What's new in BlackBerry UEM 12.12

iOS

  • Apple DEP error message update: If you have not yet accepted the updated terms and conditions for Apple Business Manager, you will receive an error message by email.
  • Synchronize Apple DEP accounts with Apple Business Manager manually: You can manually synchronize Apple DEP accounts in BlackBerry UEM to ensure device connectivity.
  • Event notification update: The Apple DEP connection failure status event notification now contains details for Communication Status, Operation mode, and Last synchronization time.
  • Specify activation profile for Apple DEP devices: For each device registered in Apple DEP, you can now specify the activation profile that you want to assign to it. For example, if a user has multiple iOS devices that require different activation types, you can specify the activation profile for each device. When activating the iOS device, the activation profile that is assigned to the device takes precedence over the activation profile that is assigned to the user account.
  • Assign users directly to Apple DEP device serial numbers: BlackBerry UEM now allows you to assign a user to an Apple DEP device serial number before the device is activated. When a user is assigned to the device serial number in the BlackBerry UEM management console, the user is not prompted for a username or password during device activation.
  • Update iOS to specific version number: On the device tab, you can upgrade the software version on a supervised iOS device to a specific version number. You can use this feature to update the device OS to a version that your organization’s IT department has certified.
  • Support for iOS 13 single sign-on extension: Single sign-on extension for iOS 13 and iPadOS 13 allows users to authenticate once and then automatically log in to domains and web services within your organization’s network. You can configure a single sign-on extension profile in BlackBerry UEM for devices running iOS (or iPadOS) 13.
  • Improved activation process: The BlackBerry UEM Client for iOS has been updated to add some safeguards to minimize the instances where a user must restart the activation process from the beginning due to an interruption during device activation (for example, the user receives a call during activation). When the user returns to the UEM Client, the user can now resume activation from the most recent step.
  • New activation type for iOS and iPadOS 13.1 devices: A new activation type “User privacy – User enrollment” is now available for unsupervised iOS devices running iOS or iPadOS 13.1 and later. The activation type helps maintain user privacy while keeping work data separated and protected. Administrators can manage work data (for example, wipe work data) without affecting personal data. To activate a device with this activation type, users can simply use the native camera app to scan the QR Code that they received in the activation email to manually download and install the MDM profile to the device. To activate their device, the user logs in to their managed Apple ID account. Administrators can also assign the BlackBerry UEM Client to allow users to easily activate other BlackBerry Dynamics apps, import certificates, use 2FA features, use CylancePROTECT Mobile for BlackBerry UEM, and check their compliance status.
  • Support for iOS 13 features: BlackBerry UEM supports the new capabilities in iOS 13. New support includes three new IT policy rules, support for WPA-3 Personal and WPA-3 Enterprise Wi-Fi security, and new Email profile, VPN profile, and App Lock Mode profile settings.

