New features summary

These are cumulative release notes. If a release does not appear in this section, then there were no associated new features and enhancements.

  • Support for Dual Enrollment: The users can refresh the Personal Activation Code from the Personal Profile Protection on the Settings app.

  • Enhanced Microsoft authentication: Due to Microsoft changes related to enabling browser access mode, administrators should enable or add Manage Certificates settings. Perform the actions by navigating to App Configurations Summary > Delegated Device Permissions > Manage Certificates for Microsoft Authentication app distribution.

  • Threat defense update: Ivanti Go for Android now integrates with Lookout SDK version 4.1.16.39.

  • Support for Zero Touch VPN: The administrators should distribute the Always On VPN configuration (select Ivanti Go for Android) and anti-phishing configuration. After installing the configurations, the users should not see VPN information on the device.

  • Improvement to Lost mode while reactivating Kiosk: When Lost mode triggers while the user is in Kiosk, the logged-in Kiosk user would log out. Upon disabling the Lost mode, the Kiosk will reactivate if it was previously active.

  • Support for Private Space Lockdown: Administrators can now allow or disallow the creation of a Private Space on Android 15+ devices for organization-owned managed profile devices.

  • Support for AI Assist Lockdown: AI Assist Lockdown now supports Android 15+ in the PO and DO modes.

  • End of support for older Android versions: Starting from this release, Ivanti Go for Android will no longer support devices running on Android versions 8.x.

  • Introducing new app restrictions: New app restrictions will enable periodic activation checks and threat notifications for Zimperium to perform periodic checks.

  • Enhanced device registration source: During the device setup (OOBE), administrators can now define a custom Android Registration Source (for example, ZeroTouch, KME, or Hash Token) with up to 64 characters. This information will be visible in the Device Details, enabling better tracking and advanced search capabilities for streamlined device management.

  • Improved reporting capability: IMEI2 value duplication in the IMEI field in the device information on the Ivanti N-MDM when the first SIM slot is unused, and the SIM card is inserted in the second slot.

  • Support for Device Compliance: Ivanti Go for Android now supports Microsoft Azure Device Compliance for the GCC High Environment.

  • Enhanced support for PlayIntegrity: PlayIntegrity now supports all Android versions beginning with 8.x and higher.

  • Manual Android system update: Administrators can now manually update the Android version on a specific set of devices to test an update before a full rollout. This feature enables administrators to install a specific OTA (Over the Air) system update on the device. Supported on Android 10 and onwards for fully managed and work profile on company-owned devices.

  • Microsoft Azure Compliance: This feature is now supported for devices that have migrated from Ivanti EPMM to Ivanti N-MDM.

  • Skip passcode reset after unlock: When this option is selected, after unlocking a device, Ivanti Go for Android will not prompt the user to change the screen lock.

  • Lost device action: A device can now be marked as lost. Ivanti Go for Android will lock the device, display a custom message on the device screen, and optionally play sound. Supported on fully managed devices. The device user must contact their administrator to disable the lost mode.

  • Clear Google Chrome app user data on specific devices: When selected in the kiosk settings, this option enables clearing Chrome app data on all devices when clearing data is selected for Chrome in the Allowed Apps List. This option does not apply to Samsung, Lenovo, and Zebra devices, where clearing Chrome data is always supported when selected.

  • Shared kiosk auto-logout after a device restart: If a user is logged in to kiosk when a device reboots, the user will be prompted to log in again after the device restarts.

  • Threat defense UI enhancements: The threat defense card on the Ivanti Go for Android home screen is redesigned. The threat details screen is simplified to display the threat name, severity, and remediation action. The detailed threat description is visible after expanding the threat item.

  • Kiosk app notification alert: When this option is selected in the kiosk settings, app icons in the main kiosk screen will be badged when there are active notifications for the app. This feature requires the user to grant a permission, which is prompted on entering kiosk mode.

  • Threat defense local actions: Local compliance actions are now supported for all dynamic threats detected by Zimperium.

  • Threat defense update: Ivanti Go for Android now integrates with Lookout SDK version 4.1.14.

  • Threat defense update: Ivanti Go for Android now integrates with Zimperium SDK version 5.4.53.

  • Improved display of app names for kiosk settings in lockdown configuration: For in-house apps, Ivanti Go for Android now optionally uses the administrator-defined app name as the icon label within kiosk. You can enable this option in the kiosk settings of the lockdown configuration.

