New features summary

General features

• Ivanti Mobile Threat Defense (MTD) Vendor Support: Ivanti MTD now supports Lookout as a new vendor. The new vendor is listed in the MTD activation configuration page for new installations and upgrades. For more information, see Ivanti Mobile Threat Defense Solution Guide for EPMM.

• A heads-up on mandatory mutual authentication in the 11.12.0.0 release: Before you can upgrade from 11.11.0.0 release to 11.12.0.0 release, your EPMM systems must have client mutual authentication enabled between Mobile@Work and EPMM. For more information, see Upgrade Ivanti EPMM using System Manager.

• Introduced Stale LDAP Users: In this release, a new “Stale LDAP users” is introduced in the “To” dropdown on the Ivanti Admin Portal under Device & Users > Users. In previous versions, administrators wouldn’t be able to track inactive or disabled LDAP users. On the Users page, we introduced a new status column, “Stale LDAP Users” which shows “No” for active LDAP users and “Yes” for deleted or disabled LDAP users. For local users, it shows as “N/A”. This feature only works with Microsoft Active Directory, and users from other LDAP systems show N/A. For more information, see Managing LDAP users.

• Introduced Connect Timeout field: In this release, the Connect Timeout field is introduced on LDAP Setting, if there is an unreachable server, it searches for the user on the second LDAP server, and the connection times out at the specified interval. For more information, see Configuring LDAP servers.

• New edit option for Safari Domains on Windows integrated touch devices: You can now edit Safari Domains information, such as domain name and description, in the Edit VPN Setting window from the Windows UI touch screen. For more information, see Configuring new VPN settings.

• Introduced EULA : From this release onwards, users get to see the End User Licence Agreement (EULA) pop up message while upgrading the software from previous versions to the latest versions on Ivanti System Manager. The user needs to select “Yes” to agree to the end-user licence agreement to proceed further. For more information, see Upgrade Ivanti EPMM using System Manager. For more information, see Upgrade Ivanti EPMM using System Manager.

• New user SID certificate extension: Based on this article KB5014754, Certificate-based authentication changes on Windows domain controllers (microsoft.com), specifically for the Enterprise Certificate Authorities. In this release, Ivanti provides the ability to generate certificates with a non-critical extension and a SAN URI with a SID value. Administrators can generate certificates for end-users, which are used for certificate-based authentication with Kerberos Distribution Center (KDC) expected to have an SID in the certificate. First, we need to pull that SID value into EPMM.

• Synchronized AD LDAP user SID and make it available as an attribute: A new field User Security Identifier is added in the LDAP settings to read objectSid value from the LDAP user. LDAP settings should have User SID populated only when Active Directory is selected; field name = 'User Security Identifier', value = 'objectSid'. For more information, see Configuring LDAP servers. Use this SID value in the certificate enrollments, so that in the certificate enrollment request, the user can ask the Certificate Authorities to provide a certificate with this SID value. Ivanti EPMM has several certificate enrollments options.

• Local Certificate Enrollment Setting: In this release, a new Microsoft User Security Identifier check box is added to the Local Certificate Enrollment Setting. Once the user enables this Microsoft User Security Identifier check box, Ivanti EPMM will generate the new certificates with that identifier. A non-critical extension will be added with OID 1.3.6.1.4.1.311.25.2 and the value of substitution variable $USER_SID$. For more information, see Configuring Ivanti EPMM as an independent root CA.

• SCEP Certificate Enrollment Setting: In this release, a new Microsoft User Security Identifier check box is added to the New SCEP Certificate Enrollment Setting for centralized and decentralized. Once the user enables the Microsoft User Security Identifier check box, it will generate the new certificates on behalf of devices with LDAP identifier. By default, the Centralized check box will be enabled. For Decentralized you must enable the Decentralized check box along with the Microsoft User Security Identifier check box, and in the Subject Alternative Names, select the Type as Uniform Resource Identifier and Value as tag:microsoft.com,2022-09-14:sid:$USER_SID$, it will generate a certificate with SAN as expected for an Apple device. For more information, see Configuring SCEP.

• OpenTrust Certificate Enrollment Setting: EPMM now supports the SID value in the certificate requests sent to OpenTrust, provided the OpenTrust profile supports it. For more information, see Configuring OpenTrust CA.

• DigiCert Web Services Managed PKI Certificate Enrollment Setting: EPMM now supports the SID value in the certificate requests sent to DigiCert, provided the DigiCert profile supports it. For more information, see Configuring Symantec Web Services Managed PKI.

• Software Updates: When an OS update is performed, then the fields captured by the device from the OS update response should be shown in the device details.

Android features

• Manage duplicate Android devices: Ivanti EPMM matches devices by device type and uses various device information to determine whether a device is a duplicate or not. For more information, see Managing Duplicate Devices.

• Enhanced Multiple Slicing Support: Android 13 has introduced new enhanced multiple slicing support. Preferential Network Service on Android 13 allows admins to define five network slices on a 5G network and map different UIDs (apps) to each slice. A new Android APN configuration is required for admins to enable these five slices. For more information, see Android Enhanced Multiple-Slicing Support .

• APN Types: The following new APN types have been added. For more information, see Using custom APN with Android devices.
  
  

  • ApnSetting.TYPE_XCAP
    
    Supporting OS-Android R11

  • ApnSetting.TYPE_BIP
    
    Supporting OS-Android S12

  • ApnSetting.TYPE_VSIM
    
    Supporting OS-Android S12

  • ApnSetting.TYPE_ENTERPRISE
    
    Supporting OS-Android T13

iOS and macOS features

• Increased maximum length of the VPP token field: Now, the VPP token field accepts tokens of lengths up to 1024 characters. For more information, see Connecting Ivanti EPMM to Apple Business Manager.

• Associated Domains: Associated domains establish a secure connection between domains and your app. This enables you to share credentials or provide features in your app from your website. For more information, see Supporting Associated Domains.

• Apple ID field: The admin portal now contains a field where you can manually enter the Apple ID that was used to create or renew the MDM certificate. For more information, see Registration methods.

• Updates tab: This captures the update details of the MacOS software. For more information, see Configuring iOS and macOS software updates.

• A new Accessibility Setting added on iOS: In this release, a new Accessibility Settings Policy is added, which will provide the administrator with the ability to configure the accessibility controls remotely for supervised iOS devices. For more information, see Managing policies.

• Configure Accessibility controls on macOS: In this release, a new Mac configuration is added to control the Mac device accessibility settings. For more information, see macOS settings.

• RSS restriction works for supervised device: On the Restrictions Setting, the Rapid Security Response fields only work for iOS 16.0 and later supervised devices. For more information, see iOS and tvOS restrictions settings.

Windows features

There are no new Windows features for this release.

General features

• New edit option for Safari Domains on Windows integrated touch devices: You can now edit Safari Domains information, such as domain name and description, in the Edit VPN Setting window from the Windows UI touch screen. For more information, see "Managing VPN Settings" in the Ivanti EPMM Device Management Guide for your OS.

Android features

There are no new Android features for this release.

iOS and macOS features

• Increased maximum length of the Service Token field: The Service Token field now accepts tokens of lengths up to 1024 characters. For more information, see: Linking Ivanti EPMM to an Apple licensed account in theIvanti EPMM Apps@Work Guide, and Importing licensed apps from an Apple licensed account in the Ivanti EPMM Apps@Work Guide.

Windows features

There are no new Windows features for this release.

General features

• Commands now visible in CLISH: Support for enabling IPV6 is added to this release. The IPV6 command-line (CLI) commands are now visible in the Command Line Interface SHell (CLISH). For more information, see IPV6 commands in the Command Line Interface (CLI) Reference.

  Note: If you enable this feature in Ivanti EPMM, Mobile@Work and other productivity apps may experience a series of issues due to the fact that the Client applications do not currently support IPV6.

• New ACME client certificates: If attestation is enabled, your device can now request a client certificate from an Automated Certificate Management Environment (ACME) server. For more information, see Configuring ACME certificates in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Additional support for independent, customized messages for each Compliance Action tier: In the "Alert" aspect of Server compliance actions resulting from compliance conditions, the number of characters allowed for messages has been expanded from 800 characters to 65,530.

  For more information, see the Server compliance conditions and actions table in "Managing device compliance checks" in the Ivanti EPMM Device Management Guide for your OS system. Android iOS Windows

• Automated Device Cleanup: In the Settings > System Settings section of Ivanti EPMM, the Users & Devices > Retire and Delete Retired Devices section has been renamed Automated Device Cleanup. Use this page for retiring and cleaning up unused devices. Additional states have been added for the administrator to select for automated device cleanup. The full list is now: Retired, Retire Pending, Wiped, and Wiped Pending.

  After saving the settings, to view the logs for the automated device cleanup, use the Filters section on the left side of the Audit Logs page to narrow the search.

  For more information, see "Automated Device Cleanup"Automated Device Cleanup in the Ivanti EPMM Device Management Guide of your OS. AndroidiOS Windows

• Kerberos support: Ivanti EPMM now supports Kerberos authentication to communicate between Ivanti EPMM and the SCEP server.

  For more information, see "Enabling Kerberos Support" in the Ivanti EPMM Device Management Guide of your OS. Android iOS Windows

• New pagination and display options for LDAP users, groups, and organizational units (OUs): You can now control the number entries displayed per page when you access the list of LDAP entities in the Ivanti EPMM file system (MIFS). The list is displayed by page, with navigational controls to move from page to page. The default number of entries to display in each page is 50.

For more information, see Accessing the user management page in the Getting Started with Ivanti EPMM.

• Upgraded Splunk support: The 11.10.0.0 release supports Splunk Universal Forwarder 9.x+.

• Web Content Filter requirements: Ivanti EPMM now conforms to the Apple iOS/tvOS/iPadOS 16.0 WebContentFilter requirements.

• Changes in modification history log for configuration and policy attributes: Changes in the modification history log for configurations and policies attributes were already displayed in the Configuration Details page, which shows before and after content. In this release, the changes are now highlighted and in blue text for easy reference. For more information, see "Audit log information" in the Ivanti EPMM Device Management Guide for your system. Android iOS Windows

• Generic device images used: In Devices & Users>Devices tab, generic images for device platforms display instead of device model specific images.

• New macOS software update policy fields added: New fields in the macOS software upgrade policy have been added:

  • Scheduling Priority - Sets the priority for installing an operating system update. When set to Low (default), the device end user will have the option to defer the update. When set to High, the update will be pushed to the device and deferrals by the device user will not be allowed.

  • Install Action - Administrators can select an action from the following: Default, DownloadOnly, InstallASAP, NotifyOnly, InstallLater, InstallForceRestart.

  • Max User Deferrals - Designates the maximum number of times the system allows the user to postpone an update before installing it. This field displays when Install Action > InstallLater is selected.

    Scheduling Priority and Max User Deferrals are only available for Minor OS Updates.

