supervised only)
  • Allow Safari summary (supervised only)
For more information, see the Policy reference spreadsheet.
Send client certificates to devices using ACME
March 2025 (UEM Cloud)
12.21 MR1 (see note above)
You can create and assign ACME profiles to enable iOS devices that are activated on UEM to communicate with an ACME server to obtain and manage the use of client certificates from a certificate authority.
After you create an ACME profile, you can associate the profile with Wi-Fi, VPN, and email profiles (Authentication type and Associated ACME profile settings).
Activation profile enhancements
March 2025 (UEM Cloud)
12.21 MR1 (see note above)
New options to configure identity certificate settings have been added to activation profiles to support SCEP and ACME configurations.
For more information, see Create an activation profile.
New iOS IT policy rules
March 2025 (UEM Cloud)
12.21 MR1 (see note above)
The following iOS IT policy rules are new in this release:
  • Allow Cloud Private Relay (supervised only)
  • Allow use of satellite connectivity (supervised only)
  • Allowed External Intelligence Workspace IDs (supervised only)
  • Notes transcription summary (supervised only)
  • Allow Visual Intelligence Summary (supervised only)
  • Allow Apple Intelligence Report (supervised only)
  • Allow default calling app modification (supervised only)
  • Allow default messaging app modification (supervised only)
  • Allow Mail smart replies (supervised only)
  • Allow Notes transcription (supervised only)
  • Allow Safari summary (supervised only)
For more information, see the Policy reference spreadsheet.
New “Skip during setup” options when configuring UEM for DEP
March 2025 (UEM Cloud)
12.21 MR1 (see note above)
When you configure UEM for DEP, several new “Skip during setup” options have been added in this release. You can hover over each option to view a tooltip with additional details.
Support for Intercede MyID
November 2024
12.21
This release supports the use of the Intercede MyID PIV credential management solution to provide derived credentials certificates to devices activated on UEM.
Install the BlackBerry Connectivity Node using the command line
November 2024 (cloud only)
You can now install the BlackBerry Connectivity Node for a UEM Cloud environment using the command prompt.
Create local users administrator permission
November 2024
12.21
This release includes a new Users and Devices permission, Create local users, that controls whether an administrator account can create local users. Create local users is enabled by default for the Security Administrator, Enterprise Administrator, and Senior HelpDesk roles. The Create local users permission can be enabled only if the Create users permission is also enabled.
After you upgrade to UEM 12.21, custom roles that you created previously will not have the Create local users permission by default; you must assign it manually.
Enhancements to BlackBerry Dynamics profiles
November 2024
12.21
BlackBerry Dynamics profiles feature the following enhancements:
  • A background activity setting is now available for iOS and Android devices, allowing background process restarts if the OS has terminated the application process. When enabled, an app may use secure networking and storage in the background after receiving a push notification. This feature (known as Background Authorize) was previously supported only for select BlackBerry Dynamics apps and was configured in the app policy. It is now supported for all BlackBerry Dynamics apps and is configured in the BlackBerry Dynamics profile. This feature requires an Android version of the BlackBerry Dynamics apps that will be released in Fall 2025 or later.
  • The Data leakage prevention (DLP) section has been restructured for ease of use.
  • In the DLP section, you can now specify a character limit for cutting and copying text from a BlackBerry Dynamics app to a non-BlackBerry Dynamics app. This feature requires a version of the BlackBerry Dynamics apps that will be released in Fall 2025 or later.
  • In the Transfer files section, for iOS there is a new setting to allow or block the transfer and opening of unencrypted files from BlackBerry Dynamics apps to selected non-BlackBerry Dynamics apps. This feature requires a version of the BlackBerry Dynamics apps that will be released in Fall 2025 or later.
  • A new setting, "Allow Apple Intelligence in-app writing tools", specifies whether iOS users are able to access built-in Apple Intelligence writing tools in BlackBerry Dynamics apps. By default, this setting is not selected.
    This setting is enforced only if the following data leakage prevention setting is enabled in the profile: "Do not allow copying data from BlackBerry Dynamics apps into non-BlackBerry Dynamics apps". If this DLP setting is not selected, Apple Intelligence writing tools are allowed in BlackBerry Dynamics apps.
