What's new in BlackBerry UEM Cloud

Microsoft Azure Active Directory

Organizations that use Microsoft Office 365 can now connect BlackBerry UEM Cloud to Microsoft Azure Active Directory instead of using the BlackBerry Cloud Connector to connect to an on-premise Microsoft Active Directory.

iOS

Face ID support: BlackBerry UEM supports Face ID for device authentication and to open BlackBerry Dynamics apps.

Multiple DEP accounts: You can now link multiple Apple DEP accounts to one BlackBerry UEM domain.

iOS 11: You can now specify the minimum and maximum TLS versions that devices can use over an IKEv2 connection in the VPN profile. This setting applies only to devices that are running iOS 11 and later.

Shared iOS device management: You can allow multiple users to share an iOS device. You can customize terms of use that users must accept to check out shared devices. A user can check out a device using local authentication, and when they are done using it, they can check it in so that the device is available for the next user. Shared devices remain managed by BlackBerry UEM during the check-out and check-in process. This feature was designed for supervised devices with the following configuration:
  • App lock mode enabled

  • VPP apps assigned

Configure layout of apps on iOS devices: You can create a Home screen layout profile for supervised iOS 9.3 and later devices that allows you to control the layout of apps on the device.

Sharing and recording screens: Administrators can now prevent iOS device users from sharing and recording their screens when using BlackBerry Dynamics apps. This BlackBerry Dynamics profile setting applies to devices running iOS 11 and later.

Assign VPP licenses to device groups: You can now assign Apple Volume Purchase Program (VPP) licenses to device groups. Assigning VPP licenses to device groups simplifies installation for users because they no longer require an Apple ID to install apps and apps do not appear in users' purchase histories and app installs. This feature requires iOS 9 or later.

Enable lost mode for iOS: In BlackBerry UEM Self-Service, users can now turn on or turn off Lost Mode for supervised iOS devices. Lost Mode locks the device with its existing passcode and displays a message on the screen.

Samsung KNOX

KNOX MDM policy improvements
  • When you activate a Samsung KNOX device that has a work profile with the Work space only or Work space only Premium activation type (Android Enterprise enrollment type), a subset of the KNOX MDM policy rules is also applied to the device. For example, the policy rules for allowing facial recognition, iris authentication, incoming MMS, outgoing MMS, or blocking Wi-Fi SSIDs are applied to the device.

  • When you create an activation profile for Samsung KNOX devices, if you select the MDM Controls activation type, you can now choose whether you want KNOX MDM policy rules to be applied to the device. By default, Samsung KNOX devices receive KNOX MDM policy rules.

Per-app VPN for Samsung KNOX Workspace devices: You can now set VPN settings for individual work apps on Samsung KNOX devices. Per-app VPN settings are available for both VPN profiles and BlackBerry Secure Connect Plus.

Support for Enterprise FOTA: You can now use a Device SR requirements profile to control the firmware versions that are installed on Samsung KNOX devices. You can also schedule when firmware updates are applied. This feature requires MDM 5.7.1 and later.

Support installing specific apps from Google Play in Samsung KNOX Workspace: Administrators can now specify a list of apps from the Google Play Store that users can install in the Samsung KNOX Workspace.

Device activation: For devices that are activated using Samsung KNOX Mobile Enrollment, you can now specify whether to allow users to use their Microsoft Active Directory credentials to activate their devices.

Android

Android zero-touch enrollment: BlackBerry UEM supports zero-touch enrollment on devices running Android 8.0 or later that have been enabled for zero-touch enrollment. Zero-touch enrollment offers a seamless deployment method for organization-owned Android devices, making large-scale device deployment fast, easy, and secure for the organization and users.

SCEP support: Android devices with a work profile now support using SCEP to provide the client certificate to the device for authentication with your work Wi-Fi network.

Device support messages: For Android 8 devices, you can create a support message that appears on Android devices with a work profile when a feature is disabled by BlackBerry UEM.

Disable system apps: You can now disable system apps in the work profile on Android devices.

App catalog in the BlackBerry Dynamics Launcher: On Android devices that are not activated for MDM, users can now access their work app catalogs from the BlackBerry Dynamics Launcher without having the BlackBerry UEM Client installed on the device. Google Play opens in BlackBerry Access.

BlackBerry Dynamics

Compliance rules: A new compliance policy allows all BlackBerry Dynamics library versions. Administrators can automatically have all listed SDK library versions selected or allow new unlisted BlackBerry Dynamics library versions as a wildcard so that rules can be set for new versions.

Unlock BlackBerry Dynamics app email: You can now send an email with an unlock key to a user’s device to unlock BlackBerry Dynamics apps.

Internal BlackBerry Dynamics apps: Users can now install internal BlackBerry Dynamics apps in the work profile on Android devices.

Management console

App compliance: You can see which apps that are installed on a device are making the device non-compliant.

Self-service password: You can send a BlackBerry UEM Self-Service password to multiple users at one time.

Do not disturb: You can use Do not disturb profiles to limit device notifications outside of work hours for BlackBerry Work meetings and email on Android devices and BlackBerry Work email on iOS devices. These profiles allow you to block notifications during off-work days and hours that you define.

Banned password list: You can upload a list of passwords that a user can't use when they set a password for BlackBerry Dynamics apps on a device. You can also download the previously uploaded list of banned passwords.

Win32: BlackBerry Dynamics now supports Win32 and a new compliance policy for Win32 anti-virus detection is available.

User certificate list: The user page in the management console displays an improved list of the certificates assigned to a user.