  • Introduction of dual enrollment of apps: Ivanti Go for Android will now support dual enrollment with the Lookout For Work (L4W) app for complete protection of a managed work profile or a work profile on company-owned device. Ivanti Go for Android obtains the personal side activation code while activating threat defense protection in the work profile so that end-users can use it to provision the L4W app on the personal side to protect the work profile and the personal side of the devices from threats.

  • Support for Catalan localization: Starting with this release, Ivanti Go for Android now supports Catalan localization.

  • Added support for Ultra-wideband Radio restriction in Lockdown configuration: The ultra-wideband restriction is supported on a fully-managed device or a work profile on company-owned device. In both cases, the restriction applies globally to the device and will turn off the ultra-wideband radio if turned on. This feature is supported only on Google Pixel Pro devices.

  • Introducing support for Wi-Fi prioritization: Starting with this release of Ivanti Go for Android, administrators can now assign priorities to each Wi-Fi configuration. Ivanti Go for Android will attempt to keep the device connected to the highest-priority available network. This feature requires location services to be enabled and location permissions to be granted. Wi-Fi prioritization applies to all modes operating with Android 9 and above.

  • Threat defense update: Ivanti Go for Android now integrates with Zimperium SDK version 5.3.17.2.

  • Threat defense update: Ivanti Go for Android now integrates with Lookout SDK version 4.1.12.897.

  • Introduction of Keyguard shortcut control on Android 14+: The 'Enable Keyguard Shortcuts' option in the 'Advanced Android Passcode and Lock Screen' configuration allows administrators to control shortcuts on the lock screen. This option is enabled by default. When unchecked, shortcuts are removed from the lock screen. This feature is supported on fully managed devices and work profiles on company-owned devices.

  • Dynamic threat detection: Ivanti Go for Android has been redesigned to support Zimperium’s dynamic threat detection. The threat defense card on the home screen now displays threat counts by severity instead of by category. The redesigned threat details page displays all threats on one screen, with the most critical threats displaying first and threats of the same severity displayed in the order of their occurrence.

    Users may notice more threats are reported compared to previous versions, as the app now displays all applicable threats.

  • Deprecation of Android 7: You can install Ivanti Go 100 for Android on devices that are running Android 8.0 or higher versions.

  • Introduction of Wi-Fi-sharing lockdown for Android 13+: Ivanti Go for Android can now prevent users from sharing Wi-Fi networks configured by the administrator. This setting is available in all enterprise modes in the enterprise lockdown configurations.

  • Enhanced bulk enrollment: Users can now scan a bulk enrollment QR code using the Scan QR code button on the Ivanti Go for Android registration screen. Camera functionality may vary by device. Printing the QR code may give better results. This is supported for corporate-owned devices being provisioned as a fully-managed device, a fully-managed device with work profile, or a work profile on company-owned device.

  • Optimized screen orientation: When the Set screen orientation option in the Lockdown and Kiosk Configuration is unchecked, this no longer forces auto-rotate to be enabled.

  • Play Integrity for Android 14 devices: We now use Play Integrity to assess a device's security status and compatibility, replacing the previous SafetyNet Attestation.

  • Support for Lookout SDK: Ivanti Go for Android now supports Lookout SDK V4.1.11.

  • V5 SDK integration: Ivanti Go for Android is now upgraded to support Mobile Threat Defense with the V5 version of the Zimperium SDK.

  • In-house apps installation schedule: You can now specify an install schedule for in-house apps that are configured for silent installation. The schedule can be a window of time per day or a window that extends from a start date and time through an end date and end time. The schedule is optional.

  • Enhanced controls for Kiosk inactivity: You can now configure a Kiosk inactivity protection timeout in the Lockdown and Kiosk modes for Android enterprise configuration and work-managed devices. If a kiosk user is inactive for a length of time, based on screen touch, the device will lock (for a non-shared kiosk), or the user will be logged out (for a shared kiosk). The user will need to grant permission to draw over other apps when prompted. Note that user touch cannot be detected on the notification panel.

  • Introduction of network reset lockdown: A new lockdown is introduced to prevent a user from resetting network settings in Android Settings. This setting is available in Lockdown and Kiosk Configuration > Android Enterprise for work-managed devices and managed devices with a work profile.

  • BeyondCorp re-registration: If the system detects a problem with the current enrollment, it automatically initiates a re-registration process.

  • Kiosk type and user information: Kiosk devices will now report additional information. This includes the kiosk type and, for shared kiosk devices, a history of kiosk users. The kiosk type reports as follows:

    • N/A (Not Applicable): Kiosk is not configured, or the device does not support kiosk.

