Software-update: Ivanti Endpoint Manager Mobile 11.8.0.0

Nadat Ivanti eind 2020 MobileIron heeft overgenomen, is MobileIron Core hernoemd naar Ivanti Endpoint Manager Mobile. De software richt zich nog steeds op mdm, het beheren van devices, en mam, het beheren van applicaties op deze devices. Tegenwoordig kun je dit ook onder enterprise mobility management, kortweg emm, plaatsen. Daarnaast kan het worden gecombineerd met andere producten om de functionaliteit uit te breiden, zoals Sentry voor beveiligde dataoverdracht en de Secure Workspace-apps met onder andere Help@Work, waarmee bijvoorbeeld een helpdesk op afstand kan meekijken op het scherm van een iOS- of Android-toestel. Ivanti heeft versie 11.8.0.0 van haar EPMM uitgebracht met de volgende aanpassingen:

Ivanti EPMM 11.8.0.0 - New features summary

General features

• Ivanti Support Maintenance for App Gateway (appgw.mobileiron.com): Ivanti will be performing a scheduled network infrastructure maintenance on December 16, 2022, and your action is required if your organization uses explicit firewall rules. The following App Gateway (appgw.mobileiron.com) services will be unavailable during the maintenance window:
  • Firebase Cloud Messaging for Android device messaging
  • Mobile carrier lookup
  • Gateway location database update
  • SMS delivery
  • Device image look-up
  • Apple Push Notification service (APNs)
  • In-app device registration (auto-discover)
  • Apple MDM certificate renewal
  • Reg-service for Ivanti EPMM hostname lookup based on phone number (Android only)
  • Creation of Android for Work enrollment through the Ivanti Support site
  Action: If you use explicit firewall rules, you must append your rules with the following new IP addresses by December 16, 2022:
  • 34.227.203.115
  • 34.231.78.119
  • 35.168.168.163
  • 18.207.62.107
  • 18.209.150.213
  • 23.21.143.22
  Allow traffic to both the current and new IP addresses prior to December 16, 2022. You will receive a customer communication email with more information about the maintenance window when it is confirmed. For more information, see External and Internet Rules in the Ivanti EPMM On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector and Urgent Ivanti Endpoint Manager Mobile (MobileIron Core) Gateway Update.
• Rebranding changes: As part of the MobileIron to Ivanti rebranding in this release, page titles, logos, product names, images, and guide names have been changed. In addition, the following Core (now Ivanti EPMM) component names and user interfaces have been rebranded:
  • Core Admin Portal = EPMM Admin Portal
  • Core System Manager Portal = EPMM System Manager
  • Self Service Portal = Ivanti Self Service Portal
  • Connector Base = EPMM Connector
  • Reporting DB System Manager = Ivanti System Manager
• New consolidated EULA: A consolidated product End User License Agreement (EULA) replaced the previous version. The EULA is displayed during initial installation.
• Migrating Intune Azure graph to Microsoft Graph Due to the upcoming retirement of Azure Graph APIs in December 2022, Ivanti has enabled Ivanti EPMM releases to work with Microsoft Graph APIs. See the Microsoft information here.
• Query cellular device information: Starting with iOS 16.0, the device's phone number will be retrieved from the list of SIMs in the ServiceSubscriptions query.
• New Action menu item to synchronize device compliance status with Azure: Administrators can synchronize the compliance status only for authorized devices from Ivanti EPMM to Azure. When synchronizing for non-authenticated/non-related Azure devices, an error message displays listing device names. When the administrator performs a manual synchronization, a detailed Audit Log is generated for the devices. Applicable to all types of Azure tenants, for example: Standard, GCC_High, and DOD. For more information, see "Syncing the Device Compliance status of devices" in the Ivanti EPMM Device Management Guide of your OS system: Android, iOS.
• Export to CSV Installed Apps (App Inventory) Search Results: Administrators have the ability to export the results of an advanced search of the App Inventory page to a CSV file. The CSV would include all the fields in Summary View and Detail View. Applicable to all apps in the App inventory page. For more information, see Managing app inventory > "Exporting search results to a CSV" section in the Ivanti EPMM Apps@Work Guide.
• Samsung Firmware E-FOTA decommissioned: As of August 2022, Samsung discontinued the Samsung E-FOTA service. As a result, upon upgrade to Ivanti EPMM 11.8.0.0, the following occurs:
  • In Policies > Add New > Android Firmware Policy dialog box, the "Enable Samsung Firmware Policy" field is disabled.
  • Upon upgrade, in the existing policy and new policy (in the case where the license has not yet been deactivated), the "Enable Samsung Firmware" field will still be visible; however, it will be Read-Only. The administrator will need to delete the existing policies and deactivate the license before creating the new policy.
  • The Services > Samsung > Samsung Firmware E-FOTA License Management page is disabled; the administrator cannot activate or deactivate an E-FOTA license. If you have an existing E-FOTA license already set up, the Deactivate button is enabled and the administrator will need to manually deactivate the Samsung Firmware E-FOTA License.
  For more information, see Activating the Samsung firmware E-FOTA license in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. See also End of Life (EOL) and alternatives: Samsung Knox EOL article.
• New warning for registration PIN passcode settings: If you try to extend the registration PIN passcode settings beyond the default value, the following warning is displayed: Increasing the validity period for the PIN may pose a security risk and it is not recommended best practice. For more information, see Setting passcode and registration code defaults in the Getting Started with Ivanti EPMM guide.
• Support for pushing OS software to multiple devices: The administrator now has the option to select multiple devices and push OS software updates from the Ivanti EPMM Admin Portal's Devices page to multiple devices. All the eligible iOS devices from the selected devices can be updated to the latest version or to a version specified by the administrator. For more information, see Updating the OS on supervised iOS devices in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• Ability to set the frequency of application notifications: The native App Catalog receives notifications when application updates are available in Apps@Work. Starting in this release, administrators can configure device user notifications for new application updates that are available in the App Catalog, and set the frequency to once a day or once a week. Applicable to iOS devices only. For more information, see iOS Apps@Work AppStore Features in the Ivanti EPMM Apps@Work Guide.
• IMEI information for inactive SIM slots now displayed: In the past, only IMEI information for the active SIM slot was displayed in Ivanti EPMM. Now, device information on active and inactive SIM slots displays. In addition, CSV-exported data now includes the information for inactive slots. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
• Support for independent, customized messages and email subjects for each Compliance Action tier: In previous releases, only one customized message could be sent for all Compliance Action tiers supported in Compliance Policies > Compliance Policy Rule. Starting in this release, administrators have the ability to create and send independent, customized messages and email subject lines for each of the now 20 possible Compliance Action tiers. For more information on customized messages and email subject lines for compliance action tiers, see "Custom compliance policies" in the Ivanti EPMM Device Management Guide for your system: Android, iOS, Windows.
• Send device compliance data to single/multiple Microsoft Office 365 GCCH/DoD tenants: Device compliance status can be sent to GCCH and DoD Tenants. For more information, see Office 365 GCC High and DoD.

