Software-update: Ivanti Endpoint Manager Mobile Core 11.7.0.0

Nadat Ivanti eind 2020 MobileIron heeft overgenomen, is MobileIron Core hernoemd naar Ivanti Endpoint Manager Mobile Core. De software richt zich nog steeds op mdm, het beheren van devices, en mam, het beheren van applicaties op deze devices. Tegenwoordig kun je dit ook onder enterprise mobility management, kortweg emm, plaatsen. Daarnaast kan het worden gecombineerd met andere producten om de functionaliteit uit te breiden, zoals Sentry voor beveiligde dataoverdracht en de Secure Workspace-apps met onder andere Help@Work, waarmee bijvoorbeeld een helpdesk van afstand kan meekijken op het scherm van een iOS- of Android-toestel. Ivanti heeft versie 11.7.0.0 van haar Core uitgebracht met de volgende aanpassingen:

Core 11.7.0.0 - New features summary

General features

• Changes to instructions in Mobile@Work: In Mobile@Work, the instructions in the enrollment and remediation pages have been updated.
• Run Reporting Database reports on user and device attributes: The Reporting Database now includes user and device attributes in its reports. See the latest Reporting Database Essentials guide for more information.
• Ability to delete multiple local users: Administrators can now delete multiple users. You cannot delete multiple users if:
  • a user you are trying to delete is currently logged in (administrator)
  • a user is an administrator user - you first need to remove the administrator role of the user
  • there is a non-retired device associated to the user
  For more information, see Deleting multiple local users in the admin portal in the Getting Started with Core guide.
• Registration passcode expiry maximum time increased: You can now customize the number of hours the registration password is valid, from 4 hours (default) to a maximum of 4320 hours (6 months). For more information, see Setting passcode and registration code defaults in the Getting Started with Core guide.
• Symantec name change updated in user interface: Symantec Web Services Managed PKI has changed its name to DigiCert PKI Platform, therefore, you may note associated textual changes in the Core user interface.
• Support for optional KVP on Email+: The KVP email_user_certificate_self_service can optionally be set to the ‘retired’ certificate value for a device user by prefixing it with [optional].(email_user_certificate_self_service is a mandatorily configurable KVP for all the Core users.) [optional]email_user_certificate_self_service is an alternative configurable KVP for applicable device users that Core will push to the user’s device only when the value is non-empty. Developers of AppConnect apps now have the option to create [optional] keys so that if the value is null/empty, it will not send that key/value to the AppCconnect app. For more information, see the Email+ for Android Guide.
• New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Core offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices. In Core, go to Settings > Users and Devices > Retire and Delete. In the retire devices section, there are settings that allow you to retire the retire pending devices, based on the last check-in time, with on-demand actions and scheduled actions. For more information, see "Retiring a device" and "Retiring the Retire Pending devices" in the Core Device Management Guide of your OS.
• Client ID added to Device Details: For troubleshooting purposes, Client ID has been added to the Device Details page. Administrators can also search for Client ID as well. For more information, see "Advanced Searching" in the Core Device Management Guide of your OS.
• Ability to remove profiles from individual devices: Similar to the Push Profiles option is a new feature that allows administrators to manually Remove Profiles from specific devices. This feature is helpful for troubleshooting specific devices, for example, overriding the default label for that device. For more information, see "Pushing and removing device profiles" in the Core Device Management Guide of your OS.
• Hyper-V 2019 server is supported for core and enterprise connector installations: With this release, Core can be installed on a Microsoft Hyper-V 2019 server. The Hyper-V 2019 includes Windows Hypervisor, a Windows server driver model, and virtualization components. Hyper-V is delivered as part of Microsoft Windows Server 2019. For more Hyper-V information, see Virtual Core requirements in the On-Premise Installation Guide for Core and Enterprise Connector guide.
• Advanced search enhancements: In Apps > Installed Apps, Administrators can search apps with specific criteria according to attributes combinations, in addition to searching a specified term in different attributes. For more information, see Managing app inventory in the Core Apps@Work Guide guide.
• Send device compliance data to multiple Microsoft Office 365 tenants: Administrator can configure device compliance data to be sent to multiple Microsoft Office 365 tenants in standard environments. For more information, see "Connecting Microsoft Azure to Core" in the Core Device Management Guide for your OS.
• New Global Policy to configure apps per label in bulk: Administrators can create global policies with different app settings (silent install, auto-update, mandatory, etc.) and can assign it to different labels. By creating a global policy, administrators can avoid editing each app and configuring the settings. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed. For more information, see Global App Config Settings policy in the Core Device Management Guide for Android and Android Enterprise Devices.
• Create a default label name: Starting with the 11.6.0.0 release, administrators had the ability to manually create a label (for Windows, Windows Phone or macOS) that does not contain any criteria. After it is created, the label automatically becomes a default label and cannot be removed or edited. Upon upgrade to version 11.7.0.0, Core does not apply these labels to devices because they do not contain criteria. Administrators must apply the labels manually.