Android

  • Factory reset protection profile: You can specify multiple Google accounts in a Factory reset protection profile.
  • Improvements to Android Enterprise device activation user experience: The number of steps required to activate Android Enterprise devices has been reduced. Users can now tap a check box when they enter their username to accept the license agreement. Additional notifications have been added to show app installation progress. Additional messages have been added to describe permissions required by the UEM Client.
  • Updated activation error messages: When activation is not successful on an Android device, a new or updated error message displays that explains why the device did not activate properly. This allows the user and IT personnel to diagnose and fix the problem.
  • Use OEMConfig apps from Android device manufacturers to manage device features: BlackBerry UEM supports using OEMConfig apps provided by device manufacturers (for example, the Samsung Knox Service Plugin) to manage manufacturer-specific APIs on devices. The Samsung Knox Service Plugin allows you to manage new Samsung device features as soon as Samsung updates the device and app instead of waiting for new profile settings and IT policy rules in the next UEM update.
  • Review feedback from Android apps with app configurations: BlackBerry UEM receives and displays error and information feedback from any Android apps that have an app configuration and have been developed to provide feedback.
  • Easily add work apps for Android Enterprise devices to Google Play: Access the updated Google Play interface from BlackBerry UEM to more easily add private apps and web apps (shortcuts to web pages) to Google Play in the work profile on Android Enterprise devices. Note that this feature is now available if you are using BlackBerry UEM 12.9 MR1 or later.
  • Corporate owned single-use (COSU) device support for Android Enterprise: BlackBerry UEM now supports corporate owned single-use for Android Enterprise version 9.0 and later. When configured for COSU, a device is locked to a specific set of applications to perform a function.
  • Request bug report: You can now send a command to an Android Enterprise device from BlackBerry UEM to request the client logs. Request bug report is available for the following activation types:
    • Work space only (Android Enterprise fully managed device)
    • Work and personal – full control (Android Enterprise fully managed device with work profile)
  • Control runtime permissions for Android apps: When you add an Android app in BlackBerry UEM, you can choose to set runtime app permissions. You can choose to grant permissions, deny permissions, or use an app permission policy for each permission listed for the app.
  • Send client download location with QR Code: You can define the location for downloading the UEM Client for Work space only (Android Enterprise fully managed device) and Work and personal – full control (Android Enterprise fully managed device with work profile) activation types. The location is sent in the QR Code.
  • Date range for OS updates: For Android Enterprise Work space only and Work and personal – full control devices, you can now specify a date range when OS updates should not occur.
  • Message displays when work profile is deleted: If you use the "Delete only work data" command for Android Enterprise Work and personal - user privacy devices, you can provide a reason that appears in the notification on the user's device to explain why the work profile was deleted.
  • Message displays when work profile is deleted due to a compliance violation: If the work profile is deleted from an Android Enterprise Work and personal - user privacy device due to a compliance violation, the notification on the device now describes the compliance rule that was broken.
  • Force device restart: You can now use the Restart device command to force Android Enterprise Work space only and Work and personal – full control devices to restart.
  • Improved secure tunnel connection for Android devices: When an Android device enters Doze mode, the BlackBerry Secure Connect Plus connection is now more reliably maintained.
  • Default device SR profile and work app updates: There is now a default device SR profile that is assigned to user accounts that don't already have a device SR profile assigned. The default profile is configured for Android devices only and has the "Enable update period for apps that are running in the foreground" option enabled, which allows work apps from Google Play to be automatically updated during the time period. By default, apps are scheduled to start updates daily over Wi-Fi at 02:00 (local device time) and stop in 4 hours.
  • Limit Android Enterprise devices to a single app: The app lock mode profile is now supported for devices that are running Android 9 or later and activated with the “Work space only (Android Enterprise fully managed device)” activation type. You can now use the profile to limit Android Enterprise devices to the apps that you specify and, optionally, limit the device to a single app. When you limit the device to a single app, the app can access the other apps that you specified in the profile when it is required, but users always return to the app that the device is limited to.

Samsung Knox

  • Support for Samsung Knox DualDAR: Devices that support Samsung Knox DualDAR encryption can now have Knox Workspace data secured using two layers of encryption. When the user is not using the device, all data in the Knox Workspace is locked and can’t be accessed by apps running in the background. In the Activation profile, you can specify whether to use the default DualDAR app or an internal app to encrypt the workspace. In the Device profile, you can specify the data lock timeout after which the user must authenticate with both device and workspace to access work data again, and specify apps that are allowed to access work data even when work data is locked. Samsung Knox DualDAR encryption is supported on devices that run Samsung Knox 3.3 or later for new activations using the Work and personal - full control (Android Enterprise fully managed device with work profile) premium activation type.
  • Improved support for Knox Platform for Enterprise devices: Samsung Knox IT policies were added for devices that support Knox Platform for Enterprise. These policies are applied to the device, personal space, or work spaces on the device depending on the Android Enterprise activation type that you choose. Support has also been added for native Samsung VPN and email, the ability to restrict apps in the personal space, and the ability to remotely lock the work space. To use Knox Platform for Enterprise features, the Knox device must be running Android 8 or later and be activated with one of the Android Enterprise activation types and the premium option enabled.

Windows

  • BitLocker encryption policies for Windows 10 devices: Several IT policies that support the use of BitLocker Drive Encryption were added to UEM for Windows 10 devices that require encryption. When configured, the devices prompt users to encrypt data using BitLocker on their OS drives, fixed data drives, and removable storage drives. You can configure the encryption strength, the additional authentication requirements and the PIN options for devices that have a Trusted Platform Module, and the recovery options that you want to allow (for example, if a user is locked out of their device).

