This section provides the upgrade information for this release and contains the following sections:
- Before you upgrade Standalone Sentry
- Supported upgrades paths for Standalone Sentry
- Upgrade URL for CLI upgrades for Standalone Sentry
- TLS compliance utility
- Upgrade notes for Standalone Sentry
- Upgrade steps for Standalone Sentry
Before you upgrade Standalone Sentry
- Ensure that the Standalone Sentry System Manager (MICS) portal certificate has not expired.
If the Standalone Sentry portal certificate has expired prior to a software upgrade, Standalone Sentry generates a new self-signed certificate after the upgrade and does not initialize correctly. As a result, the Standalone Sentry System Manager (MICS) on port 8443 and the Standalone Sentry server on port 443 will not be accessible. The "show log message" CLI displays the following error: "portal-ca-setup: /mi/portalCA/ca-cert.pem not valid for /mi/portalCA/server-cert.pem".
- Plan for 5 to 20 minutes of downtime. Email and app tunnel traffic will be down during the upgrade.
- If you have multiple Standalone Sentry instances in your installation, allow for a rolling upgrade to minimize downtime. Do not upgrade all Sentry instances at the same time.
- Ensure that Core is running and reachable to allow Standalone Sentry to upgrade successfully.
- Verify that your current environment meets the requirements listed in the Support and compatibility section of this document.
- Check disk space availability. At least 5 GB of disk space must be available in the / (root) directory for an upgrade to be successful.
- Back up the Standalone Sentry installation configuration.
- Test your connection to support.mobileiron.com. You can use the following command:
telnet support.mobileiron.com 443
- Ensure that supportcdn.mobileiron.com is reachable.
- For improved security, Ivanti recommends that TLS v1.2 is used and TLS v1.0 and v1.1 are disabled. Run the TLS compliance utility to check the TLS compliance for the servers connecting to Standalone Sentry. See TLS compliance utility.
- See also Upgrade notes for Standalone Sentry.
Supported upgrades paths for Standalone Sentry
The following table provides the supported upgrade paths for Standalone Sentry for this release.

| Current Standalone Sentry version | Upgrade path to 9.16.0 |
|---|---|
| 9.14.0 | 9.14.0 > 9.16.0 |
| 9.14.0 | 9.14.0 > 9.15.0 > 9.16.0 |
| 9.15.0 | 9.15.0 > 9.16.0 |

Upgrade URL for CLI upgrades for Standalone Sentry
Use the following URL if you are upgrading using the CLI upgrade method:
TLS compliance utility
Ivanti provides a utility that checks whether Sentry can successfully connect with the server on TLS v1.2.
Sentry 9.6.0 or later is required to run the TLS compliance utility.
TLS 1.1 and TLS 1.0 support: TLS 1.1 and TLS 1.0 are not supported with Sentry 9.16.0. For more information, see KB article.
From the Standalone Sentry command line interface, enter the following command in EXEC PRIVILEGED mode to run the utility:
#install rpm url https://support.mobileiron.com/tlscheck/mobileiron-sentry-tlscheck-1.0.0-1.noarch.rpm
The command executes a script that checks the servers that Sentry connects with and returns an OK or FAILED value for each server it checks. The script uninstalls after each run.
The results are also recorded into a log file /var/log/TLSTrafficTool-timestamp.log. The log file is included in ShowTech-All. In case of failure, additional error message content as provided by OpenSSL displays and is recorded in the log file. Ivanti recommends upgrading the failed servers to support TLS v1.2.
After upgrading to 9.7.0, use the tlscheck command from the Standalone Sentry command line interface (CLI) to check TLS compliance. See "Using CLI command to check TLS compliance" in the Sentry Guide.
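The same OK/FAILED question can be spot-checked from an administrator workstation before the upgrade window. The following is an added example, not Ivanti's utility or its log format; the function names, the result line format and the example.com hosts are assumptions made for illustration.

```python
import socket
import ssl


def check_tls12(host, port=443, timeout=5.0):
    """Return ("OK", version) if the server completes a TLS 1.2 handshake,
    otherwise ("FAILED", reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Pin the handshake to TLS 1.2 so a server limited to 1.0/1.1 fails.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Protocol probe only: trust validation is deliberately out of scope
    # here, so do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "OK", tls.version()
    except OSError as exc:  # covers ssl.SSLError, refused, timeout, DNS
        return "FAILED", f"{type(exc).__name__}: {exc}"


def report(servers):
    """One result line per (host, port); the line format is constructed."""
    lines = []
    for host, port in servers:
        status, detail = check_tls12(host, port)
        lines.append(f"{host}:{port} {status} {detail}")
    return lines


if __name__ == "__main__":
    # Placeholder targets: replace with the servers Sentry connects to.
    for line in report([("mail.example.com", 443), ("files.example.com", 443)]):
        print(line)
```

A FAILED result for a reachable server means it could not negotiate TLS 1.2 with this client; the reason string carries the OpenSSL or socket error for follow-up.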
Upgrade notes for Standalone Sentry
Before you upgrade, read the following upgrade notes:
Telnet server capability is not supported from Standalone Sentry 9.5.0 onwards. Disable Telnet before upgrading to 9.7.0. Upgrade fails if Telnet is not disabled. You will see the following Preflight check failed error message if Telnet is enabled.
Figure 1. Preflight check failed error message
Click OK, then disable Telnet. To disable Telnet, in Standalone Sentry system manager, go to Settings > CLI.
You will also see the following log message in Monitoring > Alert Viewer:
Upgrade failure: Telnet server is not supported anymore. You must first disable telnet before upgrade. The system will continue to run as Current Sentry Version.
Ivanti dropped support for SMB 1.0 CIFS servers and added support for SMB 2.0 and 2.1. If you were accessing an SMB 1.0 CIFS server through Standalone Sentry, upgrading to Standalone Sentry 9.4.1 through the latest version as supported by Ivanti results in users being unable to authenticate and therefore unable to access the CIFS server.
Workaround: Ivanti recommends updating the file server to SMB 2.0 or 2.1 before upgrading to Standalone Sentry 9.4.1 through the latest version as supported by Ivanti.
If you are upgrading from a version not listed in Supported upgrades paths for Standalone Sentry, then you need to complete one or more previous upgrades first. See the release notes for the version to which you will upgrade.
If you are using IBM Lotus Notes Traveler, note that the SSLv3 protocol is disabled by default. This may impact device connectivity if you are using older versions of IBM Lotus Notes Traveler. Some older versions of Lotus Notes Traveler have not implemented TLS 1.0, resulting in the failure to negotiate a connection after the upgrade. IBM has released an interim fix to address this issue. For more information on how this upgrade may impact your environment, see the Sentry 7.0 and Traveler Environments Knowledge Base article in the Ivanti support community.
Upgrade steps for Standalone Sentry
For upgrade instructions, see the following sections in the Sentry Guide for the release:
- For upgrade instructions using the Standalone Sentry System Manager UI, see “Standalone Sentry software updates.”
- For upgrade instructions using the Standalone Sentry command line interface (CLI), see “Upgrading using CLI.”
- For multiple Sentry upgrade instructions using the Standalone Sentry CLI, see "Upgrading multiple Standalone Sentry."