All endpoints managed and controlled efficiently

Lifecycle Management for Windows 10 and Mac OS and mobile devices


SecureUEM offers a complete PC-Lifecycle-Management (PCLM) for Laptops, Desktops with Windows 10 and Mac OS and mobile devices with iOS, Android and Windows Mobile, including provisioning, configuration up to decommissioning of the devices.


Managing Mac OS and Windows 10 Devices

Asset Management

Administrators have a centralized asset management overview and can see detailed device information like OS Version, Serial Number, Available Storage, Mac Addresses and much more.

Device Security

To protect access, admins can set password policies for the Mac Device including minimum length, Auto-Lock timeframes and more. It is also possible to provide certificates (e.g. S/MIME) certificates using the admin console, which will be automatically imported into the MacOS Key Chain. Furthermore, certain features like Camera, Touch ID and more can be disable per User or Group.

Connection Management

It is possible to define WIFI-Connections for the users. Using the web interface, admins can set the SSID, password and other settings that are required to connect to the predefined WIFI hotspots.

PIM Management

To reduce manual efforts for users regarding email setup the PIM Management feature can be used to predefine the access details for the Mailserver (Exchange or IBM). The settings are pushed to the device and the email accounts are created automatically using the local Mail Client Application.

App Management

With the app management, admins can see which applications are installed on the device with details including version number and source. It is also possible to define which applications are mandatory or blacklisted. For Windows it also possible to disable System applications like Calculator, Contana, Maps and many more. Additional applications can be uploaded using the web interface (.pkg files for Mac and .msi files for Windows).

Device Lock and Wipe

SecureUEM has remote wiping capabilities for MacOS as well as for Windows 10. Admins can remotely wipe the device and all its content. For MacOS it is also possible to lock a device remotely. Once a Mac device is locked, it can be only unlocked with a code, which is visible to the admin in the admin console.


Smooth device setup with device enrollment

With device enrollment employees can unbox their devices and start using immediately without even noticing that the device is being managed by the company. SecureUEM supports all common enrollment methods, including Apple DEP, Android Enterprise Enrollment and Samsung Knox Enrollment. Furthermore, the traditional enrollment methods can be used including using SMS, E-Mail, QR-Code and more.

Keep an overview over your Asset Inventory

IT staff has the possibility to track and get information over the hardware assets, such as WIFI, Bluetooth and Cellular Network information. Furthermore, SIM-Cards can be managed in SecureUEM.

Control over Software and Apps

You can decide, which Apps mandatory or optional for the employees. It is also possible to blacklist certain apps, in order to make sure the device is GDPR-Compliant for instance. Furthermore, it is possible to see, which Apps employees install and mitigate in case of security issues.

Enterprise App Store and Mobile Application Management

With the Mobile Application Management (MAM) you can setup your own Enterprise App Store and deliver enterprise signed In-House Apps, which you don’t want to install to the public AppStore. It is also possible to configure those Apps and remotely install them on the employee’s devices. OS updates can be managed too, in order to make sure employees are using the latest most stable version of the operating system.

Container Management

With SecureUEM you can manage “OS-Level Containers”, including Samsung KNOX, Android Enterprise and iOS Containers, as well as our own SecurePIM Container App.


Those are separate sections on the OS, which tend to split data and apps into two separate areas: business and private. All major mobile operating systems provide this feature, which are differently implemented however.

Samsung KNOX Containers

On Samsung KNOX, you can define which Apps must or can be installed inside the KNOX Container. The employees have usually the freedom to install any app outside of the container. A great aspect of this approach is, that the user could install the same app in both areas. Samsung KNOX makes sure in the background, that data cannot be mixed between the two areas. Android Enterprise Container work similarly. The only difference is, that KNOX conducts the separation on hardware level (separate CPU etc.), whereas Android Enterprise does it at a software level.

iOS Container

SecureUEM can also manage iOS containers, which are differently implemented by Apple. The separation of data is happening in the background, the user doesn’t even see a difference. Different to Android, it is not possible to install the same App twice. The iOS architecture makes sure, that private data cannot be mixed up with “managed data”. Manage contacts for instance cannot be accessed by non-managed apps, like WhatsApp e.g.