Installation and Upgrade

  • Regionalization: BlackBerry UEM version 12.12 introduces regionalization features that allow BlackBerry Dynamics traffic to use the BlackBerry Infrastructure instead of the BlackBerry Dynamics NOC. These features are on by default in new installations of BlackBerry UEM version 12.12. If you are upgrading to BlackBerry UEM version 12.12 and want to enable these features, contact BlackBerry Technical Support. The regionalization features require BlackBerry Dynamics apps released in February 2020 or later. For custom BlackBerry Dynamics apps, BlackBerry Dynamics SDK 7.0 or later is required.
  • Migration support: BlackBerry UEM version 12.12 supports migrations from BlackBerry UEM version 12.10 and later, and from Good Control version 5.0.
  • Upgrade support: BlackBerry UEM version 12.12 supports upgrades from BlackBerry UEM version 12.10 and later.
  • BES5 support: BES5 will no longer be integrated with BlackBerry UEM.

Software support

As of version 12.12, BlackBerry UEM no longer supports the following software:

Management console

  • Compliance profile updates: In a compliance profile, you can now set the Enforcement action for BlackBerry Dynamics apps to Monitor and log. For new compliance profiles, ‘Monitor and log’ is now the default setting. The default option for Prompt interval expired action is also ‘Monitor and log’.
  • Improvements to device filtering: You can now filter devices by model number. For example, you can now filter different Samsung Galaxy device models such as Samsung A5 SM-A520F and Samsung A5 SM-A510F. This allows administrators to apply policies, profiles, and group status to multiple devices of a specific model.
  • App configuration: When you add a new version of an internal app to BlackBerry UEM, the app configuration is automatically copied from the older version of the internal app to the new version.
  • Event notification update: The “Metadata updated” event notification has been improved to display the full name of the device hardware vendor.
  • Override BlackBerry Dynamics connectivity profile on a per-app basis: You can now specify a BlackBerry Dynamics connectivity profile to associate with each BlackBerry Dynamics app in BlackBerry UEM. When a profile is assigned to an app, that profile takes precedence over the profile assigned to the user of that app.
  • App shortcut filter: A new filter on the UEM management console Apps page lets you search for app shortcuts.
  • Dedicated device groups: BlackBerry UEM has a new Dedicated devices menu item. You can view, add, edit, and delete shared device groups and public device groups under the Dedicated devices menu. Public device groups are used to manage single-use devices that are not assigned to specific users. Shared device groups are used to manage devices that can be checked out by multiple users. Previously, shared device groups were located under the Users menu item.
  • Microsoft Azure single tenant application registration: When you add or edit a Microsoft Azure Active Directory Connect connection, you can choose to enable single tenant application registration.
  • Restrict enrollment using device IDs: On the Activation defaults page, you can import and export a list of unique device identifiers to restrict which devices can enroll with BlackBerry UEM. You can specify whether BlackBerry UEM can limit activation by device ID in the following activation types:
    Android
    • Work space only (Android Enterprise fully managed device)
    • Work and personal – full control (Android Enterprise fully managed device)
    iOS
    • MDM controls

BlackBerry Dynamics

  • Configure BlackBerry Dynamics proxy settings with a PAC file: You can now use a PAC file to configure HTTP proxy settings for app traffic connections to the BlackBerry Dynamics NOC. PAC files are supported only for apps that use BlackBerry Dynamics SDK version 7.0 and later.
  • TLS v1.2: BlackBerry Dynamics apps now allow only TLS v1.2 for secure communications by default. To allow TLSv1 and v1.1, you must manually configure them.

New IT policy rules

  • Access Point Name profile: You can use Access Point Name profiles to send APNs for carriers to your users' Android devices. If you want to force a device to use an APN sent to it by an Access Point Name profile, you can use the "Force device to use Access Point Name profile settings" IT policy rule in the Android Global IT policy rules.
  • Hide certificate: For certificates pushed to Android Enterprise devices with Android 9.0 and later, SCEP, shared certificate, and user credential profiles now allow you to hide the certificate from users to prevent them from using it for unintended purposes.