    Note that if you turn off the IT policy rule "Allow writing tools (supervised only)" in the assigned IT policy, writing tools will be blocked for all apps on supervised iOS devices, regardless of the configuration of this setting in the BlackBerry Dynamics profile. By default, the "Allow writing tools (supervised only)" IT policy rule is enabled.
For more information, see BlackBerry Dynamics profile settings.
Changes to OS support
November 2024
12.21
This release adds support for the following device operating systems:
  • iOS 18
  • Android 15
For more information, see the Mobile device OS compatibility matrix.
New iOS IT policy rules
November 2024
12.21
The following IT policy rules have been added for iOS devices.
Device functionality (iOS 17.4 or later): Allow auto dim (supervised only)
Device functionality (iOS 18.0 or later):
  • Allow eSIM outgoing transfers (supervised only)
  • Allow iPhone mirroring (supervised only)
  • Allow Genmoji (supervised only)
  • Allow image playground (supervised only)
  • Allow image wand (supervised only)
  • Allow personalized handwriting results (supervised only)
Device functionality (iOS 18.1 or later):
  • Allow call recording (supervised only)
  • Allow RCS messaging (supervised only)
  • Allow mail summary (supervised only)
Apps (iOS 18.0 or later):
  • Allow hiding apps (supervised only)
  • Allow locking apps (supervised only)
Apps (iOS 18.2 or later): Allow default browser modification (supervised only)
Security and privacy (iOS 18.0 or later): Allow writing tools (supervised only)
Security and privacy (iOS 18.2 or later):
  • Allow external intelligence integrations (supervised only)
  • Allow external intelligence integrations sign-in (supervised only)
For more information, see the Policy reference spreadsheet.
New Android IT policy rule to control Circle to Search
November 2024
12.21
The "Allow Circle to Search" IT policy rule allows you to control whether Circle to Search functionality is enabled in the work profile. The rule is enabled by default and applies to devices running Android OS 15 or later. This rule requires the UEM Client for Android version 12.45.x or later.
For more information, see the Policy reference spreadsheet.
Changes to IT policy rules
November 2024
12.21
The IT policy rule "Allow screenshots in the work profile to be stored in the personal profile" is not supported for devices with Android 15 or later.
Enhancement to encrypting the connection between UEM and Microsoft SQL Server
12.21 (on-prem only)
Previously, you could encrypt the connection only after installing UEM. In this release you can set up an encrypted connection when you install or upgrade UEM using the command prompt.
Support for group Managed Service Accounts
November 2024
12.21
This release adds support for using a group Managed Service Account (gMSA) to install or upgrade UEM and to run the UEM services. When installing or upgrading UEM on-premises, you can now select an option to use a gMSA.
For more information, see the UEM Installation and Upgrade Guide.
Designate iOS and OS X apps as Work or Personal
November 2024
12.21
When you assign iOS or OS X apps to a user or group, you can configure a new Target field to designate the app as "Work" (default) or "Personal". This field allows you to differentiate the type of app in the management console. This setting does not impact how the app is installed or managed on the device.
Enhancement to the device vulnerabilities view
November 2024
12.21
The device vulnerabilities view now allows you to search and filter by a specified CVE number to see the device operating systems that are impacted by that CVE.
For more information, see View mobile OS vulnerabilities.
Copy app configurations
November
12.21
You can now copy and modify an existing app configuration.
Enhancements to app configurations for BlackBerry Dynamics apps
November 2024
12.21
The following enhancements have been made to the app configuration UI for BlackBerry Dynamics apps:
  • The available tabs are now stacked for ease of use.
  • You can move and resize the app configuration window.
Support for Samsung Knox 3.11 with Android Enterprise activation types
November 2024
12.21
This release adds support for Android Enterprise activation types on Android 15 with Samsung Knox 3.11.
For more information, see the UEM compatibility matrix.
Note that the MDM controls activation type is no longer supported for Samsung Knox devices with Android 15 or later.