    For more information, see Configuring iOS and macOS software updates in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Android features

• Relinquish Ownership has been deprecated, use Retire instead: When administrators use the Relinquish Ownership option, a warning displays stating that the action has been deprecated. If you need to remove organizational information and apps from devices, use Actions > Retire in the Devices & Users page. Personal data is not lost and the end user can then use the device as a personal device, with full access to all device controls and settings. After upgrade, for Work Profile for Company Owned Device mode in Android 11+ devices:

  • In Relinquish Pending state - the work profile gets relinquished.

  • Selecting Devices & Users > Actions > Android Only > Relinquish Ownership will display a warning message suggesting that administrators should now use the Retire Selecting Devices & Users>Actions>Android Only>Relinquish Ownership will display a warning message suggesting that administrators should now use the Retire option instead of the Relinquish Ownership option.

  • Selecting the Devices & Users > Actions > Retire action will remove work profiles (organizational data and apps.) (Previously, in Ivanti EPMM 11.9.0.0 and before, the Retire action would factory reset the device.)

    For Work Managed Device mode, Work Managed Device - Non GMS mode, and Managed Device with Work Profile modes on Android 8-10 devices: the Retire action is only available from the local compliance action in Ivanti EPMM security policy. Administrators will need to use the Wipe action instead.

    For more information, see Relinquishing ownership of a deviceRetiring a deviceand Wipe in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Warning displays when using Retire action: When the administrator uses the Retire command on devices, a warning displays notifying that one or more devices in this list are corporate owned Android devices in Fully Managed mode (Device Owner) or Managed Device with Work Profile (Android 8-10 devices, COPE.) The Retire command is not supported on these devices. Wipe command is supported in these modes. (Previously, in Ivanti EPMM 11.9.0.0 and before, the warning message was different and was applicable to Work Managed Device and Work Profile for Company Owned Device modes.)

  • If the administrator selects Retire after acknowledging this warning, and if any of the selected devices are in Work Managed Device mode, Managed Device with Work Profile mode, then Retire will not work on those devices. A message will display stating "Mobile Platform not Supported."

  • For more information, see Retiring a device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Unlock PIN extended: Administrators can set the Unlock PIN to be between 6-8 digits and optionally, alphanumeric. Ivanti recommends using six numbers only, as the alphanumeric method can cause problems with different keyboards in different languages. For more information, see Unlock and Setting the unlock PIN for a specific device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Registration authentication to support username and PIN on Android devices: Administrators can set it so client device users can register their devices with their username and PIN. The device user is allowed a configured number of login attempts (default is 5) before Ivanti EPMM blocks the device. When this occurs, an error message Authentication Failed: Invalid Credentials displays. For more information, see Registration methods in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Screen management options: The administrator can now configure the screen brightness, orientation, and timeout options on devices. Applicable to:

  • Work Managed Device mode

  • Managed Device with Work Profile mode

  • Work Managed Device Non-GMS mode (AOSP)

    For more information, see "Lockdown policy fields for Android Enterprise devices in Work Profile mode" and "Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode"Lockdown policy fields for Android Enterprise devices in Work Profile modeand Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode in the Getting Started with Ivanti EPMM.

• Administrators set the minimum Wi-Fi Security Level: Applicable to Android 13+ devices in:

  • Work Managed Device mode
  • Work Profile on Company Owned Device mode
  • Work Managed Device Non-GMS mode (AOSP)

    For more information, see "Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode, and Work Profile on Company Owned Device mode" and "Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode"Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode and Work Profile on Company Owned Device mode and Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode in the Getting Started with Ivanti EPMM.

• Allow device users to share the admin-configured Wi-Fi: Default setting is to allow it. Applicable to Android 13+ devices in:

  • Work Profile mode

  • Work Managed Device mode

  • Managed Device with Work Profile mode

  • Work Profile on Company Owned Device mode

  • Work Managed Device Non-GMS mode (AOSP)

    For more information, see Lockdown policy fields for all Android Enterprise devices in the Getting Started with Ivanti EPMM.

iOS and macOS features

• Support for scheduled OS updates: This release supports the Apple scheduled OS updates for the Rapid Security Response OS versions. Administrators can use the iOS or macOS policies software updates to update devices to the latest Rapid Security Response updates. Use the Update to the latest version option. The Update to a specific version option is not supported in iOS for Rapid security response update formats from either the iOS Software update policy or the Device actions menu. For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Install Application during DEP Await configuration for VPP apps using Device based licenses: An administrator can set device-based VPP applications to install during the DEP enrollment process and (supervised) device enrollment. Using VPP apps using device-based licenses, the applications can be installed and available for the device user by the time the device finishes set up.

  Administrators can set a specific time limit, with a maximum of 10 minutes. Within the time limit, whatever apps have been applied to a particular device, those apps are to be installed during that time period. This is helpful in case there are a lot of apps that require more time. The remaining apps will be automatically installed after the device is registered.

  • Applicable to supervised iOS devices - Install in-house apps are also supported during DEP await configuration along with VPP apps.

  • Applicable to supervised macOS devices - In-house apps are not supported.

  For more information, see Link to Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Per-app VPN by Label Only checked by default: The Per-app VPN by Label Only field is enabled (selected) by default for iOS and Android public, private and in-house apps. Upon upgrade of an app, if there are no per-app VPNs configured (list of VPNs is empty), the Per-app VPN by Label Only field will be selected by default. For more information, see the following topics in the Ivanti EPMM Apps@Work Guide:

  • Adding Google Play apps for Android

  • Adding secure apps for Android

  • Adding in-house apps for Android

  • Populating the iOS and macOS App Catalogs

• New Rapid Security Response fields: The following two iOS and macOS Rapid Security Response fields were added in the Device details, Device listings, and Advanced search properties.

  • SupplementalBuildVersion - Build version associated with the currently installed rapid security response. If there is no installed rapid security response, this value is identical to the value reported through BuildVersion. Requires DeviceInformation permission.

  • SupplementalOSVersionExtra - OS update rapid security response version letter if a rapid security response update is installed. Requires DeviceInformation permission.

  To activate these fields, select the Security Responses & System Files option for Software Update in Settings > General. The fields are displayed in the Device Details tab.

  This feature only supports iOS 16 and higher, and macOS 13 and higher. For more information, see Advanced Searching in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• DNS Proxy Configuration: Administrators can configure DNS Proxy settings using the DNS Proxy Configuration for users of iPhone and iPad devices with iOS 15.0 and later. You can use a single or multiple DNS Proxy payload to specify the application that provides the DNS proxy network extension and other vendor-specific values. Applicable to supervised only in-house apps and App Store apps.

  For more information, see Creating DNS Proxy Configurations in the Ivanti EPMM Device Management Guide for iOS and macOS devices and Setting DNS proxy for iOS and macOS apps in the Ivanti EPMM Apps@Work Guide.

• Local notification prompts appear when the application is terminated: If the device user terminates the Mobile@Work application, administrator can set the application to do one of the following:
  • To display the default notification - Ensure that device users stay connected with the App to keep their device secured by setting the following values in the Managed App configuration in Ivanti EPMM.

    • Key - enableAppTerminationNotification

    • Value - 0 or 1

    • Type - Boolean

  • To display a custom notification - Add the following Key to the Managed App configuration:

    • Key - appTerminationNotificationMessage (The key is ignored if enableAppTerminationNotification is absent or has a value of 0.)

    • Value - Custom notification

    • Type - String

      For more information, see Configuring the plist setting to take precedence over the iOS managed app configuration setting in the Ivanti EPMM Apps@Work Guide.

Windows features

There were no new Windows features added in this release.

General features

Android features

There are no new Android features for this release.

iOS and macOS features

• New Rapid Security Response fields: The following two iOS and iPadOS fields for the Rapid Security Response were added in the Device details, Device listings, and Advanced search properties:

  • SupplementalBuildVersion - Build version associated with the currently installed rapid security response. If there’s no installed rapid security response, this value is identical to the value reported through BuildVersion. Requires Device Information permission.

  • SupplementalOSVersionExtra - OS update rapid security response version letter if a rapid security response update is installed. Requires Device Information permission. To activate these fields, select the Security Responses & System Files option for Software Update in Settings > General. The fields are displayed in the Device Details tab.

    This feature only supports iOS 16 and higher, and macOS 13 and higher. For more information, see "Advanced Searching" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

There are no new Windows features for this release.

General features

• Pagination request limit increased: Pagination requests limit on the Device and Audit log page increased from 10,000 records to 200,000 records.

Android features

There are no new Android features for this release.

iOS and macOS features

There are no new iOS or macOS features for this release.

Windows features

There are no new Windows features for this release.

General features

• Rebranding for this release: All product or brand name strings, text, and messages in the following portals have been rebranded to use rebranded words instead of MobileIron or Core: Admin Portal, System Manager Portal, Connector Base Portal, Reporting Database Portal, Self Service Portal, Base Portal.

• New tab "Integrated App Catalog" added to App Catalog for custom branding: A new tab, Integrated App Catalog, has been added to Apps@Work Settings for ease of custom branding. Within this tab, the administrator can enter the custom name (20 characters max.) to display in the App Catalog tab within Mobile@Work. The App Name will display at the top of the screen, above the All Apps tab, and in the small tab at the bottom of the Mobile@Work screen. Applicable to iOS only.

  For more information, see Apps@Work branding in the Ivanti EPMM Apps@Work Guide.

• Extended expiration renewal window for mutual authentication certificates: The window to renew mutual authentication certificates has increased from 60 to 270 days. For more information, see the Ivanti EPMM Device Management Guide for your OS:

  • Handling client identity certificate expiration for Android devices

  • Handling client identity certificate expiration for iOS devices

• Managed App Configuration for apps: Previously, in Ivanti EPMM 11.8.0.0 and lower, when the administrator saved the configuration, Ivanti EPMM added the All-Smartphones label by default. In Ivanti EPMM 11.9.0.0 and later, administrators can change the label. The last/lowest priority configuration must have a label, thus making it the default configuration. This means that the All-Smartphones label is not required on all configurations.

  For more information, see App Configuration Choices for iOS public apps in the Ivanti EPMM Apps@Work Guide.

• Increase in LDAP Custom Attributes support: Ivanti EPMM now supports a maximum of 20 LDAP Custom Attributes as substitution variables. Further Custom Attributes can only be used to define Labels. To create these custom attributes, go to Ivanti EPMM> Go to Services > LDAP > Modify LDAP form. For more information, see "Adding custom attributes to users and/or devices" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.

• Upgraded Elasticsearch service version: Ivanti EPMM upgraded support for ElasticSearch from v1.7.2 to v7.17.x.

• Web Application support for Integrated App Catalog: Web Applications are now supported for Integrated App Catalog and they are now visible in the Apps@Work section in Mobile@Work.

  For more information, see Working with web applications for iOS and macOS in the Ivanti EPMM Apps@Work Guide.

• VPP support for Integrated App Catalog: Along with Web Applications, VPP apps are now supported for Integrated App Catalog and they are now visible in the Apps@Work section in Mobile@Work.

• Logs now exported to splunk and syslogs: The /var/log/httpd, servicestatus logs, and /var/log/elasticsearch/elasticsearch.log are now exported to the splunk and syslog settings. For more information, see Working with Logs in the Ivanti EPMM System Manager Guide.

