What's new in BlackBerry UEM 12.12 Part 1

What's new in BlackBerry UEM Part 1

We’ve just released the latest update to BlackBerry UEM and BlackBerry UEM Cloud. Among the many upgrades are improvements to iOS, Android, Samsung Knox, and Windows device management. For more information about the release, refer to part 2 of the blog here.


  • Apple DEP error message update: If you have not yet accepted the updated terms and conditions for Apple Business Manager, you will receive an error message by email. 
  • Synchronize Apple DEP accounts with Apple Business Manager manually: You can manually synchronize Apple DEP accounts in BlackBerry UEM to ensure device connectivity.
  • Event notification update: The DEP connection failure status' event notification now contains details for Com Status, Operation mode, and Last synchronization time.
  • Specify activation profile for DEP devices: For each device registered in Apple DEP, you can now specify the activation profile that you want to assign to it. For example, if a user has multiple iOS devices that require different activation types, you can specify the activation profile for each device. When activating the iOS device, the activation profile that is assigned to the device takes precedence over the activation profile that is assigned to the user account.
  • Assign users directly to Apple DEP device serial numbers: BlackBerry UEM now allows you to assign a user to an Apple DEP device serial number before the device is activated. When a user is assigned to the device serial number in the BlackBerry UEM management console, the user is not prompted for a username or password during device activation.
  • Update iOS to specific version number: On the device tab, you can upgrade the software version on a supervised iOS device to a specific version number. You can use this feature to update the device OS to a version that your organization’s IT department has certified.
  • Support for iOS 13 single sign-on extension: Single sign-on extension for iOS 13 and iPadOS 13 allows users to authenticate once and then automatically log in to domains and web services within your organization’s network. You can configure a single sign-on extension profile in BlackBerry UEM for devices running iOS (or iPadOS) 13.
  • Improved activation process: The BlackBerry UEM Client for iOS has been updated to add some safeguards to minimize the instances where a user must restart the activation process from the beginning due to an interruption during device activation (for example, the user receives a call during activation).  When the user returns to the UEM Client, the user can now resume activation from the most recent step.
  • New activation type for iOS and iPadOS 13.1 devices: A new activation type “User privacy – User enrollment” is now available for devices running iOS or iPadOS 13.1 and later. The activation type helps maintain user privacy while keeping work data separated and protected. Administrators can manage work data (for example, wipe work data) without affecting personal data. To activate a device with this activation type, users can simply use the native camera app to scan the QR code that they received in the activation email to manually download and install the MDM profile to the device. The user logs in to their managed Apple ID account and completes the activation in the BlackBerry UEM Client.
  • Support for iOS 13 features: BlackBerry UEM supports the new capabilities in iOS 13. New support includes three new IT policy rules, support for WPA-3 Personal and WPA3-Enterprise Wi-Fi security, and new Email profile, VPN profile, and App Lock Mode profile settings.


