BlackBerry Unified Endpoint Management, UEM for short, can be seen as the further development and merger of both BlackBerry Enterprise Server and Good Control MDM/MAM. The product focuses on MDM, the management of devices, and MAM, the management of applications on those devices. It can also be integrated with other products to extend its functionality, such as BlackBerry Share, BlackBerry Workspaces and BlackBerry 2FA. BlackBerry UEM 12.11 has been released, and the accompanying list of changes is as follows:
What's new in BlackBerry UEM 12.11
- iOS app integrity check (Use this feature in a beta environment only.)
You can use the iOS app integrity check framework to check the integrity of iOS work apps that have been published to the App Store. This feature uses Apple DeviceCheck and other methods to provide a way to identify that your app is running on a valid Apple device and that the app is published by the specified Apple Team ID. For more information on Apple DeviceCheck, see the information from Apple. This setting applies only to devices running iOS 11 and later. Activation of BlackBerry Dynamics apps that were built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier will fail if you enable the ‘Perform app integrity check on BlackBerry Dynamics app activation’ option in the activation profile and if you add those apps for iOS app integrity check. If a BlackBerry Dynamics app that was built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier is already activated, and you select the 'Perform periodic app integrity checks' option in the Activation profile, the app will fail the periodic attestation check and the device will be subject to the enforcement action specified in the compliance profile that is assigned to the user.
Note: You cannot enable the iOS app integrity checking on enterprise apps that your organization has developed and distributed internally using the Apple Enterprise Distribution program.
- BlackBerry Dynamics Connectivity profile change: The Route All option has been replaced with a Default Route option in the BlackBerry Dynamics Connectivity profile allowing for more detailed control over how BlackBerry Dynamics apps built using the latest BlackBerry Dynamics SDK can connect to app servers. This allows you to configure rules to avoid double tunneling the UEM App Store and UEM hosted application push.
- BlackBerry Dynamics access keys: You can now generate BlackBerry Dynamics access keys for users that do not have an email address.
- Notifications for changes to Android Enterprise apps: Administrators can now receive notifications when the status of an Android Enterprise app on Google Play has changed and requires review. When an app requires review, UEM marks the apps listed on the Apps screen. Administrators can apply a filter to easily see the apps that need to be reviewed or approved and take the appropriate action. From the Settings > Event notifications menu, you can set the types of events that you want administrators to be notified about. For example, you can notify administrators if an app requires review if changes were made to the app’s availability, version, approval status, permissions, app configuration schemas, or if an app was not successfully installed on a user’s device.
- Whitelist antivirus vendors for Windows devices: In the compliance profile, in the “Antivirus status” rule for Windows devices, you can now choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.
- User credential profiles support using Entrust for BlackBerry Dynamics apps: You can now use your Entrust PKI connection to enroll certificates for BlackBerry Dynamics apps using the User credential profile.
- Compliance violation reporting: When a device is out of compliance, violations and any applicable actions display on the device summary page. To see which apps are in a noncompliant state, click on the ‘View noncompliant apps’ link. A device with performance alerts or compliance violations is flagged with a caution icon. Types of violations that are reported include:
- Rooted OS or failed attestation (Android only)
- SafetyNet attestation failure (Android only)
- Jailbroken OS (iOS only)
- Restricted OS version is installed (iOS, Android, macOS, Windows)
- Restricted device model detected (iOS, Android, macOS, Windows)
- BlackBerry Dynamics library version verification (iOS, Android, macOS, Windows)
- BlackBerry Dynamics apps connectivity verification (iOS, Android, macOS, Windows)
- Antivirus status (Windows only)
In the management console, you can filter on any of the compliance rules when they occur.
- Device compliance report: On the dashboard, the device compliance report now includes if either the BlackBerry UEM Client or a BlackBerry Dynamics app is out of compliance.
- Device report update: The device report now includes the BlackBerry Dynamics compliance rule status.
- Automatic device and OS metadata updates: If a user activates a device with a model or OS version that is unknown to BlackBerry UEM, UEM automatically adds the new device or version metadata to the UEM database so that the metadata is available for Activation, Compliance, and Device SR profiles.
- Enable Android keyboard restricted mode: You can now use the ‘Enable Android keyboard restricted mode’ option in a BlackBerry Dynamics profile to force custom keyboards into incognito mode.
- Shared device groups: Migration is not supported for shared device groups. Users who belong to a shared device group do not appear in the Migrate users list. Devices that are part of a shared device group do not appear in the Migrate devices list.
- New Event Notifications: BlackBerry UEM can now email event notifications to administrators for the following events:
- iOS VPP account expiry
- DEP token expiry
- IT policy pack updated
- Metadata updated
Windows 10 Modern Management
- Activate Android Enterprise devices without adding a Google account: Administrators now have the option to allow Android Enterprise devices to be activated without adding a Google Play account to the workspace. You might use this option if you do not want to use Google Play to manage work apps on Android Enterprise devices or you want to activate and use the device without accessing Google services. In the activation profile, you specify whether to add Google Play to the workspace for Android Enterprise devices. By default, the activation profile adds the Google account to the work space and Google Play manages the apps. If you do not add a Google account, apps and app configurations are managed through the BlackBerry UEM infrastructure via BlackBerry UEM Client.
