Get the PDF

Device activation
- Activation types: iOS devices
- Activation types: macOS devices
- Activation types: Android devices
- Activation types: Windows devices
- Activation types: BlackBerry 10 devices
Steps to activate devices
Requirements: Activation
Turn on user registration with the BlackBerry Infrastructure
Managing activation passwords
- Specify the default settings for activation passwords
- Allowing users to activate multiple devices with different activation types
- Manually expire an activation password
- Set an activation password and send an activation email message
- Send an activation email to multiple users
- Allow users to set activation passwords in BlackBerry UEM Self-Service
Supporting Android Enterprise activations
- Support Android Enterprise activations using managed Google Play accounts
- Support Android Enterprise activations with a G Suite domain
- Support Android Enterprise activations with a Google Cloud domain
- Support Android Enterprise devices without access to Google Play
- Enable a unified BlackBerry Hub
Supporting Windows 10 activations
Supporting Apple User Enrollment for iOS and iPadOS devices
Supporting Samsung Knox DualDAR
Enable user notification when a device has been activated
Creating activation profiles
- Create an activation profile
Activation step-by-step for users
- Activating Android devices
- Activating iOS devices
- Activate a macOS device
- Activate an Apple TV device
- Activate a Windows 10 tablet or computer
- Activate a Windows 10 Mobile device
- Activate a BlackBerry 10 device
Activate multiple devices using zero-touch enrollment for Android Enterprise devices
Activate multiple devices using Knox Mobile Enrollment
Automatically activate the first BlackBerry Dynamics app on Apple DEP and User Enrollment devices
Restricting unsupervised iOS devices
Import or export a list of approved device IDs
Activating iOS devices that are enrolled in DEP
- Steps to activate devices that are enrolled in DEP
- Register iOS devices in DEP and assign them to the BlackBerry UEM server
- Assign an enrollment configuration to iOS devices
- Add an enrollment configuration
- Remove an enrollment configuration that is assigned to iOS devices
- Delete an enrollment configuration
- Change the settings for an enrollment configuration
- View the settings for an enrollment configuration that is assigned to a device
- Assign an activation profile to iOS devices
- Remove an activation profile that is assigned to iOS devices
- Assign a user to an iOS device
- Unassign a user from an iOS device
- View the owner of an activated device
Activating iOS devices using Apple Configurator 2
- Steps to activate devices using Apple Configurator 2
- Add BlackBerry UEM server information to Apple Configurator 2
- Prepare iOS devices using Apple Configurator 2
Activating BlackBerry 10 devices using the BlackBerry Wired Activation Tool
- Install the BlackBerry Wired Activation Tool
- Configure the BlackBerry Wired Activation Tool and log in to a BlackBerry UEM instance
- Activate BlackBerry 10 devices using the BlackBerry Wired Activation Tool
Tips for troubleshooting device activation
- Device activation can't be completed because the server is out of licenses. For assistance, contact your administrator.
- Please check your username and password and try again
- Profile failed to install. The certificate "AutoMDMCert.pfx" could not be imported.
- Profile Installation Failed: The new MDM payload does not match the old payload.
- Error 3007: Server is not available
- Unable to contact server, please check connectivity or server address
- iOS or macOS device activations fail with an invalid APNs certificate
- Users are not receiving the activation email
- User details screen is showing more Windows devices activated with UEM than expected

Activation types:
Android
devices

For

Android

devices, you can select multiple activation types and rank them to make sure that

BlackBerry UEM

assigns the most appropriate activation type for the device. For example, if you rank "

Work and personal - user privacy

(

Android Enterprise

)" first and "

MDM controls

" second, devices that support

Android Enterprise

receive the first activation type.

The

Android

activation types are organized in the following tables:

Android Enterprise

devices

Android

devices without a work profile

Samsung Knox Workspace

devices

Android Enterprise
devices

The following activation types apply only to

Android Enterprise

devices.

