What's new in BlackBerry UEM 12.10
Android
Enable Android Enterprise for all BlackBerry UEM instances: The configuration wizard that appears on initial log in to BlackBerry UEM now allows administrators to configure Android Enterprise. (JI 2539585)
Android SafetyNet improvements: The following improvements were made for Android SafetyNet support:
- A Google SafetyNet attestation failure option was added to the compliance profile. This option creates a compliance rule that specifies the actions that occur if devices do not pass SafetyNet attestation.
- An app grace period was added to the Android SafetyNet configuration.
- You can add a list of BlackBerry Dynamics apps that receive attestation challenges.
Policies for Android Enterprise devices: Policies have been added for logging of SMS, MMS and phone calls on Android Enterprise devices. You can enable the logging in a server group or in the default settings of the BlackBerry Connectivity Node setup page. You must upgrade the BlackBerry Connectivity Node to the most recent version before you can use this feature. (JI 856189)
Specify which certificates are used with Android apps: A new certificate mapping profile allows you to specify which user credential, SCEP, or shared certificate profile is used when an Android app requires a certificate. (JI 2517869)
Android app-based PKI Purebred with BlackBerry Dynamics apps on Android devices. (JI 1965015)
Samsung KNOX support: BlackBerry UEM now supports devices running Samsung KNOX 3.2. (JI 2573555)
Support for Samsung KNOX policies on Android Enterprise for all BlackBerry UEM activations: The benefits of Samsung KNOX are now available to Samsung KNOX devices when the devices are activated with an Android Enterprise activation type. Samsung KNOX devices that are activated with an Android Enterprise activation type now have Samsung KNOX policies applied. Even though devices already activated with a Samsung KNOX activation type continue to work, the Android Enterprise activation types are recommended for new activations. (JI 2510232)

Samsung KNOX activation type | Recommended Android Enterprise activation type |
---|---|
Work and personal - full control (Samsung KNOX) | Not applicable. Continue to use the Work and personal - full control (Samsung KNOX) activation type. |
Work and personal - user privacy - (Samsung KNOX) | Work and personal - user privacy - (Android Enterprise): No KNOX policies are applied to the device. If you want to apply KNOX policies in the work space, select “When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus.” |
Work space only - (Samsung KNOX) | Work space only (Android Enterprise): KNOX MDM policies are applied to the device. If you want to apply KNOX policies in the work space, select “When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus.” |
iOS
Event notification: A new Administration section was added to the Event notifications page. The section contains a field that allows you to set up a notification that is sent when an administrator account gets locked. (JI 2529062)
Device unenrollment notification: The event notification that you receive for device unenrollment now includes the reason that the unenrollment occurred. (JI 2565941)
New S/MIME settings: New settings are available for iOS 12 and later devices. (JI 2571842)

iOS: email profile settings | Description |
---|---|
User can toggle S/MIME signing | This setting specifies whether a user is allowed to turn the signing setting on/off. This setting applies only to iOS 12.0 and later devices. |
User can change signing credentials | This setting specifies whether a user is allowed to change signing credentials. This setting applies only to iOS 12.0 and later devices. |
User can override S/MIME encryption | This setting specifies whether a user is allowed to turn the encryption setting on/off. This setting applies only to iOS 12.0 and later devices. |
User can override S/MIME encryption credentials | This setting specifies whether a user is allowed to change S/MIME encryption credentials. This setting applies only to iOS 12.0 and later devices. |
Per-app notification: When you are configuring per-app notifications for an iOS device, you can select the following new options:
- Enable critical alert: This option specifies whether a critical alert can override the do not disturb profile and notification settings. This setting applies only to iOS 12.0 and later devices.
- Show in CarPlay: This option specifies whether notifications display in Apple CarPlay. This setting applies only to iOS 12.0 and later devices.
Work app catalog search: Users can now perform a search in the work app catalog to easily find apps that are assigned to them.