Device Type
Name
Description
Activation types
iOS
Allow Files app to use USB (supervised only)
Specify whether the Files app can access files using a USB connection.
MDM controls
iOS
Allow Files app to connect to network drives (supervised only)
Specify whether the Files app can access files stored on a network drive.
MDM controls
iOS
Force 
Wi-Fi
 to be enabled (supervised only)
Specify whether 
Wi-Fi
 is always enabled on the device. If this rule is selected, users can't turn 
Wi-Fi
 off using the Device Settings or Control Center and Airplane Mode doesn't disable 
Wi-Fi
.
MDM controls
iOS
Allow Files app to connect to network drives (supervised only)
Specify whether the Files app can access files stored on a network drive.
MDM controls
macOS
Enable 
Bluetooth
Specify whether 
Bluetooth
 is enabled or disabled when the policy is sent to the device. Regardless of the setting for rule, users can change the 
Bluetooth
 setting on their device at any time.
MDM controls
Android
 Global (all 
Android
  devices)
Secondary authentication timeout
Specify the maximum amount of time, in hours, that the user can use secondary authentication methods, such as a fingerprint, before the user must unlock the device with a strong authentication method such as a password. The maximum is 72 hours. If set to 0, a timeout value is not sent to the device. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified."
Work space only, Work space only (Premium), Work and personal - user privacy, Work and personal - user privacy (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (all 
Android
 devices)
Allow installation of non-
Google Play
 apps
Specify whether users can install apps from sources other than 
Google Play
(unknown sources) globally on the device for all users. If you disallow installation of non-
Google Play
apps using this rule, the settings for the same rule in personal and work profiles are ignored. If this rule is selected, you can disallow installation of non-
Google Play
apps in just the work profile or just the personal profile.
Work space only, Work space only (Premium), Work and personal - user privacy, Work and personal - user privacy (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Require internal storage encryption
Specify if a user is prompted to encrypt the device memory and the internal SD card on a device. If this rule is selected, remote administration commands such as changing a password or wiping the device cannot be applied unless the device is already running and the user can log in (or is logged in). This rule requires the value of the "Password requirements" rule to be at least "Alphanumeric". The device memory and internal SD card needs to be encrypted by the user prior to an activation in order for an activation to complete.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Enable USB debugging
Specify if debugging over a USB connection is available. If this rule is not selected, debugging using Dalvik Debug Monitor Service (DDMS) is also blocked. This rule is available only if the Allow developer mode rule is selected.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Allow outgoing SMS
Specify if a device can send SMS messages.
Work space only, Work space only (Premium),Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only) 
Allow incoming SMS
Specify if a device can receive SMS messages.
Work space only, Work space only (Premium),Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Allow users to modify the mock location
Specify if a user can enable or disable mocking a device's GPS location. If this rule is selected, the device can change its actual longitude and latitude readings, and GPS apps show the false coordinates instead of the actual coordinates. This rule is available only if the Allow developer mode rule is selected.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Maximum numeric sequence length
Specify the maximum length of the numeric sequence that is allowed in the device password. Only applies when device password quality is Numeric, Alphanumeric or Complex.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Minimum number of changed characters for new device passwords
Specify the minimum number of changed characters that a new password must include compared to the previous password. 
Knox
  calculates the difference between the two passwords using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein algorithm, strings like "test" and "best" differ from each other by one unit. "Test" and "toad" differ from each other by three units. "Test" and "est" differ from each other by one unit. If set to 0, no restrictions are applied.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
  devices only)
Allow device password visibility
Specify whether the Device password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting.
Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
  devices only)
Require lock screen message
Specify whether you set a message to display when the device is locked. If this rule is not selected, the user can choose a message to display on the lock screen.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
  devices only)
Lock screen message
Specify the text to display on the device when the device is locked.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Maximum character sequence length
Specify the maximum length of the character sequence that is allowed in the device password. Only applies when device password quality is Alphabetic, Alphanumeric or Complex.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium) 
Android
 Global (
Samsung Knox
 devices only
Allow phone
Specify if a user can use the phone. If this rule is not selected, the device can only make emergency calls. All other calls are blocked.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium) 
Android
 Global (
Samsung Knox
 devices only
Allow date and time changes
Specify if a user can manually change the date and time setting on a device.
Work space only (Premium), Work space only, Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only
Force automatic time sync
Specify if the device must obtain the date and time automatically using NITZ. If this rule is not selected, the user can choose whether the device automatically syncs the date and time.
Work space only (Premium), Work space only, Work and personal - full control, Work and personal - full control (Premium) 
Android
 Global (
Samsung Knox
 devices only
Allow Native 
Samsung
 VPN