    • Multi-App Kiosk (general Kiosk): A lockdown configuration with kiosk mode enabled is distributed, and the user can use multiple apps as allowed by the administrator.

    • Shared Device - Login Pending: A lockdown configuration with kiosk mode enabled is distributed, the shared device option with login enabled is selected, and there is currently no logged-in user.

    • Shared Device - Logged In: A lockdown configuration with kiosk mode enabled is distributed, the shared device option with logout enabled is selected, and there is currently a logged-in user.

    For existing kiosk devices upgrading to Ivanti Go 96 for Android, kiosk users will be reported starting with the next login.

  • Exclude Quest devices from Lock Task Mode (LTM) checks: Provisioning failure due to LTM on Quest devices is now fixed and Quest-VR devices are now excluded from this check.
  • Integration of Lookout SDK: Lookout SDK version 4.1.9 with bug fixes is integrated in this release.
  • Clear Chrome data on shared kiosk logout: App data can now be cleared on Chrome during shared kiosk logout. Previously, this option was ignored for Chrome. Chrome must be configured as an allowed app and the clear-data option must be selected. This change is limited to Lenovo, Samsung, and Zebra devices on Android 9 and up.
  • Enhanced phishing threat notifications: When a phishing threat notification is clicked, it will now open the Notifications screen of the Ivanti Go application and the notification details will be displayed in the list of notifications. Prior to this release, there was no click action associated with phishing threat notifications.
  • Kiosk single-app mode (COSU): A single-app option is now supported for fully managed devices in kiosk mode. The selected app must also be configured as a kiosk allowed app.
  • Go screen sharing: Optional sharing of Go screens is now supported for troubleshooting and documentation. To enable this capability, select "False" for the "Keep Go app screens hidden" option in the Privacy configuration. This setting does not impact the screen sharing capability for other apps.
  • Compliance enforcement during provisioning: For fully-managed devices, users are now blocked from leaving the onboarding process until the initial device screen lock and location requirements are met.
  • Custom attributes for provisioning: Up to 3 custom attributes can now be specified when provisioning a corporate-owned device. The attributes are assigned to the device during registration and can be viewed by the admin. This is supported with Google Zero Touch, Samsung Knox Mobile Enrollment, or a Provisioner-generated QR code.
  • Integration with Google BeyondCorp: Google BeyondCorp has been added as a new compliance partner in the Partner Device Compliance configuration. By distributing this configuration to devices, admins can enable conditional access to Google Workspace apps based on Device Compliance Status.
  • Android 14 support: Ivanti Go now supports Android 14.
  • Google account configuration: If a Google account configuration fails to install, the user will be prompted immediately to try again.
  • Enhanced Unlock command: Administrators now have the option to specify a specific unlock code, using a minimum of 6 alphanumeric characters. This feature is dependent on a future server upgrade and feature availability on Ivanti Neurons for MDM.
  • Enhanced support for non-GMS fully managed devices: The following configurations are now supported: 
    • Mobile Threat Defense Activation
    • Mobile Threat Defense Local Actions
    • Anti-phishing Protection
    • Partner Device Compliance (Intune)
    • Android Shortcut
    • Custom (Zebra)
    • App Catalog for Android (branding)
  • Customize app layout in kiosk mode: Administrators can now group apps within folders in the allowed apps list.
  • Enhancements to support app certificate renewal: New enhancements are added to support the automatic renewal of app certificates to maintain client-server communication for continuous enhancements.
  • Support to Enter Kiosk and Exit Kiosk in Shared Kiosk: The administrator can now troubleshoot or perform any task on a shared kiosk device and the kiosk user remains logged in without the need to log out of the kiosk completely. Once the administrator finishes troubleshooting the device, Enter Kiosk will return the user back to the kiosk screen directly, without the need to log in again.
  • App usage data collection: When App Usage is selected in the Device Logging configuration on Ivanti Neurons for MDM and Force Check-in is performed on a device, the app usage data will be collected after allowing the Enable App Usage Logging permission on the device. The App Usage data will be shared back with Ivanti Neurons for MDM depending on the selected frequency (Daily, Weekly, Monthly, or Yearly). This functionality requires Secure UEM Premium license and corresponding server side functionality.

    The data usage cannot be reported on Samsung devices (with Android 9) because of OS limitation.

