Migrating from BES 12 to BlackBerry UEM: A Complete Step-by-Step Guide
Why Migrate from BES 12 to BlackBerry UEM?
BlackBerry Enterprise Server 12 reached end-of-support on December 31, 2020. Organizations still operating BES 12 receive no security patches from BlackBerry, leaving every managed device exposed to vulnerabilities that have been publicly disclosed and actively exploited since that date. For enterprises subject to SOC 2, ISO 27001, or HIPAA compliance requirements, running unsupported MDM infrastructure is a reportable control deficiency.
BlackBerry UEM — introduced in 2017 as a unified successor to the fragmented BES 10/BES 12/BES for Good product lineup — is the vendor-supported path forward. The current production release, UEM 12.21, manages iOS, Android, Windows 10/11, and macOS devices through a single management console, replacing the per-platform BES 12 server roles that required separate configuration for iOS and Android devices.
UEM also incorporates the BlackBerry Dynamics containerization layer, acquired through the 2015 Good Technology transaction. BlackBerry Dynamics provides app-level encrypted containers that isolate corporate data from personal apps — a significant architectural advancement over the BES 12 application management model, which relied on per-app VPN tunneling and policy enforcement without true container isolation.
Beyond the security remediation argument, UEM's management breadth changes the operational calculus for enterprise IT teams. A single UEM deployment manages the full device lifecycle for the mixed iOS/Android/Windows fleets that are standard in most enterprises today.
BES 12 handled iOS and Android inconsistently, with Android management in particular requiring a legacy Samsung Knox integration rather than the modern Android Enterprise framework that UEM supports natively. For a broader view of the BES/UEM platform and its current capabilities, see the BlackBerry Enterprise Server and UEM overview.
Pre-Migration Checklist
Completing this checklist before touching the UEM installer prevents the most common migration failures. Each item has a direct effect on the migration timeline or a risk of disrupting users if skipped.
- Inventory all BES 12-enrolled devices — document device platform (iOS, Android, BlackBerry 10, legacy BlackBerry OS), OS version, ownership type (corporate or BYOD), and assigned user for each enrolled record in the BES 12 IT Admin Console.
- Document all active IT policies and policy groups in BES 12, including which IT policy is assigned to which user group. Export IT policy rule details from the BES 12 Admin Console (Policies and Profiles > Policy).
- Record assigned applications per user group in BES 12 Application Management — both required apps and optional apps — noting whether each is an in-house application (APK/IPA) or a public store app.
- Audit the existing LDAP or Active Directory group structure used for BES 12 user and policy assignments. UEM will use the same directory, but group-to-policy mappings must be rebuilt manually.
- Identify all third-party integrations connected to BES 12: IBM Notes/Domino mail servers, Exchange/Microsoft 365 ActiveSync configuration, SCEP servers, third-party certificate authorities, and any BES 12 APIs used by internal applications.
- Verify BES 12 database health: determine whether the deployment uses Microsoft SQL Server or the embedded database, confirm the SQL Server version, run a manual backup, and check available disk space (UEM requires a separate database instance).
- Review firewall and network rules for BES 12 outbound NOC connections on ports 3101 and 443. UEM uses different connection endpoints; firewall rules must be updated before UEM goes live.
- Confirm the target Windows Server version for the UEM installation host. BlackBerry UEM 12.19 and later require Windows Server 2019 or Windows Server 2022. Windows Server 2016 is not supported for new UEM installations.
- Download the latest BlackBerry UEM installer from the BlackBerry software download portal (minimum supported version for migration: 12.19; recommended: 12.21 or later).
- Notify end users of the re-enrollment requirement. Devices will receive a new activation email; users who are not informed in advance will lose email access temporarily and submit helpdesk tickets.
- Prepare BlackBerry UEM license keys, obtained from the BlackBerry account team or through the BlackBerry Software licensing portal. UEM licenses are per-user, not per-device, and BES 12 licenses do not transfer.
- Back up the BES 12 database immediately before any migration activity begins. This backup is the recovery point if migration is aborted.
Step 1 — Assess Your BES 12 Environment
Before installing UEM, the BES 12 environment must be fully characterized. BlackBerry distributes the UEM Pre-migration Assessment Tool through BlackBerry Support (available via the MyAccount portal to customers with an active support entitlement).
This tool connects to the BES 12 database and produces a compatibility report that flags three categories of issues: IT policy rules with no UEM equivalent, deprecated application management APIs, and enrolled device records running firmware versions below UEM's minimum supported levels.
The most consequential finding from the assessment is the count of BlackBerry 10 and legacy BlackBerry OS devices in the BES 12 inventory. These devices have no supported path in UEM — BlackBerry OS and BB10 are entirely absent from UEM's device platform support. Any BlackBerry 10 handsets in the fleet must be decommissioned or replaced with iOS or Android hardware before those users can be migrated to UEM.
This hardware replacement requirement should be identified and budgeted before the migration project begins, as it represents a hard dependency that cannot be worked around. The BES 12 IT Admin Console (accessible on port 18084 by default) provides XML exports of user accounts, device records, and policy assignments that should be preserved as reference documentation throughout the migration.
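The inventory triage described above, as an added example (not a BlackBerry tool and not part of the original guide): it flags users held back by BB10 or legacy BlackBerry OS handsets and sizes the per-user UEM license order. The CSV column names, the sample rows and the rule that a blocked user with no iOS or Android device needs a replacement handset are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory. Column names are assumptions for this example,
# not the schema of any real BES 12 export.
SAMPLE_INVENTORY = """user,platform,os_version,ownership
alice,iOS,17.4,corporate
alice,BlackBerry 10,10.3.3,corporate
bob,Android,14,BYOD
carol,BlackBerry OS,7.1,corporate
dave,iOS,16.7,BYOD
dave,Android,13,corporate
"""

# Platforms the guide lists as having no supported path in UEM.
NO_UEM_PATH = {"blackberry 10", "blackberry os"}
# Default per-user activation limit stated in the guide's licensing FAQ.
DEVICE_LIMIT = 5


def triage(inventory_csv, device_limit=DEVICE_LIMIT):
    """Split users into ready / blocked and size the UEM license order."""
    supported = defaultdict(list)
    unsupported = defaultdict(list)
    users = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = row["user"].strip()
        platform = row["platform"].strip()
        users.add(user)
        bucket = unsupported if platform.lower() in NO_UEM_PATH else supported
        bucket[user].append(platform)

    blocked = {u: sorted(unsupported[u]) for u in unsupported}
    return {
        # Users who can be placed in an enrollment batch as-is.
        "ready": sorted(users - set(blocked)),
        # Users holding a BB10 / BlackBerry OS handset that must go first.
        "blocked": blocked,
        # Assumption: a blocked user with no iOS/Android device needs a handset.
        "replacement_needed": sorted(u for u in blocked if not supported[u]),
        # Users whose supported devices exceed the per-user activation limit.
        "over_device_limit": sorted(
            u for u in users if len(supported[u]) > device_limit
        ),
        # UEM is licensed per user, so the seat count is distinct users.
        "uem_user_licenses": len(users),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```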
Step 2 — Install and Configure BlackBerry UEM
Download the UEM installer package from the BlackBerry software download portal. The package includes the Setup Application, which manages the installation sequence for the UEM core services, the UEM Management Console, the UEM Proxy service (which handles device connections), and the BlackBerry Connectivity Node (which handles directory and mail server integration).
On the target Windows Server, verify that .NET Framework 4.7.2 or later is installed before running the Setup Application.
During database configuration, specify a SQL Server 2017, 2019, or 2022 instance — or PostgreSQL 14 or 15 for UEM 12.19 and later, which introduced native PostgreSQL support. For production deployments serving more than 2,000 devices, BlackBerry recommends placing the UEM database on a dedicated SQL Server instance rather than co-hosting it on the UEM application server. The Setup Application creates the UEM database schema automatically when provided with a SQL Server service account that has dbcreator permissions.
Connect UEM to the same Active Directory domain as BES 12 during initial configuration. The UEM directory integration (LDAP connector) discovers user accounts and group memberships automatically, providing the foundation for group-based policy assignment in UEM.
For SCEP and certificate authority integration, configure the UEM CA connector to point to the same SCEP server used by BES 12 — device certificates are re-issued during UEM enrollment, so the CA must be available and certificate request queues must be monitored during the enrollment wave. For enterprise MDM security best practices when configuring the UEM server itself, see the MDM Security hub.
Step 3 — Export and Import User Data
BlackBerry does not provide a tool that automatically migrates BES 12 configuration objects into UEM. The migration of user data, policies, and application assignments is a manual reconstruction process, and the BES 12 exports serve as the reference document rather than as direct import files.
For directory integration, re-enter the same LDAP server address, base DN, and user filter in UEM's directory integration settings. For IT policies, the BlackBerry "BES12-to-UEM Policy Mapping" spreadsheet — available through the MyAccount support portal — cross-references each BES 12 IT policy rule to its UEM Device Policy and Compliance Profile equivalent.
Application assignments are recreated in UEM through the Apps > Managed Apps workflow. Public app store applications (iOS App Store, Google Play) are added to the UEM app catalog by searching the store directly from the UEM console and assigning them as Required or Optional to the relevant user or device groups.
In-house applications — APK files for Android or IPA files distributed via Apple Business Manager or direct upload — are added through the Apps > Add App workflow. The UEM app catalog replaces BES 12 Application Management entirely; there is no API bridge between the two systems. Email, Wi-Fi, VPN, and Exchange ActiveSync profiles must also be recreated manually in UEM under Policies and Profiles > Profiles.
Step 4 — Re-enroll Devices
Device re-enrollment is the most visible and operationally intensive phase of the migration. BES 12-managed devices cannot be silently or remotely migrated to UEM — the existing BES 12 MDM management profile on each device must be removed, and a new UEM enrollment must be completed.
The UEM enrollment process begins with the administrator sending an activation email from the UEM Management Console. The email contains an activation password and a server address; from UEM 12.16 onward, it also contains a QR code that simplifies server entry on mobile devices.
On iOS, the user taps the enrollment link in the activation email, which opens Safari and initiates the MDM profile installation sequence. The user installs the UEM MDM configuration profile, and UEM immediately begins pushing the assigned Device Policy, email profile, Wi-Fi profile, and app catalog to the device. On Android, the user downloads the BlackBerry UEM Client from Google Play, opens it, enters the UEM server address and activation password, and follows the enrollment wizard.
For Android Enterprise work profile enrollment (BYOD), the UEM Client creates an isolated work profile container — personal apps remain outside the managed profile. For Android Enterprise fully managed enrollment (corporate-owned), the device must be factory-reset and enrolled via NFC/QR code provisioning.
For large-scale migrations, batch enrollment through Apple Business Manager ADE and Android Zero-touch enrollment eliminates the per-user enrollment action for corporate-owned supervised devices. With ADE configured in UEM, devices assigned to the UEM MDM server in Apple Business Manager enroll automatically when powered on, without requiring the user to enter activation credentials.
Android Zero-touch works analogously for supported Android Enterprise devices. Both methods require that devices be registered with their respective provisioning portals, which for existing in-service devices typically requires coordination with the device manufacturer or carrier.
Step 5 — Post-Migration Verification
After each enrollment batch, verify device status systematically before decommissioning BES 12 management for those users. In the UEM Management Console, confirm that each migrated device appears with an Activation Status of "Activated" and the correct ownership type.
On the device record's Policy tab, verify that the intended Device Policy is applied and that the Last Policy Update timestamp is recent — a stale timestamp indicates the device has not contacted the UEM NOC since enrollment.
Run the UEM Compliance report (Reports > Compliance) across all migrated devices to confirm each device shows a Compliant status. Test the compliance enforcement chain by simulating a policy violation on a test device — for example, enabling a camera if the Device Policy blocks it — and confirm that UEM applies the defined compliance action within the policy evaluation interval.
Once all devices in a batch pass verification, remove those users from BES 12 management by deleting their BES 12 device records. After all batches are migrated and verified, BES 12 can be decommissioned according to the BES 12 removal procedure in BlackBerry's documentation.
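The Step 5 gate as an added example (not BlackBerry tooling and not part of the original guide): it applies the checks above to each device record and also catches batch users who never enrolled and therefore have no UEM record at all. The record fields, the batch plan structure and the 24-hour staleness threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the guide only says the timestamp must be "recent"; 24 hours is
# a placeholder to tune to your own policy check-in interval.
MAX_POLICY_AGE = timedelta(hours=24)


def device_failures(dev, expected, now, max_age=MAX_POLICY_AGE):
    """Return the Step 5 checks this device record fails (empty list = pass)."""
    problems = []
    if dev["activation_status"] != "Activated":
        problems.append("not activated")
    if dev["ownership"] != expected["ownership"]:
        problems.append("wrong ownership type")
    if dev["policy"] != expected["policy"]:
        problems.append("unexpected device policy")
    last = dev["last_policy_update"]
    if last is None or now - last > max_age:
        problems.append("stale policy update")
    if dev["compliance"] != "Compliant":
        problems.append("not compliant")
    return problems


def verify_batch(batch_plan, uem_devices, now):
    """Gate BES 12 record deletion for one enrollment batch.

    batch_plan: user -> expected ownership and policy (hypothetical structure,
    built from the BES 12 documentation gathered before migration).
    uem_devices: device records copied from the UEM console for review.
    """
    failures = {}
    enrolled_users = set()
    for dev in uem_devices:
        expected = batch_plan.get(dev["user"])
        if expected is None:
            continue  # device belongs to a user outside this batch
        enrolled_users.add(dev["user"])
        problems = device_failures(dev, expected, now)
        if problems:
            failures[f'{dev["user"]}/{dev["device_id"]}'] = problems
    # A user with no UEM record would pass a per-device check silently.
    for user in sorted(set(batch_plan) - enrolled_users):
        failures[user] = ["no UEM device record"]
    return {"remove_from_bes12": not failures, "failures": failures}


# Constructed sample data; NOW is fixed so the result is repeatable.
NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)
BATCH_PLAN = {
    "alice": {"ownership": "corporate", "policy": "Corp-iOS"},
    "bob": {"ownership": "BYOD", "policy": "BYOD-Android"},
    "carol": {"ownership": "corporate", "policy": "Corp-iOS"},
}
UEM_DEVICES = [
    {"user": "alice", "device_id": "A-001", "activation_status": "Activated",
     "ownership": "corporate", "policy": "Corp-iOS", "compliance": "Compliant",
     "last_policy_update": NOW - timedelta(hours=2)},
    {"user": "bob", "device_id": "A-002", "activation_status": "Activated",
     "ownership": "BYOD", "policy": "BYOD-Android",
     "compliance": "Non-compliant",
     "last_policy_update": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    print(verify_batch(BATCH_PLAN, UEM_DEVICES, NOW))
```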
Common Migration Pitfalls and How to Avoid Them
- BlackBerry 10 devices have no UEM path: BB10 and legacy BlackBerry OS devices are not supported in UEM. These must be decommissioned or replaced with iOS or Android hardware before migration. Identify the count of BB10 devices in the pre-migration assessment and budget hardware replacement before the migration project begins — this is a hard dependency, not a post-migration task.
- IT policy gaps: Some BES 12 IT policy rules, particularly those written for BlackBerry OS 5/6/7 devices, have no UEM equivalent. Use the BlackBerry policy mapping spreadsheet to identify these rules before migration begins. For each gap, determine whether a compensating control exists in UEM (for example, a Compliance Profile action that achieves the same enforcement outcome) or whether the rule was legacy and can be retired.
- Parallel operation licensing: Running BES 12 and UEM simultaneously requires licenses for both systems. BES 12 licenses do not transfer to UEM, and UEM licenses must be purchased before migration begins. Negotiate a temporary dual-license period with BlackBerry's sales team before starting the migration project — this is a commercial arrangement that cannot be retroactively applied after the migration has started.
- Exchange connectivity: If BES 12 used Direct Push (ActiveSync) rather than the BES relay model for Exchange connectivity, verify that UEM's Exchange profile is configured with the same Exchange server address and authentication method before decommissioning BES 12. Devices that re-enroll to UEM will receive a new Exchange profile from UEM, but the Exchange server must be accessible from the UEM server's network location.
- SCEP certificate re-issuance: UEM re-issues SCEP device certificates during enrollment. If the corporate CA requires manual approval for SCEP certificate requests, the approval queue must be monitored and cleared promptly during the re-enrollment wave — devices that cannot obtain a certificate during enrollment may fail to receive email profiles or VPN profiles that depend on certificate authentication.
- User communication: Users who receive no advance notice about re-enrollment will lose email access temporarily and create helpdesk tickets. Send a migration communication at least two weeks before a user's batch is migrated. The communication should explain: why the change is happening, what action the user must take (install the UEM Client, follow the activation email), and who to contact if enrollment fails.
Frequently Asked Questions
Can BES 12 and BlackBerry UEM run simultaneously during migration?
Yes. BlackBerry supports a parallel-operation period where both BES 12 and UEM coexist on the network. Devices are migrated in batches — each batch re-enrolls to UEM while BES 12 remains active and manages the devices that have not yet been migrated. The parallel operation period should not exceed 90 days to avoid licensing complexity and to limit the window during which BES 12 infrastructure (which has been out of support since December 2020) remains on the network.
What happens to device policies during migration?
Device policies — called IT policies in BES 12 — are not automatically imported into UEM. Administrators must recreate them manually as UEM Device Policies and Compliance Profiles. BlackBerry provides a policy mapping spreadsheet through the MyAccount support portal that cross-references each BES 12 IT policy rule to its UEM equivalent. Rules that have no UEM equivalent must be handled with compensating controls or retired if they were written for legacy BlackBerry OS devices.
Do users lose data during migration?
Corporate email, calendar, and contacts remain on the Exchange or Microsoft 365 server and are re-synced to the device automatically after UEM enrollment pushes the new email profile. App data stored locally within BES 12-managed apps may not persist through re-enrollment — users should back up any locally stored work documents (for example, files saved within a BES 12-managed document editor) before the re-enrollment process begins.
What is the minimum UEM version recommended for migration?
BlackBerry recommends UEM 12.19 or later for new BES 12 migrations. Version 12.21, released in Q1 2026, includes improved migration reporting dashboards and updated support for iOS 17 and iOS 18 Automated Device Enrollment (ADE) workflows. Installing an older version of UEM and then upgrading immediately after migration is a valid but less efficient approach — beginning with the current release avoids the upgrade step and provides access to the latest platform management capabilities.
Can migration be done without end-user involvement?
Partially. Apple Automated Device Enrollment (ADE) via Apple Business Manager and Android Zero-touch enrollment eliminate the need for users to manually enter activation credentials on supervised or corporate-owned devices — these devices enroll automatically when powered on after being assigned to the UEM MDM server. BYOD devices and corporate iOS devices that were not enrolled via ADE still require the user to tap the activation link, install the MDM profile, and follow the enrollment steps.
How long should the migration window be?
Scale the window to fleet size: deployments of up to 500 devices typically complete in 2 to 4 weeks; 500 to 5,000 devices require 4 to 8 weeks with phased batch migration; deployments larger than 5,000 devices should plan for 8 to 16 weeks with a dedicated migration team handling daily batch processing, monitoring, and helpdesk escalation. These estimates assume the pre-migration assessment, policy recreation, and UEM installation are completed before the first device re-enrollment batch begins.
What happens to existing BES 12 work email profiles after re-enrollment?
After UEM enrollment completes, UEM pushes a new Exchange or M365 email profile to the device. On iOS devices that were not fully wiped before re-enrollment, the old BES 12 email profile may still be present. If both profiles are active simultaneously, the device may attempt duplicate mail synchronization. Remove the old BES 12 profile via Settings > VPN & Device Management before initiating UEM enrollment on any iOS device that was not factory-reset as part of the migration process.
What are the server requirements for BlackBerry UEM?
The minimum specification for a single-server UEM deployment: Windows Server 2019 or 2022, 8 CPU cores, 16 GB RAM, 100 GB of available disk space for the UEM application server (database storage is separate). For the database tier: SQL Server 2017, 2019, or 2022, or PostgreSQL 14 or 15. For production deployments managing more than 2,000 devices, BlackBerry recommends placing the database on a dedicated server. Larger deployments (10,000+ devices) may require a distributed UEM deployment with multiple UEM application server nodes behind a load balancer.
Does BlackBerry UEM support macOS management?
Yes. UEM 12.14 and later supports macOS 12 (Monterey) and later versions via the Apple MDM protocol. Mac computers are enrolled via Apple Business Manager Automated Device Enrollment or via manual MDM profile installation. Management capabilities for macOS include configuration profiles, managed app deployment through the Mac App Store, software update enforcement, and compliance checking. FileVault disk encryption status is visible in the UEM device record and can be enforced via Compliance Profile.
How is UEM licensed after migration?
BlackBerry UEM is licensed per user, not per device. Each licensed user may activate multiple devices — the default limit is five devices per user, adjustable by BlackBerry Support. License consumption is visible in the UEM Management Console under Licenses > License Usage, which shows allocated seats by platform (iOS, Android, Windows, macOS) and current activation count. Unused BES 12 licenses do not transfer to UEM; new UEM licenses must be purchased from BlackBerry's sales team before migration begins.
Conclusion
Migrating from BES 12 to BlackBerry UEM is a multi-week project that requires systematic preparation: a pre-migration assessment to surface policy gaps and identify unsupported BlackBerry 10 devices, manual reconstruction of IT policies as UEM Device Policies, and a phased device re-enrollment campaign with advance user communication.
The parallel-operation model significantly reduces risk compared to a hard cutover, but it introduces a dual-licensing requirement and a time constraint (parallel operation should not run past 90 days).
Organizations still running BES 12 should treat this migration as a security-critical remediation rather than a routine platform upgrade. The December 2020 end-of-support date means that every day BES 12 remains in production, unpatched vulnerabilities in the server software and its dependencies accumulate without resolution.
Completing the migration to BlackBerry UEM closes that exposure and positions the organization on a supported, actively maintained enterprise mobility management platform. For a broader view of the BES/UEM platform ecosystem, see the BlackBerry Enterprise Server guide. For a pre-migration platform comparison, see the UEM vs. Intune vs. VMware Workspace ONE analysis.