Android features

• Enable app restrictions for all supported devices: In the App Catalog, a new check box has been added "Enable app restrictions for all supported devices" for Android Enterprise in-house apps to display in the App view page of the App Catalog. Applicable to:
  • Work Managed Device mode
  • Managed Device with Work Profile mode
  For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.
• Changes to a field in the App Catalog: The field called "Enable AOSP app restrictions" has been changed to: "Enable app restrictions only for AOSP" and now only applies to Android Enterprise devices in Work Managed Device - non GMS (AOSP) mode. For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.
• Advanced Search for devices with non-compliant passwords: The new "Data Protection Enabled" field allows you to find devices with non-compliant passwords. For more information, see see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
• New option for Unlock command provided: For Android Enterprises, administrators can set a six-digit unlock PIN for specific devices. If this setting is used, "Unlock Device with Custom Pin " will display in the audit logs. For more information, see Setting the unlock PIN for a specific device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
• Support for app restrictions and permissions on In-house apps for Android devices: The administrator can now set restrictions and grant or revoke permissions on In-house apps for Android devices. Applicable to: Work Managed Device (DO) mode, Managed Device with Work Profile, and Work Managed Device non-GMS (AOSP) mode. For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.
• Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can select the Enable Single App Kiosk check box and then select the (single) app to pin to the device screen. This setting allows one app to be pinned to the device screen in most conditions. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app.
  The pinned single app will be launched only when it is part of the Allowed App list, the Kiosk Mode Allowed Apps list, and installed on the device. Applicable to Work Managed Device mode (DO) and Work Managed Device-non-GMS mode (AOSP).
  Note the following:
  • Single app Kiosk is only applicable to regular Kiosk mode. Single app kiosk can only be exited remotely from the Ivanti EPMM Admin Portal > Devices page. Mobile@Work displays the toast message "Kiosk Exit" in the app but the dedicated single-app may still remain on screen, as it cannot be closed due to Android limitations.
  • The Lock Task mode can only be enabled when the home screen is in the foreground. If the dedicated single-app is in the foreground, then it is not possible to enable Lock Task mode.
    Workaround: Device user must tap the back or home button; the Lock Task mode becomes enabled.
    On devices Android 9 and below, when the single app Kiosk is disabled, then the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations
  For regular kiosk mode information, see Creating a shared-kiosk-mode policy for the shared kiosk users in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. For shared-kiosk mode, see Setting the kiosk policy for Android managed devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS features

