New features summary
If a release does not appear in this section, then no associated new features were added to this document for that release.
Product nomenclature: This is cumulative documentation and the product names you encounter in this documentation were accurate at the time of publication. Ivanti updates each new section to reflect evolving product nomenclature, but leaves legacy citations intact to ensure proper frame of reference for the reader.
Configuring ACME Certificates: If attestation is enabled, your device can now request a client certificate from an Automated Certificate Management Environment (ACME) server.
For more information, see Configuring ACME Certificates in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Automated Device Cleanup: In the Settings > System Settings section of Ivanti EPMM, the Users & Devices > Retire and Delete Retired Devices section has been renamed Automated Device Cleanup. Use this page for retiring and cleaning up unused devices. Additional states have been added for the administrator to select for automated device cleanup. The full list is now: Retired, Retire Pending, Wiped and Wiped Pending.
After saving the settings, to view the logs for the automated device cleanup, use the Filters section on the left side of the Audit Logs page to narrow the search.
For more information, see Automated Device Cleanup.
Kerberos support: Ivanti EPMM now supports Kerberos authentication to communicate between Ivanti EPMM and the SCEP server.
For more information, see Enabling Kerberos Authentication between EPMM and the SCEP and LDAP servers.
- Additional support for independent, customized messages for each Compliance Action tier: In the "Alert" aspect of Server compliance actions resulting from compliance conditions, the number of characters allowed for messages has been expanded from 800 characters to 65,530. For more information, see the Server compliance conditions and actions table > Alerts in Managing device compliance checks.
- Branding update: Ivanti [email protected] app is now re-branded to Ivanti [email protected] on Android and iOS platforms.
- Relinquish Ownership has been deprecated, use Retire instead: When administrators use the Relinquish Ownership option, a warning displays stating that the action has been deprecated. If you need to remove organizational information and apps from devices, use Actions > Retire in the Devices & Users page. Personal data is not lost and the end user can then use the device as a personal device, with full access to all device controls and settings. After upgrade, for Work Profile for Company Owned Device mode in Android 11+ devices:
- In Relinquish Pending state - the work profile gets relinquished.
- Selecting Devices & Users > Actions > Android Only > Relinquish Ownership will display a warning message.
- Selecting the Devices & Users > Actions > Retire action will remove the work profile (organizational data and apps). (Previously, in Ivanti EPMM 188.8.131.52 and before, the Retire action would factory reset the device.)
For Work Managed Device mode, Work Managed Device - Non GMS mode, and Managed Device with Work Profile modes on Android 8-10 devices:
The Retire action is only available from the local compliance action in Ivanti EPMM's security policy. Administrators will need to use the Wipe action instead.
For more information, see Relinquishing ownership of a device, Retiring a device, and Wipe.
Warning displays when using Retire action: When the administrator uses the Retire command on devices, a warning displays notifying that one or more devices in this list are corporate-owned Android devices in Fully Managed mode (Device Owner) or Managed Device with Work Profile mode (Android 8-10 devices, COPE). The Retire command is not supported on these devices; the Wipe command is supported in these modes. (Previously, in Ivanti EPMM 184.108.40.206 and before, the warning message was different and was applicable to Work Managed Device and Work Profile for Company Owned Device modes.)
If the administrator selects Retire after acknowledging this warning, and any of the selected devices are in Work Managed Device mode or Managed Device with Work Profile mode, then Retire will not work on those devices. A message will display stating "Mobile Platform not Supported."
For more information, see Retiring a device.
- Changes in modification history for configuration and policy attributes: Changes in the modification history for configurations and policies attributes were already displayed in the Configuration Details page, which shows before and after content. In this release, the changes are now highlighted and in blue text for easy reference. For more information, see "Audit log information" in the Ivanti EPMM Device Management Guide for your system.
- Unlock PIN extended: Administrators can set the Unlock PIN to be between 6-8 digits and optionally, alphanumeric. Ivanti recommends using six numbers only, as the alphanumeric method can cause problems with different keyboards in different languages. For more information, see the following:
Registration authentication to support username and PIN on Android devices: Administrators can configure registration so that device users register their devices with their username and PIN. The device user is allowed a configured number of login attempts (default is 5) before Ivanti EPMM blocks the device. When this occurs, the error message "Authentication Failed: Invalid Credentials" displays. For more information, see Registration methods.