SecurePIM App Container

Besides the OS-Level Containers, SecureUEM can fully manage and control the own Container App SecurePIM. Different to the preceding approaches, the SecurePIM App implements the containarisation on App-Level, hence the data is separated within the SecurePIM App, making access from other Apps impossible, unless IT allows it. The SecurePIM App provides all relevant business-functions, including E-Mail, Calendar, Files and more, enabling the mobile workforce to perform all daily tasks using one highly secure app.

Full Control over Device Security

With SecureUEM you have control over all security aspects of the devices. Starting with very basic things like device password policy up to more advanced settings like Certificate Management. In case a device gets lost, you can wipe the whole device remotely, or only perform a so-called enterprise-wipe, which only deletes the business-related stuff on the device. If a device has been stolen, you can try to locate it using the GPS-Tracking feature. Compromised devices can be detected via Root- and Jailbreak-Detection and locked remotely. On Android devices you can also install anti-virus software, if needed.

Always connected securely

Besides protecting data at rest, you need to make also sure that data in motion is protected too. It can for instance happen, that employees connect to harmful WIFI-Hotspot, without even noticing (at the Airport e.g.). Therefore, it is important to setup the correct WIFI and VPN-Profiles using SecureUEM. With SecureUEM administrators can even define, which Apps should establish a per-app VPN in order to make sure, that the corporate apps always use a secure connection.



The SecurePIM App covers all major features of MS Exchange and IBM Notes incuding:

  • Mail
  • Calendar
  • Contacts
  • Tasks
  • Notes

Secure Content (MCM)

Besides the PIM functionality, SecurePIM also provides a full Mobile Content Management (MCM). Administrators can define the File-Shares the users are allowed to access within the SecurePIM App. All major File-Share solutions with WebDAV protocol are supported (MS Sharepoint, Nextcloud, Owncloud…). With the Office 365 integration, it is even possible to use Microsoft OneDrive for business.

With Secure Content, users can access corporate files directly from the SecurePIM App. All files are transferred end-to-end encrypted and are stored encrypted all the time in the app. Users can not only view the documents but also edit them using the built-in Office editor, which supports all major filetypes (doc, ppt, xls, pdf…)

Secure Collaboration

Email is still the most used form of collaboration in a business context, there is no doubt about it. Many users however prefer more and more to use instant messaging instead of emails, as they are used to it from their private usage. However, many companies do not provide secure ways of modern communication. As an effect, many employees use private Messaging Apps like WhatsApp also for business purposes, which lead to data leakage and compliance issues (GDPR).

 With SecurePIM Secure Collaboration users can collaborate with colleagues using Chat, Voice and Video capabilities in an easy, secure and compliant manner without leaving the app. Again, all data is transferred securely using highest encryption standards.

Secure Chat

Instant Messaging is the core component of the SecurePIM Collaboration Suite. Employees are able to instantly chat with colleagues inside the SecurePIM App. With the neat less integration, it empowers the user to perform many integrative tasks such as creating a chat group from an existing email thread or calendar event. Furthermore, users can share files from the document module in an existing chat or create new conversations.

Secure Voice & Video

Besides instant messaging, users have the capability to instantly call a colleague or even a group of colleagues using voice or video. This is very useful for employees who are traveling in countries, where the roaming cost and security is relevant. With the tight integration into the SecurePIM App, users can initiate calls directly from the contact, email, and calendar module, e.g. to instantly call the group of participants in a scheduled meeting.

Complete Windows 10 management details – highlighting most important features

Device information

Make, model, OS version and path level, firmware versions, hardware spec. and many additional details

Security Management

Location, tracking, password length and quality, grace periods, and exportations.

Detailed Restrictions

Some of which include hardware restrictions (e.g. external storage, camera, etc.), domain connections, email configuration, user enrolment and related settings.

