New features and enhancements

This release includes the following new features and enhancements.

  • Certificate pinning to prevent man-in-the-middle attacks: A man-in-the-middle attack would allow an attacker to impersonate a Core server and send commands to the device, resulting in device compromise and confidential data leakage. To prevent this, a new Pinned Server Certificate policy delivers a set of certificates that clients can expect a Core server to present during check-in and similar traffic. This feature applies after first-time registration, providing steady-state assurance that the client is connecting to the correct Core.

    If none of the configured certificates match the certificate active on the Core server, devices strictly honor the pinning policy and fail to connect until a corrected certificate pinning policy is sent.

    This pinning policy supports multiple entries to enable a smooth transition when the Core server's certificate is about to expire. Administrators can include the renewal certificate before it is active on the server and keep the expiring certificate in this policy for seamless transition to the renewed certificate. Ivanti advises administrators to set up Core system certificate expiration alerts to be warned when Core's server certificate is about to expire.

    Any Certificate Pinning policy created in Core 11.2.0.0 will be disabled upon upgrade to Core 11.3.0.0. Core will not push that policy. Instead, if or when the Admin edits the Certificate Pinning policy, Core will push the policy using a new Core property.

    Applicable to Mobile@Work for iOS 12.11.30 devices and supported later versions. Also applicable to Mobile@Work for Android 11.3.0.0 devices and supported later versions. For more information, see Configuring certificate pinning for registered devices.
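    The pin-set behaviour described above, as an added example rather than Ivanti code: the client fails closed unless the presented certificate matches an entry, and an admin-side check flags an expiring certificate whose renewal has not yet been pinned. The certificate bytes, labels and policy shape are constructed placeholders, not Core's actual policy format.

```python
"""Added example: pin-set evaluation with overlap for a Core certificate rotation.

Not Ivanti code. Pins are SHA-256 fingerprints of certificate bytes; the
"DER" values below are constructed placeholders, not real X.509 data.
"""
import hashlib
from datetime import date


def fingerprint(der: bytes) -> str:
    """Fingerprint stored in a pin entry: SHA-256 over the certificate bytes."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for the expiring Core certificate, its renewal, and an
# impostor certificate that a man-in-the-middle would present.
EXPIRING_DER = b"constructed-der:core.example.com:2021"
RENEWAL_DER = b"constructed-der:core.example.com:2022"
ROGUE_DER = b"constructed-der:impostor"

# Policy holding only the current certificate vs. the overlap policy the page
# recommends (renewal pinned before it goes live on the server).
OLD_POLICY = {"core-2021": fingerprint(EXPIRING_DER)}
OVERLAP_POLICY = {**OLD_POLICY, "core-2022": fingerprint(RENEWAL_DER)}


def evaluate_pin_policy(presented_der: bytes, policy: dict) -> tuple:
    """Client-side check at check-in: (allowed, reason). Fails closed on mismatch."""
    if not policy:
        raise ValueError("pin policy must contain at least one certificate")
    presented = fingerprint(presented_der)
    for label, pin in policy.items():
        if presented == pin:
            return True, f"matched pin '{label}'"
    return False, "no pin matched; refusing to connect until the policy is corrected"


def rotation_status(policy: dict, active_label: str, not_after: date,
                    today: date, warn_days: int = 30) -> str:
    """Admin-side check backing the expiry alert the page advises.
    'alert' : expiry within warn_days and no renewal pinned, so cutover locks clients out
    'ready' : expiry within warn_days but the renewal is already pinned
    'ok'    : no action needed yet
    """
    days_left = (not_after - today).days
    renewal_pinned = any(label != active_label for label in policy)
    if days_left <= warn_days and not renewal_pinned:
        return "alert"
    if days_left <= warn_days:
        return "ready"
    return "ok"
```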

  • Mutual authentication required for certificate pinning policy: Administrators who wish to distribute a certificate pinning policy to iOS devices must enable mutual authentication to allow certificate pinning through port 443. When a new certificate pinning policy is saved without mutual authentication enabled, a message displays: "You need mutual authentication enabled to create and distribute certificate pinning policy."

    For more information about certificate pinning, see Configuring certificate pinning for registered devices. For more information about mutual authentication, see Mutual authentication between devices and Core.

  • New field added to Enrollment profile to assist with macOS device setup: For your convenience, Auto Advance Setup was added to the Add Enrollment Profile dialog box. Selecting this check box tells the Setup Assistant to automatically advance through its screens. (Applicable for tvOS and macOS 11.0 and later versions.) For more information, see Creating an Apple Enrollment profile for Apple Business Manager.

  • Apple Business Manager now has Shared iPad capability: If you have an Apple Business Manager account loaded in Core, you can enable Shared iPad devices shared between multiple employees. Employees sign in with a Managed Apple ID, and their mail, files, iCloud Photo Library, app data, etc., display in their partition of the Shared iPad. This is useful for a frontline workforce, for example in a hospital environment, without compromising your organization's security and data.

    Requirements of Shared iPad devices in Apple Business Manager:

    • An Apple Business Manager account.

    • Managed Apple ID - Admins can manually create these accounts or federate to an identity provider like Azure Active Directory.

    • Shared iPad devices must have at least 32 GB of storage and be supervised.

    Only Apple-licensed apps are sent to Shared iPad devices through registration. This is set up in the Send Installation Request on device registration or sign in option in the App Catalog. For more information, see "Using the wizard to import iOS apps from the Apple App Store" and "Apple license users" in the Core Apps@Work Guide.

    • Administrators can set Shared iPad device sessions to be based on user logins or guest/temporary logins.
    • Administrators can see the Shared iPad session information in the Device Details page. For more information, see Advanced searching.
    • Administrators can set Compliance policy rules for Shared iPad devices. See Custom compliance policies.

    For full information about Shared iPad devices, see Shared iPad devices with Apple Business Manager.

  • Device enrollment profile updated to include new Shared iPad devices labels: Two new labels have been added to the Managed App Config dialog box: Allow only Temporary Session and Set Timeout for User Session - Seconds. For more information, see Configuring the Managed App Config setting.

  • Substitution variable support for Shared iPad devices added: Where applicable, user substitution variables are now supported on the user channel for Shared iPad devices. Admins will need to use $Managed_Apple_ID$ in place of, for example, Username and Email. This is applicable to the following:

    • CALDAV - User Name

    • CARDAV - User Name

    • EMAIL - User Email, User Name (incoming) & Server User Name (outgoing)

    • EXCHANGE - ActiveSync User Name & ActiveSync User Email

    • GOOGLE_ACCOUNT - Email Address

    • SINGLESIGNON - User Name

    • SUBCAL (Subscribed Calendars) - User Name

    For more information, see Enabling Shared iPad devices for Apple Business Manager.

  • Supported certificate type values for iOS IKEv2 VPN configurations: iOS VPN configurations using Internet Key Exchange version 2 (IKEv2) must include one of the following certificate types:
    • RSA
    • ECDSA256
    • ECDSA384
    • ECDSA512

    The ED25519 certificate type is not supported.

    For more information, see IKEv2 (iOS Only).

  • Automatic pruning of Core Local CA CRL now available: Revoked certificates can now be automatically pruned from a Core Local CA Certificate Revocation List (CRL). To configure the CRL pruning, from the Core Admin portal, go to Services > Local CA page, select a certificate, and choose Edit from the Actions menu. Below the CA Certificate text, there are three new fields:

    • CRL Pruning check box (off by default).
    • Number of days of revoked certificates to include in CRL (default is 365).
    • CRL Lifetime (hours) (default is 168 hours, or 7 days).

    For information about CRL pruning of Local CA certificates, see Pruning revoked CRL certificates.
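    How the three settings above combine, as an added example that is not Ivanti code: revoked entries older than the configured window are dropped when pruning is on, and the CRL lifetime sets nextUpdate relative to thisUpdate. The revocation records are constructed, the CRL is modelled as a dict rather than a real ASN.1 structure, and the window-sizing check is the editor's own reasoning, not a setting on the page.

```python
"""Added example: applying the Local CA CRL pruning settings described above.

Not Ivanti code. Revocation records are constructed; the CRL is a plain dict.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)  # constructed "current time"

# Constructed revocation records: serial -> revocation time.
REVOKED = {
    "0x1001": NOW - timedelta(days=400),   # older than the 365-day window
    "0x1002": NOW - timedelta(days=364),   # just inside the window
    "0x1003": NOW - timedelta(days=2),
}


def build_crl(revoked: dict, now: datetime, prune: bool = False,
              keep_days: int = 365, lifetime_hours: int = 168) -> dict:
    """Build a CRL snapshot from the three Local CA page settings: the pruning
    toggle (off by default), the revocation-age window (default 365 days) and
    the CRL lifetime (default 168 hours), which places nextUpdate."""
    cutoff = now - timedelta(days=keep_days)
    entries = {s: t for s, t in revoked.items() if not prune or t >= cutoff}
    return {
        "thisUpdate": now,
        "nextUpdate": now + timedelta(hours=lifetime_hours),
        "entries": entries,
        "pruned": len(revoked) - len(entries),
    }


def pruning_window_is_safe(keep_days: int, max_cert_validity_days: int) -> bool:
    """Editor's caveat, not from the page: an entry can be dropped without risk
    only once the certificate it names has expired (RFC 5280 permits omitting
    expired certificates). A certificate revoked more than keep_days ago has
    expired if its validity period was at most keep_days, so the window should
    be at least the longest validity period this CA issues."""
    return keep_days >= max_cert_validity_days
```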

  • Content changes for rebranding and distribution: Product documentation has been rebranded to align with Ivanti standards and is now available on the Ivanti Product Documentation page.