Activation type	Description
Work and personal - user privacy ( Android Enterprise with work profile)	This activation type maintains privacy for personal data but lets you manage work data using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Work and personal data are both protected using encryption and password authentication. To allow Google Play app management for Android Enterprise devices, select Add Google Play to the workspace . This setting is enabled by default. If the device does not have access to Google Play , then this setting must be deselected and the BlackBerry UEM Enroll app must be used from a secondary device during the activation process. To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus option. Users do not have to grant Administrator permissions to the BlackBerry UEM Client .
Work and personal - full control ( Android Enterprise fully managed device with work profile)	This activation type lets you manage the entire device using commands and IT policy rules. This activation type creates a work profile on the device that separates work and personal data. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files. To allow Google Play app management for Android Enterprise devices, select Add Google Play account to the work space . This setting is enabled by default. If the device does not have access to Google Play , then this setting must be deselected and the BlackBerry UEM Enroll app must be used from a secondary device during the activation process. Following activation, Work and personal - full control devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, in the personal space. The list of retained pre-installed apps depends on the device vendor and OS version. To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus option. To specify whether BlackBerry UEM can limit activation by device ID, select Allow only approved device IDs . This activation type requires the device to be reset to factory default settings before activating. If the BlackBerry UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings. During activation users must grant Administrator permissions to the BlackBerry UEM Client . This activation type is supported only for Android 8.0 and later.
Work space only ( Android Enterprise fully managed device)	This activation type lets you manage the entire device using commands and IT policy rules. This activation type requires the user to reset the device to factory settings before activating. The activation process installs a work profile and no personal profile. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password. To allow Google Play app management for Android Enterprise devices, select Add Google Play to the workspace . This setting is enabled by default. If the device does not have access to Google Play , then this setting must be deselected and the BlackBerry UEM Enroll app must be used from a secondary device during the activation process. During activation, the device installs the BlackBerry UEM Client automatically and grants it Administrator permissions. Users cannot revoke the Administrator permissions or uninstall the app. Following activation, Work space only devices have only a limited set of the standard pre-installed apps, such as Camera, Phone, and Settings, plus any apps you have assigned with a required disposition. The list of retained pre-installed apps depends on the device vendor and OS version. To enable BlackBerry Secure Connect Plus and Knox Platform for Enterprise support, you must select the When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus option. To specify whether BlackBerry UEM can limit activation by device ID, select Allow only approved device IDs . This activation type requires the device to be reset to factory default settings before activating. If the BlackBerry UEM Client is deleted or the work profile is removed from the device, it is automatically reset to factory default settings.

Android
devices without a work profile

The following activation types apply to all

Android

devices.

Activation type	Description
MDM controls	This activation type lets you manage the device using commands and IT policy rules. A separate work space is not created on the device, and there is no added security for work data. If the device supports Knox MDM, this activation type applies the Knox MDM IT policy rules. If you do not want to apply Knox MDM policy rules, clear the Activate Samsung KNOX on Samsung devices that have the MDM controls activation type assigned check box. During activation, users must grant Administrator permissions to the BlackBerry UEM Client . This activation type is deprecated for devices with Android 10. Attempts to activate Android 10 and later devices with the MDM controls activation type will fail. For more information, visit https://support.blackberry.com/community to read article 48386.
User privacy	You can use the User privacy activation type to provide basic control of devices, including work app management, while making sure that users' personal data remains private. With this activation type, no separate container is installed on the device. To provide security for work data you can install BlackBerry Dynamics apps. Devices activated with User privacy can use services such as Find my Phone and Root Detection, but administrators cannot control device policies. You can also use the User privacy activation type to activate Chrome OS devices to allow you to install and manage Android BlackBerry Dynamics apps.
Device registration for BlackBerry 2FA only	This activation type supports the BlackBerry 2FA solution for devices that BlackBerry UEM does not manage. This activation type does not provide any device management or controls, but allows devices to use the BlackBerry 2FA feature. To use this activation type, you must also assign the BlackBerry 2FA profile to users. When a device is activated, you can view limited device information in the management console, and you can deactivate the device using a command. This activation type is supported only for Microsoft Active Directory users. For more information, see the BlackBerry 2FA content.

Samsung Knox Workspace
devices

The following activation types apply only to

Samsung

devices that support

Knox Workspace

Samsung Knox

activation types will be deprecated in a future release. Devices that support

Knox Platform for Enterprise

can be activated using the

Android Enterprise

activation types. For more information, visit https://support.blackberry.com/community to read article 54614.

Activation type	Description
Work and personal - user privacy - ( Samsung Knox )	This activation type maintains privacy for personal data, but lets you manage work data using commands and IT policy rules. This activation type does not support the Knox MDM IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. The user must also create a Screen lock password to protect the entire device and will not be able to use USB debugging mode. During activation, users must grant Administrator permissions to the BlackBerry UEM Client .
Work and personal - full control ( Samsung Knox )	This activation type lets you manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. This activation type creates a separate work space on the device and the user must create a password to access the work space. Data in the work space is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files. During activation users must grant Administrator permissions to the BlackBerry UEM Client .
Work space only - ( Samsung Knox )	This activation type lets you manage the entire device using commands and the Knox MDM and Knox Workspace IT policy rules. This activation type removes the personal space and installs a work space. The user must create a password to access the device. All data on the device is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files. During activation, users must grant Administrator permissions to the BlackBerry UEM Client .

Section:

Device activation

Activation types: Android devices

Android Enterprise devices

Android devices without a work profile

Samsung Knox Workspace devices

Activation types:
Android
devices

Android Enterprise
devices

Android
devices without a work profile

Samsung Knox Workspace
devices