BlackBerry Dynamics
App deployment reports: For BlackBerry Dynamics apps, you can export app deployment reports to an .html file from the Apps screen in the management console. The report includes information about apps deployed by BlackBerry UEM and the users that have installed the apps on their devices. The report now includes a Status column that provides a status of the apps on each device, such as installed and not installed. (JI 2565954)
BlackBerry Dynamics access key email: BlackBerry Dynamics access keys for a user, you can specify whether to send an activation email to the user. (JI 2578997)
SCEP improvement: You can now configure BlackBerry Dynamics apps to use SCEP to retrieve certificates. (JI 2532872)
Installation
Remove BlackBerry Collaboration Service, JRE, and JCE deployment from setup.exe: As of BlackBerry UEM release 12.10, the BlackBerry Collaboration Service and JRE are no longer bundled with the installer. If you are installing BlackBerry UEM, you must first download and install JRE (minimum version JRE 8u151).
Certificates
Certificate-based authentication improvement: BlackBerry UEM now supports certificate-based authentication for logging in to the management console and UEM Self-Service. (JI 1465040)
BlackBerry UEM Notifications
User synchronization service from UEM: UEM administrators can now ensure all of their users are in the BlackBerry AtHoc system by synchronizing users from within the UEM console. Administrators can set up a user synchronization service as a system job that updates users periodically and keeps track of the changes.
New IT policy rules
Device type | Group | Name | Description |
---|---|---|---|
Android | Global (all Android devices) | Allow outgoing calls | Specify if a user can place outgoing calls. If this rule is not selected, the device can only make emergency calls. All other outgoing calls are blocked. |
Android | Global (all Android devices) | Send SMS/MMS logs to the BlackBerry Connectivity Node | Specify whether the device synchronizes logs for SMS text messages and MMS messages with your EMM server. |
Android | Global (all Android devices) | Send phone logs to the BlackBerry Connectivity Node | Specify whether the device synchronizes the call log for the Phone app with your EMM server. |
Android | Global (Samsung KNOX devices only) | Allow NFC | Specify whether a device can use NFC. |
Android | Global (Samsung KNOX devices only) | Allow OTA updates | Specify if a device can update its OS using a Firmware Over-The-Air (FOTA) client (for example, Samsung KNOX EMM or WebSync DM). If this rule is not selected, all wireless update requests (user-initiated, server-initiated, and system-initiated) are blocked. The user may see messages related to new OS updates but any attempt to update the OS fails. |
Android | Global (Samsung KNOX devices only) | Allow Wi-Fi | Specify whether a device can make Wi-Fi connections. After you deselect this rule and then reselect it, the device cannot use Wi-Fi until it is restarted. |
Android | Global (Samsung KNOX devices only) | Allow Wi-Fi Direct | Specify if a device can use Wi-Fi Direct. When this rule is selected, the device can make connections using Wi-Fi Direct. This rule also affects the S Beam feature on Samsung devices. |
Android | Global (Samsung KNOX devices only) | Allow tethering | Specify if a device can share its mobile network connection with other devices using Bluetooth. If this rule is not selected, the user cannot change this setting on the device. |
Android | Global (Samsung KNOX devices only) | Allow Bluetooth tethering | Specify if a device can share its mobile network connection with other devices using Bluetooth. If this rule is not selected, the user cannot change this setting on the device. |
Android | Global (Samsung KNOX devices only) | Allow USB tethering | Specify if a device can share its mobile network connection with other devices using USB. If this rule is not selected, the user cannot change this setting on the device. |
Android | Global (Samsung KNOX devices only) | Allow Wi-Fi tethering | Specify if a device can share its mobile network connection with other devices using Wi-Fi. If this rule is not selected, the user cannot change this setting on the device. |
Android | Global (Samsung KNOX devices only) | Allow firmware recovery | Specify if a user can update the operating system of a device using download mode. |
Android | Global (Samsung KNOX devices only) | Require SD card encryption | Specify if a device must encrypt all data on the external SD card. This rule requires the value of the "Password requirements" rule to be at least "Alphanumeric." |
Android | Work profile (Samsung KNOX devices only) | Require certificate revocation (CRL) check for apps | Specify if apps must check for revoked certificates in the server certificate chain when opening SSL connections in KNOX Workspace. This rule applies only to apps that use the standard Java SSL sockets and TrustManager implementation (including most native apps), but does not apply to third-party browsers. The certificate revocation check uses CRLs from the CRL distribution point listed in the certificates. If the "Require OCSP check" rule is selected, apps first check for certificate revocation using OCSP. If OCSP fails, then apps check the CRLs. |
