Software-update: Ivanti Endpoint Manager Mobile 11.12.0.0

Nadat Ivanti eind 2020 MobileIron heeft overgenomen, is MobileIron Core hernoemd naar Ivanti Endpoint Manager Mobile. De software richt zich nog steeds op mdm, het beheren van devices, en mam, het beheren van applicaties op deze devices. Tegenwoordig kun je dit ook onder enterprise mobility management, kortweg emm, plaatsen. Daarnaast kan het worden gecombineerd met andere producten om de functionaliteit uit te breiden, zoals Sentry voor beveiligde dataoverdracht en de Secure Workspace-apps met onder andere Help@Work, waarmee bijvoorbeeld een helpdesk op afstand kan meekijken op het scherm van een iOS- of Android-toestel. Ivanti heeft versie 11.12.0.0 van haar EPMM uitgebracht met de volgende aanpassingen:

OpenIvanti EPMM 11.12.0.0 - New features summary

General features

• Support for new Ivanti Apps@Work: The new Ivanti Apps@Work is now supported with new bug fixes, new branding, and a renewed certificate from Ivanti EPMM 11.10.0.3 and later versions. The administrators must distribute the new app catalog to the users and remove the old MobileIron Apps@Work. The legacy MobileIron Apps@Work will be End of Support in December 2023 and End of Life later in 2024.
• Windows Tunnel and Windows Apps@Work are now available for download.
• GlobalSign Certificate Enrollment Setting: Ivanti EPMM now supports the SID value in the certificate requests sent to GlobalSign only if the GlobalSign profile supports it. For more information, see Configuring a GlobalSign CA in the Ivanti EPMM Device Management Guide.
• SNMP Delete User Command Injection: Now, SNMP username and password will not support these characters while creating passwords: '$', '', ' "', ''', '`' Also, existing passwords that contain these characters must be updated before saving SNMP settings.
• Support for a new LDAP entity for domain components: With this release, Ivanti EPMM has introduced a new LDAP entity for domain components. The domain component option is now combined with LDAP OU option and is available in Ivanti EPMM Device & Users > Users > Category > LDAP OU and DC. Ivanti EPMM allows the administrator to assign roles at a higher level of the directory tree structure based on domain components or by substring matching the DN.
• Mutual TLS authentication is mandatory: From this release, TLS authentication is mandatory for users to upgrade the software from the previous version to the latest version. Users must enable the mutual authentication on the Ivanti Admin Portal under Settings > Security > Certificate Authentication. If the mutual authentication is not enabled, then it will prevent the upgrade. The number of devices that have enabled or disabled mutual authentication will now be shown on the client mutual authentication page. For mutual authentication, previously, EPMM did not allow an EPMM server certificate if it did not contain CRL, irrespective of whether it contained OCSP or not. But, from this release, the EPMM server certificate is accepted if either the CRL DP or OCSP is present in it. The Migrate Mobile@Work Client check box is enabled by default in all the sync policies when enabling mutual authentication.

Android features

• Native Catalog: App Prerequisite: With this release, App prerequisites are supported with the Integrated App Catalog in EPMM. Administrators can configure app prerequisites and the device user will have visibility of application dependencies when installing an app from the Integrated App Catalog. VPP apps cannot be configured as main apps.
• Create a secondary CRL URL: With this release, admin can add secondary CRL URL's for Local CA's and choose the preference of the CRL by using the Prefer Primary CRL URL checkbox.
• Control for notification scheduling: With this release admins can schedule VNS Notifications for MTD Registered devices independently.
• Switching to Play Integrity API from SafetyNet: With this release, Ivanti EPMM switches to PlayIntegrity API from SafetyNet: Upon client upgrade, Ivanti EPMM executes the Play Integrity attestation first. A failover mechanism is integrated to re-initiate certification check to use SafetyNet if the PlayIntegrity check fails. It is applicable to Android 14 devices only, in all modes. All existing fields are renamed from SafetyNet to PlayIntegrity.
• Driver Safety Kiosk: When devices are deployed in the Kiosk (GMS or non-GMS) with driver safety feature turned on and if the speed is greater than 12 miles per hour, all the applications are blocked. Only designated applications are enabled.
• OCSP stapling: With this release, OCSP stapling is enabled for TLS/SSL connections against 443, 8443 and apps@work ports. Ivanti recommends 7443 port for apps@work.
• Zebra Firmware Updates: With this release, when an admin browses for available Zebra OS updates, the firmware list does not contain any inactive firmware updates.
• Non G Suite subscribers: This method allows enterprises that are non G Suite users to be enrolled with Android enterprise without sending any personal information (email addresses to Google). Ivanti EPMM will provision and manage users automatically with Google. You need to authorize Android Enterprise with an admin Google account.
• GlobalSign Certificate Enrollment: With this release EPMM supports the SID value in the certificate requests sent to GlobalSign.
• Zebra Firmware Updates: From Android versions 11 and above, patch upgrades are not supported. Upgrade option is available for zebra firmware policy.
• Kiosk Mode Folder Structure: With this release admins can define folders that help manage and group apps.