Specify if a user can use the native VPN functionality. If this rule is not selected, the user cannot open a VPN session or access the VPN settings in the Settings app.
Work space only (Premium), Work space only, Work and personal - full control, Work and personal - full control (Premium) 
Android
 Global (
Samsung Knox
 devices only
Allow WAP push while roaming
Specify if a device can receive WAP push messages when roaming. If this rule is not selected, the device cannot receive MMS messages when roaming and the user cannot change this setting on the device. This rule applies only when the device is roaming.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only
Allow automatic sync while roaming
Specify whether a device can synchronize data automatically while roaming. If this rule is not selected, a roaming device can synchronize data only when a user accesses an account and the user cannot change this setting on the device. This setting applies only when the device is roaming.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only
Allow voice calls while roaming
Specify if a device can make or receive voice calls while roaming.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Allow SD card
Specify if a device can access an SD card. If this rule is not selected, read and write access to the SD card is blocked.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Allow data on mobile network
Specify if a device can use a mobile network connection. If this rule is not selected, the device cannot use the SIM data connection.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
  devices only)
Allow users to add new 
Wi-Fi
 networks
Specify whether users can add new 
Wi-Fi
 profiles to the device. If this rule is not selected, users can only use the work 
Wi-Fi
 profiles that you configure.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium) 
Android
 Global (
Samsung Knox
 devices only)
Allow 
Android
Beam
Specify whether users can use 
Android
 Beam or S Beam to send contact information, web bookmarks, and other data to a nearby device. Specify whether users can use 
Android
Beam or S Beam to send contact information, web bookmarks, and other data to a nearby device.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only
Allow Media Transfer Protocol (MTP)
Specify if a device can use MTP. Because 
Android
supports USB file transfer through MTP only, you can use this rule to block any kind of file transfer through USB. Picture Transfer Protocol (PTP) is a subset of MTP and is also affected by this rule.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Global (
Samsung Knox
 devices only)
Allow USB host storage
Specify if a device can use USB host storage using USB OTG. If this rule is selected, a user can connect any pen drive (portable USB storage), external HD, or SD card reader, and it is mounted as a storage drive on the device. If this rule is not selected, a user cannot mount any external storage device.
Work space only, Work space only (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Work profile (all 
Android
   devices)
Secondary authentication timeout
Specify the maximum amount of time, in hours, that the user can use secondary authentication methods, such as a fingerprint, before the user must unlock the device with a strong authentication method such as a password. The maximum is 72 hours. If set to 0, a timeout value is not sent to the device. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified."
Work and personal - user privacy, Work and personal - user privacy (Premium), Work and personal - full control, Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Allow audio recording
Specify whether a device can record audio. If this rule is not selected, the user can still make calls and use audio streaming using the device microphone. This rule applies to phone calls, voice recognition, and VoIP. If an app declares a use type and does something else, then this rule cannot block the app. If you deselect this rule, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted. This rule applies to the Personal space only. 
Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Allow video recording
Specify whether a device can record video. If this rule is not selected, the camera is still available so that the user can take pictures and the user can use video streaming. When this rule is not selected, any ongoing video recording is interrupted.
Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Allow 
Google
auto-sync
Specify if 
Google
 accounts and apps can sync automatically. This rule does not block 
Google Play
 from updating installed apps. Users can still manually sync from some apps, including Gmail.
Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Allow sending crash reports to 
Google
Specify if the user can send crash reports to 
Google
.
Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Allow 
S Voice
Specify whether a device can use the 
S Voice
 app.
Work and personal - full control, Work and personal - full control (Premium)
Android
 Personal profile (
Samsung Knox
 devices only)
Enforce two-factor authentication
Specify whether a user must use two-factor authentication to access the device. For example, you can use this rule if you want the user to authenticate using a fingerprint and a password.
Work and personal - full control (Premium)
Android
Personal profile (Samsung Knox devices only)
Allow other device administration apps
Specify if a device can be managed by other apps, such as MDM apps, in addition to the BlackBerry UEM Client. If this rule is not selected and other device administration apps are activated before the policy is sent to the device, the policy cannot be applied.
Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow work files in the personal profile
Specify whether a user can move files from the work profile to the personal profile on a device.
Work and personal - user privacy (Premium), Work and personal - full control (Premium) 
Android
Work profile (Samsung Knox devices only)
Allow personal files in the work profile
Specify whether a user can move files from the personal profile to the work profile on a device.
Work and personal - user privacy (Premium), Work and personal - full control (Premium) 
Android
Work profile (Samsung Knox devices only)
Enable work and personal data synchronization
Specify if apps can synchronize data between the work profile and the personal profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow personal contacts in the work profile
