Software-update: BlackBerry UEM 12.12

BlackBerry Unified Endpoint Management, UEM in het kort, kan gezien worden als de verdere ontwikkeling en samenvoeging van zowel BlackBerry Enterprise Server als Good Control MDM/MAM. Het product richt zich op emm, het beheren van devices en van applicaties op deze devices. Daarnaast kan het worden geïntegreerd met andere producten om de functionaliteit uit te breiden, zoals BlackBerry Share, BlackBerry Workspaces en BlackBerry 2FA. BlackBerry UEM 12.12 is verschenen en de bijbehorende lijst met vernieuwingen ziet er als volgt uit:

What's new in BlackBerry UEM 12.12

  • Apple DEP error message update: If you have not yet accepted the updated terms and conditions for Apple Business Manager, you will receive an error message by email.
  • Synchronize Apple DEP accounts with Apple Business Manager manually: You can manually synchronize Apple DEP accounts in BlackBerry UEM to ensure device connectivity.
  • Event notification update: The Apple DEP connection failure status event notification now contains details for Com Status, Operation mode, and Last synchronization time.
  • Specify activation profile for Apple DEP devices: For each device registered in Apple DEP, you can now specify the activation profile that you want to assign to it. For example, if a user has multiple iOS devices that require different activation types, you can specify the activation profile for each device. When activating the iOS device, the activation profile that is assigned to the device takes precedence over the activation profile that is assigned to the user account.
  • Assign users directly to Apple DEP device serial numbers: BlackBerry UEM now allows you to assign a user to an Apple DEP device serial number before the device is activated. When a user is assigned to the device serial number in the BlackBerry UEM management console, the user is not prompted for a username or password during device activation.
  • Update iOS to specific version number: On the device tab, you can upgrade the software version on a supervised iOS device to a specific version number. You can use this feature to update the device OS to a version that your organization’s IT department has certified.
  • Support for iOS 13 single sign-on extension: Single sign-on extension for iOS 13 and iPadOS 13 allows users to authenticate once and then automatically log in to domains and web services within your organization’s network. You can configure a single sign-on extension profile in BlackBerry UEM for devices running iOS (or iPadOS) 13.
  • Improved activation process: The BlackBerry UEM Client for iOS has been updated to add some safeguards to minimize the instances where a user must restart the activation process from the beginning due to an interruption during device activation (for example, the user receives a call during activation). When the user returns to the UEM Client, the user can now resume activation from the most recent step.
  • New activation type for iOS and iPadOS 13.1 devices: A new activation type “User privacy – User enrollment” is now available for unsupervised iOS devices running iOS or iPadOS 13.1 and later. The activation type helps maintain user privacy while keeping work data separated and protected. Administrators can manage work data (for example, wipe work data) without affecting personal data. To activate a device with this activation type, users can simply use the native camera app to scan the QR Code that they received in the activation email to manually download and install the MDM profile to the device. To activate their device, the user logs in to their managed Apple ID account. Administrators can also assign the BlackBerry UEM Client to allow users to easily activate other BlackBerry Dynamics apps, import certificates, use 2FA features, use CylancePROTECT Mobile for BlackBerry UEM, and check their compliance status.
  • Support for iOS 13 features: BlackBerry UEM supports the new capabilities in iOS 13. New support includes three new IT policy rules, support for WPA-3 Personal and WPA-3 EnterpriseWi-Fi security, and new Email profile, VPN profile, and App Lock Mode profile settings.
  • Factory reset protection profile: You can specify multiple Google accounts to a Factory reset protection profile.
  • Improvements to Android Enterprise device activation user experience: The number of steps required to activate Android Enterprise devices has been reduced. Users can now tap a check box when they enter their username to accept the license agreement. Additional notifications have been added to show app installation progress. Additional messages have been added to describe permissions required by the UEM Client.
  • Updated activation error messages: When activation is not successful on an Android device, a new or updated error message displays that explains why the device did not activate properly. This allows the user and IT personnel to diagnose and fix the problem.
  • Use OEMConfig apps from Android device manufacturers to manage device features: BlackBerry UEM supports using OEMConfig apps provided by device manufacturers, (for example, the Samsung Knox Service Plugin), to manage manufacturer-specific APIs on devices. The Samsung Knox Service Plugin allows you to manage new Samsung device features as soon as Samsung updates the device and app instead of waiting for new profile settings and IT policy rules in the next UEM update.
  • Review feedback from Android apps with app configurations: BlackBerry UEM receives and displays error and information feedback from any Android apps that have an app configuration and have been developed to provide feedback.
  • Easily add work apps for Android Enterprise devices to Google Play: Access the updated Google Play interface from BlackBerry UEM to more easily add private apps and web apps (shortcuts to web pages) to Google Play in the work profile on Android Enterprise devices. Note that this feature is now available if you are using BlackBerry UEM 12.9 MR1 or later.
  • Corporate owned single-use (COSU) device support for Android Enterprise: BlackBerry UEM now supports corporate owned single-use for Android Enterprise version 9.0 and later. When configured for COSU, a device is locked to a specific set of applications to perform a function.