  • Support Password with Ivanti Neurons for MDM in DPC extras: Including a password as part of sending DPC extras to Ivanti Neurons for MDM is supported now. Passing passwords in setup allows administrators to have simplified deployment and is not a recommended security practice.
  • Wi-Fi support for TLS: The administrator has options to provide outer-identity and domain when the EAP type is TLS.
  • MAC Address Randomization: On Android 13+ devices, MAC Address Randomization options have been added to the Wi-Fi Configuration. It is recommended to not disable randomization on Work Profile devices as Wi-Fi MAC address reported to Ivanti Neurons for MDM will not be the physical MAC being used by the device (to preserve user privacy).
  • Branding updates 
    • The MobileIron Go app has been renamed to Ivanti Go.
    • The app name, logo, and other branding info have been updated in the app and on Google Play.
  • OS Update downloads on Zebra devices: New enhancements have been introduced to define more granular parameters for Zebra OS Updates. The new enhancements introduced in this feature are currently in preview and require a corresponding feature on the R89 version of Ivanti Neurons for MDM. The existing behavior and functionalities will not be impacted for customers who don't participate in this preview.

    • The following enhancements are introduced in this release: 

    Initiate Download Request - The following two new preconditions are added to initiate the download request: 

    • Minimum required battery level
    • Require the device to be charging

    During Download (new condition added) - Allows the download to continue outside of the specified ‘Download Schedule’: When this option is selected, the download in progress will continue until it is finished. When this option is not selected, the download will be canceled (on the next compliance check).

    OS Update Request section - The following two new preconditions are checked before submitting an install request to Zebra: 

    • Minimum required battery level
    • Require the device to be charging
  • Unbundle Secure Apps Manager (SAM) from the Go app: To reduce the Go app size, the Secure Apps Manager (SAM) app is now downloaded from Ivanti's hosted repository.
  • Samsung APIs deprecated: The following features have been deprecated by Samsung as part of API deprecation:
    • Certificate Management – Not supported in Samsung devices using Samsung APIs
    • Android Encryption Configuration: Deprecated for Samsung devices in Device Admin mode on Android 11
    • Exchange Configuration : Deprecated for Samsung devices on Android 9+
    • Lockdown & Kiosk: Samsung Knox Standard Configuration : Deprecated for Samsung devices on Android 9 and later versions
    • Lockdown and Kiosk: Android Device Admin Mode Configuration: Deprecated for Samsung devices on Android 8 and later versions.
  • Minimum Wi-Fi Security Level: On Android 13+ devices, the Minimum Wi-Fi Security Level can be set using one of the following four options:
    • No minimum security required
    • Personal Network Based Security
    • Enterprise EAP Network Based Security
    • Enterprise 192 Network Based Security
  • Secure Apps Manager(SAM) version update: This release of Go supports SAM 9.4.1.0.
  • Controlling the Screen Management Settings: The administrator can now control the following device screen settings in device owner and company-owned device modes:
    • Screen brightness mode (Manual or Adaptive)
    • Screen brightness level
    • Screen off timeout
    • Screen rotation
  • Renewed certificate installation: Renewed identity certificates pushed from Ivanti Neurons for MDM now install on Android devices without any administrator intervention.
  • Security and Network logging: In the Device Logging configuration, collection of Android security and network logs can now be enabled. When enabled, these logs will be automatically included when the Request Debug Logs device option is selected.
    • Table 2.  Security Logging

    Mode

    Supported Android versions

    Device Owner and Device Owner - AOSP

    7,8,9,10,11,12,13

    Corporate-Owned, Personally Enabled

    8,9,10

    Profile Owner

    NA

    EPO 

    11,12,13

    Table 3.  Network Logging

    Mode

    Supported Android versions

    Device Owner and Device Owner - AOSP

    8,9,10,11,12,13

    Corporate-Owned, Personally Enabled

    8,9,10

    Profile Owner

    12,13

    EPO 

    12,13

  • Modern authentication for shared kiosk login: Shared kiosk login now supports FIDO-based hardware authenticators. This requires Ivanti Neurons for MDM to be integrated with a supported Identity Provider.

  • RealWear bulk enrollment: Provisioning of RealWear devices to fully managed AOSP mode using a QR code now supports bulk enrollment parameters, such as "server", "user", and "token." This allows for a more effective onboarding process.

  • App restrictions for In-house apps: The administrator can now set app restrictions and allow or deny some permissions for In-house apps on fully managed devices.

  • File Transfer configuration: This new configuration can be used to transfer files to the device and these files can be shared from the Go app to other apps on the same device.