Specify whether the contacts app can import personal contact data into the work profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow work contacts in the personal profile
Specify whether the contacts app can export work contact data from the work profile into the personal profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow personal calendar data in the work profile
Specify whether the calendar app can import personal calendar data into the work profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow work calendar data in the personal profile
Specify whether the calendar app can export work calendar data from the work profile into the personal profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow user modification of "Show detailed notifications" setting
Specify whether a user can change the "Show detailed notifications" setting on a device. This setting determines whether the device displays reduced information about work notifications in the personal profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Apps allowed to access external storage
Specify the package IDs of apps in the work profile that are allowed to read and write data to an SD card.
Work space only (Premium), Work and personal - user privacy (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow other device administration apps
Specify if a device can be managed by other apps, such as MDM apps, in addition to the BlackBerry UEM Client. If this rule is not selected and other device administration apps are activated before the policy is sent to the device, the policy cannot be applied.
Work and personal - user privacy (Premium), Work space only, Work space only (Premium), Work and personal - full control (Premium) 
Android
Work profile (Samsung Knox devices only)
Allow sending crash reports to Google
Specify if the user can send crash reports to Google.
Work and personal - user privacy (Premium), Work space only, Work space only (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Allow camera
Specify whether a user can use the camera in the work profile.
Work and personal - user privacy (Premium), Work and personal - full control (Premium) 
Android
Work profile (Samsung Knox devices only)
Allow S Voice
Specify whether a device can use the S Voice app.
Work space only (Premium), Work space only, Work and personal - full control, Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Enforce two-factor authentication
Specify whether a user must use two-factor authentication to access the work profile. For example, you can use this rule if you want the user to authenticate using a fingerprint and a password.
Work and personal - user privacy (Premium), Work space only (Premium), Work and personal - full control (Premium)
Android
Work profile (Samsung Knox devices only)
Maximum character sequence length
Specify the maximum length of the character sequence that is allowed in the work profile password. Only applies when work profile password quality is Alphabetic, Alphanumeric or Complex.
Work and personal - full control (Premium), Work and personal - user privacy (Premium)
Android
Work profile (Samsung Knox devices only)
Maximum numeric sequence length
Specify the maximum length of the numeric sequence that is allowed in the work profile password. Only applies when work profile password quality is Numeric, Alphanumeric or Complex.
Work and personal - full control (Premium), Work and personal - user privacy (Premium)
Android
Work profile (Samsung Knox devices only)
Minimum number of changed characters for new work profile passwords
Specify the minimum number of changed characters that a new password must include compared to the previous password.
Work and personal - full control (Premium), Work and personal - user privacy (Premium)
Android
Personal profile (all Android devices)
Allowed system apps
Specify the package IDs for the system apps that are installed in the personal space. If you remove apps from this list, the apps are deleted from the personal space on users' devices.
Work and personal - full control, Work and personal - full control (Premium)
Android
Personal profile (Samsung Knox devices only)
Allow other device administration apps
Specify if a device can be managed by other apps, such as MDM apps, in addition to the BlackBerry UEM Client. If this rule is not selected and other device administration apps are activated before the policy is sent to the device, the policy cannot be applied.
Work and personal - full control (Premium)
Windows
BitLocker encryption method for mobile
Specify the BitLocker Drive Encryption method and cipher strength for mobile devices. This rule does not apply to Windows 10 computers and tablets.
MDM controls
Windows
BitLocker encryption method for desktop
Specify the BitLocker Drive Encryption method and cipher strength for tablets and computers. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow storage card encryption prompts on the device
Specify whether the device prompts the user to encrypt the storage card. If this rule is not selected, encryption is not disabled. This rule does not apply to Windows 10 computers and tablets.
MDM controls
Windows
Allow BitLocker Device Encryption to enable encryption on the device
Specify whether BitLocker Device Encryption can enable encryption on the device. If this rule is not selected, encryption is not disabled but the user is not prompted to enable it.
MDM controls
Windows
Set default encryption methods for each drive type
Specify whether the default algorithm and cipher strength used by BitLocker Drive Encryption can be configured separately for different drive types. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Encryption method for operating system drives
Specify the encryption method for operating system drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Encryption method for fixed data drives
Specify the encryption method for fixed data drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Encryption method for removable data drives
Specify the encryption method for removable data drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require additional authentication at startup
Specify whether BitLocker requires additional authentication each time the device starts. This setting is applied when BitLocker is turned on. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow BitLocker without a compatible TPM