• Administrators who modify CE settings now identified as also causing corresponding configuration changes: When administrators modify a certificate enrollment (CE) setting, they cause changes to configurations that use that CE setting. The modification history field now identifies the administrator who made the CE setting change as the administrator who caused the configuration changes. For more information, see "Certificate Enrollment settings" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.
• Event Center templates changes: The $SERVER_IDENT variable was removed from the $DEFAULT_POLICY_VIOLATION_MESSAGE variable and is now part of the Event Center template. Add the $SERVER_IDENT variable to the template to display server identity in an alert message. The $SERVER_IDENT variable is also a substitution variable in compliance actions. Use of this variable depends on whether the compliance action was updated from version 1 to version 2. For V1 actions, include this variable in the Event Center template or as part of the alert message text in the compliance action. For V2 actions, include this variable only as part of the alert message text in a compliance action. For more information, see "Customizing Event Center messages" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.
• New restricted Manage Devices role created for remove and push profile actions: The Manage Devices role includes the following permissions: Push profiles, Remove profiles, and Update Intune Compliance Status. As an administrator, you can remove the Manage Devices role from a user and, instead, give the user the Manage Devices Restricted role, which omits these three roles. In addition to this restricted role, you can grant the three separated roles in any combination.

  For more information, see User management overview in the Getting Started with Ivanti EPMM.

Android features

• Set managed app config settings that are required to be sent to the device: In many cases, the default values of Android Enterprise managed app configurations may or may not be made available; Ivanti EPMM will still send these default settings to the device, thus causing unwanted settings on the device. Administrators can now choose the behavior for constructing managed app configurations. By default, Ivanti EPMM only pushes settings with valid values defined to device/app. Now a new option allows administrators to push all settings, irrespective of the value. This allows for apps with different behaviors to be compatible with Ivanti EPMM. It is recommended to only change this setting if defaults are causing issues with app performance. This applies to Ivanti EPMM upgrades and new installations. Applicable to Android Enterprise and Android Open Source Project (AOSP) mode in-house and public apps.

  For more information, see App configuration for Android Enterprise apps in the Ivanti EPMM Apps@Work Guide.

• Support to provide certain apps to have more permissions: The administrator can provide other apps some Delegated Permissions. These new permissions are:

  • Manage app configurations
  • Manage blocking app uninstallation
  • Manage enabling system apps
  • Manage certificate selection
  • Manage retention of uninstalled apps
  • Manage network log collection
  • Manage security log collection
  • Manage installation of existing apps

Applicable to public, private and in-house apps. For more information, see Adding in-house apps in the Ivanti EPMM Apps@Work Guide.

• Download Android Bulk Enrollment CSV: In the Device Details page, administrators can now download the CSV by selecting the Export to CSV button to the right of the Add button. For more information, see Android Bulk Enrollment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Android Bulk Enrollment- delete profile and devices: Once the administrator has uploaded the device CSV via Android Bulk Enrollment and a profile and its associated devices have been created, the administrator can delete the profile and its devices. Active and Retire Pending devices cannot be removed, but inactive devices can be deleted. Note that delete action is only supported from global space. For more information, see Deleting a profile and associated device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• New fields added - Allow Nearby Notification Streaming and Restrict input methods to system inputs:

  • Allow Nearby Notifications Streaming: In the Lockdown policy for managed device and managed profile section, the administrator can set Allow Nearby Notifications Streaming to the following values: Not Controlled by Policy (default), Enabled, Disabled, and Enabled for Same Account. Applicable to Work Profile mode, Work Managed Device mode, and Work Profile on Company Owned Device mode. Notifications streaming is sending notification data from pre-installed apps to nearby devices.
  • Restrict input methods to system inputs allows the device user on their device / personal profile to use the system input. When the administrator enables this option, the device user cannot use any other external keyboards. Applicable to Work Profile on Company Owned mode.

For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode, Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode, and Lockdown policy fields for Android Enterprise devices in Work Profile on Company Owned Device mode in the Getting Started with Ivanti EPMM guide.

• MAC Address Randomization: On Android 13 devices or supported newer versions, upon installation or upgrade, the administrator can enable or disable the MAC Address Randomization for the Wi-Fi configuration. If the MAC Address Randomization is not selected, the randomization type is not pushed; the Wi-Fi and Inventory MAC Address are the same for a device. Applicable to Wi-Fi configurations for all authentication types in:
  • Work Managed Device (DO) mode
  • Work Profile (PO) mode
  • Work Profile on Company Owned Device (EPO) mode

  • Android Open Source Project (AOSP) mode

  For more information, see Wi-Fi settings in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Samsung Knox APIs Deprecated: Because the Samsung Kiosk mode is deprecated in Android 8.1 and above, you must implement Android kiosk mode instead.

  For more information, see Deprecated features. See also the Samsung Deprecation of APIs in Knox article and Samsung Knox Developer Documentation > Deprecated API methods.

iOS and macOS features

• New fields are introduced in the Web Clip configuration: The following new fields have been added to the Web Clip configuration:
  • Ignore Manifest Scope (iOS)

  • Target Application Bundle Identifier (iOS and macOS)

• Administrators can copy existing managed app configuration settings: In the Ivanti EPMM App Catalog, Administrators can go into an edited app and copy managed app configurations to experiment with new settings that app developers may have released. This helps prevent Administrators having to manually go through the entire managed app configuration schema just to create a duplicate configuration.

  For more information, see iOS managed app configuration in the Ivanti EPMM Apps@Work Guide.

• New iOS restrictions are added: The following restrictions can be added for devices with iOS 16:
  • Allow Rapid Security Response Installation
  • Allow Rapid Security Response Removal

  This feature can be used once Apple implements the functionality. For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Azure AD compliance with Ivanti EPMM: Ivanti EPMM integration as compliance partner with Azure Active Directory in Common Criteria mode is supported. For more information, see Adding Ivanti EPMM as a compliance partner in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

General features

Android features

There are no new Android features for this release.

iOS and macOS features

• New Rapid Security Response fields: The following two iOS and iPadOS fields for the Rapid Security Response were added in the Device details, Device listings, and Advanced search properties:

  • SupplementalBuildVersion - Build version associated with the currently installed rapid security response. If there’s no installed rapid security response, this value is identical to the value reported through BuildVersion. Requires Device Information permission.

  • SupplementalOSVersionExtra - OS update rapid security response version letter if a rapid security response update is installed. Requires Device Information permission. To activate these fields, select the Security Responses & System Files option for Software Update in Settings > General. The fields are displayed in the Device Details tab.

    This feature only supports iOS 16 and higher, and macOS 13 and higher. For more information, see "Advanced Searching" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

There are no new Windows features for this release.

General features

• Ivanti Support Maintenance for App Gateway (appgw.mobileiron.com): Ivanti will be performing a scheduled network infrastructure maintenance on December 16, 2022, and your action is required if your organization uses explicit firewall rules.

  The following App Gateway (appgw.mobileiron.com) services will be unavailable during the maintenance window:

  • Firebase Cloud Messaging for Android device messaging

  • Mobile carrier lookup

  • Gateway location database update

  • SMS delivery

  • Device image look-up

  • Apple Push Notification service (APNs)

  • In-app device registration (auto-discover)

  • Apple MDM certificate renewal

  • Reg-service for Ivanti EPMM hostname lookup based on phone number (Android only)

  • Creation of Android for Work enrollment through the Ivanti Support site

Action: If you use explicit firewall rules, you must append your rules with the following new IP addresses by December 16, 2022:

• 34.227.203.115

• 34.231.78.119

• 35.168.168.163

• 18.207.62.107

• 18.209.150.213

• 23.21.143.22

Allow traffic to both the current and new IP addresses prior to December 16, 2022. You will receive a customer communication email with more information about the maintenance window when it is confirmed.

For more information, see External and Internet Rules in the Ivanti EPMM On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector and Urgent Ivanti Endpoint Manager Mobile (MobileIron Core) Gateway Update.

• Rebranding changes: As part of the MobileIron to Ivanti rebranding in this release, page titles, logos, product names, images, and guide names have been changed. In addition, the following Core (now Ivanti EPMM) component names and user interfaces have been rebranded:

  • Core Admin Portal = EPMM Admin Portal

  • Core System Manager Portal = EPMM System Manager

  • Self Service Portal = Ivanti Self Service Portal

  • Connector Base = EPMM Connector

  • Reporting DB System Manager = Ivanti System Manager

• New consolidated EULA: A consolidated product End User License Agreement (EULA) replaced the previous version. The EULA is displayed during initial installation.

• Migrating Intune Azure graph to Microsoft Graph Due to the upcoming retirement of Azure Graph APIs in December 2022, Ivanti has enabled Ivanti EPMM releases to work with Microsoft Graph APIs. See the Microsoft information here.

• Query cellular device information: Starting with iOS 16.0, the device's phone number will be retrieved from the list of SIMs in the ServiceSubscriptions query.

• New Action menu item to synchronize device compliance status with Azure: Administrators can synchronize the compliance status only for authorized devices from Ivanti EPMM to Azure. When synchronizing for non-authenticated/non-related Azure devices, an error message displays listing device names. When the administrator performs a manual synchronization, a detailed Audit Log is generated for the devices. Applicable to all types of Azure tenants, for example: Standard, GCC_High, and DOD.

  For more information, see "Syncing the Device Compliance status of devices" in the Ivanti EPMM Device Management Guide of your OS system: Android, iOS.

• Export to CSV Installed Apps (App Inventory) Search Results: Administrators have the ability to export the results of an advanced search of the App Inventory page to a CSV file. The CSV would include all the fields in Summary View and Detail View. Applicable to all apps in the App inventory page.

  For more information, see Managing app inventory > "Exporting search results to a CSV" section in the Ivanti EPMM Apps@Work Guide.

• Samsung Firmware E-FOTA decommissioned: As of August 2022, Samsung discontinued the Samsung E-FOTA service. As a result, upon upgrade to (Undefined variable: CoreConnectorReleaseNotes.MI Core) 11.8.0.0, the following occurs:

  • In Policies > Add New > Android Firmware Policy dialog box, the "Enable Samsung Firmware Policy" field is disabled.

  • Upon upgrade, in the existing policy and new policy (in the case where the license has not yet been deactivated), the "Enable Samsung Firmware" field will still be visible; however, it will be Read-Only. The administrator will need to delete the existing policies and deactivate the license before creating the new policy.

  • The Services > Samsung > Samsung Firmware E-FOTA License Management page is disabled; the administrator cannot activate or deactivate an E-FOTA license. If you have an existing E-FOTA license already set up, the Deactivate button is enabled and the administrator will need to manually deactivate the Samsung Firmware E-FOTA License.

    For more information, see Activating the Samsung firmware E-FOTA license in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. See also End of Life (EOL) and alternatives: Samsung Knox EOL article.

• New warning for registration PIN passcode settings: If you try to extend the registration PIN passcode settings beyond the default value, the following warning is displayed: Increasing the validity period for the PIN may pose a security risk and it is not recommended best practice. For more information, see Setting passcode and registration code defaults in the Getting Started with Ivanti EPMM guide.