Android | Work profile (Samsung KNOX devices only) | Require OCSP check for apps | Specify if apps must use OCSP before using CRLs to check for revoked certificates when opening SSL connections in KNOX Workspace. The OCSP check uses the OCSP response server in the "Authority Information Access" extension in the certificate. |
Android | Work profile (Samsung KNOX devices only) | Validate end-user installed certificates | Specify whether the device validates certificates installed by end users. If one of the validation checks (for example, certification path, expiration date, or revocation status) fails, the device blocks the installation of the certificate. |
Android | Work profile (Samsung KNOX devices only) | Allow "Share via" list | Specify whether a work app can display the "Share via" list to allow a user to share content across work apps in the Workspace. |
Android | Work profile (Samsung KNOX devices only) | Allow audio recording | Specify whether a device can record audio. If this rule is not selected, the user can still make calls and use audio streaming using the device microphone. This rule applies to phone calls, voice recognition, and VoIP. If an app declares a use type and does something else, then this rule cannot block the app. If you deselect this rule, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted. This rule applies to the Workspace only. |
Android | Work profile (Samsung KNOX devices only) | Allow Google auto-sync | Specify if Google accounts and apps can sync automatically. This rule does not block Google Play from updating installed apps. Users can still manually sync from some apps, including Gmail. |
Android | Work profile (Samsung KNOX devices only) | Allow video recording | Specify if a device can record video. If this rule is not selected, the camera is still available so that a user can take pictures and use video streaming. If you deselect this rule, any ongoing video recording is interrupted. |
Android | Work profile (Samsung KNOX devices only) | Enable JavaScript | Specify whether the native Android browser prevents the browser from running JavaScript code for a website. If this rule is not selected, a website that requires JavaScript to be active to execute a function (for example, an animation) cannot execute the function. If this rule is not selected, a user cannot change the setting on the device. |
Android | Work profile (Samsung KNOX devices only) | Allow fingerprint authentication | Specify whether the user can use fingerprint authentication for the KNOX Workspace. |
Android | Work profile (Samsung KNOX devices only) | Allow iris authentication | Specify whether a user can authenticate with the work space using an iris scan. |
Android | Work profile (Samsung KNOX devices only) | Allow password visibility | Specify whether the Workspace password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting. |
iOS | Security and privacy | Allow managed apps to add contacts to unmanaged accounts | Specify whether users can add contacts from managed apps to unmanaged contacts accounts. |
iOS | Security and privacy | Allow unmanaged apps to read contacts from managed accounts (supervised only) | Specify whether unmanaged apps can read contacts from managed contacts accounts. |
Windows Phone | Security and privacy | Default app access to diagnostic information | Specify whether apps can access device diagnostic information about other apps by default. If you select "User controlled," the user can choose whether to allow access. If you select "Allow," apps can access diagnostic information. If you select "Disallow," apps can't access diagnostic information. |
Windows Phone | Security and privacy | Apps allowed access to diagnostic information | Specify the list of apps that are always allowed to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
Windows Phone | Security and privacy | Apps not allowed access to diagnostic information | Specify the list of apps that are never allowed to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
Windows Phone | Security and privacy | App access to diagnostic information controlled by user | Specify the list of apps that users can choose to allow to access device diagnostic information. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default app access to diagnostic information" rule. |
Windows Phone | Security and privacy | Default apps can run in background | Specify whether apps can run in background by default. If you select "User controlled," the user can choose whether to allow access. If you select "Allow," apps can run in background. If you select "Disallow," apps can't run in background. |
Windows Phone | Security and privacy | Apps allowed to run in background | Specify the list of apps that are always allowed to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |
Windows Phone | Security and privacy | Apps not allowed to run in background | Specify the list of apps that are never allowed to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |
Windows Phone | Security and privacy | App ability to run in background controlled by user | Specify the list of apps that users can choose to allow to run in background. Specify apps using package family names, separated by semi-colons (;). Apps specified in this rule ignore the setting in the "Default apps can run in background" rule. |