Specify whether BitLocker can be started without a TPM chip. If this rule is selected, BitLocker can be started with a password or a startup key on a USB flash drive. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require TPM startup key
Specify whether a TPM startup key is optional, required, or disallowed. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require TPM startup PIN
Specify whether a TPM startup PIN is optional, required, or disallowed. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require TPM startup key and PIN
Specify whether both a TPM startup key and PIN are optional, required, or disallowed. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require TPM startup
Specify whether TPM startup is optional, required, or disallowed. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require minimum PIN length for startup
Specify whether BitLocker has a minimum startup PIN length. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Minimum PIN length
Specify the minimum number of digits for the startup PIN. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Pre-boot recovery message and URL
Specify whether you can customize the BitLocker pre-boot recovery message and URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Pre-boot recovery screen
Specify whether the BitLocker pre-boot recovery screen is empty, displays a default message and URL, displays a custom message, or displays a custom URL. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Custom recovery message
If you selected "Custom recovery message" in the "Pre-boot recovery screen" rule, specify the custom message. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Custom recovery URL
If you selected "Custom recovery URL" in the "Pre-boot recovery screen" rule, specify the custom URL. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
BitLocker OS drive recovery options
Specify whether you can customize how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow certificate-based data recovery agent for OS drives
Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow recovery password generation for OS drives
Specify whether the user can create and store a BitLocker recovery password for OS drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow recovery key generation for OS drives
Specify whether the user can create and store a BitLocker recovery key for OS drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Exclude recovery options from the BitLocker setup wizard for OS drives
Specify whether recovery options are hidden from the user when they turn on BitLocker on an OS drive.
MDM controls
Windows
Allow saving BitLocker recovery information for OS drives to Active Directory Domain Services
Specify whether BitLocker recovery information for OS drives can be saved to Active Directory Domain Services. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Stored BitLocker recovery information for OS drives
Specify whether Active Directory Domain Services stores only recovery passwords, or both recovery passwords and key packages for OS drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require Active Directory backup for recovery information for OS drives
Specify whether BitLocker recovery information saved to Active Directory Domain Services for OS drives must be backed up. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
BitLocker fixed drive recovery options
Specify whether you can customize how BitLocker-protected fixed drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow certificate-based data recovery agent for fixed drives
Specify whether a data recovery agent can be used with BitLocker-protected fixed drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow recovery password generation for fixed drives
Specify whether the user can create and store a BitLocker recovery password for fixed drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow recovery key generation for fixed drives
Specify whether the user can create and store a BitLocker recovery key for fixed drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Exclude recovery options from the BitLocker setup wizard for fixed drives
Specify whether recovery options are hidden from the user when they turn on BitLocker on a fixed drive. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow saving BitLocker recovery information for fixed drives to Active Directory Domain Services
Allow BitLocker recovery information for fixed drives to be saved to Active Directory Domain Services. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Stored BitLocker recovery information for fixed drives
Specify whether Active Directory Domain Services stores only recovery passwords, or both recovery passwords and key packages for fixed drives. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require Active Directory backup for recovery information for fixed drives
Specify whether BitLocker recovery information saved to Active Directory Domain Services for fixed drives must be backed up. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require BitLocker protection for fixed data drives
Specify whether BitLocker protection is required to allow write access to fixed data drives. If this rule is selected, all fixed data drives that are not BitLocker-protected will be mounted as read-only. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Require BitLocker protection for removable data drives
Specify whether BitLocker protection is required to allow write access to removable data drives. If this rule is selected, all removable data drives that are not BitLocker-protected will be mounted as read-only. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow write access to devices configured in another organization
Specify whether removable drives that don't match the device's identification fields can have write access. If this rule is selected, only drives with identification fields matching the computer's identification fields will be given write access. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Allow recovery key location prompt
Specify whether the user is prompted to choose where to back up the OS drive's recovery key. When this rule is not selected, the OS drive's recovery key backs up to the user's Azure Active Directory account. This rule does not apply to Windows 10 smartphones.
MDM controls
Windows
Enable encryption for standard users
Specify whether encryption is enabled on all fixed drives, even if a current logged in user is a standard user. This setting is only supported in 
Azure
Active Directory
Windows
 10 smartphones.
MDM controls