Connection Management

WiFi allowed, whitelists, password restrictions, certificates, minim encryptions standards, connection sharing, and many additional options.
Detailed VPN configuration options and restrictions
Detailed Bluetooth configuration options and restrictions

Synchronization and account management

Email, domains, profile, SSL encryption of connections, account types, sync intervals, server credentials, etc.

Release Notes

Release Notes: March 2018

SecureUEM Management Console:

  • Implemented many additional security features.
  • Fixed a bug that made it possible to edit a Super Root without being Super Root.
  • Fixed an issue that caused certain pages under android profiles to crash or load indefinitely (e.g. Mandatory App List, PIM Management)
Release Notes: May 2018

SecureUEM Management Console:

  • Some Icons have been replaced (e.g.: SecurePIM)
  • Style improvements has been implemented that make certain tabs more visible (e.g. the sources for an app installation)
  • The profile you are currently editing will always be displayed at the left side.
  • Selecting a group profile now shows which groups are affected by this profile
  • The Enrolment page for iOS and MacOS has been improved and now shows improved notification if, for example, no APNS certificate has been found
  • Several improvements to increase the performance has been implemented

Windows 10 PC:

  • App Management has been added. This contains Installed Apps, Black-/Whitelisting and Sys App Restrictions


  • App Management has been added. This contains Installed Apps and Mandatory Apps (In-House and VPP)


  • A Problem has been fixed that caused play store apps to not be displayed correctly in the console
  • A Problem has been fixed that caused the appstore to be empty


  • Automatic OS Update is now possible without DEP but in this case requires iOS 10.3 and supervised mode
  • The VPP App List will now be sorted alphabetically
  • A Hint has been added if the Enterprise Appstore is not displayed because Javascript is deactivated
  • You will be warned that disabling Javascript will end up in a not working Enterprise Appstore
  • Under certain circumstances mandatory app installation has not begun right after the enrolment. This is now fixed.
  • If an app-configuration contained integer the configuration was not applied correctly. This has been fixed.
  • Files App has been added to the sys app restrictions.
  • “Outlook” has been added to BYOD
Release Notes: November 2018

SecureUEM Management Console:

  • [NEW] TeamViewer Support for iOS and Android has been added. You can now easily remote access your devices.
  • [NEW] You can now set an Alias for your VPP token.
  • [NEW] REST API has been added to get the GPS information via our REST API. This is currently limited to GPS information and will be enhanced in the future.
  • [NEW] The navigation tree containing the users, groups and devices has been improved to make it more responsive, especially while using drag’n’drop.
  • [NEW] An extended search functionality has been added. You can now easily search for many different attributes.
  • [NEW] Overhauled the android password restriction form.
  • [NEW] You can now add comments to every single device to add any information you want to a device (e.g. at which date it was bought)
  • [NEW] The installed Apps list of Windows 10 PC now contains every installed, regardless of its installation type. (Before that change, the list was split into different categories for In House, Store and System Apps)
  • [NEW] Reworked the configuration tab of AfW apps that are using sections to better represent these sections (e.g. Samsung Mail)
  • [FIX] Under certain conditions, settings could not be saved correctly in the connection management. This has been fixed.
  • [FIX] In extremely rare cases it could happen that the system did not properly synchronize with the VPP service. This has been fixed.
  • [FIX] In the Outlook configuration for iOS, the placeholder was not working correctly. This has been fixed.
  • [FIX] Depending on your enrolment method, custom Roles were not able to edit, move or delete devices in the device pool. This has been fixed.
  • [FIX] Due to changes made by google, the android app search was not working correctly. This has been fixed.

Windows 10 PC:

  • [NEW] You can now uninstall apps
  • [NEW] You can now install apps via the mandatory apps list (Appx, Appxbundle and MSI)


  • [NEW] “Allow Bluetooth Sharing” implemented for Android for Work. This allows you to access your contacts if your device is connected to your car.
  • [NEW] You can now configure a timeout for the policy violation action for Android for Work.
  • [NEW] Minor improvements have been made to the kiosk mode.
  • [FIX] On certain devices, which do not have an IMEI, auto enrolment did not work properly under certain conditions. This has now been fixed.