- Administrators who modify CE settings now identified as also causing corresponding configuration changes: When administrators modify a certificate enrollment (CE) setting, they cause changes to configurations that use that CE setting. The modification history field now identifies the administrator who made the CE setting change as the administrator who caused the configuration changes. For more information, see Monitoring modifications to certificate enrollment settings.
- Extended expiration renewal window for mutual authentication certificates: The window to renew mutual authentication certificates has increased from 60 to 270 days. For more information, see Handling client identity certificate expiration for Android devices.
Event Center templates changes: The $SERVER_IDENT variable was removed from the $DEFAULT_POLICY_VIOLATION_MESSAGE variable and is now part of the Event Center template. Add the $SERVER_IDENT variable to the template to display server identity in an alert message. The $SERVER_IDENT variable is also a substitution variable in compliance actions. Use of this variable depends on whether the compliance action was updated from version 1 to version 2. For V1 actions, include this variable in the Event Center template or as part of the alert message text in the compliance action. For V2 actions, include this variable only as part of the alert message text in a compliance action.
For more information, see Adding custom Event Center messages.
- Android Bulk Enrollment - delete profile and devices: Once the administrator has uploaded the device CSV via Android Bulk Enrollment and a profile and its associated devices have been created, the administrator can delete the profile and its devices. Active and Retire Pending devices cannot be removed, but inactive devices can be deleted. Note that the delete action is only supported from the global space. For more information, see Deleting a profile and associated device.
- Download Android Bulk Enrollment CSV: In the Device Details page, administrators can now download the CSV by selecting the Export to CSV button to the right of the Add button. For more information, see Android Bulk Enrollment.
- MAC Address Randomization: On Android 13 devices or supported newer versions, upon installation or upgrade, the administrator can enable or disable the MAC Address Randomization for the Wi-Fi configuration. If the MAC Address Randomization is not selected, the randomization type is not pushed; the Wi-Fi and Inventory MAC Address are the same for a device. Applicable to Wi-Fi configurations for all authentication types in:
- Work Managed Device (DO) mode
- Work Profile (PO) mode
- Work Profile on Company Owned Device (EPO) mode
- Work Managed Device Non-GMS mode (AOSP)
For more information, see Wi-Fi settings.
- Azure AD compliance with Ivanti EPMM: Ivanti EPMM integration as compliance partner with Azure Active Directory in Common Criteria mode is supported. For more information, see Adding Ivanti EPMM as a compliance partner.
- Increase in LDAP Custom Attributes support: Ivanti EPMM now supports a maximum of 20 LDAP Custom Attributes as substitution variables. Further Custom Attributes can only be used to define Labels. To create these custom attributes, go to Core > Go to Services > LDAP > Modify LDAP form. For more information, see Adding custom attributes to users and/or devices.
- Samsung Knox APIs Deprecated: Because the Samsung kiosk mode is deprecated in Android 8.1 and above, you must implement Android kiosk mode instead. See "Deprecated features" in Support and Compatibility in the Ivanti EPMM Release Notes and Upgrade Guide.
New option for Unlock command provided: For Android Enterprise, administrators can set a six-digit unlock PIN for specific devices. If this setting is used, "Unlock Device with Custom Pin <Pin Value>" will display in the audit logs.
For more information, see Setting the unlock PIN for a specific device and Assigning user portal device management roles.
New Action menu item to sync device compliance status with Azure: Administrators can sync the compliance status only for authorized devices from Ivanti EPMM to Azure. When syncing for non-authenticated / non-related Azure devices, an error message displays listing device names. When the administrator performs a manual sync, a detailed Audit Log is generated for the devices. Applicable to all types of Azure tenants, for example: Standard, GCC_High, and DOD.
For more information, see Syncing the Device Compliance status of devices.
Advanced Search for devices with non-compliant passwords: The new Data Protection Enabled field allows you to find devices with non-compliant passwords.
For more information, see Advanced searching.