  • Request bug report: You can now send a command to an Android Enterprise device from BlackBerry UEM to request the client logs. Request bug report is available for the following activation types:
    • Work space only (Android Enterprise fully managed device)
    • Work and personal – full control (Android Enterprise fully managed device with work profile)
  • Control runtime permissions for Android apps: When you add an Android app in BlackBerry UEM, you can choose to set runtime app permissions. You can choose to grant permissions, deny permissions, or use an app permission policy for each permission listed for the app.
  • Send client download location with QR Code: You can define the location for downloading the UEM Client for Work space only (Android Enterprise fully managed device) and Work and personal – full control (Android Enterprise fully managed device with work profile) activation types. The location is sent in the QR Code.
  • Date range for OS updates: For Android Enterprise Work space only and Work and personal – full control devices, you can now specify a date range when OS updates should not occur.
  • Message displays when work profile is deleted: If you use the "Delete only work data" command for Android Enterprise Work and personal - user privacy devices, you can provide a reason that appears in the notification on the user's device to explain why the work profile was deleted.
  • Message displays when work profile is deleted due to a compliance violation: If the work profile is deleted from an Android Enterprise Work and personal - user privacy device due to a compliance violation, the notification on the device now describes the compliance rule that was broken.
  • Force device restart: You can now use the Restart device command to force Android Enterprise Work space only and Work and personal – full control devices to restart.
  • Improved secure tunnel connection for Android devices: When an Android device enters Doze mode, the BlackBerry Secure Connect Plus connection is now more reliably maintained.
  • Default device SR profile and work app updates: There is now a default device SR profile that is assigned to user accounts that don't already have a device SR profile assigned. The default profile is configured for Android devices only and has the "Enable update period for apps that are running in the foreground" option enabled which allows work apps from Google Play to be automatically updated during the time period. By default, apps are scheduled to start updates daily over Wi-Fi at 02:00 (local device time) and stop in 4 hours.
  • Limit Android Enterprise devices to a single app: The app lock mode profile is now supported for devices that are running Android 9 or later and activated with the “Work space only (Android Enterprise fully managed device)” activation type. You can now use the profile to limit Android Enterprise devices to the apps that you specify and, optionally, limit the device to a single app. When you limit the device to a single app, the app can access the other apps that you specified in the profile when it is required, but users always return to the app that the device is limited to.
Samsung Knox
  • Support for Samsung Knox DualDAR: Devices that support Samsung Knox DualDAR encryption can now have Knox Workspace data secured using two layers of encryption. When the user is not using the device, all data in the Knox Workspace is locked and can’t be accessed by apps running in the background. In the Activation profile, you can specify whether to use the default DualDAR app or an internal app to encrypt the workspace. In the Device profile, you can specify the data lock timeout after which the user must authenticate with both device and workspace to access work data again, and specify apps that are allowed to access work data even when work data is locked.
  • Samsung Knox DualDAR encryption is supported on devices that run Samsung Knox 3.3 or later for new activations using the Work and personal - full control (Android Enterprise fully managed device with work profile) premium activation type.
  • Improved support for Knox Platform for Enterprise devices: Samsung Knox IT policies were added for devices that support Knox Platform for Enterprise. These policies are applied to the device, personal space, or work spaces on the device depending on the Android Enterprise activation type that you choose. Support has also been added for native Samsung VPN and email, the ability to restrict apps in the personal space, and the ability to remotely lock the work space. To use Knox Platform for Enterprise features, the Knox device must be running Android 8 or later and be activated with one of the Android Enterprise activation types and the premium option enabled.
  • BitLocker encryption policies for Windows10 devices: Several IT policies that support the use of BitLocker Drive Encryption were added to UEM for Windows10 devices that require encryption. When configured, the devices prompt users to encrypt data using BitLocker on their OS drives, fixed data drives, and removable storage drives. You can configure the encryption strength, the additional authentication requirements and the PIN options for devices that have a Trusted Platform Module, and the recovery options that you want to allow (for example, if a user is locked out of their device).
Installation and Upgrade
  • Regionalization: BlackBerry UEM version 12.12 introduces regionalization features that allow BlackBerry Dynamics traffic to use the BlackBerry Infrastructure instead of the BlackBerry Dynamics NOC. These features are on by default in new installations of BlackBerry UEM version 12.12. If you are upgrading to BlackBerry UEM version 12.12 and want to enable these features, contact BlackBerry Technical Support. The regionalization features require BlackBerry Dynamics apps released in February 2020 or later. For custom BlackBerry Dynamics apps, BlackBerry Dynamics SDK 7.0 or later is required.
  • Migration support: BlackBerry UEM version 12.12 supports migrations from BlackBerry UEMversion 12.10 and later, and from Good Control version 5.0.
  • Upgrade support: BlackBerry UEM version 12.12 supports upgrades from BlackBerry UEM version 12.10 and later.
  • BES5 support: BES5 will no longer be integrated with BlackBerry UEM.
Software support