Android features

• Support for Private DNS: On fully-managed devices running Android 10 or later, the administrator can specify whether the device should use a private DNS server for encrypted domain name resolution, and if so, which one. Applicable to: Android 10+ devices in Work Managed Device mode. For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode in the Getting Started with Core guide.
• File Transfer Configuration: A new configuration File Transfer is available for Android devices. This configuration can be used to transfer files to the device and these files can be shared from Mobile@Work to other apps on the same device. Target apps consuming these files must support ContentURI to access files locally on the device.
  For more information, see Android File Transfer Configuration in the Core Device Management Guide for Android and Android Enterprise Devices.
• Mobile@Work auto-granted permissions reduced on all Android device versions: Administrators can provide device users more choice on Android 11 and below Work Profile devices by allowing the device user to choose whether Mobile@Work should be granted location permissions. The default behavior allows Mobile@Work to automatically grant this permission. In Core 11.7.0.0, when the Mobile@Work auto-grant location permission check box is selected, the administrator would see a warning in Core and device users would receive a prompt to grant Mobile@Work location permission during registration of devices in Work Profile mode.
  Phone permission is required to collect device information. Phone permission allows Mobile@Work to get information about device identifiers such as IMEI. This permission was originally only available in Device Admin mode, but has been extended to Work Profile mode. Device user consent is required for Mobile@Work to have phone permission.
  For more information, see Privacy policies and Understanding the Registration page in the Getting Started with Core guide.
• Shared kiosk mode app settings: Upon upgrade, two new settings for Shared kiosk mode can be utilized in the New Android Kiosk App Setting Policy dialog box > Kiosk Mode Allowed Apps section:
  • Clear App Data is indicated by a "broom" icon. A broom with check mark icon indicates to clear the app data when the device user logs out of shared kiosk. A broom with a "not allowed" icon indicates do not clear app data when the user logs out of shared kiosk.
  • Android settings are indicated by a "gear" icon. A gear with check mark icon means allows device-wide settings for the selected app to be made available to the device user. A gear with a "not allowed" icon means disallow it.
  For more information, see Configuring the Android shared-kiosk mode in the Core Device Management Guide for Android and Android Enterprise Devices.
• Android Bulk Enrollment: Administrators can do registration of Android 7+ devices in batches (1000+) by uploading a CSV file. For each profile, a token will be generated with a default expiration time of 7 days. This token can be further extended for 7 days minimum to 99 days maximum. Optionally, the token can be regenerated (a completely new token is created for the profile with a default of 7 days of expiration.) Applicable to Work Managed Device mode, Managed Device with Work Profile mode, Work Profile on Company Owned Device mode, and AOSP mode.
  For more information, see Android Bulk Enrollment in the Core Device Management Guide for Android and Android Enterprise Devices.
• Additional battery health information provided: Additional battery health statistics per-device are now provided:
  • Android Battery Charging Status
  • Android Battery Health Status
  • Battery Charge Cycles (OEM)*
  • Battery Health Percentage (OEM)*
  • Battery Manufacture Date (OEM)*
  For more information, see Advanced searching in the Core Device Management Guide for Android and Android Enterprise Devices.
  *The OEM fields will only populate if the device is a Zebra device. For more information, see Advanced searching in the Core Device Management Guide for Android and Android Enterprise Devices.
• MobileIron Cloud is now Ivanti Neurons for MDM: All the instances of Cloud in Core documentation have been updated to Ivanti Neurons for MDM.

iOS features

• Update iOS Software Version button allows administrators to update iOS devices to a specific OS version: The Device Details page has a new "Software Version Update" button for administrators to update specific devices to any supervised DEP and non-DEP iOS versions. A list of only the applicable iOS versions to the device displays for the administrator to choose, and then execute the update. For more information, see Updating the iOS manually on a single supervised iOS device in the Core Device Management Guide for iOS and macOS Devices.
• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay.
  • Delay OS Software Update - you can set the delay of a software update on the device and set the delay of minor software updates to the device. The device user will not see a software update until the set number of days after the software release date.
  • Delay App Software Update - you can set the delay of a software update on the device and set the delay of non-OS software updates to the device. The device user will not see a non-OS software update until the set number of days after the software release date.
  • Delay Major Software Upgrade - you can set the delay of a major software upgrade on the device. The device user will not see the major software upgrade until the set number of days after the software release date.
  Available in macOS 11.3 and later.
  Additionally, Allow Erase All Content and Setting was added for resetting of iOS devices. Applicable to iOS 8+ and macOS 12+. For more information, see macOS settings and iOS and tvOS restrictions settings in the Core Device Management Guide for iOS and macOS Devices.
  Upon upgrade, the new restrictions will not be pushed to the devices. The easiest way to do this is to open the restriction and then save it. This will force-push to all the devices.
• Skip options added to Device Enrollment Profile: To assist with easy installation, two additional options were added to Device Enrollment Profile:
  • Skips Device to Device Migration pane. Availability: iOS 13+.
  • Skips the iMessage pane. Availability: iOS 10+.
  For more information, see Creating an Apple Device Enrollment Profile in the Core Device Management Guide for iOS and macOS Devices.
• macOS registration configurations enabled upon upgrade: For new Core deployments, Ivanti’s support for macOS device management is available in Core, Ivanti EPM, and Ivanti Neurons for MDM.
• Version number updated: Core applications have received the version numbers that are being updated: AppleTV, iOS 15.5 and 15.5.X, macOS 12.4.
• New iOS Restrictions added to Configurations > New Restrictions Setting dialog box:
  • Allow Apple TV's automatic screen saver restriction
  • Allow Mail Privacy Protection - helps protect device users' privacy by preventing senders from learning about device users' email activities. When the Allow Mail Privacy Protection configuration is installed and enabled from Core, the Protect Mail Activity toggle is enabled on the device and the following options are visible to the device user:
    • Hide IP Address - The email sender cannot link the email to the device user's online activity or determine location.
    • Block All Remote Content - Prevents the email sender from seeing the device user's email activities.
    For more information, see iOS and tvOS restrictions settings in the Core Device Management Guide for iOS and macOS Devices.

Windows features

• Windows registration configurations enabled upon upgrade: For new Core deployments, Ivanti’s support for Windows device management is available in Core, Ivanti EPM, and Ivanti Neurons for MDM.