  • Factory reset protection profile: You can specify multiple Google accounts to a Factory reset protection profile.
  • Improvements to Android Enterprise device activation user experience: The number of steps required to activate Android Enterprise devices has been reduced. Users can now tap a check box when they enter their username to accept the license agreement. Additional notifications have been added to show app installation progress. Additional messages have been added to describe permissions required by the UEM Client.
  • Updated activation error messages: When activation is not successful on an Android device, a new or updated error message displays that explains why the device did not activate properly. This allows the user and IT personnel to diagnose and fix the problem.
  • Use OEMConfig apps from Android device manufacturers to manage device features: BlackBerry UEM supports using OEMConfig apps provided by device manufacturers, (for example, the Samsung Knox Service Plugin), to manage manufacturer-specific APIs on devices. The Samsung Knox Service Plugin allows you to manage new Samsung device features as soon as Samsung updates the device and app instead of waiting for new profile settings and IT policy rules in the next UEM update.
  • Review feedback from Android apps with app configurations:  BlackBerry UEM receives and displays error and information feedback from any Android apps that have an app configuration and have been developed to provide feedback.
  • Easily add work apps for Android Enterprise devices to Google Play: Access the updated Google Play interface from BlackBerry UEM to more easily add private apps and web apps (shortcuts to web pages) to Google Play in the work profile on Android Enterprise devices.
  • Corporate owned single-use (COSU) device support for Android Enterprise: BlackBerry UEM now supports corporate owned single-use for Android Enterprise version 7.0 and later. When configured for COSU, a device is locked to a specific set of applications to perform a function.
  • Request bug report: You can now send a command to an Android Enterprise device from BlackBerry UEM to request the client logs. Request bug report is available for the following activation types:
    • Work space only (Android Enterprise fully managed device)
    • Work and personal – full control (Android Enterprise fully managed device with work profile)
  • Control runtime permissions for Android apps: When you add an Android app in BlackBerry UEM, you can choose to set runtime app permissions. You can choose to grant permissions, deny permissions, or use an app permission policy for each permission listed for the app.
  • Send client download location with QR code: You can define the location for downloading the UEM Client for Work space only (Android Enterprise fully managed device) activation types. The location is sent in the QR code.
  • Date range for OS updates: For Android Enterprise Work space only and Work and personal – full control devices, you can now specify a date range when OS updates should not occur.
  • Message displays when work profile is deleted: If you use the "Delete only work data" command for Android Enterprise Work and personal - user privacy devices, you can provide a reason that appears in the notification on the user's device to explain why the work profile was deleted.
  • Message displays when work profile is deleted due to a compliance violation: If the work profile is deleted from an Android Enterprise Work and personal - user privacy device due to a compliance violation, the notification on the device now describes the compliance rule that was broken.
  • Force device restart: You can now use the Restart device command to force Android Enterprise Work space only and Work and personal – full control devices to restart.
  • Improved secure tunnel connection for Android devices: When an Android device enters Doze mode, the BlackBerry Secure Connect Plus connection is now more reliably maintained.
  • Default device SR profile and work app updates: There is now a default device SR profile that is assigned to user accounts that don't already have a device SR profile assigned. The default profile is configured for Android devices only and has the "Enable update period for apps that are running in the foreground" option enabled which allows work apps from Google Play to be automatically updated during the time period. By default, apps are scheduled to start updates daily over Wi-Fi at 02:00 (local device time) and stop in 4 hours.
  • Limit Android Enterprise devices to a single app: The app lock mode profile is now supported for Android Enterprise devices that are running Android 9 or later and activated with the “Work space only (Android Enterprise fully managed device)” activation type. You can now use the profile to limit Android Enterprise devices to the apps that you specify and, optionally, limit the device to a single app. When you limit the device to a single app, the app can access the other apps that you specified in the profile when it is required, but users always return to the app that the device is limited to.

Samsung Knox

  • Support for Samsung Knox DualDAR: Devices that support Samsung Knox DualDAR encryption can now have Knox Workspace data secured using two layers of encryption. When the user is not using the device, all data in the Knox Workspace is locked and can’t be accessed by apps running in the background.  In the Activation profile, you can specify whether to use the default DualDAR app or an internal app to encrypt the workspace.  In the Device profile, you can specify the data lock timeout after which the user must authenticate with both device and workspace to access work data again and specify apps that are allowed to access work data even when work data is locked.
    Samsung Knox DualDAR encryption is supported on devices that run Samsung Knox 3.3 or later for new activations using the Work and personal - full control (Android Enterprise fully managed device with work profile) premium activation type.
  • Improved support for Knox Platform for Enterprise devices: Samsung Knox IT policies were added for devices that support Knox Platform for Enterprise. These policies are applied to the device, personal space, or work spaces on the device depending on the Android Enterprise activation type that you choose.  Support has also been added for native Samsung VPN and email, the ability to restrict apps in the personal space, and the ability to remotely lock the work space. To use Knox Platform for Enterprise features, the Knox device must be running Android 8 or later and be activated with one of the Android Enterprise activation types and the premium option enabled.


  • BitLocker encryption policies for Windows 10 devices: Several IT policies that support the use of BitLocker Drive Encryption were added to UEM for Windows 10 devices that require encryption. When configured, the devices prompt users to encrypt data using BitLocker on their OS drives, fixed data drives, and removable storage drives. You can configure the encryption strength, the additional authentication requirements and the PIN options for devices that have a Trusted Platform Module, and the recovery options that you want to allow (for example, if a user is locked out of their device).
Colin Fullerton

About Colin Fullerton