As of version 12.12, BlackBerry UEM no longer supports the following software:
  • iOS version 11: (visit to read KB57538)
  • Android OS version 6 (visit to read KB57539)
  • BlackBerry 10 OS (see the BlackBerry Software Lifecycle Overview)
  • Windows Server 2008
Management console
  • Compliance profile updates: In a compliance profile, you can now set the Enforcement action for BlackBerry Dynamics apps to Monitor and log. For new compliance profiles, ‘Monitor and log’ is now the default setting. The default option for Prompt interval expired action is also ‘Monitor and log'.
  • Improvements to device filtering: You can now filter devices by model number. For example, you can now filter different Samsung Galaxy device models such as Samsung A5 SM-A520F and Samsung A5 SM-A510F. This allows administrators to apply policies, profiles, and group status to multiple devices of a specific model.
  • App configuration: When you add a new version of an internal app to BlackBerry UEM, the app configuration is automatically copied from the older version of the internal app to the new version.
  • Event notification update: The “Metadata updated” event notification has been improved to display the full name of the device hardware vendor.
  • Override BlackBerry Dynamics connectivity profile on a per-app basis: You can now specify a BlackBerry Dynamics connectivity profile to associate with each BlackBerry Dynamics app in BlackBerry UEM. When a profile is assigned to an app, that profile takes precedence over the profile assigned to the user of that app.
  • App shortcut filter: A new filter on the UEM management console Apps page lets you search for app shortcuts.
  • Dedicated device groups: BlackBerry UEM has a new Dedicated devices menu item. You can view, add, edit, and delete shared device groups and public device groups under the Dedicated devices menu. Public device groups are used to manage single-use devices that are not assigned to specific users. Shared device groups are used to manage devices that can be checked out by multiple users. Previously, shared device groups were located under the Users menu item.
  • Microsoft Azure single tenant application registration: When you add or edit a Microsoft Azure Active Directory Connect connection, you can choose to enable single tenant application registration.
  • Restrict enrollment using device IDs: On the Activation defaults page, you can import and export a list of unique device identifiers to restrict which devices can enroll with BlackBerry UEM. You can specify whether BlackBerry UEM can limit activation by device ID in the following activation types:
    • Android: Work space only (Android Enterprise fully managed device)
    • Android: Work and personal – full control (Android Enterprise fully managed device)
    • iOS: MDM controls
BlackBerry Dynamics
  • Configure BlackBerry Dynamics proxy settings with a PAC file: You can now use a PAC file to configure HTTP proxy settings for app traffic connections to the BlackBerry Dynamics NOC. PAC files are supported only for apps that use BlackBerry Dynamics SDK version 7.0 and later.
  • TLS v1.2: BlackBerry Dynamics apps now allow only TLS v1.2 for secure communications by default. To allow TLSv1 and v1.1, you must manually configure them.
New IT policy rules
  • Access Point Name profile: You can use Access Point Name profiles to send APNs for carriers to your user's Android devices. If you want to force a device to use an APN sent to it by an Access Point Name profile, you can use the "Force device to use Access Point Name profile settings" IT policy rule in the Android Global IT policy rules.
  • Hide certificate: For certificates pushed to Android Enterprise devices with Android 9.0 and later, SCEP, shared certificate, and user credential profiles now allow you to hide the certificate from users to prevent them for using it for unintended purposes.
Versienummer 12.12
Releasestatus Final
Besturingssystemen Windows Server 2012, Windows Server 2016
Website BlackBerry
Licentietype Betaald

