Software-update: BlackBerry UEM 12.21

BlackBerry Unified Endpoint Management, UEM in het kort, kan gezien worden als de verdere ontwikkeling en samenvoeging van zowel BlackBerry Enterprise Server als Good Control MDM/MAM. Het product richt zich op emm, het beheren van devices en van applicaties op deze devices. Daarnaast kan het worden geïntegreerd met andere producten om de functionaliteit uit te breiden, zoals BlackBerry Cybersecurity (voorheen Cylance), BlackBerry Work en BlackBerry 2FA. BlackBerry UEM 12.21 is verschenen en de bijbehorende lijst met vernieuwingen ziet er als volgt uit:

What's new in UEM version 12.21

• Support for Intercede MyID - This release supports the use of the Intercede MyID PIV credential management solution to provide derived credentials certificates to devices activated on UEM.
• Create local users administrator permission - This release includes a new Users and Devices permission, Create local users, that controls whether an administrator account can create local users. Create local users is enabled by default for the Security Administrator, Enterprise Administrator, and Senior HelpDesk roles. The Create local users permission can be enabled only if the Create users permission is also enabled.
  After you upgrade to UEM 12.21, custom roles that you created previously will not have the Create local users permissions by default, you must assign it manually.
• Enhancements to BlackBerry Dynamics profiles - BlackBerry Dynamics profiles feature the following enhancements:
  • A background activity setting is now available for iOS and Android devices, allowing background process restarts if the OS has terminated the application process. When enabled, an app may use secure networking and storage in the background after receiving a push notification. This feature (known as Background Authorize) was previously supported only for select BlackBerry Dynamics apps and was configured in the app policy. It is now supported for all BlackBerry Dynamics apps and is configured in the BlackBerry Dynamics profile. This feature requires a version of the BlackBerry Dynamics apps that will be released in early 2025.
  • The Data leakage prevention (DLP) section has been restructured for ease of use.
  • In the DLP section, you can now specify a character limit for cutting and copying text from a BlackBerry Dynamics app to a non-BlackBerry Dynamics app. This feature requires a version of the BlackBerry Dynamics apps that will be released in early 2025.
  • In the Transfer files section, for iOS there is a new setting to allow or block the transfer and opening of unencrypted files from BlackBerry Dynamics apps to selected non-BlackBerry Dynamics apps. This feature requires a version of the BlackBerry Dynamics apps that will be released in early 2025.
  • A new setting, "Allow Apple Intelligence in-app writing tools", specifies whether iOS users are able to access built-in Apple Intelligence writing tools in BlackBerry Dynamics apps. By default, this setting is not selected.
    This setting is enforced only if the following data leakage prevention setting is enabled in the profile: "Do not allow copying data from BlackBerry Dynamics apps into non-BlackBerry Dynamics apps". If this DLP setting is not selected, Apple Intelligence writing tools are allowed in BlackBerry Dynamics apps.
    Note that if you turn off the IT policy rule "Allow writing tools (supervised only)" in the assigned IT policy, writing tools will be blocked for all apps on supervised iOS devices, regardless of the configuration of this setting in the BlackBerry Dynamics profile. By default, the "Allow writing tools (supervised only)" IT policy rule is enabled.
• Changes to OS support - This release adds support for the following device operating systems:
  • iOS 18
  • Android 15
• New iOS IT policy rules - The following IT policy rules have been added for iOS devices.
  Device functionality (iOS 17.4 or later):
  • Allow auto dim (supervised only)
  Device functionality (iOS 18.0 or later):
  • Allow eSIM outgoing transfers (supervised only)
  • Allow iPhone mirroring (supervised only)
  • Allow Genmoji (supervised only)
  • Allow image playground (supervised only)
  • Allow image wand (supervised only)
  • Allow personalized handwriting results (supervised only)
  Device functionality (iOS 18.1 or later):
  • Allow call recording (supervised only)
  • Allow RCS messaging (supervised only)
  • Allow mail summary (supervised only)
  Apps (iOS 18.0 or later):
  • Allow hiding apps (supervised only)
  • Allow locking apps (supervised only)
  Apps (iOS 18.2 or later):
  • Allow default browser modification (supervised only)
  Security and privacy (iOS 18.0 or later):
  • Allow writing tools (supervised only)
  Security and privacy (iOS 18.2 or later):
  • Allow external intelligence integrations (supervised only)
  • Allow external intelligence integrations sign-in (supervised only)
• New Android IT policy rule to control Circle to Search - The "Allow Circle to Search" IT policy rule allows you to control whether Circle to Search functionality is enabled in the work profile. The rule is enabled by default and applies to devices running Android OS 15 or later. This rule requires the UEM Client for Android version 12.45.x or later.
• Changes to IT policy rules - The IT policy rule "Allow screenshots in the work profile to be stored in the personal profile" is not supported for devices with Android 15 or later.
• Enhancement to encrypting the connection between UEM and Microsoft SQL Server - Previously, you could encrypt the connection only after installing UEM. In this release you can set up an encrypted connection when you install or upgrade UEM using the command prompt.
• Support for group Managed Service Accounts - This release adds support for using a group Managed Service Account (gMSA) to install or upgrade UEM and to run the UEM services. When installing or upgrading UEM on-premises, you can now select an option to use a gMSA.
• Designate iOS and OS X apps as Work or Personal - When you assign iOS or OS X apps to a user or group, you can configure a new Target field to designate the app as "Work" (default) or "Personal". This field allows you to differentiate the type of app in the management console. This setting does not impact how the app is installed or managed on the device.
• Enhancement to the device vulnerabilities view - The device vulnerabilities view now allows you to search and filter by a specified CVE number to see the device operating systems that are impacted by that CVE.
• Copy app configurations - You can now copy and modify an existing app configuration.
• Enhancements to app configurations for BlackBerry Dynamics apps - The following enhancements have been made to the app configuration UI for BlackBerry Dynamics apps:
  • The available tabs are now stacked for ease of use.
  • You can move and resize the app configuration window.
• Support for Samsung Knox 3.11 with Android Enterprise activation types - This release adds support for Android Enterprise activation types on Android 15 with Samsung Knox 3.11. Note that the MDM controls activation type is no longer supported for Samsung Knox devices with Android 15 or later.
• Enhancement to compliance profiles - Compliance prompts for BlackBerry Dynamics apps are now supported for the following compliance rules:
  • OS update not applied (iOS and Android)
  • Managed device attestation failure (iOS)
  • Compliance prompts for these settings require the most recent release of BlackBerry Dynamics apps (October 2024 or later for iOS, November 2024 or later for Android).
• Changes to supported Android activation types for dark site environments - There are changes to the supported Android activation types in a dark site environment.
• Feature enhancements for the BlackBerry UEM ClientSee the UEM Client Release Notes to learn about the latest features:
  • UEM Client for Android
  • UEM Client for iOS
• Feature enhancements for the BlackBerry Web Services - See the BlackBerry Web Services Release Notes to learn about the latest features.

