New features and enhancements
This release includes the following new features and enhancements.
- Certificate pinning to prevent man-in-the-middle attacks: Man-in-the-middle attacks would allow an attacker to impersonate a Core server and send commands to the device. This results in device compromise and confidential data leakage. To prevent this, a new Pinned Server Certificate policy has been added to deliver a set of certificates that clients can expect a Core server to present during check-in and similar traffic. This feature is applicable for post-first-time use, for steady-state assurance that the client is connecting to the correct Core.
If none of the certificates configured match the active certificate in use on the Core server, then devices will strictly honor the pinning policy and fail to connect until a correction of the certificate pinning policy is sent.
This pinning policy supports multiple entries to enable a smooth transition when the Core server's certificate is about to expire. Administrators can include the renewal certificate before it is active on the server and keep the expiring certificate in this policy for seamless transition to the renewed certificate. Ivanti advises administrators to set up Core system certificate expiration alerts to be warned when Core's server certificate is about to expire.
Any Certificate Pinning policy created in Core 11.2.0.0 will be disabled upon upgrade to Core 11.3.0.0. Core will not push that policy. Instead, if and when the administrator edits the Certificate Pinning policy, Core will push the policy using a new Core property.
Applicable to Mobile@Work for iOS 12.11.30 devices and supported later versions. Also applicable to Mobile@Work for Android 11.3.0.0 devices and supported later versions. For more information, see Configuring certificate pinning for registered devices.
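The strict-match and multi-entry rotation behavior described above, as an added example that is not Ivanti code. It assumes a pin is the SHA-256 fingerprint of the DER-encoded certificate (the release notes do not say how Core compares certificates), and the function names and certificate bytes are hypothetical.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()

def client_accepts(pin_set: set, presented_der: bytes) -> bool:
    """Strict pinning: connect only if the presented certificate is pinned."""
    return fingerprint(presented_der) in pin_set

def rotation_check(pin_set: set, active_der: bytes, renewal_der: bytes = None) -> str:
    """Pre-flight check to run before swapping the server certificate."""
    if not client_accepts(pin_set, active_der):
        return "LOCKOUT: active certificate is not pinned"
    if renewal_der is None:
        return "OK: active certificate pinned, no renewal staged"
    if not client_accepts(pin_set, renewal_der):
        return "AT RISK: renewal certificate missing from policy"
    return "OK: active and renewal certificates both pinned"

# Constructed stand-ins for DER certificate bytes (not real certificates).
EXPIRING = b"constructed-der-bytes:expiring-core-cert"
RENEWAL = b"constructed-der-bytes:renewal-core-cert"

def simulate_rotation(pin_set: set) -> tuple:
    """Does a pinned client connect before and after the server swaps certs?"""
    return client_accepts(pin_set, EXPIRING), client_accepts(pin_set, RENEWAL)

if __name__ == "__main__":
    single = {fingerprint(EXPIRING)}
    both = {fingerprint(EXPIRING), fingerprint(RENEWAL)}
    # Policy holds only the expiring certificate: clients fail after the swap.
    print(rotation_check(single, EXPIRING, RENEWAL), simulate_rotation(single))
    # Policy holds both entries: clients connect before and after the swap.
    print(rotation_check(both, EXPIRING, RENEWAL), simulate_rotation(both))
```
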
- Mutual authentication required for certificate pinning policy: Administrators who wish to distribute a certificate pinning policy to iOS devices must enable mutual authentication to allow certificate pinning through port 443. When a new certificate pinning policy is saved without mutual authentication enabled, a message displays: "You need mutual authentication enabled to create and distribute certificate pinning policy."
For more information about certificate pinning, see Configuring certificate pinning for registered devices. For more information about mutual authentication, see Mutual authentication between devices and Core.
- Android 5.0 / 5.1 EOL'd: Support for Android 5.0 / 5.1 has ended. Core now supports Android 6.0 and supported newer versions.
Core server will still allow existing registered devices with Android 5.0 / 5.1 to run.
For more information, see Registration methods and "Security policies" in Getting Started with Core.
- New Android 10+ devices limited to Android Enterprise or MAM-only modes: From Core 11.3.0.0 and newer releases, Core will prevent the following Android 10 and later version devices from registering:
- Android 10 and later releases in Device Admin mode (DA)
- Android 10 devices with no Android Enterprise configuration assigned to the correct label
Android 10+ devices that are already registered on Core in Device Admin mode will be allowed to migrate to Cloud. The Android 10+ device will be retired if there is no Android Enterprise configuration in place.
MAM-only scenarios will still be supported, but the Quick setup policy with Device Admin mode will be disabled.
For more information, see Registering Android devices.
- Relinquish ownership of devices in Work Profile on Company Owned Device mode: When viewing the device list or specific device details, you can relinquish ownership of Android devices in Work Profile on Company Owned Device mode. Relinquishing ownership of a device in this mode removes the work profile and retires the device from Core, without affecting personal apps and data. The device user can then use the device as a personal device, with full access to all device controls and settings. For more information, see Relinquishing ownership of a device.
- Ability to remotely reboot a device: Administrators can now remotely reboot devices using Core. In the Device Details page, Elapsed Time Since Reboot (minutes) indicates the amount of time, in minutes, since the device was last rebooted. Applicable to Android 7.0 managed devices, Managed Device with Work Profile, and Samsung Device Admin (DA) modes. For more information, see Rebooting a device.
- Automatic pruning of Core Local CA CRL now available: Revoked certificates can now be automatically pruned from a Core Local CA Certificate Revocation List (CRL). To configure the CRL pruning, from the Core Admin portal, go to Services > Local CA page, select a certificate, and choose Edit from the Actions menu. Below the CA Certificate text, there are three new fields:
- CRL Pruning checkbox (it is off by default).
- Number of days of revoked certificates to include in CRL: (default is 365)
- CRL Lifetime (hours) - default is 168 (7 days)
For information about CRL pruning of Local CA certifications, see Pruning revoked CRL certificates.
- Content changes for rebranding and distribution: Product documentation has been rebranded to align with Ivanti standards and is now available on the Ivanti Product Documentation page.