• Support for pushing OS software to multiple devices: The administrator now has the option to select multiple devices and push OS software updates from the (Undefined variable: CoreConnectorReleaseNotes.MI Core)Admin Portal's Devices page to multiple devices. All the eligible iOS devices from the selected devices can be updated to the latest version or to a version specified by the administrator.

  For more information, see Updating the OS on supervised iOS devices in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Ability to set the frequency of application notifications: The native App Catalog receives notifications when application updates are available in Apps@Work. Starting in this release, administrators can configure device user notifications for new application updates that are available in the App Catalog, and set the frequency to once a day or once a week. Applicable to iOS devices only. For more information, see iOS Apps@Work AppStore Features in the Ivanti EPMM Apps@Work Guide.

• IMEI information for inactive SIM slots now displayed: In the past, only IMEI information for the active SIM slot was displayed in Ivanti EPMM. Now, device information on active and inactive SIM slots displays. In addition, CSV-exported data now includes the information for inactive slots. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Support for independent, customized messages and email subjects for each Compliance Action tier: In previous releases, only one customized message could be sent for all Compliance Action tiers supported in Compliance Policies > Compliance Policy Rule. Starting in this release, administrators have the ability to create and send independent, customized messages and email subject lines for each of the now 20 possible Compliance Action tiers.

  For more information on customized messages and email subject lines for compliance action tiers, see "Custom compliance policies" in the Ivanti EPMM Device Management Guide for your system: Android, iOS, Windows.

• Send device compliance data to single/multiple Microsoft Office 365 GCCH/DoD tenants: Device compliance status can be sent to GCCH and DoD Tenants. For more information, see Office 365 GCC High and DoD.

Android features

• Enable app restrictions for all supported devices: In the App Catalog, a new check box has been added "Enable app restrictions for all supported devices" for Android Enterprise in-house apps to display in the App view page of the App Catalog. Applicable to:

  • Work Managed Device mode
  • Managed Device with Work Profile mode

  For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.

• Changes to a field in the App Catalog: The field called "Enable AOSP app restrictions" has been changed to: "Enable app restrictions only for AOSP" and now only applies to Android Enterprise devices in Work Managed Device - non GMS (AOSP) mode.

  For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.

• Advanced Search for devices with non-compliant passwords: The new "Data Protection Enabled" field allows you to find devices with non-compliant passwords.
  For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• New option for Unlock command provided: For Android Enterprises, administrators can set a six-digit unlock PIN for specific devices. If this setting is used, "Unlock Device with Custom Pin <Pin value>" will display in the audit logs. For more information, see Setting the unlock PIN for a specific device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Support for app restrictions and permissions on In-house apps for Android devices: The administrator can now set restrictions and grant or revoke permissions on In-house apps for Android devices. Applicable to: Work Managed Device (DO) mode, Managed Device with Work Profile, and Work Managed Device non-GMS (AOSP) mode.

For more information, see Adding in-house apps for Android in the Ivanti EPMM Apps@Work Guide.

• Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can select the Enable Single App Kiosk check box and then select the (single) app to pin to the device screen. This setting allows one app to be pinned to the device screen in most conditions. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app.

  The pinned single app will be launched only when it is part of the Allowed App list, the Kiosk Mode Allowed Apps list, and installed on the device. Applicable to Work Managed Device mode (DO) and Work Managed Device-non-GMS mode (AOSP).

  Note the following:

  • Single app Kiosk is only applicable to regular Kiosk mode. Single app kiosk can only be exited remotely from the Ivanti EPMM Admin Portal > Devices page. Mobile@Work displays the toast message "Kiosk Exit" in the app but the dedicated single-app may still remain on screen, as it cannot be closed due to Android limitations.
  • The Lock Task mode can only be enabled when the home screen is in the foreground. If the dedicated single-app is in the foreground, then it is not possible to enable Lock Task mode.

    Workaround: Device user must tap the back or home button; the Lock Task mode becomes enabled.

    On devices Android 9 and below, when the single app Kiosk is disabled, then the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations

    For regular kiosk mode information, see Creating a shared-kiosk-mode policy for the shared kiosk users in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices

    For shared-kiosk mode, see Setting the kiosk policy for Android managed devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS and macOS features

• Remote Authentication and Apple ID Default Domains for Shared iPads: In iPadOS 15 and below, Shared iPad required the device be connected to the internet when a user signs in. In iPadOS 16+, Shared iPad defaults to using the local passcode for existing users on the device, thus reducing the need for an internet connection. MobileIron administrators can choose to always enforce remote authentication, or by setting the number of days, provide the flexibility to determine when the remote passcode changes take effect on the existing cached sign-ins. Administrators can also set the default domains to make signing in to Shared iPads easier. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Additional Skip option added: Skips the Terms of Address pane option has been added to the Devices & Users > Apple Device Enrollment. Availability: iOS 16+ and macOS 13+. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Apple Cellular.APNsItem DefaultProtocolMask property no longer supported: Starting with this release, (Undefined variable: CoreConnectorReleaseNotes.MI Core) no longer supports the deprecated Cellular.APNsItem DefaultProtocolMask Apple property.

• New support for the Apple property Cellular.APNsItem EnableXLAT464: (Undefined variable: CoreConnectorReleaseNotes.MI Core) now supports the Cellular.APNsItem EnableXLAT464 Apple property, which enables the XLAT-464 option to provide access service for IPv6 across IPv6 networks.

  For more information, see Cellular Policies in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay:

  • Allow Universal Control - prohibits the control of multiple Apple devices - including an iMac, MacBook, and iPad - all with the same keyboard and mouse.

  • Allow UI Configuration Profile Installation - prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later, and macOS 13 and later.

  • Allow USB Restricted Mode - if disabled, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization.

  For more information, see macOS settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS silent registration added: Administrators now have the option to have silent registration for macOS devices and thus not require device users to register manually. In System Settings > Device Registration, administrators would select the "Allow silent in-app registration only once (iOS and macOS)" field. Prerequisite: Administrators will need to upload Mobile@Work for macOS under Apps > App Catalog and assign a macOS label.

  In the same location, administrators can also set "Silent in-app registration time limit (minutes) (iOS and macOS)." This option enables a time limit to complete silent in-app registration. If macOS devices fail to register within this time frame, device users will be forced to register manually using their credentials.

  For more information, see Registration Considerations in the Getting Started with Ivanti EPMM and Registering iOS and macOS devices through the web in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Apps@Work available from Mobile@Work for iOS: Starting from MobileIron release 11.8.0.0 you can transition to Apps@Work native experience from the Mobile@Work application. The Apps@Work native AppStore is deployed automatically with the Mobile@Work client. Once the administrator enables Mutual Authentication and applies device labels to the (new) App Catalog configuration, the Apps@Work native AppStore is deployed with the Mobile@Work client.

  Note: Devices should be migrated to Mutual Authentication to support native App Catalog.

  Administrators can configure the integrated Apps@Work device user notifications; they can choose to enable, disable or set cadence. The Apps@Work tab is displayed on the Mobile@Work client task bar and device users can view and install their company-approved apps from Apps@Work. Starting with the Ivanti EPMM 11.8.0.0 release, Apps@work Webclip and Integrated Apps@Work are supported.

  **When an update is available to an app, Apps@Work will display a badge/notification. Badging is only for apps that are already installed and have updates. Applicable to in-house and public apps.

  Note: Volume Purchase Program (VPP) apps are not supported.

  For more information, see Apps@Work (iOS) and iOS Apps@Work AppStore Features in the Ivanti EPMM Apps@Work Guide.

• iOS Enrollment Certification chain now visible: When you navigate to MICS (System manager portal) > Security > Certificate Mgmt > iOS Enrollment certificate> View, click on View Certificate in Ivanti EPMM, the entire iOS Enrollment Certification chain is visible, not just the immediate issuing CA certificate. For more information, see Viewing, replacing, and deleting certificates in the user portal in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New Encryption Algorithm: The ChaCha20Poly1305 encryption algorithm is supported while configuring the Always On VPN configuration for iOS devices. For more information, see IKEv2 (iOS Only) in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Available in macOS 11.3.0.0 and later.

The new restrictions are not automatically pushed to the devices when you upgrade. Instead, to force-push the restriction to all devices, open it and save it.

Windows features

There were no new features for Windows in this release.

General features

• Changes to instructions in Mobile@Work: In Mobile@Work, the instructions in the enrollment and remediation pages have been updated.

• Run Reporting Database reports on user and device attributes: The Reporting Database now includes user and device attributes in its reports. See the latest Ivanti Reporting Database Essentials guide for more information.

• Ability to delete multiple local users: Administrators can now delete multiple users. You cannot delete multiple users if:

  • a user you are trying to delete is currently logged in (administrator)

  • a user is an administrator user - you first need to remove the administrator role of the user

  • there is a non-retired device associated to the user

    For more information, see Deleting multiple local users in the admin portal in the Getting Started with Ivanti EPMM guide.

• Registration passcode expiry maximum time increased: You can now customize the number of hours the registration password is valid, from 4 hours (default) to a maximum of 4320 hours (6 months). For more information, see Setting passcode and registration code defaults in the Getting Started with Ivanti EPMM guide.

• Symantec name change updated in user interface: Symantec Web Services Managed PKI has changed its name to DigiCert PKI Platform, therefore, you may note associated textual changes in the Ivanti EPMM user interface.

• Support for optional KVP on Email+: The KVP email_user_certificate_self_service can optionally be set to the ‘retired’ certificate value for a device user by prefixing it with [optional].(email_user_certificate_self_service is a mandatorily configurable KVP for all the Ivanti EPMM users.)
  [optional]email_user_certificate_self_service is an alternative configurable KVP for applicable device users that Ivanti EPMM will push to the user’s device only when the value is non-empty. Developers of AppConnect apps now have the option to create [optional] keys so that if the value is null/empty, it will not send that key/value to the AppCconnect app.
  For more information, see the Ivanti Email+ for Android Guide.

• New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Ivanti EPMM offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices. In Ivanti EPMM, go to Settings > Users and Devices > Retire and Delete. In the retire devices section, there are settings that allow you to retire the retire pending devices, based on the last check-in time, with on-demand actions and scheduled actions. For more information, see "Retiring a device" and "Retiring the Retire Pending devices" in the Ivanti EPMM Device Management Guide of your OS.

• Client ID added to Device Details: For troubleshooting purposes, Client ID has been added to the Device Details page. Administrators can also search for Client ID as well. For more information, see "Advanced Searching" in the Ivanti EPMM Device Management Guide of your OS.

• Ability to remove profiles from individual devices: Similar to the Push Profiles option is a new feature that allows administrators to manually Remove Profiles from specific devices. This feature is helpful for troubleshooting specific devices, for example, overriding the default label for that device. For more information, see "Pushing and removing device profiles" in the Ivanti EPMM Device Management Guide of your OS.

