What's new in BlackBerry UEM 12.11 Part 1

We’ve just released the latest update to BlackBerry UEM 12.11. Among the many upgrades are security, console, and activation improvements. For more information about the release, refer to part 2 of the blog here.


iOS app integrity check: Caution: Use this feature in a beta environment only.

You can use the iOS app integrity check framework to check the integrity of iOS work apps that have been published to the App Store. This feature uses Apple DeviceCheck and other methods to provide a way to identify that your app is running on a valid Apple device and that the app is published by the specified Apple Team ID. For more information on Apple DeviceCheck, see the information from Apple. This setting applies only to devices running iOS 11 and later. Activation of BlackBerry Dynamics apps that were built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier will fail if you enable the ‘Perform app integrity check on BlackBerry Dynamics app activation’ option in the activation profile and if you add those apps for iOS app integrity check. If a BlackBerry Dynamics app that was built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier is already activated, and you select the 'Perform periodic app integrity checks' option in the Activation profile, the app will fail the periodic attestation check and the device will be subject to the enforcement action specified in the compliance profile that is assigned to the user.

Note: You cannot enable the iOS app integrity checking on enterprise apps that your organization has developed and distributed internally using the Apple Enterprise Distribution program.

Management console

BlackBerry Dynamics Connectivity profile change: The Route All option has been replaced with a Default Route option in the BlackBerry Dynamics Connectivity profile allowing for more detailed control over how BlackBerry Dynamics apps built using the latest BlackBerry Dynamics SDK can connect to app servers. This allows you to configure rules to avoid double tunneling the UEM App Store and UEM hosted application push.

BlackBerry Dynamics access keys: You can now generate BlackBerry Dynamics access keys for users that do not have an email address.

Notifications for changes to Android Enterprise apps: Administrators can now receive notifications when the status of an Android Enterprise app on Google Play has changed and requires review. When an app requires review, UEM marks the apps listed on the Apps screen. Administrators can apply a filter to easily see the apps that need to be reviewed or approved and take the appropriate action. From the Settings > Event notifications menu, you can set the types of events that you want administrators to be notified about. For example, you can notify administrators if an app requires review if changes were made to the app’s availability, version, approval status, permissions, app configuration schemas, or if an app was not successfully installed on a user’s device.

Whitelist antivirus vendors for Windows devices: In the compliance profile, in the “Antivirus status” rule for Windows devices, you can now choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.

User credential profiles support using Entrust for BlackBerry Dynamics apps: You can now use your Entrust PKI connection to enroll certificates for BlackBerry Dynamics apps using the User credential profile.

Compliance violation reporting: When a device is out of compliance, violations and any applicable actions display on the device summary page. To see which apps are in a noncompliant state, click on the ‘View noncompliant apps’ link. A device with performance alerts or compliance violations is flagged with a caution icon. Types of violations that are reported include:

  • Rooted OS or failed attestation (Android only)
  • SafetyNet attestation failure (Android only)
  • Jailbroken OS (iOS only)
  • Restricted OS version is installed (iOS, Android, macOS, Windows)
  • Restricted device model detected (iOS, Android, macOS, Windows)
  • BlackBerry Dynamics library version verification  (iOS, Android, macOS, Windows)
  • BlackBerry Dynamics apps connectivity verification (iOS, Android, macOS, Windows)
  • Antivirus status (Windows only)

In the management console, you can filter on any of the compliance rules when they occur.

Device compliance report: On the dashboard, the device compliance report now indicates if either the BlackBerry UEM Client or a BlackBerry Dynamics app is out of compliance.

Device report update: The device report now includes the BlackBerry Dynamics compliance rule status.

Automatic device and OS metadata updates: If a user activates a device with a model or OS version that is unknown to BlackBerry UEM, UEM automatically adds the new device or version metadata to the UEM database so that the metadata is available for Activation, Compliance, and Device SR profiles.

Enable Android keyboard restricted mode: You can now use the ‘Enable Android keyboard restricted mode’ option in a BlackBerry Dynamics profile to force custom keyboards into incognito mode.

Shared device groups: Migration is not supported for shared device groups. Users who belong to a shared device group do not appear in the Migrate users list. Devices that are part of a shared device group do not appear in the Migrate devices list.

New Event Notifications: BlackBerry UEM can now email event notifications to administrators for the following events:

  • iOS VPP account expiry
  • DEP token expiry
  • IT policy pack updated
  • Metadata updated


Activate Android Enterprise devices without adding a Google account: Administrators now have the option to allow Android Enterprise devices to be activated without adding a Google Play account to the workspace. You might use this option if you do not want to use Google Play to manage work apps on Android Enterprise devices or you want to activate and use the device without accessing Google services. In the activation profile, you specify whether to add Google Play to the workspace for Android Enterprise devices. By default, the activation profile adds the Google account to the work space and Google Play manages the apps. If you do not add a Google account, apps and app configurations are managed through the BlackBerry UEM infrastructure using the BlackBerry UEM Client.


BlackBerry UEM now includes Work and personal – full control activations for Android Enterprise devices: This activation type is for devices running Android 8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files.

To activate a device with Work and personal – full control, the user must wipe the device and start the activation in the same way as Work space only activations.

To enable BlackBerry Secure Connect Plus KNOX Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.

When you apply IT policy rules to Android Enterprise devices with Work and personal – full control activations, the different rule categories affect different profiles on the device:

  • Global rules apply to the entire device.
  • Work profile rules apply to apps and data in the work profile.
  • Personal profile rules apply to apps and data in the personal profile.

For example, to apply password requirements to unlock the device, use the Global password rules. To apply password requirements only to the work profile, use the Work profile password rules. To prevent screen capture only of work data, deselect the Work profile “Allow screen capture” rule and select the Personal profile “Allow screen capture” rule. To prevent screen capture of both work and personal data, deselect the Personal profile “Allow screen capture” rule.

Colin Fullerton

About Colin Fullerton