iOS and macOS features

• New MacOS restrictions are added: The following restrictions can be added for devices with MacOS 14 or higher. These features can be used once Apple implements the functionality.
  • Allow ARD Remote Management Modification
  • Allow Bluetooth Sharing Modification
  • Allow Cloud Freeform
  • Allow File Sharing Modification
  • Allow Internet Sharing Modification
  • Allow Local User Creation
  • Allow Printer Sharing Modification
  • Allow Remote Apple Events Modification
  • Allow Startup Disk Modification
  • Allow Time Machine Backup
• Enable FileVault during SetupAssist: Ivanti EPMM introduced a new Enable FileVault at SetupAssist checkbox in FileVault 2 policy. The Enable FileVault at SetupAssist helps to encrypt the device before the user logs in. You need to enable Await device configuration during Apple device enrollment in Devices & Users > Apple Device Enrollment > Enrollment Profile page for FileVault to be enabled at SetupAssist.
• Allow the iPhone 17 and later supervised devices widget on Mac 14 devices: Ivanti EPMM introduced a new Allow iPhone widget on a Mac check box in Restrictions Settings. By default, this check box will be enabled, and this new check box allows you to use the iPhone widget onto Mac devices when both are signed in with the same Apple ID.
• Device Model Number available on the Device Details page: The model number of iOS 16.4 and above devices will be shown on the Ivanti EPMM Device Details page in this release. After an iOS device is registered with Ivanti EPMM, Apple permits retrieval of the device model number.
• Account-driven Apple User Enrollment on Mac: With this release, Mac devices can leverage Account-driven User Enrollment. Mac device users can self-enrol in MDM User Enrollment on the Settings page in Ivanti EPMM. This feature uses the device user's managed Apple ID, making their devices managed. Once enrolled, administrators can view information in the Apple User Enrolled Device field on the Device Details page. There is a required action that must be taken by the device users.
• New Cellular Private Network added: Ivanti EPMM added a new Cellular Private Network configuration to support iOS 17 or above devices. EPMM allows you to configure several settings to geofence and to prefer cellular over Wi-Fi for security purposes.
• Support to configure relay: Users can now configure relays to access private company resources without a Tunnel or VPN for iOS 17. For more information, see iOS / tvOS settings.

Ivanti EPMM 11.12.0.0 - Resolved issues

• VSP-69341: Previously, in the System Management portal, the log entries for keystore handling startup process made diagnosis of startup issues confusing.
• VSP-69672: Previously, it was unable to enroll a device with a custom attribute in the Android Open Source Project (AOSP) configuration.
• VSP-69822: Previously, changing Apps@Work port to 8443 caused errors in the Sentry mutual authorization flow.
• VSP-69838: Previously, clicking re-import downloaded a new set of screenshots. However, the old screenshots were not removed at the directory /mi/files/appstore/<catalog_id> in stored files.
• VSP-69916: Previously, freshly installed instances of Ivanti EPMM did not write logs to miserviceswatch.log for MIFS service.
• VSP-69924: Previously, an administrator was unable to save the Exchange profile setting with the user/device attributes for the UserName field.
• VSP-69979: Previously, Developer Info Field was limited to 127 characters and an application could not be added. Now, the field is increased to 255 characters.
• VSP-69980: Previously, on freshly enrolled devices, configuring WiFi failed after updating the security patch.
• VSP-69986: Previously, there was an exception when the default Elastic Search mapping limit exceeded.
• VSP-70014: Previously, after a failover detection occurred on a standby secondary, the failover mechanism would start some services that Ivanti EPMM normally uses.
• VSP-70019: Previously, email client applications caused correlation failure in the ActiveSync flow from Ivanti Standalone Sentry to a device in Ivanti EPMM. For Android devices (excluding email client app configurations), use $SERIAL_NUMBER_SUBSTITUTE$ to get the device serial number. For other platforms, use DEVICE_SN to get the device serial number.
• VSP-70032: Previously, when editing a web clip, disabling the 'full screen' option failed if the option was already enabled.
• VSP-70044: Previously, after Lookout was removed from the device, custom attributes relating to Lookout were left in the device information. As per design, once the device is removed from Lookout MTD, the Custom Attribute ivantiMTDThreatLevel set to value as none remains applied to the device to mark that the device was enrolled with Lookout MTD.
• VSP-70059: Previously, when the iOS and tvOS labels were manually removed for the iOS Enterprise Appstore SCEP certificate, and if these labels were present in the Native App Catalogue setting, they were not reapplied automatically after a Tomcat restart.
• VSP-70082: Previously, the LDAP groups were not displayed in the User Interface details page in Service > LDAP > Select a LDAP > LDAP Groups.
• VSP-70106: Previously, with every tomcat restart of EPMM, one MobileIron Bridge with version was added to the app_catalog table.
• VSP-70108: Previously, the Native App catalog used a different process to determine the update status for applications instead of Apps@Work. This issue is now fixed to use Apps@Work implementation to display the update status.
• VSP-70258: Previously, unlocking an Android device through public API or User Portal when mutual auth was enabled failed as Ivanti EPMM failed to send the unlock PIN to the device. Ivanti EPMM now sends the unlock PIN of 0000.
• VSP-70300: Previously, Ivanti EPMM System Manager did not allow the user to configure username for the email when it exceeded 31 characters. This issue is now fixed to allow username length to 255 characters.
• VSP-70302: Previously, when the logs in the MIFS log area were large enough, MIFS failed to start due to an archival operation on those logs.
• VSP-70371: Previously, compliance violations failed to send out the appropriate notifications even when configured for it.
• VSP-70474: iOS 15.7.9 version is now added in 'When iOS version is less than' setting in the Ivanti EPMM security policy.
• VSP-70500: Previously, there were errors while registering devices from Ivanti EPMM, when MTD configurations were applied to the device added using 'Add single device' option.
• VSP-70565: Previously, the default lockdown policy was in a partially applied state and was not applied completely.
• VSP-70576: Previously, the "msa/v1/cps/rule/deviceGuid" API did not respond to fetch the associated labels with the device UUID .
• VSP-70582: Previously, the new feature to retire duplicate Android devices checked the serial numbers of multiple registered devices incorrectly.
• VSP-70749: CVE-2023-46604 is addressed in this release. Apache ActiveMQ is upgraded to the latest version.