  • [NEW] The new version of the Cisco Anyconnect app is now supported too! Besides that, the Legacy app can still be configured.
  • [NEW] The new version of the OpenVPN App is now supported.
  • [NEW] iOS Update can now be delayed for up to 90 days
  • [NEW] If you had to accept changed Terms and Conditions for your DEP account, the sync was not working. We now implemented a warning for that if this is the case.
  • [FIX] Fixed a bug that caused the exchange profile to lose the password if a changed PIM profile was pushed.
  • [FIX] In rare cases, certificates were not pushed correctly to the device. This has been fixed.
Release Notes: February 2019

SecureUEM Management Console:

  • [NEW] After creating a device the values for operating system, device type and ownership will be saved and applied for the next device, giving you the ability to add devices much more efficient.
  • [NEW] Global Configuration has been extended with more templates.
  • [NEW] Changed the way the appliance uses to contact the mail server to avoid conflicts with some mail server settings.
  • [NEW] The enterprise appstore has been re-worked for iOS and Android and now features a search function.
  • [NEW] The enrolment mail will now contain the QR Code for Android and iOS.
  • [NEW] Improved the caching of app icons for every app list which should decrease loading time after the first time.
  • [FIX] In rare cases, it happened that a button got switched to from On to Off or vice versa without displaying it correctly until saving. This is now fixed.
  • [FIX] Under certain circumstances it took much longer than expected to load a group when clicked. This has been fixed.

Windows 10 PC:

  • [NEW] Added support for big UWP (appx & appxbundle) and MSI apps.
  • [NEW] You are now able to remove some architectures (e.g. ARM) from bundles since this can cause problems on devices not matching this architecture.
  • [NEW] “Wipe Device” has been added.
  • [NEW] Full support for Windows 10 Version 1809 has been added
  • [NEW] Adjusted the UI for upload of UWP (appx & appxbundle) and MSI apps.


  • [NEW] “Android for Work” has been added as operating system. Creating a device using this operating system will hide every setting which is not required.
  • [NEW] QR Code Enrolment is now possible with native android enrolment.
  • [NEW] You can now reset the password with a custom password.
  • [NEW] The “+” button in the installed apps list has been removed. The recommended way to add apps that should be installed is using the mandatory app list. Due to confusion and problems caused by the “+” button, we decided to remove it.
  • [NEW] Changed the wording from Samsung SAFE to Samsung KNOX since Samsung also switched to this terminology.
  • [NEW] Samsung KNOX functions can now be used in Android for Work Device Owner Mode
  • [NEW] Changed the system which is used to push devices to resolve push issues on some Android 9 devices.
  • [FIX] A few apps have special characters in their name. This caused the installed apps list to be empty. This has been fixed.
  • [FIX] In rare cases in House apps got not installed on the devices. This has been fixed.


  • [NEW] Overhauled the whole system to get licenses which will make the process much faster and more stable, especially for higher amounts of licenses.
  • [NEW] The Built-In Security Container can now be customized to allow screenshots and other functions.
  • [NEW] Improved they way the enrolment got processed if you add the device to the MDM and to DEP using the Apple Configurator 2. This also avoids the creation of 2 identical devices which occurred in rare cases while using this method.
  • [NEW] New “Skip” options has been added to the DEP profile to match the latest iOS versions.
  • [NEW] The bypass code for the activation lock can now be shown in the console and used to manually remove the activation lock.
  • [NEW] You can now enter a bundle identifier to the Black- or Whitelist.
  • [NEW] Activity App has been added to the Sys App Restrictions.
  • [NEW] The “+” button in the managed apps list has been removed. The recommended way to add apps that should be installed is using the mandatory app list. Due to confusion and problems caused by the “+” button, we decided to remove it.
  • [FIX] Due to changes of Apple, the device log did not display every error correctly. This has now been fixed.