BlackBerry UEM version 12.19: Everything You Need to Know

BlackBerry UEM version 12.19: Everything You Need to Know
© Rafa Fernandez – stock.adobe.com

BlackBerry Unified Endpoint Management (UEM) is a comprehensive mobile device management solution. It enables organizations to securely manage and control mobile devices, applications, and content. UEM offers a single platform for managing a variety of endpoints, including smartphones, tablets, laptops, and other mobile devices, to enhance security and productivity.


Management Features

Day Zero Support

BlackBerry UEM v12.19 supports and allows the management of mobile devices running iOS 17/iPadOS 17 or Android 14 from day zero. 


Microsoft Azure AD Synchronization for On-Premises Deployments

For organizations using Microsoft Azure Active Directory (AAD), it is now possible to connect to an on-premises BlackBerry UEM server, using a BlackBerry Connectivity Node (BCN). This allows to create and synchronize users and directory-linked groups; they are now able to log into the BlackBerry UEM Self-Service portal using their corporate credentials.


Android Management

Three new activation types, using Android Management API (AMAPI), have been added:

  • Work and personal - full control (Android Management fully managed device with work profile)
  • Work and personal - user privacy (Android Management with work profile)
  • Workspace only (Android Management fully managed device


Unlike Android Enterprise, they do not require the use of custom Device Policy Controller (DPC), for example BlackBerry UEM client, for device enrollment and management, but rely on Google device-built Android Device Policy (ADP) DPC. While Android devices can already be enrolled and managed using that new framework, there is no feature parity yet, so for now, BlackBerry customers should keep using Android Enterprise activations.


Activation Type

Declarative Device Management (DDM)

Apple’s Declarative Device Management (DDM) is a user-centric approach to managing iOS and macOS devices in organizations. It focuses on separating personal and work data, simplifying device enrollment, utilizing Managed Apple IDs, and using configuration profiles to define settings and policies for enhanced security and user experience. BlackBerry UEM starts using Apple’s DDM framework, in view of preparing new features for future releases.


Device Actions

Improved VPP App Management

School Manager, that allows enterprises and educational institutions to purchase apps, books, and content in bulk for iOS and macOS devices, simplifying the provisioning and distribution of apps, offering cost savings and centralized management.


UEM administrators are now able to control automatic updates for VPP apps by utilizing the "Required without updates" and "Optional without updates" settings, allowing to deploy updates on a specific group of devices before making them accessible to all users. These settings can be applied at various levels, such as the app, user, user-app, device, or shared device group. It's important to note that these settings exclusively affect automatic app updates, while users can still manually update the app through the App Store.


This covers the use cases where certain groups of users get early access to pre-release/beta app updates ahead of the entire user base, and/or testing is required before deploying at a global scale.


Assign Apps

Rapid Secure Response (RSR) Improvements

Rapid Security Responses (RSR) are a new type of OS software release for iPhone, iPad, and Mac devices. They provide vital security enhancements in between regular OS software updates, such as refining the Safari browser, the Web Kit framework stack, and other essential system libraries.


UEM administrators are now able to define an RSR version as the minimum required OS version of iOS/iPadOS device, using an Active Profile.


Device model restrictions

RSR version are also displayed in the Device Grid, and available to filter the device view, just like another OS version.


Add user

eSIM Management Enhancements

Embedded SIM (eSIM) cards are integrated into mobile devices, enabling remote and flexible mobile network provisioning, making them popular in the enterprise for easy device setup, cost-effective global roaming, and streamlined management. They reduce the need for physical SIM swaps, simplifying device deployment and enhancing connectivity options, critical for business operations.


To facilitate the growing adoption of eSIM-equipped phones as part of the corporate mobile device fleets, BlackBerry UEM REST API now provides a new “Wipe device and Preserve eSIM info” command for third-party software developers, allowing them to implement that command within their own solution, for example a Security Orchestration, Automation, and Response (SOAR) or Security Information and Event Management (SIEM) like ISEC7 Sphere, and perform a full device wipe, for example in view of providing it to another employee, but without loosing the eSIM data, if present on said device. Also, eSIM information is now displayed under the UEM management console in the Device Details screen.


Apple iPhone 11 Activated Device

Knox Service Plugin (KSP)

Samsung Knox Service Plugin (KSP) is a component of Samsung Knox, designed for managing and securing Samsung Android devices in enterprise environments. It offers numerous benefits like enhancing security by providing a robust set of features, including data encryption, secure boot, and real-time threat detection, and offering granular control over device policies and configurations, ensuring compliance with corporate standards. It seamlessly integrates with Mobile Device Management (MDM) solutions, streamlining device management in the enterprise.


KSP policies can now be configured directly from under the common “Profiles and Policies” section in the UEM management console, instead of an app configuration, providing UEM administrators with a more convenient and seamless way to manage KSP policies.


Know Service Plugin

Expanded Reporting and Compliance Information

Reporting and compliance information are vital for enterprises as they ensure adherence to regulations, identify potential risks, enable informed decision-making, and maintain trust with stakeholders and customers.


BlackBerry UEM v12.19 provides the ability to export information about personal apps (ex: app name, version, OS…) as well as new variable for compliance email template to list Restricted Apps installed. This provides improved visibility for administrators regarding compliance breaches, particularly related to personal applications that might be prohibited or limited due to government regulations, such as TikTok and other social media platforms.


Also, a device Bluetooth MAC address is now be displayed in the Managed device user’s screen under the UEM management console.


BlackBerry Dynamics

Security Features

New BlackBerry Dynamics Rules

Allowing users to take screenshots of work emails and documents on mobile devices poses security risks, as sensitive information may be shared, accidentally or intentionally, and this without control, potentially leading to data breaches. Additionally, it may violate data privacy regulations, and data leaks or unauthorized sharing could harm the organization's reputation and legal compliance.


Thanks to a new policy called “Prevent Screenshots on iOS”, it is now possible for IT admins to prevent users from taking screenshots from within their BlackBerry Work mobile app, including emails, contacts, calendar and more.


Screenshot Prevention iOS Only

New Wi-Fi Profile Option

Transport Layer Security protocol (TLS) is a famous secure communication protocol that encrypts data transmitted over the internet, enhancing privacy and security, offering improved performance and security features. TLS 1.3, the latest version, can now be configured and enforced in a Wi-Fi profile.


Authentication protocol

New VPN Configuration Option

A new setting has been added to the VPN profile, so it is now possible to use RSA Probabilistic Signature Scheme (RSA-PSS), a cryptographic padding scheme used with Rivest-Shamir-Adleman (RSA) signatures, with VPN network connection using Internet Key Exchange version 2 (IKEv2) protocol.


Enable xAuth

Other Improvements

JRE 17 Required

Java Runtime Environment (JRE) version 17 must be implemented on the servers where BlackBerry UEM v12.19 will be installed or upgraded to, which requires some advanced configuration work.


The team at ISEC7 can help with updating and configuring BlackBerry UEM v12.9 within your pre-existing enterprise deployment to ensure all business and operational use cases are addressed. ISEC7 is your premier one-stop-shop for all your mobility and security needs, further shaping and improving efficiency in your digital landscape. Please feel free to contact us with any inquiries and we would be happy to assist you. 



Note: Please fill out the fields marked with an asterisk.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group