Enhancement to compliance profiles
November 2024
12.21
Compliance prompts for BlackBerry Dynamics apps are now supported for the following compliance rules:
  • OS update not applied (iOS and Android)
  • Managed device attestation failure (iOS)
Compliance prompts for these settings require the most recent release of BlackBerry Dynamics apps (October 2024 or later for iOS, November 2024 or later for Android).
Changes to supported Android activation types for dark site environments
November 2024
12.21
There are changes to the supported Android activation types in a dark site environment.
Feature enhancements for the BlackBerry UEM Client
November 2024
12.21
See the UEM Client Release Notes to learn about the latest features:
Feature enhancements for the BlackBerry Web Services
November 2024
12.21
See the BlackBerry Web Services Release Notes to learn about the latest features.

What's new in UEM version 12.20 and UEM Cloud

Feature
Cloud release date and on-prem version
Description
IT policy pack for new iOS and Android rules
12.20 (on-premises only)
The latest IT policy pack (October 2024) includes the following new IT policy rules:
Android
The "Allow Circle to Search" IT policy rule allows you to control whether Circle to Search functionality is enabled in the work profile. The rule is enabled by default and applies to devices running Android OS 15 or later. This rule requires the UEM Client for Android version 12.45.x or later.
iOS
Device functionality (iOS 17.4 or later): Allow auto dim (supervised only)
Device functionality (iOS 18.0 or later):
  • Allow eSIM outgoing transfers (supervised only)
  • Allow iPhone mirroring (supervised only)
  • Allow Genmoji (supervised only)
  • Allow image playground (supervised only)
  • Allow image wand (supervised only)
  • Allow personalized handwriting results (supervised only)
Device functionality (iOS 18.1 or later):
  • Allow call recording (supervised only)
  • Allow RCS messaging (supervised only)
  • Allow mail summary (supervised only)
Apps (iOS 18.0 or later):
  • Allow hiding apps (supervised only)
  • Allow locking apps (supervised only)
Security and privacy (iOS 18.0 or later): Allow writing tools (supervised only)
Compliance events view
June 2024
12.20
This release introduces a new compliance events view in the management console that allows you to monitor and track the compliance events that UEM detects across iOS, Android, macOS, and Windows devices, including compliance events for BlackBerry Protect Mobile features.
For more information, see Monitor compliance events.
BlackBerry Protect Mobile enhancements
June 2024
12.20
  • Insecure Wi-Fi access point detection is now supported for iOS devices. For more information, see Protecting devices from network threats in the BlackBerry Protect Mobile Administration content.
  • Scanning text messages to detect malicious URLs is now supported for Android devices (Android Enterprise and Android Management work space only activation types). For more information, see Scanning URLs in SMS text messages in the BlackBerry Protect Mobile Administration content.
  • BlackBerry Protect Mobile settings and compliance rules are now applicable to Android Management devices.
New IT policy rules to manage iOS software updates
June 2024
12.20
The "Automatically update device OS (supervised only)" IT policy rule has been added to the “Software updates” group on the iOS tab to provide new options to manage iOS software updates on devices. When you enable this rule, you can enable or disable the following sub-rules (enabled by default):
  • Automatically update major versions
  • Automatically update minor versions
  • Automatically update patch versions
  • Automatically update rapid security responses
  • Update schedule
You can set the Update schedule to Immediate or you can specify the update schedule.
The "Automatically update device OS (supervised only)" rule and sub-rules are supported for iOS devices with the MDM controls activation type.
For more information, see the Policy reference spreadsheet.
Schedule OS updates on supervised iOS devices
June 2024
12.20
You can now schedule the date and time of OS updates for one or more supervised iOS devices.
For more information, see Update the OS on supervised iOS devices.
Include devices in a device group based on pending OS updates
June 2024
12.20
When you add or make changes to a device group, you can specify the new device query option “Pending OS update age (days)” to include devices in the device group based on whether pending OS updates have not been installed within a specified number of days.
For more information, see Parameters for device groups.