Samsung Firmware E-FOTA decommissioned: As of August 2022, Samsung discontinued the Samsung E-FOTA service. As a result, upon upgrade to Ivanti EPMM 220.127.116.11, the following occurs:
- In Policies > Add New > Android Firmware Policy dialog box, the "Enable Samsung Firmware Policy" field is disabled.
Upon upgrade, in the existing policy and new policy (in the case where the license has not yet been deactivated), the "Enable Samsung Firmware" field will still be visible; however, it will be Read-Only. The administrator will need to delete the existing policies and deactivate the license before creating the new policy.
The Services > Samsung > Samsung Firmware E-FOTA License Management page is disabled; the administrator cannot activate or deactivate an E-FOTA license. If you have an existing E-FOTA license already set up, the Deactivate button is enabled and the administrator will need to manually deactivate the Samsung Firmware E-FOTA License.
For more information, see Activating the Samsung firmware E-FOTA license. See also the Samsung Knox EOL article.
Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can select the Enable Single App Kiosk check box and then select the (single) app to pin to the device screen. This setting allows one app to be pinned to the device screen in most conditions. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app.
The pinned single app will be launched only when it is part of the Allowed App list, the Kiosk Mode Allowed Apps list, and installed on the device. Applicable to Work Managed Device mode (DO) and Work Managed Device - non GMS mode (AOSP.)
Note the following:
- Single app Kiosk is only applicable to regular Kiosk mode. Single app Kiosk can only be exited remotely from the Ivanti EPMM Admin Portal > Devices page. Ivanti Mobile@Work displays the toast message "Kiosk Exit" in the app, but the dedicated single app may still remain on screen, as it cannot be closed due to Android limitations.
- The Lock Task mode can only be enabled when the home screen is in the foreground. If the dedicated single app is in the foreground, then it is not possible to enable Lock Task mode. Workaround: the device user needs to tap the back or home button; the Lock Task mode then becomes enabled.
- On devices running Android 9 and below, when the single app Kiosk is disabled, the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations.
For regular kiosk mode information, see Setting the kiosk policy for Android managed devices.
For shared-kiosk mode, see Creating a shared-kiosk-mode policy for the shared kiosk users.
Support for independent, customized messages and email subjects for each Compliance Action tier: In previous releases, only one customized message could be sent for all Compliance Action tiers supported in Compliance Policies > Compliance Policy Rule. Starting in this release, administrators have the ability to create and send independent, customized messages and email subject lines for each of the now 20 possible Compliance Action tiers.
For more information on customized messages and email subject lines for compliance action tiers, see and Custom compliance policies.
Send device compliance data to multiple Microsoft Office 365 tenants: Administrator can configure device compliance data to be sent to multiple Microsoft Office 365 tenants in standard environments.
For more information see Connecting Microsoft Azure to Ivanti EPMM.
- New Global Policy to configure apps per label in bulk: Administrators can deploy an app to different kinds of users using different settings (silent install, auto-update, mandatory, etc.) for different labels. Administrators can create one policy to configure one or multiple apps at the same time. After setting a basic global policy, administrators can edit all the settings for each label assigned to the app. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed. For more information, see Global App Config Settings policy.
- New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Core offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices.
Go to Settings > Users and Devices > Automated Device Cleanup. In the retire devices section, there are settings that allow you to retire the retire pending devices, based on the last check-in time, with on-demand actions and scheduled action.
For more information, see Retiring a device and .
Ability to remove profiles from individual devices: Similar to the Push Profiles option is a new feature that allows administrators to manually Remove Profiles from specific devices. This feature is helpful for troubleshooting specific devices, for example, overriding the default label for that device. For more information, see Pushing device profiles.
Client ID added to Device Details: For troubleshooting purposes, Client ID has been added to the Device Details page. Administrators can also search for Client ID. For more information, see Advanced searching.
- File Transfer Configuration: A new configuration, File Transfer, is available for Android devices. This configuration can be used to transfer files to the device, and these files can be shared from Ivanti Mobile@Work to other apps on the same device. Target apps that consume the files must support ContentURI to access these files on the device.
For more information, see Android File Transfer Configurations.
- Additional battery health statistics per-device are now provided:
- Android Battery Charging Status
- Android Battery Health Status
- Battery Charge Cycles (OEM)*
- Battery Health Percentage (OEM)*
- Battery Manufacture Date (OEM)*
*The OEM fields will only populate if the device is a Zebra device.
