Upgrade information

This section provides the upgrade information for this release and contains the following sections:

Before you upgrade Ivanti Standalone Sentry

  • Ensure that the Ivanti Standalone Sentry System Manager (MICS) portal certificate has not expired.
    If the Standalone Sentry portal certificate has expired prior to a software upgrade, Standalone Sentry generates a new self-signed certificate after the upgrade and does not initialize correctly. As a result, the Standalone Sentry System Manager (MICS) on port 8443 and the Standalone Sentry server on port 443 will not be accessible. The "show log message" CLI displays the following error: "portal-ca-setup: /mi/portalCA/ca-cert.pem not valid for /mi/portalCA/server-cert.pem".
  • Plan for 5 to 20 minutes downtime. Email and app tunnel traffic will be down during the upgrade.
  • If you have multiple Standalone Sentry in your installation, allow for a rolling upgrade to minimize downtime. Do not upgrade all Sentry instances at the same time.
  • Ensure that Ivanti EPMM is running and reachable to allow Standalone Sentry to upgrade successfully.
  • Verify that your current environment meets the requirements as listed in the Support and compatibility of this document.
  • Check disk space availability. At least 5 GB of disk space must be available in the / (root) directory for an upgrade to be successful.
  • Back up the Standalone Sentry installation configuration.
  • Test your connection to support.mobileiron.com. You can use the following command:
    telnet support.mobileiron.com 443.
  • Ensure that supportcdn.mobileiron.com is reachable.
  • For improved security, Ivanti recommends that TLS v1.2 is used and TLS v1.0 and v1.1 are disabled. Run the TLS compliance utility to check the TLS compliance for the servers connecting to Standalone Sentry. See TLS compliance utility.
  • See also Upgrade notes for Standalone Sentry.

Supported upgrade paths for Ivanti Standalone Sentry

The following table provides the supported upgrade paths for Ivanti Standalone Sentry for this release.

Table 43.   supported paths for sentry and aws upgrade

Current Ivanti Standalone Sentry version

Upgrade path to 9.20.0

9.18.0

9.18.0 > 9.20.0

9.18.1

9.18.1 > 9.20.0

9.19.0

9.19.0 > 9.20.0

9.19.1

9.19.1 > 9.20.0

We recommend you upgrade to the latest Sentry version.

Upgrade URL for CLI upgrades for Ivanti Standalone Sentry

Use the following URL if you are upgrading using the CLI upgrade method:

https://support.mobileiron.com/mi/sentry/9.20.0/

TLS compliance utility

Ivanti provides an utility that checks if Sentry can successfully connect with the server on TLS v1.2.

You must have Sentry 9.6.0 or later as a minimum version of TLS compliance utility.

TLS 1.1 and TLS 1.0 support: TLS 1.1 and TLS 1.0 is not supported with Sentry 9.16.0 and later versions. For more information, see KB article.

From the Standalone Sentry command line interface, enter the following command in EXEC PRIVILEGED mode to run the utility:

#install rpm url https://support.mobileiron.com/tlscheck/mobileiron-sentry-tlscheck-1.0.0-1.noarch.rpm

The command executes a script that checks the servers that Sentry connects with and returns an OK or FAILED value for each server it checks. The script uninstalls after each run.

The results are also recorded into a log file /var/log/TLSTrafficTool-timestamp.log. The log file is included in ShowTech-All. In case of failure, additional error message content as provided by OpenSSL displays and is recorded in the log file. Ivanti recommends upgrading the failed servers to support TLS v1.2.

After upgrading to 9.7.0, use the tlscheck command from the Standalone Sentry command line interface (CLI) to check TLS compliance. See "Using CLI command to check TLS compliance" in the Sentry Guide.

Upgrade notes for Standalone Sentry

Before you upgrade, read the following upgrade notes:

Telnet

Telnet server capability is not supported from Standalone Sentry 9.5.0 onwards. Disable Telnet before upgrading to 9.7.0. Upgrade fails if Telnet is not disabled. You will see the following Preflight check failed error message if Telnet is enabled.

Figure 1. Preflight check failed error message

Click OK, then disable Telnet. To disable Telnet, in Standalone Sentry system manager, go to Settings > CLI.

You will also see the following log message in Monitoring > Alert Viewer:

 

Upgrade failure: Telnet server is not supported anymore. You must first disable telnet before upgrade. The system will continue to run as Current Sentry Version.

Support for SMB

Ivanti dropped support for SMB 1.0 CIFS servers and added support for SMB 3.x, 2.0, and 2.1. If you were accessing an SMB 1.0 CIFS server through Standalone Sentry, upgrading to Standalone Sentry 9.4.1 through the latest version as supported by Ivanti results in users not being able to authenticate and therefore access the CIFS server.

SMB 3.x is enabled by default after upgrading to 9.17.0

Workaround: Ivanti recommends updating the file server to SMB 3.x, 2.0, or 2.1 before upgrading to Standalone Sentry 9.4.1 through the latest version as supported by Ivanti.

Supported upgrade versions for Ivanti Standalone Sentry

If you are upgrading from a version not listed in Supported upgrade paths for Ivanti Standalone Sentry , then you need to complete one or more previous upgrades first. See the release notes for the version to which you will upgrade.

Upgrade steps for Ivanti Standalone Sentry

For upgrade instructions, see the following sections in the Sentry Guide for the release: