9.2.0 (578)

Product Name: BEM Web V9.2.0 (Build: 578) GA

Valid on: 2024-03-20



New Features and Improvements




– Added support for Open LDAP as a domain import type.

– Added support for se-mail

– Merged separate Yubikey database into the main BEM database.

– Improved the visible products to be based on the licence contents

– Improved syslog messages to include the device name.

– Resolved an issue where enabling encryption on PostreSQL database installs did not always encrypt all traffic

– Added support for storing CA certificates in a Yubico HSM

– Added certificate revocation functionality to BEM CA.


iOS Features and Fixes

– Added a new scheduled job to renew iOS device certificates

– Added a new scheduled job to refresh DEP devices. This helps to prevent the cursor expirying which would then need a full DEP refresh.

– BCE-3382- Resolved for an issue where “Allow_pairing” was always set to false.


Paradox and Paradox SE Features and Fixes

– BCE-3496 – Resolved an issue where loading a complex policy would be slow.

– Added the ability to restrict Paradox and SE devices to a limited amount of selected users.

– Added the ability to set Yubikey pin restrictions in device policy.

– Added support for setting time zone in device policy.

– Added support for remote killing a Paradox and SE device.

– Resolved an issue where cloning a policy would not duplicate the file.

– Resolved an issue where cloning a policy with guest mode firewall rules results in an error.


Yubikey Features and Fixes

– Added APP-XD support for the Yubikey managent feature.

– Added the ability to import a first Enroller Yubikey.




– BCE-3486 – Updated the logic around the AppPoolConfig dictionary to ensure a full list of application pools is maintained in order to prevent key errors.

– Fixed an issue with BEM logins in a multi server environment.

– Fix for an issue where “Clone App Policy” button went missing after upgrade.




– BCE-3462 – Fix for an issue where Paradox SE user application policy was failing to be applied to devices.

– Added extra validation checks when adding and editing a domain in BEM.

– Fix for an issue where service user credentials were not hidden in config file.




– BCE-3455 – Fixed an issue where BEM installations and upgrade would fail if the hostnames begin with a number.




– BCE-3419 – Fixed various issues with BEM setup tool that were seen when running upgrade.

– BCE-3440 – Fixed an issue where setup tool did not run due to an issue with signing of files.

– BCE-3431 – Fixed and issue where Paradox SE user application policy UI was defaulting to first domain that was added.

– BCE-3430 – Fixed an issue where Paradox SE user application policy was failing when User LDAP domain was added along with port number.

– BCE-3427 – Fixed an issue where reopening setup tool was resetting appsettings.json file.

– Added support for accessing BEM UI externally.

– Made changes to setup tool to support Paradox SE device management on a split environment where registration/communication and BEM UI services are installed on different servers

– Added USB Mass Storage support for Paradox similar to Paradox SE.




– Resolved an issue where the Yubikey database install would fail when database encryption was enabled.




– BCE-3408 – Fix for an issue where scheduler service failed to run when the DB is on a remote machine and the SQL authentication is set to Windows user.

– BCE-3398 – Fix for an issue where BEM console has slowed down when Yubikey was enabled and not configured.

– BCE-3400 – BEM now returns body content confirming successful receipt in response to healthcheck updates from remote ES and TPS proxies.

– BEMD-11786 Fix for an issue where a clear cache was needed for the BEM UI changes to stay persistent.

– Fix for an issue appsettings.json was not configured with correct login urls.




– Remove dependency on .Net Framework 3.5 for installation of BEM.

– Fix for an issue where a new Yubikey DEK was not being generated during BEM installation.

– Added Paradox policy option to Wifi entries to hide/unhide Wifi access points.

– Added a Paradox and SE device policy option to disable print screen

– Added a Paradox and SE device policy option to disable the ability to edit network configuration on the device.

– BCE-3396 – Fix for an issue where BEM dashboard was loading slowly after logging in.

– BEMD-11607 – Added ability to set Login Page hostname which will resolve an issue where login page will show a 500 error after upgrading.




– Dropped support for multi tenancy.

– Dropped macOS device management.

– BEM setup tool migrated to .Net Core.

– Global Admin role has been removed .


iOS Features and Fixes:

– BCE-3346 – Fixed an issue where refresh DEP devices would fail due to an expired cursor.

– BCE-3164 – Fixed an issue where report filtering was not working based on last contact time interval.

– BCE-3375 – Fixed an issue where Rapid security responses install status was not shown correctly in BEM UI

– BEMD-11010 – Resolved an issue where a failed VPP licence request will unintentionally set the app status to failed for all apps on the device.

