BlackBerry Enterprise Server: From BES 12 to UEM — The Complete 2026 Guide
What Is BlackBerry Enterprise Server (BES)?
BlackBerry Enterprise Server (BES) is server middleware that connects enterprise groupware and mail systems — including Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise — to BlackBerry mobile devices. Acting as a relay between corporate infrastructure and employee handhelds, BES encrypts every message and calendar item with AES 256-bit encryption before it leaves the corporate perimeter.
For two decades, this architecture made BlackBerry the default choice for regulated sectors including financial services, government agencies, and large law firms that needed provable data protection for mobile communications.
At the infrastructure level, BES runs as a set of Windows services on a dedicated server within the organization's data center. It does not create a direct connection between each device and the mail server. Instead, all traffic routes through BlackBerry's Network Operations Center (NOC) relay — a push infrastructure that BlackBerry operates globally.
This NOC relay model means the enterprise firewall requires only a single outbound connection on port 443 to BlackBerry's relay servers, with no inbound ports exposed. Each device connects to the NOC, and the NOC relays the encrypted payload to the corporate BES, which then decrypts it (within the enterprise boundary) and delivers it to the mailbox server. The cryptographic keys never leave the enterprise's BES.
Beyond encrypted email relay, BES provides IT administrators with comprehensive policy-based device management. Administrators can define and push IT policies specifying password complexity, device encryption requirements, permitted applications, camera usage, and Bluetooth profiles — among dozens of other controls.
BES also supports over-the-air (OTA) device provisioning and activation, eliminating the need to physically configure each device. Remote wipe is a foundational feature: if a device is lost or an employee departs, an administrator can issue a remote wipe command from the BES console that removes all corporate data from the device within minutes.
Originally designed exclusively for BlackBerry OS devices — running on the BBOS platform up through version 7.1 — BES was later extended to support other mobile platforms as enterprise demand shifted. BES 10, released in 2013, was the first version to natively manage iOS and Android handsets alongside BlackBerry 10 devices.
This set the stage for the cross-platform evolution that would define BlackBerry's enterprise software strategy through the following decade. Today, that same codebase lives on as BlackBerry UEM, managing millions of iOS, Android, Windows, and macOS endpoints in regulated organizations worldwide.
BES Versions: From BES 10 to BES 12 to UEM
BlackBerry Enterprise Server 10, released in 2013 alongside the BlackBerry 10 operating system, represented a substantial architectural departure from earlier BBOS-focused releases. BES 10 introduced BlackBerry Balance — a containerization technology that maintained a hard separation between work and personal data on BlackBerry 10 devices. Under Balance, the corporate container is encrypted and managed by IT policy, while the personal space operates independently with no IT visibility.
BES 10 also offered limited management of legacy BlackBerry OS 7 devices through its BlackBerry Device Service (BDS) component, providing organizations a migration path while legacy BBOS handsets were still in circulation. The management console ran as a web application, a shift from the earlier Windows client tools.
BlackBerry Enterprise Server 12 launched in December 2014 and represented the most significant leap in the platform's history: it was the first BlackBerry server product to provide unified management of BlackBerry 10, iOS, Android, and Windows Phone devices through a single web-based administration console. For enterprise IT teams juggling separate MDM consoles for different device types, BES 12 offered genuine consolidation.
The underlying device management protocol for iOS used Apple's MDM enrollment mechanism, while Android used Device Administrator and, later in the BES 12 lifecycle, Android for Work profiles. BES 12.3, released in 2016, added expanded iOS 9 policy support and improved the management of Samsung Knox devices on Android.
The rebranding to BlackBerry UEM (Unified Endpoint Manager) occurred in 2017 and 2018 as BlackBerry shifted to a software-first strategy. The version numbering continued the BES 12.x series, with the first UEM release carrying the 12.7 version label. The rename was not merely cosmetic: it reflected the end of BlackBerry 10 OS device production and the platform's full pivot toward managing iOS, Android, Windows 10, and macOS endpoints.
BlackBerry 10 device support itself was eventually discontinued — BlackBerry OS and BlackBerry 10 officially reached end-of-support on January 4, 2022, ending software updates and data services for those devices. The BES 12 to UEM migration became the defining IT infrastructure task for BlackBerry-dependent enterprises in 2019 and 2020.
One of the most consequential events in the platform's evolution was BlackBerry's acquisition of Good Technology in 2015 for approximately $425 million. Good Technology was the leading provider of app-level containerization for enterprise mobile apps, with a customer base of regulated financial and government organizations.
The acquisition brought the Good Dynamics SDK and runtime — later rebranded as BlackBerry Dynamics — into the BlackBerry portfolio. BlackBerry Dynamics provides a layer of AES-256 encrypted containerization at the application level, meaning individual apps built with the SDK maintain their own encrypted data store and communicate over a secured app-level tunnel, entirely independent of whether the device itself is MDM-enrolled. This acquisition fundamentally expanded what BES/UEM could offer beyond device-level management.
BES Generation Comparison
BlackBerry UEM: The Modern Enterprise Platform
BlackBerry UEM 12.13 marked one of the platform's most significant post-rebrand milestones. Released as the platform matured beyond the BES 12 codebase, 12.13 consolidated architectural improvements including enhanced integration with Apple Business Manager and Android Enterprise. The release line has continued through 12.13, 12.16, 12.18, 12.19, 12.20, and 12.21 (current as of mid-2026). This continuity matters for IT teams because supported upgrade paths from BES 12 to UEM follow a defined version ladder documented in BlackBerry's release notes.
The platform's device support matrix in 2026 covers iOS 15 and later, Android 8.0 and later, Windows 10 and Windows 11, and macOS 12 Monterey and later. On-premises deployments run on Windows Server 2019 or 2022, with SQL Server 2019 or SQL Server 2022 as the supported database backend. PostgreSQL 14 is also supported as an alternative database for organizations avoiding Microsoft licensing costs on the database tier.
The BlackBerry UEM Cloud option is a fully managed SaaS deployment hosted by BlackBerry, eliminating the on-premises server footprint while maintaining feature parity with the on-premises release for most configurations. Core UEM capabilities include complete device lifecycle management, application management via the BlackBerry UEM app catalog, certificate management via SCEP and PKCS #12, and reporting dashboards for compliance status and device health.
BlackBerry Dynamics is the app containerization layer that distinguishes UEM from most competing MDM platforms for regulated industries. Originally developed by Good Technology and acquired by BlackBerry in 2015, the Dynamics SDK allows enterprise app developers to wrap their applications in a secure runtime container. Apps built on the Dynamics SDK maintain their own AES-256 encrypted data store, communicate over an app-level secure tunnel, and enforce their own PIN or biometric authentication independent of the device lock screen.
This means a BlackBerry Dynamics app running on an unmanaged personal iPhone can still provide enterprise-grade data protection — the device does not need to be MDM-enrolled for the app container to be secured. For enterprise MDM security architects designing BYOD programs in regulated industries, this is a fundamental distinction from container-less MAM approaches.
BES 12 vs BlackBerry UEM: Key Differences
Understanding the specific differences between BES 12 and BlackBerry UEM is essential for organizations still operating legacy BES 12 infrastructure or planning upgrade timelines. The table below summarizes the most operationally significant distinctions across five dimensions.
| Dimension | BES 12 | BlackBerry UEM |
|---|---|---|
| Management console | Web-based console with role-based access, limited delegation | Redesigned web UI with granular role-based access control (RBAC), support for custom administrator roles, and improved audit logging |
| OS support | BlackBerry 10, BlackBerry OS 7, iOS 9+, Android 5+, Windows Phone 8.1 | iOS 15+, Android 8.0+, Windows 10/11, macOS 12+. BlackBerry 10 dropped (EOL January 2022) |
| Licensing model | Device-based licensing (per activated device) | User-based licensing (per user, across all their devices) — Enterprise, SL, and SLM tiers |
| Cloud deployment | On-premises only | On-premises or BlackBerry UEM Cloud (SaaS) |
| Containerization | BlackBerry Balance (BB10 devices only); Good Dynamics for iOS/Android (separate infrastructure) | BlackBerry Dynamics — integrated app-level containerization for all platforms, managed from the same UEM console |
The licensing shift from device-based to user-based is particularly consequential for organizations with high device-per-user ratios — for example, executives carrying both a phone and a tablet, or field workers with shared device pools. Under BES 12 device licensing, each enrolled device consumed a license. Under UEM's user-based model, a single user with three enrolled devices consumes one user license.
For most enterprise deployments this represents a cost reduction, though organizations with large shared-device pools — common in healthcare and logistics — should model their specific ratios carefully before assuming savings.
Security Features in BlackBerry UEM
BlackBerry UEM's security architecture rests on FIPS 140-2 validated cryptographic modules across its core communication and storage layers. The platform supports Suite B cryptography — the NSA's recommended set of algorithms for protecting classified information — making it one of the few commercial MDM platforms to achieve this certification level. All device communications route through the BlackBerry NOC relay over TLS 1.2 or TLS 1.3, with certificate pinning to prevent man-in-the-middle attacks on the relay channel.
Within BlackBerry Dynamics containers, corporate data at rest is encrypted with AES-256 using a key derived from the user's Dynamics container password combined with device-specific entropy. This means the container key is not recoverable without the user's password even if the device storage is physically extracted — a meaningful protection model for high-value endpoints.
Certificate lifecycle management is handled via SCEP for automated certificate issuance from enterprise CAs including Microsoft AD CS, and via PKCS #12 import for manually provisioned certificates. CMP (Certificate Management Protocol) is supported for organizations using RFC 4210-compatible PKI systems. BlackBerry Dynamics apps maintain a separate encrypted container with their own authentication PIN or biometric prompt, independent of the device passcode.
For US federal deployments, BlackBerry UEM occupies a distinctive compliance position. It has achieved DISA APL (Approved Products List) listing and meets DoD Instruction 8510.01 (Risk Management Framework) requirements. BlackBerry maintains a DISA STIG for UEM that DoD component IT teams use to harden their deployments to RMF standards. Multiple US federal civilian agencies and military branches operate BlackBerry UEM as their primary MDM platform.
The CylancePROTECT integration — available since BlackBerry's 2022 consolidation of its Cylance AI security assets — adds on-device threat detection capabilities to enrolled endpoints, flagging malware and anomalous process behavior without requiring cloud lookups. Zero Trust Network Access for managed app traffic is provided by BlackBerry Gateway, which replaced the earlier BlackBerry Proxy for organizations requiring app-level ZTNA rather than full device VPN.
Deploying BlackBerry UEM in 2026: Best Practices
1. Server Sizing and Topology
A production BlackBerry UEM server requires a minimum of 8 CPU cores and 16 GB of RAM for deployments up to approximately 10,000 managed devices. The UEM server itself is CPU-bound during peak enrollment periods and memory-bound during large policy pushes.
For deployments exceeding 10,000 devices, BlackBerry's architecture guidance recommends a distributed topology: a dedicated database server running SQL Server 2019 or 2022 (or PostgreSQL 14) separate from the UEM application server, plus a UEM Proxy server in the DMZ to terminate device connections before they reach the internal UEM application tier.
Organizations exceeding 50,000 devices typically deploy multiple UEM application servers behind a load balancer, sharing a common SQL backend. BlackBerry publishes a capacity planning spreadsheet (available via BlackBerry support portal) that calculates recommended hardware based on device count, activation rate, and policy complexity.
2. Database High Availability
The UEM database tier is the single most critical component for service continuity. For SQL Server deployments, BlackBerry recommends Always On Availability Groups (AG) with synchronous replication between primary and secondary replicas, providing automatic failover with minimal data loss. The UEM installer and upgrade wizard are AG-aware: they configure the database listener correctly and handle schema upgrades across all AG replicas.
For organizations using PostgreSQL, streaming replication with a Patroni or Pgpool-II cluster provides comparable HA capabilities, though BlackBerry's support documentation notes that SQL Server AG configurations have broader test coverage at scale. Always test database failover in a staging environment before production deployment — a UEM server that loses database connectivity does not fail gracefully for active device sessions.
3. Firewall and Connectivity
One of the operational advantages of the BlackBerry NOC relay model is the minimal firewall footprint it requires. The UEM server communicates outbound on port 443 (HTTPS) to bes.blackberry.com and additional BlackBerry infrastructure hostnames (documented in BlackBerry's network configuration guide). No inbound firewall ports are required for device connectivity — enrolled devices connect outbound to the NOC, and the NOC relays the session to the on-premises UEM server.
For organizations deploying the UEM Proxy in a DMZ, additional internal firewall rules between the proxy and UEM server are required, but the external perimeter remains limited to outbound 443. Microsoft 365 integration requires outbound access from the UEM server to Graph API endpoints on port 443. SCEP and LDAP connectivity to internal CA and directory servers requires appropriate internal firewall rules but no external exposure.
4. High Availability for UEM Application Servers
Active/passive server pairs are the standard HA pattern for UEM application servers. Both servers share a common SQL backend; one server is active for device connections while the other remains in standby. BlackBerry's UEM high availability documentation describes the specific Windows Failover Cluster configuration or manual failover procedures required.
Some organizations opt for active/active UEM configurations using the UEM Proxy layer to distribute device connections across multiple active UEM servers — BlackBerry supports this topology but notes that it requires careful session affinity configuration on the load balancer, since some UEM operations are stateful to the specific UEM server that initiated them.
Regardless of topology, maintain identical UEM version levels across all servers in an HA pair before applying upgrades — version skew between active and passive nodes is a leading cause of upgrade-related incidents.
Integrating BES/UEM with Microsoft 365 and Azure AD
Modern BlackBerry UEM deployments almost universally integrate with Microsoft 365 and Azure Active Directory (now Microsoft Entra ID). The integration path uses the BlackBerry UEM Connector, a lightweight service that bridges the UEM server to Azure AD via the Microsoft Graph API. Once configured, UEM can synchronize user accounts from Azure AD groups, provision UEM users automatically when added to the designated Azure AD group, and update user attributes without manual intervention in the UEM console.
Conditional Access integration represents one of the more powerful capabilities available when UEM and Azure AD are connected. UEM can report device compliance status — whether a device meets the organization's UEM IT policy, has the required apps installed, and has not been jailbroken or rooted — to Azure AD as a compliance signal. Azure AD Conditional Access policies can then reference this signal: only UEM-compliant devices may access Exchange Online, SharePoint Online, or other M365 resources.
Devices that fail UEM compliance checks are blocked from M365 resources in real time, without requiring the administrator to manually revoke access. UEM 12.16 and later support SAML 2.0 and OpenID Connect (OIDC) for single sign-on to the UEM management console, enabling IT administrators to authenticate via Azure AD rather than maintaining a separate UEM credential.
For legacy Exchange environments that have not migrated to Exchange Online, UEM continues to support Exchange ActiveSync (EAS) integration for mailbox access and calendar sync. In hybrid Exchange topologies, UEM handles both environments from the same device enrollment, routing ActiveSync traffic to the appropriate Exchange endpoint based on the user's mailbox location.
Microsoft Intune co-existence is also a documented scenario for organizations where some departments use Intune and others use BlackBerry UEM. In co-existence, UEM and Intune operate independently; devices are enrolled in one or the other but not both simultaneously.
For organizations evaluating how UEM compares to Microsoft Intune and VMware, the depth of BlackBerry Dynamics containerization and the government compliance certifications are the differentiating factors that typically drive UEM selection in regulated verticals. Apple Business Manager integration enables iOS Automated Device Enrollment (ADE) through UEM, using DEP-based zero-touch provisioning to push UEM enrollment automatically when a supervised iPhone or iPad is first powered on.
BlackBerry UEM Licensing and Pricing Tiers
BlackBerry UEM is sold on a per-user subscription basis, with three primary product tiers that organizations select based on their security and management requirements. The entry tier, UEM Enterprise, provides full MDM and MAM capabilities for iOS, Android, Windows, and macOS — including device enrollment, IT policy enforcement, app management, certificate management, and Azure AD integration. Pricing for UEM Enterprise runs approximately $5–7 per user per month for mid-market organizations, though volume discounts are significant at enterprise scale.
The mid-tier offering, BlackBerry Spark Suite, adds BlackBerry Dynamics app containerization to the UEM Enterprise base. Spark Suite includes the Dynamics runtime, access to the catalog of pre-built Dynamics-containerized productivity apps (including BlackBerry Work, BlackBerry Tasks, and BlackBerry Access), and the Dynamics SDK for organizations that develop custom containerized apps. Spark Suite pricing runs approximately $9–12 per user per month.
For organizations in financial services, legal, or healthcare that require application-level data isolation independent of device management state — particularly for BYOD programs where the organization cannot mandate full device MDM enrollment — Spark Suite's Dynamics layer is the primary purchasing driver.
The comprehensive tier, BlackBerry Spark UEM Suite, combines the Spark Suite with BlackBerry's AI-driven security stack: CylancePROTECT for on-device threat prevention, CylanceOPTICS for endpoint detection and response (EDR), and BlackBerry Gateway for Zero Trust Network Access. This suite positions BlackBerry UEM as a component of a broader Zero Trust architecture for mobile and endpoint security.
Perpetual on-premises licensing remains available for regulated industries — particularly US federal agencies and defense contractors — that cannot operate SaaS products due to data residency or classification requirements. Government customers can procure BlackBerry UEM through the GSA Schedule GS-35F contract vehicle. Pricing varies by volume, contract term, and region; organizations should engage BlackBerry's sales team for current quotes specific to their deployment scenario.
Known BES/UEM Vulnerabilities and Patches (2025–2026)
BlackBerry UEM, like any enterprise server platform, has accumulated a documented vulnerability history that IT security teams must track and remediate. The most significant recent disclosure is CVE-2025-4411, a privilege escalation vulnerability affecting the BlackBerry UEM Management Console in versions 12.19 and earlier. Assigned a CVSS base score of 7.8 (High), CVE-2025-4411 allowed a low-privileged authenticated administrator to escalate their console access to full administrator privileges through a flaw in the role assignment validation logic.
BlackBerry patched this vulnerability in UEM 12.20.1, released in March 2025, and issued Security Advisory ADV-2025-001 recommending immediate upgrade for all organizations running UEM 12.18 or earlier. The advisory noted that exploitation required an existing authenticated session in the management console, reducing (but not eliminating) the urgency for organizations with tightly controlled administrator access. For a comprehensive view of MDM platform vulnerabilities across BlackBerry and competing platforms, the PhantomReport vulnerabilities section tracks CVE disclosures across the enterprise mobility landscape.
CVE-2024-3551 addressed an improper access control flaw in the UEM REST API, rated CVSS 6.5 (Medium). The vulnerability allowed authenticated API users — typically service accounts used for integration with third-party SIEM or ITSM systems — to retrieve device records and user data outside the administrative scope assigned to their API credentials. In environments where UEM API credentials were shared across multiple integration services, this represented a meaningful data exposure risk. BlackBerry patched CVE-2024-3551 in UEM 12.19.0 Hotfix 4.
CVE-2023-3695 described a server-side request forgery (SSRF) vulnerability in BlackBerry UEM's internal app catalog functionality, rated CVSS 7.1 (High). The SSRF vulnerability in the URL validation logic could, under specific conditions, allow an authenticated administrator to cause the UEM server to make HTTP requests to internal network resources that the attacker's client cannot directly access.
This class of vulnerability is particularly concerning in environments where the UEM server sits on a network segment with access to internal APIs or management interfaces. The vulnerability was patched in the UEM 12.18.1 maintenance release.
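The kind of check that closes this class of flaw, shown as an added example rather than BlackBerry's code: a hypothetical `check_catalog_url` validates a URL before a server fetches it and rejects anything that lands on an internal address. The allowlist, host names and DNS answers are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real UEM hosts).
SAMPLE_DNS = {
    "apps.example.com": ["93.184.216.34"],   # public address
    "cdn.example.com": ["10.20.30.40"],      # allowlisted name pointing inward
    "v6.example.com": ["::ffff:10.0.0.5"],   # IPv4-mapped IPv6 form of 10.0.0.5
}


def sample_resolver(host, port):
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])


def system_resolver(host, port):
    """Resolve through the operating system; the default outside of tests."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_internal(ip):
    """True for any address that is not publicly routable unicast."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # judge ::ffff:a.b.c.d by its IPv4 value
    return (not ip.is_global or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_catalog_url(url, allowed_hosts, resolver=system_resolver):
    """Return (ok, reason, pinned_ips) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port or 443
    except ValueError:
        return (False, "malformed URL", [])
    if parts.scheme != "https":
        return (False, "scheme not allowed", [])
    if parts.username is not None or parts.password is not None:
        # "https://trusted@10.0.0.5/" parses with host 10.0.0.5, not "trusted".
        return (False, "userinfo not allowed", [])
    if host not in allowed_hosts:
        return (False, "host not on allowlist", [])
    addresses = resolver(host, port)
    if not addresses:
        return (False, "host does not resolve", [])
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return (False, "unparseable address", [])
        if is_internal(ip):
            return (False, f"resolves to internal address {text}", [])
    # The caller must connect to pinned_ips (not re-resolve the name) and must
    # run this check again on every redirect target.
    return (True, "ok", list(addresses))


if __name__ == "__main__":
    allowed = set(SAMPLE_DNS)
    for candidate in ("https://apps.example.com/app.ipa",
                      "https://cdn.example.com/app.ipa",
                      "https://apps.example.com@10.0.0.5/app.ipa"):
        print(candidate, check_catalog_url(candidate, allowed, sample_resolver))
```

Validating the resolved addresses, not just the host string, is what catches an allowlisted name whose DNS record points at an internal range.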
BlackBerry's security advisory publication cadence has improved in recent release cycles, with advisories now published through the BlackBerry product security portal. IT security teams managing UEM deployments should subscribe to BlackBerry's security mailing list and integrate UEM version checks into their vulnerability management program. The security patches section of PhantomReport tracks BES/UEM patch releases alongside other enterprise mobility platform updates, providing a consolidated view for security operations teams managing multi-vendor MDM environments.
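One way to fold UEM version checks into a vulnerability management job, as an added example (not BlackBerry tooling and not code from this guide). The fixed-in releases are the ones quoted in the advisories above; the version string format, the host names, and the rule that any build below a fixed-in release counts as exposed are assumptions.

```python
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    cvss: float
    fixed_in: str   # release string as quoted in the article


# Fixed-in releases exactly as stated in the section above.
ADVISORIES = [
    Advisory("CVE-2025-4411", 7.8, "12.20.1"),
    Advisory("CVE-2024-3551", 6.5, "12.19.0 Hotfix 4"),
    Advisory("CVE-2023-3695", 7.1, "12.18.1"),
]

# The article gives 12.7 as the first UEM-branded release; anything older is
# BES 12, which it describes as out of support since December 31, 2020.
FIRST_UEM_RELEASE = (12, 7, 0, 0)

# Assumed format: "major.minor[.maintenance][ Hotfix N]".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+hotfix\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '12.19.0 Hotfix 4' into the comparable tuple (12, 19, 0, 4)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def exposures(version_text):
    """Advisories whose fixed-in release is newer than the installed build."""
    installed = parse_version(version_text)
    return [a for a in ADVISORIES if installed < parse_version(a.fixed_in)]


def audit(inventory):
    """Map each host to a finding; unparseable versions are reported, not skipped."""
    report = {}
    for host, version_text in inventory.items():
        try:
            installed = parse_version(version_text)
        except ValueError as exc:
            report[host] = {"status": "unknown", "detail": str(exc)}
            continue
        open_items = exposures(version_text)
        report[host] = {
            "status": "exposed" if open_items else "current",
            "end_of_support": installed < FIRST_UEM_RELEASE,
            "cves": [a.cve for a in open_items],
            "max_cvss": max((a.cvss for a in open_items), default=0.0),
        }
    return report


# Constructed inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = {
    "uem-prod-01": "12.21.0",
    "uem-dr-01": "12.19.0 Hotfix 2",
    "uem-lab-01": "12.18.1",
    "bes-legacy-01": "12.5",
    "uem-branch-01": "twelve",
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY).items():
        print(host, finding)
```

A host reported as "unknown" deserves the same follow-up as an exposed one, since a version that cannot be read cannot be shown to be patched.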
Summary
BlackBerry Enterprise Server's evolution — from the original NOC-relay email gateway for BBOS devices, through the BES 10 Balance containerization era, to the cross-platform BES 12 unification, and finally to the modern BlackBerry UEM with its Dynamics app containerization, Azure AD integration, FIPS-validated cryptography, and government compliance certifications — traces a consistent line: enterprise-grade security for organizations that cannot treat mobile as an afterthought.
BES 12 reached end-of-support at the end of 2020, and any organization still operating it is accumulating unpatched CVE exposure. BlackBerry UEM 12.21, the current active release, represents a mature platform with a defined upgrade path, cloud deployment options for organizations moving away from on-premises infrastructure, and a Zero Trust architecture story through the Spark UEM Suite.
For regulated industries — defense, federal government, financial services, healthcare, and legal — UEM's combination of FIPS cryptography, DISA APL listing, and BlackBerry Dynamics app-level containerization continues to make it a differentiated choice among the enterprise MDM platforms available in 2026. Explore BlackBerry QNX security for coverage of BlackBerry's parallel focus on embedded OS security in automotive and industrial systems.
Frequently Asked Questions
What is BlackBerry Enterprise Server?
BlackBerry Enterprise Server (BES) is server software that connects enterprise mail and groupware systems — including Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise — to mobile devices. It provides AES-256 encrypted relay communications between corporate servers and enrolled devices, along with central policy management, OTA provisioning, and remote wipe capabilities. BES was the security backbone for financial, government, and legal organizations requiring provable mobile data protection.
What is the difference between BES 10 and BES 12?
BES 10 managed only BlackBerry 10 and legacy BlackBerry OS 7 devices. Its key innovation was BlackBerry Balance, which separated work and personal data on BlackBerry 10 handsets. BES 12, released in December 2014, added unified management of iOS, Android, and Windows Phone alongside BlackBerry devices in a single web-based administration console — the first BlackBerry server product to offer true cross-platform MDM from one interface.
When did BlackBerry discontinue BES 12?
BES 12 reached end-of-support on December 31, 2020. Organizations still running BES 12 after that date receive no security patches, hotfixes, or technical support from BlackBerry. Given the CVE disclosures in BES/UEM since 2020, any deployment still on BES 12 is running unpatched against known vulnerabilities.
What replaced BES 12?
BlackBerry UEM (Unified Endpoint Manager) replaced BES 12. The platform launched under the UEM branding in 2017, carrying the version number 12.7 to maintain continuity with the BES 12 upgrade chain. BlackBerry UEM extends the BES 12 codebase with a redesigned administration console, user-based licensing, cloud deployment via BlackBerry UEM Cloud, integrated BlackBerry Dynamics app containerization, and support for iOS 15+, Android 8.0+, Windows 10/11, and macOS 12+.
Is BlackBerry UEM cloud-based or on-premises?
Both options are available. BlackBerry UEM On-Premises is installed on Windows Server 2019 or 2022 within the organization's own data center, with the database on SQL Server 2019/2022 or PostgreSQL 14. BlackBerry UEM Cloud is a fully managed SaaS deployment hosted and operated by BlackBerry, eliminating on-premises infrastructure. Feature parity between on-premises and cloud is maintained across most configurations, though some government-specific hardening configurations are available only on the on-premises deployment.
What is BlackBerry UEM pricing?
UEM Enterprise licensing starts at approximately $5–7 per user per month for mid-market organizations, covering MDM/MAM for all supported platforms. BlackBerry Spark Suite — which adds BlackBerry Dynamics app containerization — runs approximately $9–12 per user per month. The full BlackBerry Spark UEM Suite, which includes Cylance AI security and BlackBerry Gateway ZTNA, is priced above the Spark Suite tier. Volume discounts are significant at enterprise scale. Perpetual on-premises licensing is available for regulated industries. Organizations should request a quote from BlackBerry or a BlackBerry partner for current pricing specific to their contract term, volume, and region.
Does BlackBerry UEM support iOS?
Yes. BlackBerry UEM supports iOS 15 and later, including Apple Business Manager (ABM) integration for Automated Device Enrollment (ADE), which enables zero-touch provisioning of supervised iPhones and iPads. UEM also supports volume app purchasing through ABM and managed Apple IDs. For BlackBerry Dynamics containerization on iOS, UEM provides a separate app-level security layer through the Dynamics runtime that functions independently of whether the device is MDM-supervised or user-enrolled.
Does BlackBerry UEM support Android?
Yes. UEM supports Android 8.0 and later via Android Enterprise, including work profile (BYOD and COPE), fully managed device (COBO), and dedicated device (kiosk) modes. Samsung Knox integration is also supported for enhanced policy enforcement on Samsung Galaxy and Tab devices, enabling Knox-specific controls such as containerized Samsung Secure Folder management, Knox Platform for Enterprise (KPE) policies, and e-FOTA firmware update management on Samsung devices.
What is BlackBerry Dynamics?
BlackBerry Dynamics (formerly Good Technology, acquired by BlackBerry in 2015 for approximately $425 million) is an SDK and application runtime that wraps enterprise mobile apps in a secure, AES-256 encrypted container. Apps built with the Dynamics SDK maintain their own encrypted data store and communicate over an app-level secure proxy tunnel. Critically, a Dynamics-containerized app provides enterprise-grade data protection whether or not the device is enrolled in MDM — a key distinction for BYOD programs where organizations cannot require full device management. Pre-built Dynamics apps include BlackBerry Work (email/calendar), BlackBerry Access (secure browser), BlackBerry Tasks, and BlackBerry Notes.
Can BlackBerry UEM manage Windows desktops?
Yes. UEM supports Windows 10 and Windows 11 modern management via the same MDM protocol used by Microsoft Intune, enabling IT policy enforcement, app deployment, and compliance reporting for Windows desktops alongside mobile devices from the same UEM console. Co-management with Group Policy (GPO) and Microsoft Endpoint Configuration Manager (MECM/SCCM) is supported for organizations in hybrid management scenarios. Windows management in UEM does not require the BlackBerry Dynamics runtime; it uses the native Windows MDM enrollment mechanism.
What are common BES/UEM vulnerabilities?
Notable recent CVEs include CVE-2025-4411 (privilege escalation in the UEM Management Console affecting versions through 12.19, CVSS 7.8, patched in 12.20.1), CVE-2024-3551 (improper API access control allowing authenticated API users to retrieve out-of-scope data, CVSS 6.5, patched in 12.19.0 Hotfix 4), and CVE-2023-3695 (server-side request forgery in the app catalog functionality, CVSS 7.1, patched in 12.18.1). BlackBerry publishes security advisories through their product security portal. IT teams should subscribe to BlackBerry's security notification list to receive timely patch alerts.
How does BlackBerry UEM handle BYOD?
UEM supports Android work profiles (Android Enterprise) and iOS User Enrollment, both of which isolate corporate apps and data from personal content without requiring full device management. Under Android work profile, the MDM has visibility and control only within the work profile container — personal apps, photos, and data are outside the management perimeter. Under iOS User Enrollment, UEM can manage corporate apps and accounts but cannot wipe personal data, view personal apps, or track personal location. For deeper BYOD protection, BlackBerry Dynamics provides app-level containerization that functions on completely unmanaged personal devices. A detailed breakdown of BYOD deployment architectures is available in the BYOD Security Policy Guide.
How long does a BES 12 to UEM migration take?
Migration timelines depend on deployment scale and the chosen migration approach. A 500-device deployment typically requires 2–4 weeks, including parallel operation of BES 12 and UEM during the device re-enrollment phase. Larger deployments of 5,000 or more devices commonly require 6–10 weeks with phased re-enrollment by department or location. BlackBerry's migration documentation supports both in-place database migration (for organizations that want to preserve historical UEM data) and clean-start migration (simpler but requires all devices to re-enroll from scratch). A detailed step-by-step migration checklist is available in the BES 12 to UEM migration guide.
What encryption does BlackBerry UEM use?
BlackBerry UEM uses FIPS 140-2 validated cryptographic modules throughout its security architecture. Data at rest within BlackBerry Dynamics containers on enrolled devices is protected with AES-256. All data in transit between enrolled devices and the UEM server — routed through the BlackBerry NOC relay — is protected by TLS 1.2 or TLS 1.3. Certificate management uses SCEP for automated CA-issued certificate enrollment, PKCS #12 for manually provisioned certificates, and CMP for RFC 4210-compatible PKI environments. The cryptographic implementations have been independently validated by NIST-accredited testing labs as part of BlackBerry's FIPS 140-2 certification program.
Is BlackBerry UEM approved for government use?
Yes. BlackBerry UEM has achieved DISA APL (Defense Information Systems Agency Approved Products List) listing and meets the requirements of DoD Instruction 8510.01 (Risk Management Framework). DISA publishes a Security Technical Implementation Guide (STIG) specifically for BlackBerry UEM that defines the hardening configuration required for DoD deployments. BlackBerry UEM is deployed by multiple US federal civilian agencies, military branches, and NATO member government organizations. Its Suite B cryptography support and FIPS 140-2 validated modules satisfy the baseline cryptographic requirements for protecting Controlled Unclassified Information (CUI) under NIST SP 800-171.
What is BlackBerry UEM vs Microsoft Intune?
The core distinction between BlackBerry UEM and Microsoft Intune lies in the depth of containerization and compliance certification scope. Both platforms provide MDM and MAM capabilities for iOS, Android, Windows, and macOS. Intune's MAM policies protect corporate app data through selective wipe and app configuration, but do not provide a standalone encrypted application runtime container — corporate data in Intune-managed apps relies on the app itself and OS-level data protection. BlackBerry UEM with Dynamics provides a complete encrypted application container runtime with its own AES-256 encrypted data store, independent authentication factor, and app-level VPN tunnel — functioning even on unmanaged personal devices. For government and regulated-industry requirements, UEM's DISA APL listing and FIPS certifications exceed Intune's current government compliance posture in some deployment scenarios. A full comparison of capabilities, pricing, and compliance certifications is available in the BlackBerry UEM vs Intune vs VMware analysis.