Key features for each device type

iOS devices

Feature
Description
Run app lock mode
On iOS devices that are supervised using Apple Configurator 2, you can use an app lock mode profile to limit the device to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sales demonstrations.
Device activation
You can use Apple Configurator 2 to prepare devices for activation in BlackBerry UEM. Users can activate the prepared devices without using the BlackBerry UEM Client app.
Filter web content
You can use web content filter profiles to limit the websites that a user can view on a device. You can enable automatic filtering with the option to allow and restrict websites, or allow access only to specific websites.
Link Apple VPP accounts to a BlackBerry UEM domain
The Volume Purchase Program (VPP) allows you to buy and distribute iOS apps in bulk. You can link Apple VPP accounts to a BlackBerry UEM domain so that you can distribute purchased licenses for iOS apps associated with the VPP accounts.
Apple Device Enrollment Program
You can configure BlackBerry UEM to use the Apple Device Enrollment Program (DEP) so that you can synchronize BlackBerry UEM with the DEP. After you configure BlackBerry UEM, you can use the BlackBerry UEM management console to manage the activation of the iOS devices that your organization purchased for the DEP. You can use multiple DEP accounts.
You can link multiple Apple DEP accounts to one BlackBerry UEM domain.
Support for app-based PKI solutions
Added support for app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can now install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.
Use custom payload profiles
You can use custom payload profiles to control features on iOS devices that are not controlled by existing BlackBerry UEM policies or profiles. You can create Apple configuration profiles using Apple Configurator and add them to BlackBerry UEM custom payload profiles. You can assign the custom payload profiles to users, user groups, and device groups.
BlackBerry Secure Gateway
The BlackBerry Secure Gateway allows iOS devices with the MDM controls activation type to connect to your work email server through the BlackBerry Infrastructure and BlackBerry UEM. If you use the BlackBerry Secure Gateway, you don't have to expose your mail server outside of the firewall to allow users with these devices to receive work email when they are not connected to your organization's VPN or work Wi-Fi network.
Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow iOS devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.
Per-app VPN
You can set up per-app VPN for iOS devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For iOS devices, apps are associated with a VPN profile when you assign the app or app group to a user, user group, or device group.
Apple Activation Lock
The Activation Lock feature requires the user's Apple ID and password before a user can turn off Find My iPhone, erase the device, or reactivate and use the device. You can bypass the activation lock to give a COPE or COBO device to a different user.
Personal app lists
You can view a list of apps that are installed in a user's personal space on iOS devices in your environment. You can view a list of personal apps installed on a user’s device on the User Details page or view a list of all personal apps installed in users’ personal spaces on the Personal apps page in the management console.
Lost Mode for supervised iOS devices
Lost Mode allows you to lock a device, set a message that you want to display, and view the current location of the lost device. You can enable Lost Mode for supervised iOS devices.
IBM Notes Traveler support
iOS devices can connect to IBM Notes Traveler through the BlackBerry Secure Gateway.
Face ID support
BlackBerry UEM supports Face ID for device authentication and to open BlackBerry Dynamics apps.
Shared device management
You can allow multiple users to share an iOS device. You can customize terms of use that users must accept to check out shared devices. A user can check out a device using local authentication and when they are done using it, they can check it in and the device is available for the next user. Shared devices remain managed by BlackBerry UEM during the check-out and check-in process. This feature was designed for supervised devices with the following configuration:
  • App lock mode enabled
  • VPP apps assigned