• Hyper-V 2019 server is supported for Ivanti EPMM and enterprise connector installations: With this release, Ivanti EPMM can be installed on a Microsoft Hyper-V 2019 server. The Hyper-V 2019 includes Windows Hypervisor, a Windows server driver model, and virtualization components. Hyper-V is delivered as part of Microsoft Windows Server 2019. For more Hyper-V information, see Virtual Ivanti EPMM requirements in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector guide.

• Advanced search enhancements: In Apps > Installed Apps, Administrators can search apps with specific criteria according to attributes combinations, in addition to searching a specified term in different attributes. For more information, see Managing app inventory in the Ivanti EPMM Apps@Work Guide guide.

• Send device compliance data to single/multiple Microsoft Office 365 GCCH/DoD tenants: Device compliance status can be sent to GCCH and DoD Tenants. For more information on GCCH, DoD, see "Office 365 GCC High and DoD."

• New Global Policy to configure apps per label in bulk: Administrators can create global policies with different app settings (silent install, auto-update, mandatory, etc.) and can assign it to different labels. By creating a global policy, administrators can avoid editing each app and configuring the settings. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed. For more information, see Global App Config Settings policy in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Create a default label name: Starting with the 11.6.0.0 release, administrators had the ability to manually create a label (for Windows, Windows Phone or macOS) that does not contain any criteria. After it is created, the label automatically becomes a default label and cannot be removed or edited. Upon upgrade to version 11.7.0.0, Ivanti EPMM does not apply these labels to devices because they do not contain criteria. Administrators must apply the labels manually.

Android features

• Support for Private DNS: On fully-managed devices running Android 10 or later, the administrator can specify whether the device should use a private DNS server for encrypted domain name resolution, and if so, which one. Applicable to: Android 10+ devices in Work Managed Device mode. For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode in the Getting Started with Ivanti EPMM guide.

• File Transfer Configuration: A new configuration File Transfer is available for Android devices. This configuration can be used to transfer files to the device and these files can be shared from Mobile@Work to other apps on the same device. Target apps consuming these files must support ContentURI to access files locally on the device.

  For more information, see Android File Transfer Configuration in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Mobile@Work auto-granted permissions reduced on all Android device versions: Administrators can provide device users more choice on Android 11 and below Work Profile devices by allowing the device user to choose whether Mobile@Work should be granted location permissions. The default behavior allows Mobile@Work to automatically grant this permission. In Ivanti EPMM 11.7.0.0, when the Mobile@Work auto-grant location permission check box is selected, the administrator would see a warning in Ivanti EPMM and device users would receive a prompt to grant Mobile@Work location permission during registration of devices in Work Profile mode.

  Phone permission is required to collect device information. Phone permission allows Mobile@Work to get information about device identifiers such as IMEI. This permission was originally only available in Device Admin mode, but has been extended to Work Profile mode. Device user consent is required for Mobile@Work to have phone permission.

  For more information, see Privacy policies and Understanding the Registration page in the Getting Started with Ivanti EPMM guide.

• Shared kiosk mode app settings: Upon upgrade, two new settings for Shared kiosk mode can be utilized in the New Android Kiosk App Setting Policy dialog box > Kiosk Mode Allowed Apps section:

  • Clear App Data is indicated by a "broom" icon. A broom with check mark icon indicates to clear the app data when the device user logs out of shared kiosk. A broom with a "not allowed" icon indicates do not clear app data when the user logs out of shared kiosk.

  • Android settings are indicated by a "gear" icon. A gear with check mark icon means allows device-wide settings for the selected app to be made available to the device user. A gear with a "not allowed" icon means disallow it.

    For more information, see Configuring the Android shared-kiosk mode in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Android Bulk Enrollment: Administrators can do registration of Android 7+ devices in batches (1000+) by uploading a CSV file. For each profile, a token will be generated with a default expiration time of 7 days. This token can be further extended for 7 days minimum to 99 days maximum. Optionally, the token can be regenerated (a completely new token is created for the profile with a default of 7 days of expiration.) Applicable to Work Managed Device mode, Managed Device with Work Profile mode, Work Profile on Company Owned Device mode, and AOSP mode.

  For more information, see Android Bulk Enrollment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Additional battery health information provided: Additional battery health statistics per-device are now provided:
  • Android Battery Charging Status
  • Android Battery Health Status
  • Battery Charge Cycles (OEM)*
  • Battery Health Percentage (OEM)*
  • Battery Manufacture Date (OEM)*

  For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

  *The OEM fields will only populate if the device is a Zebra device. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• MobileIron Cloud is now Ivanti Neurons for MDM: All the instances of Cloud in Ivanti EPMM documentation have been updated to Ivanti Neurons for MDM.

iOS and macOS features

• Update iOS Software Version button allows administrators to update iOS devices to a specific OS version: The Device Details page has a new "Software Version Update" button for administrators to update specific devices to any supervised DEP and non-DEP iOS versions. A list of only the applicable iOS versions to the device displays for the administrator to choose, and then execute the update. For more information, see Updating the iOS manually on a single supervised iOS device in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay.

  • Delay OS Software Update - you can set the delay of a software update on the device and set the delay of minor software updates to the device. The device user will not see a software update until the set number of days after the software release date.

  • Delay App Software Update - you can set the delay of a software update on the device and set the delay of non-OS software updates to the device. The device user will not see a non-OS software update until the set number of days after the software release date.

  • Delay Major Software Upgrade - you can set the delay of a major software upgrade on the device. The device user will not see the major software upgrade until the set number of days after the software release date.

    Available in macOS 11.3 and later.

    Additionally, Allow Erase All Content and Setting was added for resetting of iOS devices. Applicable to iOS 8+ and macOS 12+. For more information, see macOS settings and iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

    Upon upgrade, the new restrictions will not be pushed to the devices. The easiest way to do this is to open the restriction and then save it. This will force-push to all the devices.

• Skip options added to Device Enrollment Profile: To assist with easy installation, two additional options were added to Device Enrollment Profile:

  • Skips Device to Device Migration pane. Availability: iOS 13+.

  • Skips the iMessage pane. Availability: iOS 10+.

  For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS registration configurations enabled upon upgrade: For new Ivanti EPMM deployments, Ivanti’s support for macOS device management is available in Ivanti EPMM, Ivanti EPM, and Ivanti Neurons for MDM.

• Version number updated: Ivanti EPMM applications have received the version numbers that are being updated: AppleTV, iOS 15.5 and 15.5.X, macOS 12.4.

• New iOS Restrictions added to Configurations > New Restrictions Setting dialog box:

  • Allow Apple TV's automatic screen saver restriction

  • Allow Mail Privacy Protection - helps protect device users' privacy by preventing senders from learning about device users' email activities. When the Allow Mail Privacy Protection configuration is installed and enabled from Ivanti EPMM, the Protect Mail Activity toggle is enabled on the device and the following options are visible to the device user:

    • Hide IP Address - The email sender cannot link the email to the device user's online activity or determine location.

    • Block All Remote Content - Prevents the email sender from seeing the device user's email activities.

    For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Windows registration configurations enabled upon upgrade: For new Ivanti EPMM deployments, Ivanti’s support for Windows device management is available in Ivanti EPMM, Ivanti EPM, and Ivanti Neurons for MDM.

General features

• Changes to the identity certificate alias make selecting the right one easier: Previously, identity certificates were given an alias such as CERTIFICATE_22_9013_15 with the word CERTIFICATE as the prefix. Identity certificates will be given more admin-friendly names such as MSSCEP-TUNNEL_22_9013_15, with the prefix being the certificate enrollment configuration name. The new prefix was applicable for all the certificate enrollment configurations. With this release, the new prefix is applicable to all certificate enrollment configurations except Single File Identity.

General features

• Disabling "Save User Password" now clears all LDAP user passwords: Previously, the Save User Password checkbox in Settings > Ownership settings was disabled by default. However, if it was enabled and then disabled, Ivanti EPMM did not delete all the Lightweight Directory Access Protocol (LDAP) user passwords already in its database. With this release, the checkbox will still be disabled by default. But if Save User Password is enabled and then disabled, a pop-up message appears, warning that all stored passwords will be deleted.

• Unregistered devices can now redirect to Ivanti EPMM from Office 365: With this release, when a user of an unregistered device tries to access Office 365 services, they will be redirected to a Mobile@Work enrollment page for device registration (https://<Ivanti EPMM fully qualified domain name>/mifs/aadIntuneEnrollment.jsp). This feature is dependent upon a correctly-configured enrollment URL for iOS and Android in the Device Compliance settings.

• Support for Sentry-to-Ivanti EPMM TFE mutual authentication: With this release, Ivanti EPMM supports mutual authentication (MA) with Sentry through a Trusted Front End (TFE). The TFE server will verify the mutual authentication before forwarding it to Ivanti EPMM. The minimum version requirements are:

  • Ivanti Standalone Sentry - 9.15.0 and newer versions
  • Ivanti EPMM - 11.5.0.0 and newer versions

  Note the following

  • Ivanti EPMM initiates mutual authentication only if Sentry is running 9.15.0 or newer software.
  • If you would like a copy of the TFE server configuration template for mutual authentication, see your Ivanti EPMM support representative.

  For more information, see Advanced: Trusted Front End in the Ivanti EPMM System Manager Guide.

• New "Retire Pending" status for devices slated for retirement: In previous releases, when a device administrator retired a device, if the device owner chose not to acknowledge the action, it was difficult to know whether or not the device really was retired. In this release, a new Retire Pending device status in the Devices & Users > Devices page displays when a device has been retired from Ivanti EPMM, but has not yet checked in to confirm the action.

• Information access control tightened within Roles - Previously, information that was meant to be seen only by users with certain roles could potentially be viewed by unauthorized roles. With this release, Ivanti EPMM users will not be able to view information outside of their designated roles.

• LDAPS over SSL (LDAPS) protocol recommended for this release: Ivanti recommends that you adopt Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS) on port 636 when upgrading to the Ivanti EPMM 11.6.0.0 release. For more information, see Configuring LDAP servers in Getting Started with Ivanti EPMM.

• PIN and password device authentication strongly recommended: New installations of Ivanti EPMM 11.6.0.0 and higher will default to the device authentication choice of PIN+Password. We suggest that current Ivanti EPMM administrators consider the security benefit of a PIN plus a password for device registration and adopt PIN+Password going forward.

• Tooltip added to "Enabling Server Name Lookup" field: In the Ivanti EPMM Settings > System Settings > Users & Devices > Device Registration page, there is a radio button "Enable Server Name Lookup." A tooltip was added for administrators to follow specific, important instructions. For more information, see "Enable Server Name Lookup" in the Ivanti EPMM Device Management Guide of your OS.

• Redirect device users to the Mobile@Work app page from the Enrollment and the Remediation pages:

  • If an iOS device is not enrolled in Azure Active Directory (AAD) and the device user launches any of the Office 365 applications, the default Ivanti EPMM Enrollment page displays the Install Mobile@Work button that directs the device user to the Mobile@Work app store page.
  • If the enrolled device is out of compliance and the device user accesses any of the Office 365 applications, the default Ivanti EPMM Remediation page displays the Open Mobile@Work button which launches the Mobile@Work application.