• Remote Authentication and Apple ID Default Domains for Shared iPads: In iPadOS 15 and below, Shared iPad required the device be connected to the internet when a user signs in. In iPadOS 16+, Shared iPad defaults to using the local passcode for existing users on the device, thus reducing the need for an internet connection. Ivanti EPMM administrators can choose to always enforce remote authentication, or by setting the number of days, provide the flexibility to determine when the remote passcode changes take effect on the existing cached sign-ins. Administrators can also set the default domains to make signing in to Shared iPads easier. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• Additional Skip option added: Skips the Terms of Address pane option has been added to the Devices & Users > Apple Device Enrollment. Availability: iOS 16+ and macOS 13+. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• Apple Cellular.APNsItem DefaultProtocolMask property no longer supported: Starting with this release, Ivanti EPMM no longer supports the deprecated Cellular.APNsItem DefaultProtocolMask Apple property.
• New support for the Apple property Cellular.APNsItem EnableXLAT464: Ivanti EPMM now supports the Cellular.APNsItem EnableXLAT464 Apple property, which enables the XLAT-464 option to provide access service for IPv6 across IPv6 networks. For more information, see Cellular Policies in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay:
  • Allow Universal Control - prohibits the control of multiple Apple devices - including an iMac, MacBook, and iPad - all with the same keyboard and mouse.
  • Allow UI Configuration Profile Installation - prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later, and macOS 13 and later.
  • Allow USB Restricted Mode - if disabled, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization.
  For more information, see macOS settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• macOS silent registration added: Administrators now have the option to have silent registration for macOS devices and thus not require device users to register manually. In System Settings > Device Registration, administrators would select the "Allow silent in-app registration only once (iOS and macOS)" field. Prerequisite: Administrators will need to upload Mobile@Work for macOS under Apps > App Catalog and assign a macOS label.
  In the same location, administrators can also set "Silent in-app registration time limit (minutes) (iOS and macOS)." This option enables a time limit to complete silent in-app registration. If macOS devices fail to register within this time frame, device users will be forced to register manually using their credentials.
  For more information, see Registration Considerations in the Getting Started with Ivanti EPMM and Registering iOS and macOS devices through the web in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• Apps@Work available from Mobile@Work for iOS: Starting from Ivanti EPMM release 11.8.0.0 you can transition to Apps@Work native experience from the Mobile@Work application. The Apps@Work native AppStore is deployed automatically with the Mobile@Work client. Once the administrator enables Mutual Authentication and applies device labels to the (new) App Catalog configuration, the Apps@Work native AppStore is deployed with the Mobile@Work client.
  Note: Devices should be migrated to Mutual Authentication to support native App Catalog.
  Administrators can configure the integrated Apps@Work device user notifications; they can choose to enable, disable or set cadence. The Apps@Work tab is displayed on the Mobile@Work client task bar and device users can view and install their company-approved apps from Apps@Work. Starting with the Ivanti EPMM 11.8.0.0 release, Apps@work Webclip and Integrated Apps@Work are supported.
  **When an update is available to an app, Apps@Work will display a badge/notification. Badging is only for apps that are already installed and have updates. Applicable to in-house and public apps.
  Note: Volume Purchase Program (VPP) apps are not supported.
  For more information, see Apps@Work (iOS) and iOS Apps@Work AppStore Features in the Ivanti EPMM Apps@Work Guide.
• iOS Enrollment Certification chain now visible: When you navigate to MICS (System manager portal) > Security > Certificate Mgmt > iOS Enrollment certificate > View, click on View Certificate in Ivanti EPMM, the entire iOS Enrollment Certification chain is visible, not just the immediate issuing CA certificate. For more information, see Viewing, replacing, and deleting certificates in the user portal in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
• New Encryption Algorithm: The ChaCha20Poly1305 encryption algorithm is supported while configuring the Always On VPN configuration for iOS devices. For more information, see IKEv2 (iOS Only) in the Ivanti EPMM Device Management Guide for iOS and macOS devices. Available in macOS 11.3.0.0 and later.
  The new restrictions are not automatically pushed to the devices when you upgrade. Instead, to force-push the restriction to all devices, open it and save it.

Windows features
There were no new features for Windows in this release.