Reacties (11)

Wijzig sortering
Verschrikkelijk stuk software. Vanuit mijn werkgever zit ik sinds de BB-UEM met een kreupele telefoon.
Wij hebben het hier ook maar geen enkel probleem, beheer er ~100 telefoons mee. Erg fijne MDM oplossing.
Wat is er kreupel aan je telefoon, als ik vragen mag? Of bedoel je dat je werkgever de telefoon heeft dicht getimmerd?
Er zitten (bij het laatste traject wat ik zijdelings meekreeg) toch nog wel aardig wat problemen in. Vooral de update snelheid bij agenda afspraken was een drama. Het zal uiteraard wel gedeeltelijk aan de consultants liggen die het implementeren de hoeveelheid problemen was noemenswaardig.
De update snelheid van agenda afspraken is hier zo goed als direct (max. 1 minuut). Wat ik bij ons doe is een Active Sync profiel bij de activatie meesturen en dan heb ik daarna maar 1 aandachtspunt: de standaard agenda op de telefoon (mix van 80% iPhone en 20% Samsung) aanpassen naar die van het Active Sync profiel en dan heb ik er geen omkijken naar.
Goede tip, maar volgens mij wou de klant juist geen gebruik maken van EAS. De problemen kwamen juist naar voren met BB eigen apps dus ik denk dat men hier de Dynamics app gebruikte zoals @Razwer al aangeeft.
BB Work mobile gebruikt EAS + EWS voor calendar attachments
BB Work mobile gebruikt EAS16 indien dit supported is (zonder EWS)
BB Acces (Work) win10/mac gebruikt EWS.

Het verschil tussen Dynamics en Native op dit punt is de tunneling en routering van het verkeer.

het GRP protocol ruikt naar HTTPS maar is het niet. Hier gaan veel (network) engineers (en CISO's) de mist in met design en implementatie.

Mocht je je vervelen, hier meer info: https://docs.blackberry.c...urity%20White%20Paper.pdf

[Reactie gewijzigd door Razwer op 29 januari 2020 13:25]

Er zit een flink technologisch verschil tussen gebruik van native email/calendar apps vs de (containerized) Dynamics apps.
Dynamics is flink veiliger maar routeert by default via Seattle (Dynamics NOC, GRP protocol) op alle pre 12.12 UEM servers tenzij je DirectConnect hebt ingericht. Native apps (per app VPN) gebruikt de BlackBerry infrastructure die een endpoint in Nederland gebruiken. Een flink verschil in latency dus.