Changes to IT policy rules for Android password complexity
June 2024
12.20
  • The Android Global Password complexity IT policy rule now applies only to devices with Android OS 12 or later with a user privacy activation type (Android Enterprise and Android Management).
  • The Android Global Password requirements IT policy rule now applies to full control and work space only activation types (Android Enterprise and Android Management), and to user privacy activation types (Android Enterprise and Android Management) on devices with Android 11 only.
  • The Password complexity IT policy rule in the Android Work profile section is no longer applicable as of UEM Client version 12.44.x.
  • The Password requirements rule in the Work profile section now applies to all Android activation types.
When users upgrade the UEM Client to version 12.44.0.157981 or later, if the device and work passwords do not meet the requirements set by an administrator in the IT policy, users will be prompted to set the device and work passwords according to the IT policy rules.
For more information, see the Policy reference spreadsheet.
Changes to compliance profiles
June 2024
12.20
  • A new option is available in compliance profiles that allows you to specify the compliance actions to take when iOS or Android devices have pending OS updates that exceed a specified period of time.
  • For rules that support email notifications, you can now specify the email template that you want to use for each compliance rule that you enable.
  • You can now specify the email template that you want to use for different compliance rules that you enable (when the email template option is applicable).
  • The “Prompt for compliance” option has been removed for the Jailbroken OS rule for iOS and for the Rooted OS rule for Android. If you configured this option previously, it will change to immediate enforcement action when you upgrade to UEM 12.20.
For more information, see Create a compliance profile.
New option when activating devices with Entra ID conditional access
June 2024
12.20
The BlackBerry Dynamics profile includes a new option that allows you to delay conditional access enrollment for a user until the Microsoft Authenticator app is installed on the user’s device.
Prevent screenshots in BlackBerry Dynamics apps for iOS
June 2024
12.20
If you want to prevent users from taking screenshots in BlackBerry Dynamics apps on iOS devices, you can enable the new "Do not allow screenshots on iOS devices" option in the BlackBerry Dynamics profile that is assigned to users.
If a device user tries to take a screenshot in a BlackBerry Dynamics app after this option is enabled, a blank image with the following message is saved instead: "Your organization prevents screenshots being taken within this app."
This option is supported for BlackBerry Dynamics apps that use BlackBerry Dynamics SDK 12.1 and later (apps released in June 2024 or later), and replaces the iOS screen capture detection rule in compliance profiles. BlackBerry recommends using the new profile setting and disabling the compliance rule. The compliance rule will be deprecated in a future UEM release.
For more information, see BlackBerry Dynamics profile settings.
Encrypt communication between UEM and Microsoft SQL Server
12.20 (on-prem only)
You can encrypt the connection and communication between UEM on-premises and Microsoft SQL Server. By default, the connection is not encrypted.
Changes to port requirements for UEM connections to Microsoft Active Directory
June 2024
12.20
This release includes a new port requirement for CLDAP requests for domain controller discovery.
Web proxy support for Android Enterprise devices that use BlackBerry Secure Connect Plus
June 2024
12.20
Apps on Android Enterprise devices that use BlackBerry Secure Connect Plus can now use a web proxy server. You configure the web proxy using a proxy profile and select the proxy profile in the enterprise connectivity profile that you use to configure and enable BlackBerry Secure Connect Plus.
Apple managed device attestation
June 2024
12.20
You can now enable Apple managed device attestation to ensure that only authorized and uncompromised devices are being used in your organization. During attestation, the device's properties (for example, its serial number) or identifiers are verified to be legitimate and not spoofed. This feature requires unsupervised devices to be running iOS 16 or iPadOS 16.1 or later. For supervised devices, iOS 17 or iPadOS 17 or later is required.
  • You can turn on periodic device information attestation for Apple devices from the Settings > General settings > Attestation menu. The minimum challenge frequency is 9 days.
  • In the activation profile, you can specify whether the attestation occurs during device activation and/or periodically. Managed device attestation applies to the MDM controls and the User privacy activation types, but not the User privacy - User enrollment activation type. When you select the User privacy activation type in the activation profile, you must select at least one of the management options (such as "Allow VPN management").