• New "Upgrade" audit log captures Ivanti EPMM upgrade user information: There is a new Upgrade log file option available in the System Manager > Troubleshooting > Logs > View Module Logs section. With this release, when an administrator upgrades Ivanti EPMM, an audit log entry is created, listing the time, user ID, and IP address of the person doing the upgrade. For more information about Ivanti EPMM logs, see Working with logs in the Ivanti EPMM System Manager Guide.

• More visibility in run-time logs when a Ivanti EPMM update check fails: Previously, when an administrator clicked the Check Updates button in the System Manager > Maintenance > Software Updates section, if there were problems retrieving the information, there was only the message "Software repository is not configured," with no way to log and view these issues. With this release, if Ivanti EPMM attempts to check for system updates and fails, a new upgradeStatus module displays in the live logs, showing the relevant information.

• Changes to the identity certificate alias make selecting the right one easier: Previously, identity certificates were given an alias such as CERTIFICATE_22_9013_15 with the word CERTIFICATE as the prefix. With this release, identity certificates will be given more admin-friendly names such as MSSCEP-TUNNEL_22_9013_15, with the prefix being the certificate enrollment configuration name.

• New Device User Role for control of SSP "Trust/Untrust" feature: A new role is available to device users, giving them rights to use the Trust/Untrust feature in the Self-service User Portal (SSP). The Trust/Untrust feature allows a device user to self-designate his device as Trusted or Untrusted, depending upon the locational risk. For example, a device user might designate his device as Untrusted while in a busy airport. This feature is disabled by default for new users. A device administrator can enable it for users through the Users > Actions > Assign/Edit Roles > User Portal roles list. For more information, see Assigning user portal device management roles in the Ivanti EPMM Device Management Guide.

Android Features

• Administrators can copy existing managed app configuration settings and download updates:
• In the Ivanti EPMM App Catalog, Administrators can go into an edited app and copy managed app configurations to experiment with new settings that app developers may have released. This helps prevent Administrators having to manually go through the entire managed app configuration schema just to create a duplicate configuration for testing.
• Under the Configurations Choices section of an edited app, Ivanti EPMM will notify Administrators if there's a new schema to download.

For more information, see App configuration for Android Enterprise apps in the Ivanti EPMM Apps@Work Guide.

• Additional warning added for retiring devices: When retiring a device, a warning has been added to alert administrators that devices in Device Owner mode or Work Profile on Company Owned Device mode are wiped or erased and the action is not reversible. Administrators need to read the warning and check the box before retiring the device(s). For more information, see Retiring a device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Customized Lock screen message on Android devices: As part of a Lockdown policy, administrators can now set a message on the Lock screen on company-owned Android devices. Applicable to the following modes:

  • Work Profile Managed Device
  • Managed Device with Work Profile
  • Work Profile for Company Owned Device
  • Work Managed Device - Non-GMS mode

  Both device and user attributes (default and custom) can be used with the Lock screen message. For more information, see Lockdown policies in Getting Started with Ivanti EPMM.

• Changes to "Allow unknown sources in personal profile" option in Lockdown policy:

  • Field renamed to "Allow Unknown Sources in Personal and Work Profile" - This controls the use of unknown sources in the personal profile and in Work Profile mode. Requires Google Play update.
  • When the above field is selected, the "Allow Unknown Sources in Work Profile" displays. Selecting it indicates to restrict the Allow Unknown Source setting to the Work Profile mode only. Use case: This allows third-party apps like games from outside the Google Play store to be installed in the personal profile.

  For more information, see Lockdown policies in Getting Started with Ivanti EPMM.

• For Android 12+ devices, Ivanti EPMM now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Administrators can set this feature in Lockdown policies, conduct advanced searches and make compliance rules in Ivanti EPMM. Applies to Work Profile and Work Profile for Company Owned devices. Requires support from 5G service provider. For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode and "Lockdown policy fields for Android Enterprise devices in Work Profile on Company Owned Device mode" in Getting Started with Ivanti EPMM.

• Default ownership of corporate-owned Android devices can be set based on device registration method: Applicable to the following Android devices using:

  • Google Zero Touch (ZT)
  • Samsung Knox Mobile Enrollment (KME)
  • Non-GMS mode (Android Open Source Project (AOSP)

  For more information, see Registration methods and Setting up Ivanti EPMM with a closed network / AOSP deployment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. See also Understanding the Registration page in Getting Started with Ivanti EPMM.

• Option to not display Terms of Service on the above modes: Administrators can now set in Ivanti EPMM whether the Terms of Service will display on client devices for KME/ZT/Non GMS registrations. For more information, see Configuring the default ownership for newly registered devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Devices that are Non-GMS will be identified and reported to Ivanti EPMM: With the addition of the device ownership in Non-GMS mode, reporting of said devices are sent to Ivanti EPMM. In the Device Details page, Administrators can view individual devices and run a search for "Non GMS Device." For more information, see Setting up Ivanti EPMM with a closed network / AOSP deployment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS and macOS Features

• Certificate Revocation Checking configuration added: Administrators can now use the Certificate Revocation Checking configuration to check if configurations have been revoked from an iOS device. Administrators can specify a certificate authority (CA) that allows the configuration to enable revocation checking for all the certificates that are linked to that CA. Applicable to iOS 14.2+. For more information, see Certificate Revocation Checking Configuration in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• App restriction configuration now automatically gets pushed to Apple TV: The App Restrictions configurations are now supported for tvOS devices. Applying the "iOS and tvOS" label to the App Restrictions configuration now automatically pushes it to Apple TV. This setting applies to iOS and tvOS 11.3 and later supervised devices. For more information, see App restrictions configuration setting in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• TV remote support and Conference Room display support added: Two new tvOS policies have been added:

  • TV Remote - Applicable to supervised devices: iOS and tvOS 11.3 and later.
  • Conference Room Message - Applicable to tvOS 10.2 and later. The Conference Room Message policy requires Apple TV supervised devices.

  After the policy is created, apply labels to your Apple TV devices. For more information, see tvOS policy settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Hoedus REST API is End of Life: Because the REST API Hoedus is end of life (EOL), the public API has been removed from Ivanti EPMM:
  GET, /api/v2/appstore/googleplay.
  For more information, see this knowledge-based article: https://forums.ivanti.com/s/article/End-of-Life-timelines-for-proprietary-app-discovery-service. An Ivanti Community login may be required.

• Log out single user or all users on shared iPad session: The administrator can now delete a single user or all users on a shared iPad device's session. Applicable to Apple School Manager and Apple Business Manager in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Version number updated. Ivanti EPMM applications have received the version numbers that are being updated: AppleTV, iOS 15.4 and 15.4.X, macOS 12.3.

• Clarification on iOS and tvOS labels: Previous Ivanti EPMM versions had an "iOS" label and a "tvOS" label. The definition for the "iOS" label was to include both iOS and tvOS devices, causing confusion. Ivanti EPMM now has two labels:

  • "iOS label" (for iOS devices only)

  • "iOS and tvOS" label (to mean both iOS and tvOS (Apple TV)

    There is still a "tvOS" label.

  For more information, see Default labels in Getting Started with Ivanti EPMM.

• For iOS 11 devices, new parameters added for the AirPrint payload: Port and ForceTLS. For more information, see AirPrint settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Sorting and filtering of Apple Device Enrollment account and profiles: Apple Device Enrollment Account list page now allows for sorting and filtering. The Device Enrollment Profile list page also allows for sorting. For more information, see Creating an Apple Device Enrollment Profile and Managing Apple Device Enrollment accounts in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Support for Windows Bridge Service Failure Recovery options: In some rare cases, the Bridge Service fails without a known reason. In Ivanti EPMM 11.6.0.0, Bridge Service failure recovery is pre-configured, thus allowing device users to continue using the Bridge Service without any major issues. Applicable to Bridge release 2.1.14.0.

  The new 2.1.14.0 version of the Bridge application is automatically imported into the App Catalog for Ivanti EPMM 11.6.0.0 and higher releases. This Bridge version will be pushed to Windows devices as they check in. For more information, see "Bridge Server Failure Recovery" in the Ivanti EPMM Device Management Guide for Windows devices.

General features

• New force retire option: New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Ivanti EPMM offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices. For more information, see "Retiring a device" and "Retiring the Retire Pending devices" in the Ivanti EPMM Device Management Guide of your OS.

• Online release notes now include previous releases: With this release, online release notes becomes cumulative, and you will be able to see releases back at least one current and one prior base release. For example, the online Ivanti EPMM 11.5.0.0 release notes include release information from Ivanti EPMM 11.5.0.0, 11.4.1.0, and 11.4.0.0. PDF release notes will continue to include only the current release details, with links to the earlier information online.

• New verification of TLS server certificates: Transport Layer Security (TLS) server certificates used to secure Ivanti EPMM systems require Certificate Revocation List (CRL) Distribution Point (DP) extensions. Online Certificate Status Protocol (OCSP), is not supported at this time. Previously, an Administrator could upload a TLS certificate that Ivanti EPMM does not support. With this release, Ivanti EPMM validates that a TLS server certificate includes a CRL DP extension in four actions: activation of the certificate in System Manager, activation of the mutual authentication feature, inclusion in a certificate pinning policy, and inclusion in a certificate pinning request. A TLS server certificate that doesn't pass these four validation checks will generate a message, explaining the error.

• Support for bridging old and new client mutual authentication CA certificates: Previously, updating a Certificate Authority (CA) certificate for client mutual authentication required re-registering all devices currently enrolled under that certification. With this release, you can:

  • Upload and select a new client mutual authentication certificate for devices going forward
  • Retire the previous certificate, while still allow existing devices to check in.

  For more information, see Mutual authentication between devices and Ivanti EPMM in the Ivanti EPMM Device Management Guide for your operating system.

• Ivanti EPMM support for Splunk Heavy Forwarder mutual authentication: With this release, Ivanti EPMM supports the Splunk Heavy Forwarder for secure mutual authentication to Splunk. The feature is enabled from the System Manager Settings > Data Export > Splunk Indexer page, where you can add, modify, delete and view your Splunk indexer information. For full information, see Data export: Splunk in the Ivanti EPMM System Manager Guide.

• Updated Splunk Forwarder supports Splunk Enterprise Server 8.x: The Splunk Forwarder in Ivanti EPMM now supports Splunk Enterprise Server 8.x. For more Splunk information, see the Ivanti EPMM System Manager Guide.

• New option to enforce only one Local User: In high-security environments, it is a best practice to allow only one Local User to be enabled. Once installation is complete, use the CLISH limitUser command in the Configuration Wizard to limit the number of Local Users to one (this feature has no effect on the number of LDAP users). Once installed, you will need help from Ivanti customer support to change this configuration. Attempts to create another Local User from the Ivanti EPMM Devices & Users > Security > Local Users menu generates an error message explaining the prohibition. In high availability (HA) environments, a reboot is required after a failover to re-enable the restriction. For more information, see Managing local users in the Admin Portal in Getting Started with Ivanti EPMM.