– BEMD-10201 – Allow access to USB Accessories.

– Introduced certificate pinning for iOS device management.


Paradox and Paradox SE Features and Fixes:

– BEMD-11184 – Added an option to set SAM account name to the device name in device certificates.

– Added the option to choose whether or not Paradox and Paradox SE devices are created as computer objects in Active Directory.

– Added SMB share support in Paradox SE.

– Added USB Mass Storage support for Paradox SE devices.

– Added new column to Paradox SE devices page to display OS Version installed on the device.

– Paradox USB Device Control expanded to include Read-Only / Read-Write and SID options.


Yubikey New Features and Fixes:

– Enrollers can be restricted to enroll Yubikeys to the users in the same OU as enroller.

– Restricted Enrollers can be promoted to global enrollers to enroll devices to any user from the estate/domain.

– Introduced Strict mode which means OTP enrollments are blocked when BEM is this mode.

– Added the ability to renew user certificates by enroller.



BCES Features and Fixes:

– Improved BCES registration process.

– Introduced “Strict mode” in BCES.


9.0.1 BETA


– Added support for Postgres SQL.

– Added new feature, Becrypt Resident CA that issues and manages device, user and server certificates.

– Added Becrypt Identity Provider that is used to create, authenticate and manage local BEM users.

– Added silent installer that supports easy deployment of BEM.

– User assignment is now option for DEP device enrolment.


9.0.0 BETA


iOS Features and Fixes:

– Added support for ECC device certificates for iOS devices

– Added ECC signature verification in BEM

– Added support for use of HiTMAN as High Assurance Gateway when using BEM with MDM Proxies

– Improved support for configuring outgoing Docker proxies when using BEM with MDM Proxies



Additional Notes



BEM Specific:

– If you need to change or remove the reverse proxy settings in a split or multi-server environment, please save them on each server using the BEM setup tool.

– Before running an upgrade please close any database tables which have been opened in SQL Management Studio

– Please re-upload the identical licence file that was previously uploaded into BEM if you notice any product menu items missing from the left-hand side panel of the BEM console after upgrading.

– Upgrading from a version below BEM 9.1.6, credentials used for domains will need to be updated to sAMAccountName@domain or user principal name (ensure that user principal name has a domain)

– Upgrading from a version below BEM 9.1, the login URL for BEM will be changed, therefore existing browser bookmarks will not work. Please create new browser bookmarks.

– Upgrading from a version below BEM 9.1, all existing BEM console users with super user role before upgrade will have permissions equivalent to a Global Admin.


BCES Specific:

– Please install BCES on the same domain as Users domain.


Yubikey Specific:

– Please use BCES 9.2.0 with BEM 9.2.0 to manage Yubikey devices.

– Please ensure that users are synchronised from Domains page before configuring BEM to manage Yubikey devices.

– Please ensure that the PUK code you enter when importing the first user using Yubikeyimport tool is set to 8 characters.


Paradox specific :


– Please use the username in the format .\<username> when registering PDX devices in an off domain environment using BEM Local Users.

– Please remove from BEM any browser extensions that were uploaded after upgrading to 8.1.0, and re-upload them before assigning to an application policy.

– After upgrading BEM Web, update the authorisation url to introspect url when using OAuth2 as your authentication method in Paradox device policy.

– After upgrading BEM Web, all the Paradox device groups will have “TPM required” checkbox ticked. Please do untick if you would like to modify those device groups.

– yubikeys and Human Interface Devices will be implicitly allowed as part of the device control policy for Paradox devices.

– In order for the Xerox printer to be discovered, add both Presets under the firewall rules in BEM Web Policy:

i) Generic Printer Discovery

ii) Xerox Printer Discovery



Paradox SE :

– After upgrading to 9.X, RA certificates will be issued by BEM CA (Resident CA)

– Revoking a device certificate manually from CA may not prevent the device from communicating to BEM Web server. Either use the “Revoke Device” function from BEM Web console or follow the below steps on BEM Web server:

– From command prompt run certutil -setreg chain\ChainCacheResyncFiletime @now

– Restart cryptographic services.


iOS Specific :

– It is recommended to purchase ample licenses for required apps in your VPP to avoid licensing issues.

– It is recommended that all devices are un-supervised before re-profiling.

– Note that if the MDM Profile is set to be removable, any devices which are still within Apple’s grace period after first being added to DEP will display the option “Leave Remote Management”. If a user actions this it will completely wipe the device and remove it from DEP – and BEM will receive no notification of this.