  • You can use the compliance profile to enforce attestation and take action against devices where attestation is not successful.
  • The status of Apple device attestation is available from the device details screen.
For more information, see Configure attestation for iOS devices.
Updates to the Microsoft Intune app protection policy
June 2024
12.20
The Microsoft Intune app protection policy has been updated in the management console to include some of the latest app policies.
Support for Samsung Knox 3.10 with Android Enterprise activation types
June 2024
12.20
This release adds support for Android Enterprise activation types on Android 14 with Samsung Knox 3.10.
For more information, see the UEM compatibility matrix.
Changes to OS support
June 2024
12.20
This release will no longer support the following device operating systems:
  • Android 10
  • iOS 15
For more information, see the Mobile device OS compatibility matrix.
Changes to supported activation types
June 2024
12.20
  • The Work space only (Samsung Knox) activation type is no longer supported.
  • The User privacy - User enrollment activation type is not supported for iOS 18 and later.
Support for different home and lock screen wallpapers on supervised iOS devices
June 2024
12.20
This release includes new options in the device profile to specify different wallpaper for the home and lock screens on supervised iOS devices.
For more information, see Create a device profile.
Show or hide the BlackBerry Dynamics Launcher in the UEM Client
June 2024
12.20
In the BlackBerry Dynamics profile, you now have the option to show or hide the BlackBerry Dynamics Launcher in the UEM Client:
  • Enable BlackBerry Dynamics Launcher in UEM Client: This setting specifies whether the BlackBerry Dynamics Launcher icon appears in the UEM Client.
  • Enable BlackBerry Dynamics Launcher first time setup: This setting specifies whether the tutorial appears when the BlackBerry Dynamics Launcher appears for the first time in the UEM Client.
For more information, see BlackBerry Dynamics profile settings.
Add a customizable text banner to the management console
June 2024
12.20
You can now add a customizable text banner that is displayed in the top-right header on every page in the management console. You can use this banner to display important information for all administrators that use the console (for example, you can display the information for the UEM tenant).
View mobile OS vulnerabilities
June 2024
12.20
The new device vulnerabilities screen in the management console allows you to view a list of Common Vulnerabilities and Exposures (CVE) for any mobile OS that is used in the UEM environment.
For more information, see View mobile OS vulnerabilities.
Changes to Kerberos Constrained Delegation (KCD) for BlackBerry Dynamics apps
12.20 (on-prem only)
If you configured KCD for BlackBerry Dynamics apps, you must create and configure a krb5.conf file with specific minimum settings to continue supporting this feature in UEM 12.20 and later.
If your organization uses a multi-realm Kerberos environment, additional steps are required to support KCD after you upgrade to UEM 12.20.
New IT policy rule to allow web distribution apps for iOS
June 2024
12.20
The "Allow web distribution apps (supervised only)" IT policy rule allows you to specify whether users are allowed to install web distribution apps. The rule is enabled by default and applies to devices running iOS 17.5 and later only.
For more information, see the Policy reference spreadsheet.
Return to service option for the iOS Delete all device data command
June 2024
12.20
When you send the "Delete all device data" command to devices with iOS 17 or later, you can select the “Enable Return to Service” option and select a Wi-Fi profile to assign to the devices to assist the user in setting up the device again after the data is deleted.
For more information, see Send commands to users and devices.
Feature enhancements for the BlackBerry UEM Client
June 2024
12.20
See the UEM Client Release Notes to learn about the latest features:
Feature enhancements for the BlackBerry Web Services
June 2024
12.20
See the BlackBerry Web Services Release Notes to learn about the latest features.

What's new in UEM version 12.19 and UEM Cloud

Feature
Cloud release date and on-prem version
Description
Changes to iOS IT policy rules and compliance rules
April 2024
12.19 Quick Fix 3
This release includes the following changes:
  • The "Allow marketplace apps" IT policy rule has been added to allow you to control whether users can install marketplace apps. This rule is supported for iOS 17.4 and later. (EMM-155942)
  • The functionality of the following iOS IT policy rules now extends to marketplace apps: Allow installing apps (supervised only), Allow removing apps (supervised only).