• Support for mutual authentication between Ivanti EPMM and Sentry: Ivanti EPMM 11.5.0.0 now supports mutual authentication with Sentry by default. Minimum version requirements are:

  • Ivanti EPMM - 11.5.0.0 and newer versions
  • Ivanti Standalone Sentry - 9.15.0 and newer versions

  Ivanti EPMM will only initiate mutual authentication if Sentry is running 9.15.0 or newer software.

• Registration passcode expiry time now configurable: Previously, when registration invitations were sent, a registration PIN number was generated that was good for five days (120 hours). With this release, you can customize the number of hours the registration password is valid, from 4 hours (the default) to a maximum of 72 hours. For more information, see Setting passcode and registration code defaults in Getting Started with Ivanti EPMM.

• Ivanti EPMM support for Apache Log4J logging utility version 2.17.1: In this release, Ivanti EPMM support for Log4J logging utility has been upgraded to 2.17.1, to avoid any possibility of a zero-day vulnerability in earlier versions. This update should not affect your system behavior.

• More context for some audit logs: Previously, audit logs only included information about what was changed. With this release, some logs (configurations, policies, labels, compliance groups, rules and actions) will also include the "before" values as well as the "after." You can view the logs from the Ivanti EPMM Logs > Audit Logs page. Logs with before and after values display an icon you can click to see the new information. The new log information is generated for the following actions:

  • Create - the "Before" column will be empty.
  • Edit or change - Both before and after values display.
  • Delete - The "After" column will be empty.

  For more information, see Audit log information in the Ivanti EPMM Device Management Guide for your OS.

• Ivanti EPMM installation on Hyper-V 2016 server is supported: With this release, Ivanti EPMM can be installed on a Microsoft Hyper-V 2016 server. The Hyper-V 2016 includes Windows Hypervisor, a Windows server driver model, and virtualization components. Hyper-V is delivered as part of Microsoft Windows Server 2016. For more Hyper-V information, see Virtual Ivanti EPMM requirements in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.

• New customization options for the self-service user portal (SSP): Three new customization options are available in this release:

  • Hide or display the QR code and registration URL: A new configuration check box has been added to the Settings > System Settings > Users & Devices > Device Registration page that allows you to choose whether or not to show users a QR code and registration URL. This option is enabled by default. When deselected, the QR code and registration URL do not display to users.

  • Hide or display the self-service portal (SSP) Activity page: A new configuration check box has been added to the Settings > System Settings > General > Self-Service Portal page that allows you to choose whether or not to show users their activity in the SSP. This option is enabled by default. When deselected, the SSP Activity page does not display to users.

  • Hide or display the Settings option: Previously, the Settings option was always visible to client users from the SSP Action menu (upper-right, under user name). In this release, the administrator has the option to remove the Settings link from the SSP Action menu. Two new check boxes are available from the Ivanti EPMM General > Self-Service Portal > Self-Service Portal page:

    • Show settings for local users - Deselecting this option disables the Settings menu for local users.
    • Show settings for LDAP users - Deselecting this option disables the Settings menu for LDAP users.

    These settings determine whether or not clients can see the Settings option in the SSP Action menu.

  For more information, see Disabling options in the SSP in the Ivanti EPMM Device Management Guide for your operating system.

Android Features

• New lockdown options for Android devices using Android Enterprise: In this release, you have new lockdown options for Android Enterprise devices.

  Table 101.  New lockdown Policy options in 11.5.0.0

  Android Enterprise Mode	Lockdown options
  Device Owner or Work Profile on Company-owned devices	Allow location settings modification – If selected, users can modify the location settings of the managed device. This option is available in the Lockdown Policy > Android > Managed device > Device Restriction section. Allow date and time modification – If selected, users can modify the time or date of the managed device. This option is available from the Lockdown Policy > Android > Managed device > Device restrictions section.
  Work Profile and Work Profile on Company-owned devices	Allow back-up service – If selected, users can enable or access the back-up files on the managed profile. This option is available from the Lockdown Policy > Android > Work Profile > Android 8+ section.
  Work Profile on Company-owned devices	Manage personal apps for Work Profile on Company-owned Android devices: Previously, company-owned devices using Work Profile had no app management options for the personal side of their device. The user had full freedom to install any app on their Personal Profile. This freedom may not always meet organizational guidelines for a corporate-owned asset. With this release, administrators can now control the apps a user is allowed to install in the Personal Profile of their managed device (for devices running Android 11.0 and above). The new options are available from the Ivanti EPMM Policies & Configs > Policies > Lockdown policy > Android Enterprise section: Enable app control on Personal Profile – When enabled, you can select your level of app management: Allowed Apps – Only allow apps that are explicitly added to this list. No other apps can be installed. Disallowed Apps – Allow all except these specific apps from being installed. Choosing an option displays the Packages table, where you can add, delete, and save the app packages on your list.

  You can view your selections from the Ivanti EPMM Devices & Users > Devices > View logs on devices > Policies tab. For more information on Lockdown policies, see Lockdown policies in the Getting Started with Ivanti EPMM guide.

• New Security policy options for Android managed devices: In this release, you have new Security policy options for Android Enterprise devices.

  Table 102.  New Security policy options in 11.5.0.0

  Android Enterprise Mode	Security option
  Device Owner or Work Profile on Company-owned devices	Enable Security Logging on Android - When enabled, information is collected for security auditing purposes. These help admins identify suspicious activity by remotely tracking device activity, including app launches, Android Debug Bridge (adb) activity, and screen unlocks. These logs become available to administrators on demand. To protect the privacy of the user, some information (such as personal app launch events) are hidden, or redacted (for example, details of the physical volume mount events).
  For all Android Enterprise devices	Enable Network Logging on Android - When enabled, network and connectivity information is collected. Network logging can be used to troubleshoot any issues with device connectivity for work apps and can be used for historical forensics. Once enabled, Ivanti EPMM allows administrators to collect the logs on demand. Network logs contain DNS lookup and connect() library call events. These library functions are recorded while network logging is active: getaddrinfo() gethostbyname() connect() When network logging is enabled for Work Profile devices, the network logs will only include work profile network activity, not activity on the personal profile.

  You can view your selections from the Ivanti EPMM Devices & Users > Devices > View logs on devices > Policies tab. For more information on these policies, see Security Policies in Getting Started with Ivanti EPMM.

• Full device passcode attributes: For Android 12 devices in Work Profile mode, complex password type and password length are not supported. As a result, they are reported in Ivanti EPMM as "Unsupported." For more information, see Security policies in Getting Started with Ivanti EPMM.

• Always-On VPN for AOSP for Android Enterprise devices: In AOSP mode, you can have Always-On VPN status for devices using Android 10 and later supported versions. For more information, see Managing the closed network / AOSP devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
• Android 7+ Inventory MAC address: To preserve device user privacy, on Android 7+ devices, Ivanti EPMM accepts a randomized MAC address for inventory purposes and now also collects true physical MAC address for inventory. Inventory MAC is the hardware-based MAC that is reported after a device is registered and is only available for company-owned modes, namely Device Owner mode and Work Profile on Company Owned Device mode. Inventory MAC support is also available via substitution variables. For more information, see Inventory MAC address in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Corporate wallpaper for Android devices: This new feature for corporate owned Android devices allows the administrator the option of distributing an image as wallpaper and as a Lock screen image. The image will automatically be applied to the device. This feature is only supported in Work Managed Device mode. For more information see Setting wallpapers for devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS and macOS Features

• OS Software update command removed from menu: Administrators will now only be able to set OS Software updates through a policy. In Devices & Users > Devices page, the Actions menu item has had the following options removed: 'iOS Software Update" and "macOS Software Update." This applies to iOS and macOS devices. See Configuring iOS and macOS software updates in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Software update recommendation cadence: Administrators can set a user's device to allow all available, the highest available, or the lowest available OS software update. Applicable to iOS 14.5 or later and iPadOS 14.5 or later. For more information, see Software update recommendation cadence in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS registration configurations disabled upon upgrade: For new Ivanti EPMM deployments, Ivanti’s support for macOS device management has been transitioned to Ivanti EPM and Ivanti Neurons for MDM.

• Dynamic Privacy Policy presentation: When a device user is registering their device via iReg or with in-app registration, the privacy policy will display. The privacy policy is dynamic, based on the enrollment type. This feature is only applicable to iOS devices. For more information, see the Mobile@Work 12.11.50 for iOS Release Notes.

• Account-driven Apple User Enrollment: User Enrollment can now be set up so device users can self-enroll in MDM User Enrollment from the Settings page on their device. This feature uses the device user's managed Apple ID, making their devices managed. Once enrolled, administrators can view information in the Apple User Enrolled Device field in the Device Details page. There is required action that must be taken by the device users. See Account-driven Apple User Enrollment in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Changes to User Enrollment: The following configurations and policies are no longer applicable to User Enrollment.
  • Configurations > System > Multi-User Secure Sign-In
  • Configurations > Apple > iOS / tvOS > Managed Domains
  • Configurations > Apple > iOS / tvOS > Encrypted DNS
  • Configurations > Apple > iOS / tvOS > Network Usage Rules
  • Configurations > VPN > all VPN configurations
  • Policies > iOS > iOS Only > Single-App Mode
  • Policies > iOS > iOS Only > Global HTTP Proxy
  • Policies > iOS > iOS Only > Cellular
  • Policies > iOS > iOS Only > Home Screen Layout
  • Policies > iOS > iOS Only > Notification Settings

  Ivanti recommends administrators to update their labels associated to the above configurations and policies to "Apple User Enrolled Device" + "Equals" + "True" or iOS.apple_user_enrolled_device=true. For more information, see Configurations page, Managing Policies, and VPN settings overview in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

  The new Apple User Enrollment registration flow for LDAP Users/Groups must use single invite or bulk invite registration to verify that managed Apple ID was generated correctly. The administrator should also check the logs for any managed Apple ID failures. If the existing registration process is already using PINs, the registration will still work. For more information, see User Enrollment with Apple Business Manager in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New iOS 15 Restrictions: There are three new restrictions for iOS 15:

  • Force Translation Processing Only on Device
  • Require Managed Pasteboards
  • Allow Cloud Private Relay

  For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Windows registration configurations disabled upon upgrade: For new Ivanti EPMM deployments, Ivanti’s support for Windows device management has been transitioned to Ivanti EPM and Ivanti Neurons for MDM.

General Features

• ECDSA X.509 certificates must now be formatted with named curves in all modes: In Federal Information Processing Standards (FIPS) and Common Criteria Mode, only secp256r1 (NIST P-256), secp384r1 (NIST P-384), or secP521r1 (NIST P-521) are allowed. With this release, explicitly-defined Elliptic Curve Digital Signature Algorithm (ECDSA) curves certificates cannot be used to represent local certificate authority (CA) certificates. For more information about supported cypher suites, see Advanced: Incoming SSL Configuration in the Security Settings chapter of the Ivanti EPMM System Manager Guide.