- BlackBerry UEM now includes Work and personal – full control activations for Android Enterprise devices: This activation type is for devices running Android 8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password. This activation type supports the logging of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files. To activate a device with Work and personal – full control, the user must wipe the device and start the activation in the same way as Work space only activations. To enable BlackBerry Secure Connect Plus KNOX Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile. When applying IT policy rules to Android Enterprise devices with Work and personal – full control activations, the different rule categories affect different profiles on the device:
- Global rules apply to the entire device
- Work profile rules apply to apps and data in the work profile
- Personal profile rules apply to apps and data in the personal profile
For example: to apply password requirements to unlock the device, use the Global password rules. To apply password requirements only to the work profile, use the Work profile password rules. To prevent screen capture only of work data, deselect the Work profile “Allow screen capture” rule and select the Personal profile “Allow screen capture” rule. To prevent screen capture of both work and personal data, deselect the Personal profile “Allow screen capture” rule.
Microsoft Azure Cloud
- Support for Azure Active Directory Join: BlackBerry UEM now supports Azure Active Directory Join which allows a simplified MDM enrollment process for Windows 10 devices. Users can enroll their devices with UEM using their Azure Active Directory username and password.
- Windows Autopilot support: Azure Active Directory Join is also required to support Windows AutoPilot, which allows Windows 10 devices to be automatically activated with UEM during the Windows 10 out-of-box setup experience. Note: To enable automatic MDM enrollment with BlackBerry UEM during the Windows 10 out-of-box setup, a UEM certificate must be installed on the device.
- Create an enterprise endpoint in Microsoft Azure Cloud: You can manage and deploy Intune-managed apps from the BlackBerry UEM management console when your environment is configured for Modern authentication.
- Microsoft Intune app protection support enhancement: You can manage and deploy Microsoft Intune managed apps from the BlackBerry UEM management console when your environment is configured for modern authentication.
- Enroll Apple DEP devices using Apple Configurator: You can now use a static enrollment challenge to enroll multiple DEP devices using Apple Configurator.
- Add public app source files as internal apps: You can now add BlackBerry Dynamics app source files from the public app stores as internal apps so that users can install the apps without connecting to the stores.
- Link to specific apps: You can now send users a link or QR code that links directly to the app details page for specific BlackBerry Dynamics apps.
- Enhancements for certificate enrollment using app-based PKI solutions: BlackBerry UEM has simplified the certificate enrollment process for app-based PKI solutions such as Purebred. To use app-based certificates with BlackBerry Dynamics apps, the "Allow BlackBerry Dynamics apps to use certificate, SCEP profiles, and user credential profiles" check box no longer needs to be selected in the BlackBerry UEM Client.
- Logging changes: The BlackBerry UEM administrator console includes the following changes for logging:
- You can now enable SQL logging, CAP payload logging, and HTTP payload logging. These options are available under Settings > Infrastructure > Logging.
- The Maximum device app audit log file size is now configured as a global setting instead of per instance. If you upgrade from a previous release, the maximum size is initially set to the minimum setting for any existing server instance.
- Component level logging is now supported for BlackBerry Proxy Service. You can enable logging for BlackBerry Proxy Service under Settings > Infrastructure > Logging, as well as the Server group and BlackBerry Connectivity Node default settings pages.
- Trace logging option removed: The option to set logging level to Trace has been removed from Service logging override. You can set logging level to Info, Error, Warning, or Debug.
- BlackBerry Proxy Service: Component level logging is now available for BlackBerry Proxy Service. You can enable logging for BlackBerry Proxy Service on the Server group and BlackBerry Connectivity Node default settings pages.
BlackBerry Web Services
- BlackBerry Connectivity app updates: The BlackBerry Connectivity app (version 18.104.22.1681) for Samsung KNOX Workspace and Android Enterprise devices does not include fixes or improvements, but is upversioned so that administrators can assign and update the app on devices. If enterprise connectivity is required, you are now required to use the BlackBerry UEM administrator console to add the BlackBerry Connectivity app as an internal app and assign it (with a Required disposition) to Samsung KNOX Workspace and Android Enterprise devices that don't have access to Google Play. For more information, visit support.blackberry.com/community to read article 37299.
Changes to the Planning and the Installation and Upgrade content
- Enabling access to the BlackBerry Web Services over the BlackBerry Infrastructure: If a web service client is outside of your organization’s firewall and it requires access to the BlackBerry Web Services APIs (REST or legacy SOAP), the client can connect to the APIs securely over the BlackBerry Infrastructure. For more information, see the Getting started page in the REST API reference and the “Access On-Premise UEM web service securely” example. A UEM administrator must explicitly enable access to the BlackBerry Web Services APIs over the BlackBerry Infrastructure. An administrator can enable or disable this access in the management console in Settings > General settings > BlackBerry Web Services access.