In 12.12 gaat Dynamics (GRP) nu ook via de BlackBerry Infrastructure en niet meer via Seattle. Kanttekening is dat dit alleen bij nieuwe installaties is en niet bij upgraded omgevingen, tenzij er een aanpassing komt in de database. In 12.13 (komende zomer) zal de upgrade dit ook enablen voor bestaande omgevingen.

GRP = Good Relay Protocol
Door het aankopen en integreren van Good Dynamics binnen BES12 (UEM is hier het kindje van) is de infrastructuur communicatie binnen UEM relatief complex.
Zonder goed design en zonder goede kennis van zaken en daarnaast een complexe IT infrastructuur doet menig engineer achter zijn oren krabbelen met implementaties van UEM.

De echt goede (senior) BlackBerry engineers binnen Nederland zijn op 1 hand te tellen helaas.

Ik ben reuze benieuwd welk bedrijf/instelling de door jou genoemde issues heeft en wie de engineers zijn die het implementeren.
Helaas kan ik daar niet op ingaan maar ik weet wel dat het TO inclusief netwerk / firewall communicatie tekening er verder netjes en professioneel uitzagen. Er zijn natuurlijk veel factoren waaronder de firewall mensen die ook letterlijk geen idee hadden hoe de boel werkte.. Nu ik er aan terug denk, lijkt me het probleem eerder daar te zitten.
BlackBerry UEM is een endpoint management software met ontzettend veel mogelijkheden en is het meest veilige endpoint management/security systeem op de markt.
De inrichting kan heel vrij zijn (en toch ontzettend veilig) of heel restrictief.

Het ligt aan de beheerder/werkgever hoeveel vertrouwen hij heeft in zijn werknemers of de telefoons kreupel worden of niet. Als jouw telefoon kreupel is ingericht door jouw baas zegt dat genoeg over het vertrouwen wat hij in jou heeft :+
Als eindgebruiker, staat deze link op intranet, misschien wordt het beter ;)

Op dit item kan niet meer gereageerd worden.

Tweakers maakt gebruik van cookies

Tweakers plaatst functionele en analytische cookies voor het functioneren van de website en het verbeteren van de website-ervaring. Deze cookies zijn noodzakelijk. Om op Tweakers relevantere advertenties te tonen en om ingesloten content van derden te tonen (bijvoorbeeld video's), vragen we je toestemming. Via ingesloten content kunnen derde partijen diensten leveren en verbeteren, bezoekersstatistieken bijhouden, gepersonaliseerde content tonen, gerichte advertenties tonen en gebruikersprofielen opbouwen. Hiervoor worden apparaatgegevens, IP-adres, geolocatie en surfgedrag vastgelegd.

Meer informatie vind je in ons cookiebeleid.


Toestemming beheren

Hieronder kun je per doeleinde of partij toestemming geven of intrekken. Meer informatie vind je in ons cookiebeleid.

Functioneel en analytisch

Deze cookies zijn noodzakelijk voor het functioneren van de website en het verbeteren van de website-ervaring. Klik op het informatie-icoon voor meer informatie. Meer details


    Relevantere advertenties

    Dit beperkt het aantal keer dat dezelfde advertentie getoond wordt (frequency capping) en maakt het mogelijk om binnen Tweakers contextuele advertenties te tonen op basis van pagina's die je hebt bezocht. Meer details

    Tweakers genereert een willekeurige unieke code als identifier. Deze data wordt niet gedeeld met adverteerders of andere derde partijen en je kunt niet buiten Tweakers gevolgd worden. Indien je bent ingelogd, wordt deze identifier gekoppeld aan je account. Indien je niet bent ingelogd, wordt deze identifier gekoppeld aan je sessie die maximaal 4 maanden actief blijft. Je kunt deze toestemming te allen tijde intrekken.

    Ingesloten content van derden

    Deze cookies kunnen door derde partijen geplaatst worden via ingesloten content. Klik op het informatie-icoon voor meer informatie over de verwerkingsdoeleinden. Meer details