Known Issues


BEM 9.2.0


BEM Specific issues:

– Roles cannot be assigned to the users without domain in their UPN.

PDX Specific issues:

– Menu icon, screen reader settings config and Homepage wallpaper are not duplicated when policy is cloned. Please re-upload the files before saving the policy.


BEM 9.1.0


– As per Android (Convex) design, BEM CA generates RSA type device certificates for Android devices when BEM CA is set to ECC type.


iOS Device Management issues:

– If Home Screen wallpaper is not set in policy, any Lock Screen wallpaper configured is also being displayed on the Home Screen.

– Devices may fail to keep up with policy and/or application changes if moved between multiple device groups rapidly.


BEM 9.0.1 BETA Limitations:



– BEM Web setup tool is not fully functional .

– Silent installation only supported for Postgres with Resident CA and Resident Users.

– Apple configurator devices cannot be enrolled when the CA is set to use ECC.


BEM Web specific issues:

– Requesting user certificates fails when CA is set to issue certificates using KSP.

– Internet Explorer 11 is known to fail loading important items in the Paradox Application Policy page. It is recommended that an alternate browser is used while managing Paradox and Paradox SE devices.

– The error “No DEK loaded” may be seen when doing an initial synchronize with Active Directory. An IIS restart is required, to fix this issue.

– Paradox SE Applications with (.) character in the file name when added are lost on saving the application policy.

– Template names set in general settings will only be checked against templates published on the Active Directory the server is located in.

– Changing the device certificate template does not affect certificate renewals for certificates already issued.

– Side by side installation of multiple .NET core versions can occasionally cause BEM Web to not load.


iOS and macOS Device Management issues:


– Policy fails to install on device when previous policy has password modification switched off / toggling it back on.

– The “Delete VPN certificate” command for iOS devices will not remove the certificate whilst a VPN profile is still deployed on the device. The profile must also be removed (from Policy) to complete deletion of the certificate.

– The iOS policy restriction to disallow “Erase All Contents and Settings” is not obeyed by devices running iOS 15.0.

– Enabling bluetooth on the device during provisioning only is now deprecated. Bluetooth may now be enabled/disabled within Device Policy at any time.

– If an iOS device with only Wi-Fi connectivity available has been placed into Lost Mode and then subsequently powered off, it may not be possible to disable Lost Mode again. This is because although the device is powered on again it may not be possible to start Wi-Fi without unlocking the screen.

– In iOS Device Policy editing an existing Standard VPN item into a PerApp VPN will fail. Remove the Standard VPN first and then apply a new PerApp VPN.

– Make sure “Send all traffic” is ticked for IPSEC VPN profile.

– IKEv2 VPN profile installation is currently failing for macOS devices.

– Enabling “Allow configuring restrictions” in iOS policy allows screen time settings on devices running iOS12 and later.

– iOS device may not register a correct push notification secret (Push Magic) after preparation. This will cause the device to stop communicating with the server.

– The values displayed for iOS device “Capacity” and “Available Capacity” may be incorrectly reported in the Details tab. This is an issue that requires a fix from Apple.

– Enabling profile encryption is currently not supported for EC certificates.

– If a new VPP account is used, apps from the previous account may remain.



Installation BEM Web



– Framework prerequisites to be installed on the server prior to BEM Web installation/Upgrade.:

– .NET 4.7.2 framework

– .NET Core 6.0 Hosting Bundle (download from

– Latest version of 6.0 recommended, product tested with 6.0.11

– Visual C++ Redistributable for Visual Studio 2019 (download from


– An admin document on how to perform an installation can be found in the full package of the product.






Upgrades from BEM 9.1.7


Supported Operating Systems



The BEM Web Server components support installation on the following Windows OS:


– Windows server 2016 64 bit

– Windows server 2019 64 bit

– Windows server 2022 64 bit


Supported Database Systems



The BEM Web Server components support installation on the following SQL servers:


– SQL Server 2014

– SQL Server 2019



Interoperability with other products


Provisioning iOS devices require:

– Apple Configurator 2.14


The supported email servers are:

– Microsoft Exchange 2016


The supported VPN are:

-Cisco ASA IPSEC VPN Concentrator.

-5.3.5-1ubuntu3.8 Strongswan



Supported End User Devices



BEM Web Supports:

– Devices running iOS/iPadOS 17.3.1 / 17.4




We're here to help

Please Contact us

general enquiries

+44 (0) 845 8382050


+44 (0) 345 8382070

Join Our Newsletter

Receive our latest blog posts directly in your inbox!