• Four-digit year added to secure log file timestamp: The default timestamp for the /var/log/secure log file has been modified to include a four-digit year. The log file format has changed from:
  RSYSLOG_TraditionalFileFormat
  to
  RSYSLOG_SyslogProtocol23Format

  The format is:

  <%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%

  The format RSYSLOG_SyslogProtocol23Format is the format specified in the IETF internet-draft ietf-syslog-protocol-23, which is very close to Syslog Standard RFC5424.

  For information about Ivanti EPMM logs, see Working with logs in the Troubleshooting chapter of the Ivanti EPMM System Manager Guide.

• Swedish and Hungarian languages now supported in Ivanti EPMM: Two new languages, Swedish and Hungarian, are now supported and available in Ivanti EPMM 11.4.0.0 and supported newer versions. For more information about how to select the languages you want to use for messages, applications, and setting and changing the default language, see the chapter Language Support in the Ivanti EPMM Device Management Guide for your operating system.

• Certificate pinning to prevent Man-in-the-middle attacks: Man-in-the-middle attacks would allow an attacker to impersonate a Ivanti EPMM server and send commands to the device. This results in device compromise and confidential data leakage. To prevent this, a new Pinned Server Certificate policy has been added to deliver a set of certificates that clients can expect a Ivanti EPMM server to present during check-in and similar traffic. This feature is applicable for post-first-time use, for steady-state assurance that the client is connecting to the correct Ivanti EPMM. If none of the certificates configured match the active certificate in use on the Ivanti EPMM server, then devices will strictly honor the pinning policy and fail to connect until a correction of the certificate pinning policy is sent.

  This pinning policy supports multiple entries to enable a smooth transition when the Ivanti EPMM server's certificate is about to expire. Administrators can include the renewal certificate before it is active on the server and keep the expiring certificate in this policy for seamless transition to the renewed certificate. Ivanti advises administrators to set up Ivanti EPMM system certificate expiration alerts to be warned the Ivanti EPMM server certificate is about to expire.

  Any Certificate Pinning policy created in Ivanti EPMM 11.2.0.0 will be disabled upon Ivanti EPMM 11.3.0.0 upgrade. Ivanti EPMM will not push that policy. Instead, if / when the Admin edits the Certificate Pinning policy, Ivanti EPMM will push the policy using a new Ivanti EPMM property.

  Applicable to Mobile@Work for iOS 12.11.30 devices and supported later versions. Also applicable to Mobile@Work for Android 11.3.0.0 devices and supported later versions. For more information about certificate pinning and devices, see Configuring certificate pinning for registered devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices or in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Certificate pinning options now available from Certificate Mgmt page: You can now enable certificate pinning from the System Manager > Security > Certificate Mgmt page. There, you can add certificates, generate a pinning request, and upload your pinning statement. For information about enabling and configuring certificate pinning, see Configuring certificate pinning for registered devices in the Certificate Mgmt section of the Security Settings chapter of the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Reminder to enable mutual authentication: Ivanti EPMM now requires mutual authentication with managed devices for a more secure connection. If Ivanti EPMM is installed or updated to 11.4.0.0 release and mutual authentication has not been enabled, a red reminder banner will display in a ribbon just below the Admin portal masthead. To enable mutual authentication, go to Settings > System Settings > Security > Certificate Authentication > Client Mutual Certificate Authentication page. Once enabled, the banner does not appear again. For more information about mutual authentication, see Mutual authentication between devices and Ivanti EPMM in the Ivanti EPMM Device Management Guide for your operating system.

• Ivanti EPMM M2700-series on-premise appliance now available: The M2700 series large-scale deployment appliance provides a tightly-integrated solution comprised of a standardized appliance with the resources necessary for larger deployments, and dedicated QA certification of all Ivanti EPMM functionality. For information about the latest Ivanti EPMM appliance, see M2700 Series appliance in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.

• 'Enable' password complexity requirements are now the same for Ivanti EPMM CLI and Ivanti EPMM UI: With this release, the complexity requirements for creating an enable password from the CLI are the same as when it is created in the Ivanti EPMM user interface. The password must be:

  • Between 6 and 20 characters in length
  • At least one numeric character

  Additionally, the CLI continues to check whether or not the password is based on a word in the dictionary. Case sensitivity and special characters are not required.

• New option to upload Certificate Authority chain for SCEP enrollment configurations: With this release, you can upload a specific Certificate Authority chain for Simple Certificate Enrollment Protocol (SCEP) enrollment configurations. In some cases, the SCEP CA may send more CA certificates than desired. When you need to use a specific certificate chain, use this feature to upload that exact chain. If you do not upload a CA chain, Ivanti EPMM continues its previous behavior of using the CA certificates directly acquired from the SCEP server.

  The upload option is available only for SCEP enrollment configurations. Certificate enrollment settings such as System - Mutual Auth CE setting use a local CA, which is already available on Ivanti EPMM.

  For upload instructions, see "Uploading a Certificate Authority chain for SCEP enrollment configurations" in the Configuring SCEP section of the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices or in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New Azure Device Attributes in Compliance Policy Builder: Support for the following device attributes in compliance policy builder. These attributes should be available in common category.

  • AzureDeviceId
  • AzureClientStatusCode
  • AzureIntuneDeviceStatus
  • AzureIntuneStatusUpdatedAt
  • AzureUserUpn

• Users redirected to Ivanti EPMM after Microsoft Azure consent: This feature adds a redirect URL in the Ivanti EPMM device compliance on prem app for better user experience. The user will redirected back to the Ivanti EPMM application from the active directory consent page.

• Support for Entrust API version 11: Entrust Managed public key infrastructure (PKI) Services with API version 11 is supported with this release.

Android and Android Enterprise features

• Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Work Profile on Company Owned Device, and Work Managed Device. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Ivanti EPMM instance.

• New Update Priority field in App Configuration for Android enterprise section: Update Priority field provides the ability to control the app updates behavior on Android Enterprise Devices. Allows admins to set the priority of updates. High Priority setting forces updates on the device immediately after it is available. Postpone for 90 days delays app updates so updates are not applied until 90 days after the update is available. Default mode allows app updates to be available as decided by the Google Play store.
  
  Minimum Version Code field provides the ability to make sure the provided (minimum, it can be higher than the provided version) version of the app is installed on the Android Enterprise device. As defined by specification minimum app version code is 7 digit numeric code (1234567) which is the minimum version of the app to be installed on the device.
  
  For example, the installed version of the Whatsapp App is 2.19.10.15 and the latest version available is 2.21.18.17, the minimum version code an admin could enter in EMM console could look like 2210000. In this case app will be upgraded to 2.21.18.17 meeting the minimum version criteria specified by admin. Admins should note this functionality forces an immediate app upgrade and could force an active app session to close abruptly for the upgrade to complete.

• Google official device admin deprecation: The following changes have been made as part of Official Device Admin Deprecation from Google with release of Android Operating System 10.

  • Reference: https://www.blog.google/products/android-enterprise/da-migration
    The configurations, policies and settings are deprecated from Ivanti EPMM version 11.4.0.0.

    Configurations

    • Android -> Samsung Browser
    • Android -> Samsung Kiosk
    • Android -> Samsung Knox Container

    Policies

    • Android -> Android Quick Setup -> Device Administrator (Device Administrator Field is deprecated)
    • Android -> Samsung Kiosk
    • Lockdown -> Samsung Device Admin Mode (All fields support from Samsung Device Admin Mode is deprecated)

    Settings
    

    Android > Android Custom ROM (Android Custom ROM enable/disable Radio Button Will be deprecated by default WIPE feature in Compliance Action will be available).

• Android Enterprise App Maintenance Window Settings Available: You can choose to set a Maintenance Window for auto-updates that will override the update settings users configure. By default this option is unchecked.

• Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Work Profile on Company Owned Device, and Work Managed Device. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Ivanti EPMM instance.

• New Update Priority field in App Configuration for Android enterprise section: Update Priority field provides the ability to control the app updates behavior on Android Enterprise Devices. Allows admins to set the priority of updates. High Priority setting forces updates on the device immediately after it is available. Postpone for 90 days delays app updates so updates are not applied until 90 days after the update is available. Default mode allows app updates to be available as decided by the Google Play store.
  
  Minimum Version Code field provides the ability to make sure the provided (minimum, it can be higher than the provided version) version of the app is installed on the Android Enterprise device. As defined by specification minimum app version code is 7 digit numeric code (1234567) which is the minimum version of the app to be installed on the device.
  
  For example, the installed version of the Whatsapp App is 2.19.10.15 and the latest version available is 2.21.18.17, the minimum version code an admin could enter in EMM console could look like 2210000. In this case app will be upgraded to 2.21.18.17 meeting the minimum version criteria specified by admin. Admins should note this functionality forces an immediate app upgrade and could force an active app session to close abruptly for the upgrade to complete.

• Google official device admin deprecation: The following changes have been made as part of Official Device Admin Deprecation from Google with release of Android Operating System 10.

  • Reference: https://www.blog.google/products/android-enterprise/da-migration
    The configurations, policies and settings are deprecated from Ivanti EPMM version 11.4.0.0.

    Configurations

    • Android -> Samsung Browser
    • Android -> Samsung Kiosk
    • Android -> Samsung Knox Container

    Policies

    • Android -> Android Quick Setup -> Device Administrator (Device Administrator Field is deprecated)
    • Android -> Samsung Kiosk
    • Lockdown -> Samsung Device Admin Mode (All fields support from Samsung Device Admin Mode is deprecated)

    Settings
    

    Android > Android Custom ROM (Android Custom ROM enable/disable Radio Button Will be deprecated by default WIPE feature in Compliance Action will be available).

• Android Enterprise App Maintenance Window Settings Available: You can choose to set a Maintenance Window for auto-updates that will override the update settings users configure. By default this option is unchecked.

iOS and macOS features

• Remote activation of enhanced logging for iOS Mobile@Work: This new feature allows the manager to enable enhanced logging remotely using the device manager for a set of devices in order to collect the logging needed, and then to disable the feature once finished. This feature is currently supported in Ivanti EPMM 11.4.0.0 and later.

• New iOS15 Restrictions: There are two new restrictions for iOS 15:

  • Force Translation Processing Only on Device (iOS 15 and later, supervised only)
  • Require Managed Pasteboards (iOS 15 and later)

• Setup Assistant skip key available for iOS 15 and macOS 12 and higher devices: This release provides a new option to skip a setup window for iOS 15 and macOS 12 devices. The option UnlockWithWatch allows the device user to skip the Unlock Your Mac with your Apple Watch pane.

• Support for per-account VPN: This new feature supports association of VPN on a per-account basis. The supported types of accounts are Email, Exchange, CardDAV, CalDAV, Google, and Subscribed Calendar. However there is a known issue with LDAP Subscribed Calendar. Details are available on the Apple feedback ticket: https://feedbackassistant.apple.com/feedback/9228418

• Version numbers updated: Ivanti EPMM applications have received the version numbers that are being updated: AppleTV, iOS 15.0 and 15.0.X, macOS 12.0.