  • Report device battery status to the server: The admin can now get the device battery status so that it can be used for Dashboard Widgets and Dynamic Device Grouping. The following details about the device battery will be available:

    • Battery Level
    • Battery Health Status
    • Battery Charging Status
    • Battery Health Percentage
    • Battery Manufacturing Date
    • Battery Charging Cycles

  • Support to display notifications in Kiosk mode: A Notifications item has been added to the Kiosk Settings menu. Tapping this item directs the user to the notifications area. When Go has a notification to display, it will be available in this notifications area.

  • Device Name: When available, devices will now report the device name, which is displayed in the Overview tab. If the user changes the device name, it will be shown after the next device check-in.
  • RAM usage: The current, highest, and lowest RAM usage is now reported in the app at Settings > About > Product Details > Memory Usage.
  • Support TeamViewer Unattended mode in all fully managed devices: On Android Go 83 devices, TeamViewer works in Unattended mode on all fully managed (DO mode) devices without any manual intervention after the initial setup is complete on the device.
  • Support for new scope delegation using EMM DPC: The admin can configure some apps to be granted the following scopes using EMM DPC:
    • Table 4.  Delegated Scopes

    Scope

    OS limitations

    Supported modes

    Set and Get App Restrictions

    Android 8 and later

    Fully managed, work profile, and work profile on corporate-owned device

    Manage blocking app uninstallation

    Android 8 and later

    Fully managed, work profile, and work profile on corporate-owned device

    Manage Enabling System Apps

    Android 8 and later

    Fully managed, work profile, and work profile on corporate-owned device

    Manage Certificate Selection

    Android 10 and later

    For grant/revoke certificate key pairs - Android 11 and later

    Fully managed, work profile, and work profile on corporate-owned device

    Manage Retention of Uninstalled Apps

    Android 9 and later

    Fully managed

    MobileIron Private: Install and remove existing packages

     

    Fully managed

    Manage Network Log Collection

    Android 10 and later
    • For Android 10 and 11 - Fully managed
    • For Android 12 and later - Fully managed, work profile, and work profile on corporate-owned device

    Manage Security Log Collection

    Android 12 and later

    Fully managed or work profile on company-owned device

    Manage Installation of Existing apps

    Android 9 and later

    Fully managed and managed device with work profile (profile side)

    The Manage Certificate Selection, Manage Network Log Collection, and Manage Security Log Collection scopes can only be granted to a single app at a time.

  • Modern authentication login procedure for shared kiosk devices: On Android shared kiosk devices, when a user logs in for the first time, the user provides a username and password. For future logins, the username will be stored and next time when the same user tries to log in, the username can be selected from the recent user list without the need to enter a username.
  • Android 11 AOSP devices: AOSP devices running Android 11 are now supported.
  • Send Provisioning failure client logs to the Cloud server: If the app determines that provisioning is failing, then the failure client logs will be sent to the MobileIron Cloud server.

  • BLE support for FIDO users: FIDO users can now unlock their desktop on Android using BLE technology in offline mode.

    For more information, see "Fast Identity Online (FIDO2) or Zero Sign-on with Access" in the Access Guide.

  • Support for Passcode complexity on Android 12+ devices: On Android 12+ devices using Work Profile and Work Profile on Company-Owned modes, the Passcode complexity has higher priority than Password Quality for Device Passcodes.

  • Granularity for Android devices with Lock Task Mode (LTM): When the LTM option is selected, admins can allow the “Device Settings” app to be available for kiosk settings or other apps that are distributed to the kiosk device when it is in use. This allows some apps to use system services accessed through the settings app of the device. By default, this option is disabled.

  • Support Auto-launch of app on install: The Auto-launch on install option is now available for Public, Private, and In-house apps in the Managed Play App Configuration section.

  • Juniper Junos Pulse VPN configuration: Support for Juniper Junos Pulse VPN configuration withdrawn.

  • Legacy Email+ (non-AE, non-AppConnect) no longer supported: Support for legacy Email+ for Device Admin mode (non-enterprise, non-AppConnect) withdrawn.

  • Support for enrollment-specific identifier: Android 12 devices enrolled as Android enterprise will have a unique enrollment-specific identifier, which will remain stable across factory resets. In the case of employee-owned devices, the enrollment-specific identifier should be used to replace hardware-based identifiers as the UEM solution will not have access to hardware identifiers such as IMEI, Serial Number, and MEID for employee-owned devices.

  • Sensor-related app permissions for Android 12 devices: Sensor-related app permissions can no longer be auto-granted in a work profile or work profile on a corporate-owned device. In addition, for Wi-Fi configurations, users will no longer be asked to enable location services in any mode. However, for MTD, there is no change from the existing behavior, and users are still prompted for location services.