Fixed issues in UEM 12.21

Management console fixed issues

• If you configured UEM to connect to more than one Microsoft Active Directory instance, when you searched for a user account to add from Active Directory, UEM might not have found the user account as expected because it searched the wrong Active Directory instance. (EMM-157231)
• You could not assign apps to shared iPad groups when the browser was set to display the management console in German. (EMM-157187)
• If you set your browser to display the management console in German, Spanish, or French, when you navigated to Users > Compliance violations, an error message displayed and no devices were listed. (EMM-157122)
• If you tried to add certain Android APKs that were published to Google Play to UEM as internal app, the APK file could not be verified. (EMM-156847)
• Additional logging has been added for calls to Google APIs for publishing hosted applications. (EMM-156841)
• Under specific conditions, when you tried to update a hosted internal app, the update might have failed. (EMM-156828)
• The DNS Domain Name field in a Managed domains profile did not accept a domain name longer than 6 characters. (EMM-156638)
• When you opened an app group, an error displayed indicating that an unexpected error was encountered. (EMM-156584)
• If you navigated to the Org Connect section in the management console, a notification message displayed indicating that the Org Connect plug-in requires BBM Enterprise, but the Next button was greyed out. This prevented you from registering Org Connect. If Org Connect was registered previously, you could not manage your connection. (EMM-156520)
• In a UEM Cloud environment, if a user's Active Directory password contained certain German special characters (for example, ß or umlauts such as ä, ö, ü), the user could not log in to the management console. (EMM-156454)
• In compliance profiles, if you selected "Restricted app is installed", the iOS Journal App was missing from the list of built-in apps. (EMM-156432)
• In a UEM Cloud environment, if you made changes to an LDAP directory connection and saved, an error message displayed and you could not save your changes until you uploaded the LDAP server SSL certificate again. (EMM-156343)
• In the compliance events view (Users > Compliance violations), if you selected a resolved event and clicked the Ignore button, the event was not removed from the view or added to the list of Ignored events. (EMM-156329)
• When you added an app group to a device group with a required disposition and saved, the disposition changed to optional. (EMM-156069)
• After you set up Chrome OS device management and clicked on the Network tab for an org unit, an error message might have displayed indicating that the profile could not be retrieved. (EMM-151438)

User, device, and app management fixed issues

• If you set the expiration for delete commands to never expire, when you sent commands to delete work or device data to devices, the command expired after 24 hours. (EMM-157180)
• In a UEM Cloud environment, BlackBerry Dynamics apps could not retrieve a user certificate using a SCEP profile configured with a dynamic SCEP challenge password. (EMM-157026)
• Extra logging information has been removed from Debug logging. (EMM-156885)
• When BlackBerry Secure Connect Plus or BlackBerry Proxy made an authorization check for a device, if the checked failed, it would not attempt another authorization check for at least one hour. (EMM-156726)
• If you assigned a VPN profile to iOS devices with the "Connection type" set to IKEv2, the "Authentication type" set to User credential, and “Enable per-app VPN” and “Allow apps to connect automatically” enabled, “Connect on Demand” was not enabled automatically in the VPN settings on iOS devices. Users had to manually enable this setting on their devices.
• This is resolved in UEM version 12.21. Create a VPN profile for iOS devices with the configuration above, select “Enable VPN On demand”, and for “Enable per-app VPN”, specify a Safari domain. (EMM-156523)
• If a device was out of compliance and the compliance action you configured was untrust, in certain circumstances, UEM removed the IT policy from the device. (EMM-156359)
• When you sent the Delete all device data command to a device that was activated with an Android Management activation type, a SQL exception error might have displayed in the management console, but the command executed as expected on the device. (EMM-156357)