  • The functionality of the following iOS compliance rules now extends to marketplace apps: Show only allowed apps on the device, Restricted app is installed.
For more information, see the UEM 12.19 IT policy rules reference.
New iOS IT policy rules
January 2024
12.19 Quick Fix 1
The following IT policy rules have been added for devices with iOS 17.2 and later:
  • Preserve eSIM data plan on device wipe (supervised only)
  • Allow Live Voicemail (supervised only)
For more information, see the UEM 12.19 IT policy rules reference.
Changes to console URLs
October 2023
12.19
The UEM console URLs have changed in this release to include additional information at the end of the path:
  • Management console: https://<server_name>:<port>/admin/index.jsp?tenant=<tenant_ID>&redirect=no
  • UEM Self-Service console: https://<server_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>&redirect=no
If you integrate UEM with Entra ID, the UEM console URLs change to the following ("&redirect=no" is removed from the end of the URL):
  • Management console: https://<server_name>:<port>/admin/index.jsp?tenant=<tenant_ID>
  • Self-service console: https://<server_name>:<port>/mydevice/index.jsp?tenant=<tenant_ID>
New OS support
October 2023
12.19
The following operating systems are now supported:
  • iOS 17: Includes support for RSA-PSS and DH group 32 in VPN profiles and TLS 1.3 in Wi-Fi profiles
  • Android 14
JRE 17 required
October 2023
12.19
You must install JRE 17 on the servers where you will install UEM, and you must set an environment variable that points to the BB_JAVA_HOME home location.
Connect UEM on-premises to Entra ID
October 2023
12.19
You can now connect BlackBerry UEM on-premises to Entra ID to create and synchronize users and directory-linked groups.
For more information, see Connect BlackBerry UEM to Entra ID.
New Android Management activation types
October 2023
12.19
Three new activation types that support the Android Management API have been added:
  • Work and personal - full control (Android Management fully managed device with work profile)
  • Work and personal - user privacy (Android Management with work profile)
  • Work space only (Android Management fully managed device)
Knox Service Plugin policies
October 2023
12.19
You can now configure KSP policies from the Policies and profiles menu in the UEM management console instead of an app configuration.
For more information, see Managing Android devices with OEM app configurations profile.
iOS app update dispositions
October 2023
12.19
You can now specify new "Required without updates" or "Optional without updates" dispositions for iOS VPP apps and assign them to users, user groups, device groups, shared device groups, and public device groups. For shared iPad groups you can assign "Required without updates".
iOS RSR versions
October 2023
12.19
You can now select an RSR version as the minimum allowed OS version in activation profiles for iOS devices.
New BlackBerry Dynamics profile setting
October 2023
12.19
You can use the new "Allow WatchOS apps" setting to control whether end users can pair their Apple WatchOS apps with BlackBerry Dynamics apps. This setting is off by default.
For more information, see BlackBerry Dynamics profile settings.
New email profile setting for iOS
October 2023
12.19
You can use the new "Allow Mail Drop" setting to control whether users with the MDM controls activation type can send files from their account using Mail Drop.
For more information, see iOS: Email profile settings.
Updated compliance variable
October 2023
12.19
You can now use the %ComplianceApplicationList% variable to display the names of restricted apps that are installed on a device in compliance notifications that are sent to users.
LDAP directory enhancements (UEM on-premises only)
October 2023
12.19
Paged search results are now supported for LDAP directories.
SIM management enhancement
October 2023
12.19
You can now view the information for multiple SIMs for a device on the Device details screen, including eSIM information.
Enhancements to the Managed device users screen
October 2023
12.19
You can now add the Bluetooth MAC address as an optional field in the Advanced view of the Managed device users screen. You can also export this data from this view.
Export personal apps list
October 2023
12.19
You can now export a list of the personal apps that are installed on a user's device. The list includes the user and device name, the app name and version, the OS type and version, and the installation date.
Feature enhancements for the BlackBerry UEM Client
October 2023
12.19
See the UEM Client Release Notes to learn about the latest features: