BlackBerry UEM12.7 available

BlackBerry Unified Endpoint Manager (UEM) v12.7 has been released with some interesting new features.


What’s new in BlackBerry UEM 12.7:


Microsoft Intune

Microsoft Intune integration: For iOS and Android devices, if you want to protect data in Microsoft Oce 365 apps using the MAM features of Microsoft Intune, you can use Intune to protect app data while using BlackBerry UEM to manage the devices. Intune provides security features that protect data within apps. For example, Intune can require that data within apps be encrypted and prevent copying and pasting, printing, and using the Save as command. You can connect UEM to Intune, allowing you to manage Intune app protection policies from within the UEM management console. Note: The Microsoft API that allows UEM to connect to Intune is currently in Beta. Service interruptions could occur for this feature if Microsoft makes significant changes to the API.


Device management

Wearable devices:

You can activate and manage certain Android-based, head-worn wearable devices in BlackBerry UEM. For example, you can manage Vuzix M300 Smart Glasses. Smart glasses provide users with hands-free access to visual information such as notifications, step-by-step instructions, images, and video and allow users to issue voice commands, scan bar-codes and use GPS navigation. Examples of BlackBerry UEM management capabilities that are supported include: Device activation using QR codes, IT policies, app management and location services. 



• App configuration: For Android email apps that support app configuration (such as BlackBerry Productivity Suite), you can configure the settings in an app configuration instead of in an Email profile. You must be using Android work profiles to use this feature.
• List of installed apps: You can specify whether BlackBerry UEM receives a list of apps that are installed in the user’s personal space on iOS, Android, Windows 10, and BlackBerry 10 devices in your environment. By default, the ability to view apps that are installed in the user’s personal space is enabled when the device is activated using a supported activation type. You can view the list of apps that are installed in a user’s personal space in the user account’s device details page or the Personal apps page. 

Note: You can also view apps that were installed on devices before they were activated as KNOX Workspace only devices. Viewing the list of personal apps installed in the user’s personal space is not supported on devices that are activated with the following activation types:

• iOS and Android: User privacy

• Android: Work and personal – user privacy

• Samsung KNOX: Work and personal – user privacy – (Samsung KNOX)

• BlackBerry 10: Work and personal – Corporate

• iOS and Android: Device registration for BlackBerry 2FA only
• App update notifications: Device users are notified of any new or updated apps. There is a new “Updated/New” tab in the Work Apps list and in the Work apps section of the BlackBerry UEM Client.
• Apple VPP account: You can configure the VPP account to automatically update VPP apps on devices. 
• Restricted apps: For Samsung KNOX devices activated with Work and personal – full control, you can create a compliance profile that enforces app restrictions in the personal space as well as the workspace.
• VPP apps: You can associate VPP licenses to iOS BlackBerry Dynamics app entitlements just as you can for other iOS apps. You can associate VPP licenses when you assign apps (or app groups) to users or user groups.


Management console

• Bulk updates: The following are added to the list of commands that can be sent to multiple devices: Update device information; Delete all device data; Delete only work data; Remove devices; Change device ownership; and Update OS (for supervised iOS devices. 
• Upload a certificate: User credential profiles now allow administrators or users to upload a certificate to push to devices.
• Customize the consoles: You can add a custom background image for the log in screen, a custom logo, and a custom name for BlackBerry UEM Self-Service. 
• User certificate upload: User credential profiles now allow users to upload certificates to BlackBerry UEM that can be associated with Wi-Fi, VPN, and email profiles. 
• Admin commands: The Remove device command lets you remove a device from BlackBerry UEM.
 License expiration date: The Licensing summary page in the management console now always displays the license expiration date instead of displaying the date only within the warning period.
 User search: On the top right corner of the User > Managed devices screen, there is a User search link that you can use as an alternative method to search for users by name. Note that if you log out of the console when you are on the User search screen, when you log back into the console you will be returned to the User search screen. 
 Login notice: The character limit that can be used in the login notice for the BlackBerry UEM management console and BlackBerry UEM Self-Service has been increased. The maximum number of characters is now 50,000. 
• Notes field: A notes field has been added for users. Administrators can use the notes field to keep track of any special information about the user. This information is stored against the user object and not against an individual device. If the user is removed, the information in the notes field is also removed. 
• Password complexity: In Settings > General settings > Activation defaults, administrators can specify minimum or maximum password complexity for automatically generated activation passwords. Administrators can specify password length as well as if lowercase letters, uppercase letters, numbers, or special characters are required for the password. 
• Gatekeeping profile: You can now configure the gatekeeping servers in a gatekeeping profile instead of in an email profile. On upgrade to BlackBerry UEM 12.7, gatekeeping profiles are automatically created if you previously configured gatekeeping in email profiles.
• User role: A new user role setting allows you to configure whether or not users have permission to create access keys in BlackBerry UEM Self-Service. 
 Choose the BlackBerry Proxy cluster to use for activation: Select the Enabled for activation option for the BlackBerry Proxy instance that you want to use for activation purposes. (JI 1638296)

Note that this feature will not be available until an upcoming update to the BlackBerry Infrastructure is complete.