- Documentation changes: The Planning and the Installation and Upgrade content have been reorganized for BlackBerry UEM version 12.11. The major changes are:
- A new “Preinstallation and preupgrade requirements” section in the Planning content consolidates information that was previously in several places in the Installation content. Most notably, the Preinstallation and preupgrade checklist has been removed from the Installation content and forms part of the new section.
- Information about ports has moved to the Planning content.
- Overview information about high availability has been consolidated into the Planning content. It was previously in the Installation content and the Configuration content.
Installation, upgrade, and migration fixed issues
BlackBerry UEM Core fixed issues
- When you extracted the BlackBerry UEM installation files, if you had the ‘autorun’ option selected, an error message displayed because the files were extracted to the incorrect directory location. (JI 2723813)
- When you upgraded BlackBerry UEM, the Java heap size registry entries for BlackBerry Proxy were reset to default. (JI 2717877)
- When you installed BlackBerry UEM, if you used a folder with a name that contained special characters, the BlackBerry UEM services were not installed. (JI 2685876)
- The BlackBerry Router installation log files were not moved to the deployment folder after installation was complete. (JI 2634654)
- You could not install a BlackBerry Router if you specified a service account name and password in the deployer.properties file. (JI 2634648)
- Some app configurations did not migrate from Good Control to BlackBerry UEM. (JI 2521111)
User and device management fixed issues
- A potential XML External Entity vulnerability in the BlackBerry UEM Core has been fixed. BlackBerry is not aware of any exploitation of this vulnerability. For more information, refer to the BSRT release. (JI 2732517)
Management console fixed issues
- When a device was activated using the Work and personal - full control (Samsung KNOX) activation type, when a user upgraded the BlackBerry UEM Client on the device, the Client displayed a "Not compliant" message. (JI 2718641)
- The Factory reset protection profile did not work on Android Enterprise devices. (JI 2715303)
- When a device was activated using the Work and personal - full control (Samsung KNOX) activation type, when the 'Delete All Data' command was sent from BlackBerry UEM, the device was not wiped. (JI 2702443)
- After a user upgraded a Samsung 9 device to Android 9, the BlackBerry Connectivity app did not work. (JI 2697334, JI 2695510)
- Entrust certificates did not enroll if they were missing default RDN values. (JI 2675515)
- When a user activated an iOS device and set their own activation password, they might have received an unnecessary email about activating BlackBerry Dynamics apps. (JI 2635013)
- If a BlackBerry Dynamics app used app-based client certificates from the BlackBerry UEM Client, and a user tried to open and activate the app before the BlackBerry UEM Client had been provisioned for BlackBerry Dynamics, the BlackBerry UEM Client was locked. (JI 2662162)
- When you viewed a user's details and you clicked one of the groups that the user belonged to, a BBM Enterprise warning message might have displayed. (JI 2721257)
- If your organization had multiple BlackBerry UEM instances that were not running, when you navigated to Settings > Infrastructure, an error message displayed. (JI 2719094)
- When you created a user group, if you added an app to the group and clicked Save, an error message displayed. (JI 2677208)
- When you created a compliance profile for Android devices, if you selected the 'Restricted device model' option you could save the profile without selecting an 'Allowed device model'. (JI 2668668)
- If you opened the BlackBerry Connect app, clicked on an app configuration, clicked the Server Configuration tab, removed the information in the Connect Server Hosts field and clicked Save, when you clicked on the app configuration again, the information still displayed. (JI 2646430)
- If you added an iOS and Android version of an app and both apps had the same name, only one of the apps displayed on the App rankings page. (JI 2645646)
- When you tried to assign an OTP token to an LDAP user, an error message displayed. (JI 2642308)
- On the App groups page, if you clicked the number in the Applied users column, only the first user displayed. (JI 2641005)
- Future licenses did not display a start date or expiration date on the Licensing Summary screen. (JI 2636721)
- If you assigned the “First” BlackBerry Cluster to the default BlackBerry Connectivity profile, and you navigated to Settings > BlackBerry Dynamics > Clusters, created an empty “Second” cluster, and reassigned the server that is associated with the First cluster to the second cluster and clicked Save, an error message displayed. The Enabled for activation option was also cleared for the First cluster. (JI 2635165)
- When you clicked the Renew button twice on the user credential profile page, an error message displayed. (JI 2633794)
- When you created a certificate mapping profile, if you selected the Specified apps option, clicked +, searched for apps, selected multiple apps that the search returned and clicked add, more apps might have been added to the list than those that you selected. (JI 2627085)
- There was no indication in the management console that a device had failed Android SafetyNet attestation. (JI 2626552)
- When you created a user credential profile, if you selected the 'Native keystore' option in the Certification authority connection list, the bottom of the page was cut off. (JI 2623712)
- When the browser did not have a certificate, or you imported the wrong certificate, or the certificate was expired, a timeout page displayed instead of an error message. (JI 2621218)
- When you used invalid user credentials when you configured PKI for BlackBerry Dynamics, a generic message displayed: "Service Temporarily Unavailable." (JI 2572909)