Android devices

Feature
Description
Manage Android Enterprise devices
You can activate Android devices to use Android Enterprise, which is a feature developed by Google that provides additional security for organizations that want to manage Android devices and allow their data and apps on Android devices.
Devices can be activated to have only a work profile, or to have both work and personal profiles. You can have full control over both profiles and have the ability to wipe the entire device, or you can allow user privacy for the personal profile and only have the ability to wipe work data from the device.
Samsung and BlackBerry powered by Android devices offer additional administrator options, including an enhanced set of IT policy rules, when activated with Android Enterprise.
Customers who have configured BlackBerry UEM to manage Google Play accounts can now migrate Android Enterprise devices from an on-premises BlackBerry UEM server to UEM Cloud or another on-premises BlackBerry UEM server.
Work and personal – full control activations for Android Enterprise devices
This activation type is for devices running Android 8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password.
Manage devices using Knox MDM and Knox Workspace
BlackBerry UEM can also manage Samsung devices using Samsung Knox MDM and Samsung Knox Workspace.
Knox Workspace provides an encrypted, password-protected container on a Samsung device that includes your work apps and data. It separates a user’s personal apps and data from your organization’s apps and data and protects your apps and data using enhanced security and management capabilities that Samsung developed.
When a device is activated, BlackBerry UEM automatically identifies whether the device supports Knox. In addition to the standard Android management capabilities, BlackBerry UEM includes the following management capabilities for devices that support Knox:
  • An enhanced set of IT policy rules
  • Enhanced application management, including silent app installations and uninstallations, silent uninstallations of restricted apps, and prohibitions on installing restricted apps
  • App lock mode
For more information about supported devices, see the Compatibility matrix. For more information about Knox, visit https://www.samsungknox.com.
Integration with BlackBerry Dynamics
You can use the BlackBerry Dynamics profile to allow Android devices to access BlackBerry Dynamics productivity apps such as BlackBerry Work, BlackBerry Access, and BlackBerry Connect. You can assign the BlackBerry Dynamics profile to user accounts, user groups, or device groups. Multiple devices can access the same apps.
The profile allows you to enable BlackBerry Dynamics for users that are not already BlackBerry Dynamics enabled.
Per-app VPN
You can enable per-app VPN for Android devices that have a work profile to restrict the use of BlackBerry Secure Connect Plus to specific work space apps that you add to an allowed list.
Zero-touch enrollment
BlackBerry UEM supports devices running Android 8.0 or later that have been enabled for zero-touch enrollment. Zero-touch enrollment offers a seamless deployment method for organization-owned Android devices, making large-scale device deployment fast, easy, and secure for the organization and employees. Zero-touch enrollment makes it simple for IT administrators to configure devices online and have enforced management ready when employees receive their devices. See the information from Google Zero-touch enrollment management, and the zero-touch enrollment overview information. You can get started with zero-touch enrollment in just a few steps: purchase devices, assign the devices to users, configure policies for your organization, and deploy the devices to users. You need to work with your reseller or carrier to get access to the Zero-touch portal and get devices configured in the portal.
Support for app-based PKI solutions
Support for app-based PKI solutions, such as Purebred, which can enroll certificates for BlackBerry Dynamics apps. You can install the PKI app on devices and allow the latest versions of BlackBerry Dynamics apps, such as BlackBerry Work and BlackBerry Access, to use certificates enrolled through the PKI app.
Android SafetyNet
When administrators enable Android SafetyNet attestation, BlackBerry UEM sends challenges to test the authenticity and integrity of Android devices that have been activated with the Android Enterprise, Samsung Knox, and MDM controls activation types in your organization's environment.
Security patch level enforcement for BlackBerry Dynamics apps
You can apply security patch level enforcement to BlackBerry Dynamics apps. If the security patch level is not met, you can choose to delete the BlackBerry Dynamics app data, not allow BlackBerry Dynamics apps to run on the device, or perform no actions on the device.
Derived smart credentials
Use Entrust IdentityGuard derived smart credentials for signing, encryption, and authentication for BlackBerry Dynamics apps and apps in the work space on Android Enterprise and Samsung Knox Workspace devices.
Factory reset protection for Android Enterprise devices
You can set up a Factory reset protection profile for your organization’s Android Enterprise devices that have been activated using the Work space only activation type. This profile allows you to specify a user account that can be used to unlock a device after it has been reset to factory settings or remove the need to sign in after the device has been reset to factory settings.

Windows 10 devices

Feature
Description
Support for Windows 10 devices
You can manage Windows 10 devices, including Windows 10 Mobile devices and Windows 10 tablets and computers.
Proxy support for Windows 10 devices
You can configure VPN and Wi-Fi work connections for Windows 10 devices and you can set up a proxy server as part of the Wi-Fi profile for Windows 10 Mobile devices.
Per-app VPN
You can set up per-app VPN for Windows 10 devices to specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall). This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.
For Windows 10 devices, apps are added to the app trigger list in the VPN profile.
Windows Information Protection for Windows 10 devices
You can configure Windows Information Protection profiles to separate personal and work data on devices, prevent users from sharing work data outside of protected work apps or with people outside your organization, and audit inappropriate data sharing practices. You can specify which apps are protected and trusted to create and access work files.
Whitelist antivirus vendors 
In the compliance profile, in the “Antivirus status” rule for Windows devices, you can choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.
Azure Active Directory Join
BlackBerry UEM supports Azure Active Directory Join which allows a simplified MDM enrollment process for Windows 10 devices. Users can enroll their devices with BlackBerry UEM using their Azure Active Directory username and password. Azure Active Directory Join is also required to support Windows AutoPilot, which allows Windows 10 devices to be automatically activated with BlackBerry UEM during the Windows 10 out-of-box setup experience.
Note: To enable automatic MDM enrollment with BlackBerry UEM during the Windows 10 out-of-box setup, a BlackBerry UEM certificate must be installed on the device.

BlackBerry 10 devices

Feature
Description
Manage work information separately on a BlackBerry 10 device
BlackBerry Balance technology makes sure that personal and work information and apps are separated on BlackBerry 10 devices. It creates a personal space and a work space and provides full management of the work space. For government and regulated industries that want to lock the device down further, additional options include full control over the work space and some control over the personal space, or you can create only a work space on the device to give your organization full control over the device.