BlackBerry UEM Self-Service

Activation password email: You can configureBlackBerry UEM Self-Service to send an activation email to users when they create activation passwords using BlackBerry UEM Self-Service.


Device activation

QR code activation: Users can activate iOS and Android devices using a QR code instead of an activation password. You can send the QR code in an activation email or users can create a QR code in BlackBerry UEM Self-Service. 


• Event notifications: You can set up notifications so that emails are sent to administrators when certain events occur in BlackBerry UEM or on devices. For each event notification you can configure a recipient list, select the days and times to send notifications, and select an email template to use. (JI 930520)
• Monitor BlackBerry Work: You can monitor the performance of the BlackBerry Work app and choose the issues that you want to be reported. 



• Supervised devices: You can configure the activation profile to restrict devices in BlackBerry UEM that are not in supervised mode. If you restrict unsupervised devices, users cannot activate unsupervised devices whether they activate devices with the BlackBerry UEM Client or using DEP.
• Logging: You can use the “Get device logs” command to retrieve device logs from iOS devices that have the BlackBerry UEM Client installed (JI 597503)
• Update OS and other new commands: You can send the following new commands to iOS devices. (JI 2162972)

◦ Update OS (supervised DEP devices running iOS 9 and later and supervised devices running iOS 10.3 and later)

◦ Restart device (supervised devices running iOS 10.3 and later)

◦ Turn o… device (supervised devices running iOS 10.3 and later)


• Android for Work: The BlackBerry UEM console and documentation is updated to reflect Google’s rebranding of Android for Work. 
• Logging: You can use the “Get device logs” command to retrieve device logs from Android devices that have the BlackBerry UEM Client installed. 


Samsung KNOX

• Organizational message: You can set an organizational message to appear when the device is locked or rebooted.
• Wallpaper: You can set the wallpaper that displays on the device and the workspace.
• Transferring contacts: Samsung KNOX Workspace devices support transferring contacts using the Bluetooth Phone Book Access Profile. This capability can be disabled by an IT policy rule.


Windows 10

• App mode profile: You can use an app lock mode profile to limit Windows 10 Enterprise and Windows 10 Education devices managed using MDM to run only one app. For example, you can limit access to a single app for training purposes or for point-of-sales demonstrations. 
• SCEP profile: Administrators can now select a SCEP profile to associate with a Wi-Fi profile for Windows 10 devices.
 FIPS mode and AutoConnect: Administrators can now enable FIPS mode and AutoConnect for Windows 10 devices in a Wi-Fi profile. FIPS mode can be enabled when WPA2-Personal or WPA2-Enterprise security type and the AES encryption type are selected. Administrators may choose to allow the device to connect automatically to the Wi-Fi network when it is in range.
• Reboot: Administrators can now reboot a Windows 10 Mobile device running RS1 and later from the BlackBerry UEM console.
• Windows Information Protection profile: Administrators can now configure additional options in Windows Information Protection profiles. For example, you can configure the work IP ranges that are considered to be part of the work network, any internal proxy servers to use when connecting to work network locations, and cloud resources that need to be protected, and a list of domains that can be used for work or personal resources.
 Lock Down setting: Administrators can now enable the Lock Down setting in VPN profiles for Windows 10 devices. When this setting is enabled, the device stays connected to the VPN, must be connected to have a network connection, and cannot be disabled.


Device management

Apple TV: You can activate and manage Apple TV devices in BlackBerry UEM.


BlackBerry Dynamics

• Certificates: BlackBerry Dynamics apps now support replacing certificates issued by BlackBerry Control with certificates issued by another CA.
• PKI connector enhancements: User credential profiles now allow you to set certificate renewal and revocation options for certificates issues to users through the BlackBerry Dynamics PKI connector.


BlackBerry Dynamics Launcher

Shortcuts: You can add shortcuts to the BlackBerry Dynamics Launcher so that users can quickly access web links.


BlackBerry Dynamics SDK

No password required: With a security policy enforced by the BlackBerry Dynamics SDK and BlackBerry UEM, enterprises can allow users to start mobile applications without requiring a password. The “No Password” feature is available on iOS, Android, macOS, and Windows 10 (UWP).


Policy rules

New policy rules were added for BlackBerry UEM 12.7. To see the new rules, in the BlackBerry UEM Policy Reference Spreadsheet, in the ‘Introduced in BES12/BlackBerry UEM Version’ column click the arrow and select 12.7.0.