Google account user management

New controls prevent users from adding additional accounts in the Android workspace.

New IT policy rules

| Device type | Group | Name | Description |
|---|---|---|---|
| Android work profiles | Device functionality | Allow Bluetooth | Specify whether the device can use Bluetooth technology. |
| Android work profiles | Device functionality | Allow Bluetooth sharing | Specify whether a user can share content from the device over a Bluetooth connection. |
| Android work profiles | Device functionality | Allow microphone | Specify if the microphone is available to apps on the device. If this rule is not selected, the microphone is disabled for all services. On BlackBerry devices powered by Android, when this rule is not selected the phone app enables the microphone for emergency calls. |
| Android work profiles | Security and privacy | Allowed notification listeners | Specify which personal apps can intercept notifications from other apps. |
| Android work profiles | Security and privacy | Notification listener packages | Specify the package IDs for additional accessibility services that the user can access. If you do not specify a package ID, users can only use the system services. System accessibility services are always available to the user. |
| Android work profiles | Security and privacy | Allow device backup | Specify whether the device can use the backup service. If the rule is not selected, the user can't back up or restore data on the device. |
| Android work profiles | Security and privacy | Allow autofill | Specify whether the device can save user-entered form data to automatically fill future forms. |
| KNOX MDM | Device functionality | Disallowed Wi-Fi SSIDs | Specify the list of Wi-Fi SSIDs that you want to prevent devices from connecting to. These can be used to block SSIDs added by the carrier, user, etc. |
| KNOX MDM | Apps | Set SMS/MMS Signature | Specify the signature that is appended to outgoing SMS or MMS messages sent by the user. |
| KNOX Premium - Workspace | Device functionality | Enable USB access for apps in the KNOX Workspace | Specify if apps inside the KNOX Workspace can access USB. |
| KNOX Premium - Workspace | Security and privacy | Apps allowed to access external storage | Specify the package IDs of apps in the Samsung KNOX that are allowed to read or write to external storage. |
| iOS | Device functionality | Allow automatic setup of new devices (supervised only) | Specify whether the device can be used for automatic setup of a new device. If this rule is not selected, the device doesn't display a prompt to set up new devices that are in proximity. |
| iOS | Device functionality | Delay software updates (supervised only) | Specify the number of days after a device software update release that the update is installed on the device. |
| Windows Phone | Device functionality | Delivery Optimization mode | Specify the methods that Delivery Optimization can use to download Windows updates, apps, and app updates to the device. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Allow Delivery Optimization peer caching over VPN | Specify whether the device can participate in peer caching when connected to the work network using VPN. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Group identifier | Specify an arbitrary group ID that the device belongs to for local network peering between devices that are on different domains or are not on the same LAN. This rule takes effect only if the "Delivery Optimization mode" rule is set to "HTTP and peering across private group". This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Minimum RAM for peer caching | Specify the minimum amount of RAM in GB that the device must have to use peer caching. Devices with less than the specified amount of RAM can't use peer caching. If set to 0, the Delivery Optimization cloud service default is used. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Cache drive | Specify the drive that Delivery Optimization uses for the cache on the device. The drive location can be specified using environment variables, drive letter, or a full path. If no drive is specified, %SystemDrive% is used to store the cache. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Minimum disk size allowed to peer | Specify the minimum disk size capacity in GB for the device to use peer caching. If set to 0, the Delivery Optimization cloud service default is used. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. Recommended values: 64 GB to 256 GB. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Maximum cache size percentage | Specify the maximum percentage of the disk size that Delivery Optimization can use for the cache. The "Absolute maximum cache size" rule takes precedence over this rule. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule applies to Windows 10 computers and tablets. |
| Windows Phone | Device functionality | Absolute maximum cache size | Specify the maximum size in GB of the Delivery Optimization cache. Delivery Optimization clears the cache when the device is low on disk space. This rule takes precedence over the "Maximum cache size percentage" rule. If set to 0, the Delivery Optimization cloud service default is used. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Minimum file size to cache | Specify the minimum file size in MB that can be downloaded using peering. If set to 0, the Delivery Optimization cloud service default is used. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Maximum cache age | Specify the maximum time in seconds that each file remains in the Delivery Optimization cache after downloading successfully. If set to 0, Delivery Optimization holds the files in the cache and makes them available for upload to other devices as long as the cache size is not exceeded. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Maximum download bandwidth percentage | Specify the maximum percentage of available download bandwidth that Delivery Optimization uses across all concurrent download activities. If set to 0, Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Maximum download bandwidth | Specify the maximum download bandwidth in KB/second that Delivery Optimization can use across all concurrent download activities. If set to 0, Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Minimum download quality | Specify the minimum download speed in KB/second for background downloads. This rule affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum value set. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Minimum battery percentage for upload | Specify the minimum battery percentage remaining for devices to upload cached data to LAN and group peers while on battery power. Uploads will pause if the battery level drops below the minimum percentage. If set to 0, the Delivery Optimization cloud service default is used. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Maximum upload bandwidth | Specify the maximum upload bandwidth in KB/second that Delivery Optimization can use across all concurrent upload activities. If set to 0, unlimited possible bandwidth is permitted, optimized for minimal usage. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |
| Windows Phone | Device functionality | Monthly upload data cap | Specify the maximum total data in GB that Delivery Optimization can upload to Internet peers in each calendar month. If set to 0, no monthly upload limit is applied. This rule takes effect only if the "Delivery Optimization mode" rule is set to an option that allows peering. This rule does not apply to Windows 10 smartphones. |