Ivanti EPMM 11.8.0.0 - Resolved issues

• VSP-68335: In previous releases, Recommendation Cadence did not work correctly because the cadence value was a string, but an integer is required instead. In this release, the cadence value is an integer, and Recommendation Cadence works as expected.
• VSP-68333: In previous releases (when you upgraded to 11.6.0.1 or 11.7.0.0), certificate-based authentication failed for new devices on Android enterprise application configuration, if, prior to upgrade, you had already registered a device and Ivanti EPMM generated a user certificate, or you uploaded you own certificate. In this release, Ivanti EPMM uses a different method of caching certificates, and certificate-based authentication for both new devices and existing devices works as expected.
• VSP-68280: In previous releases, when you searched for devices to apply an action, the Found dialog window erroneously displayed the Force Retire checkbox. This checkbox should only be displayed when performing a Retire action. In this release the checkbox no longer appears in the Found window.
• VSP-68161: In previous releases, the Need Android Setting button was coupled with the Enable Lock Task Mode. That is, when you selected the Enable Lock Task Mode option, the gear icon became visible in both non-shared and shared kiosk policies. In this release, the Need Android Setting button is only shown in the shared kiosk, whether or not the Enable Lock Task Model is selected..
• VSP-68103: In the previous releases, in German, when you upgraded to Ivanti EPMM 11.7.0.0, then pushed the user profile, the view logs for the Device and Software Version Update were not visible. In this release, the view logs display as expected.
• VSP-68095: In the previous releases, the Volume Purchase Program (VPP) apps failed to be installed because the apps were not supported. In this release, the VPP apps are supported and install normally.
• VSP-68046: In previous releases, when you registered an Android device as a managed device and added the $DEVICE_SN$ variable as the lock screen message in the lock-down policy, the device lock screen erroneously displayed the registration UUID. In this release, the screen correctly displays the serial number instead.
• VSP-68018: In previous releases, when you set the allowDeviceSleep restriction for the Apple TV to True, then registered the Apple TV in the DEP or other registered device, the restriction was displayed as not set. In this release, the restriction status displayed as expected.
• VSP-67939: In the Ivanti EPMM 11.7.0.0, a change was made that caused backups to CIFS shares to stop working. In this release, the backups are working as expected.
• VSP-67818: In previous releases, Apple-driven UE registration failed when the email ID was used as the username. In this release, registration no longer fails.
• VSP-67770: In previous releases, you could not send Data Access Point Name (APN) settings through a cellular policy. In this release, sending the settings works correctly.
• VSP-67686: In previous releases, you received an Internal Server Error message if you tried to enter a special character in the Custom Attribute field because this field did not accept special characters. In this release, the Custom Attribute field accepts special characters.
• VSP-67672: In previous releases, when you tried to edit a VPN with a Device Channel type in the configuration view, the channel type was erroneously displayed as a User Channel type. If you tried to change the User Channel type back to a Device Channel type, the system displayed the following error: Nothing has changed. The channel type was correctly displayed in the Configuration Details pane on the configuration page. In this release, the channel type is displayed correctly.
• VSP-67619: In previous releases, you could not save Sentry settings when you tried to disable the previously enabled ActiveSync service with Kerberos authentication. In this release, you can save Sentry settings with ActiveSync service disabled.
• VSP-67600: In previous releases, even though you deleted a VPN configuration from a device, Ivanti EPMM continued to issue new SCEP certificates for the device. In this release, no new SCEP certificates are issued for devices whose VPN configuration has been deleted.
• VSP-67599: In previous releases, iOS device users who did not have Apple User Enrollment privileges could still complete Apple user enrollment for their device. In this release, users without the privileges cannot complete the enrollment.
• VSP-67598: In previous releases, using the Advanced search criteria for the RETIRE_PENDING status in combination with other criteria resulted in an error. In this release, the error no longer occurs.
• VSP-67587: In previous releases, audit log entries were unreliably retrieved by syslog through file monitoring. In this release, the log entries are injected directly into syslog.
• VSP-67421: In previous releases, when you applied multiple Single-App Mode policies to a device, only the policy that arrived first was applied, even if another policy with higher prioritization was applied later. In this release, policy application functions as expected.
• VSP-67393: In previous releases, when you install a custom app from Apple Business manager, the app's latest details and version sometimes failed to update in the App Catalog. In this release, the updates occur as expected.
• VSP-66718: In previous releases, a booting or rebooting of a system that had both FIPS and Common Criteria modes enabled caused a package integrity check to occur. If the check failed, the system performed several reboots and then shut down. Pressing Enter during the reboots allowed a compromised, inherently insecure system to function. In this release, a failed check causes the system to fall into immediate emergency recovery mode. In addition, the root account is disabled, and the system prompts you to enter a root password. Contact Ivanti Support to provide the requested password and to help recover the system.
• VSP-66123: In previous releases, Ivanti EPMM audit logs listed fake installation, which filled audit logs. In this release, Ivanti EPMM audit logs do not list fake installations, but existing audit log entries of fake installations will continue to show up in the listing.
• VSP-63894: In previous releases, when a user device state changed to non-compliant, Ivanti EPMM published the device status change event to its subscribers, and erroneously continued to publish the status at regular intervals. In this release, publishing occurs only once.
• VSP-63785: In previous releases, a race condition prevented App Tunnel from re-populating in Ivanti EPMM when the App Tunnel was deleted. In this release, repopulating occurs as expected.