For more information, see Advanced searching.
Shared kiosk mode app settings: Upon upgrade, two new settings for Shared kiosk mode can be utilized in the New Android Kiosk App Setting Policy dialog box > Kiosk Mode Allowed Apps section:
Clear App Data is indicated by a "broom" icon. A broom with check mark icon indicates to clear the app data when the device user logs out of shared kiosk. A broom with a "not allowed" icon indicates do not clear app data when the user logs out of shared kiosk.
Android settings are indicated by a "gear" icon. A gear with a check mark icon means device-wide settings for the selected app are made available to the device user. A gear with a "not allowed" icon means they are disallowed.
For more information, see Configuring the Android shared-kiosk mode.
- Android Bulk Enrollment: Administrators can do registration of Android 7+ devices in batches (1000+) by uploading a CSV file. For each profile, a token will be generated with a default expiration time of 7 days. This token can be further extended for 7 days minimum to 99 days maximum. Optionally, the token can be regenerated (a completely new token is created for the profile with a default of 7 days of expiration.) Applicable to Work Managed Device mode, Managed Device with Work Profile mode, Work Profile on Company Owned Device mode, and AOSP mode. For more information, see Android Bulk Enrollment.
This release includes the following new features and enhancements.
Additional warning added for retiring devices: When retiring a device, a warning has been added to alert administrators that devices in Device Owner mode or Work Profile on Company Owned Device mode are wiped / erased and the action is not reversible. Admins need to read the warning and check the box before retiring the device(s). For more information, see Retiring a device.
Default ownership of corporate-owned Android devices can be set based on device registration method: Applicable to the following Android devices using:
- Google Zero Touch (ZT)
- Samsung Knox Mobile Enrollment (KME)
- Work Managed Device Non-GMS mode (AOSP)
For more information, see Registration methods and Setting up Ivanti EPMM with a closed network / AOSP deployment.
Option to not display Terms of Service on the above modes: Administrators can now set in Core whether the Terms of Service will display on client devices for KME/ZT/Non GMS registrations. For more information, see Configuring the default ownership for newly registered devices.
Devices that are Non-GMS will be identified and reported to Core: With the addition of device ownership in Non-GMS mode, reporting for those devices is sent to Core. In the Device Details page, administrators can view individual devices and run a search for "Non GMS Device." For more information, see Setting up Ivanti EPMM with a closed network / AOSP deployment.
This release includes the following new features and enhancements.
Support for bridging old and new client mutual authentication CA certificates: Previously, updating a Certificate Authority (CA) certificate for client mutual authentication required re-registering all devices currently enrolled under that certification. With this release, you can:
- Upload and select a new client mutual authentication certificate for devices going forward
- Retire the previous certificate, while still allowing existing devices to check in.
For more information, see Bridging old and new client mutual authentication CA certificates.
- More context for some audit logs: Previously, audit logs only included information about what was changed. With this release, some logs (configurations, policies, labels, compliance groups, rules and actions) will also include the "before" values as well as the "after". You can view the logs from the Core Logs > Audit Logs page. Logs with before and after values display an icon you can select to see the new information. The new log information is generated for the following actions:
- Create - The "Before" column will be empty.
- Edit or change - Both before and after values display.
- Delete - The "After" column will be empty.
For more information, see Audit log information.
New customization options for the self-service user portal (SSP): Three new customization options are available in this release that determine whether or not clients can see a particular part of the SSP:
Hide or display the self-service portal (SSP) Activity page: A new configuration check box has been added to the Settings > System Settings > General > Self-Service Portal page that allows you to choose whether or not to show users their activity in the SSP. This option is enabled by default. When deselected, the SSP Activity page does not display to users. For more information, see Disabling device history logs in the SSP.
Hide or display the Settings option: Previously, the Settings option was always visible to client users from the SSP Action menu (upper-right, under user name). In this release, the administrator has the option to remove the Settings link from the SSP Action menu. Two new check boxes are available from the Settings > System Settings > General > Self-Service Portal page:
- Show settings for local users - Deselecting this option disables the Settings menu for local users.
- Show settings for LDAP users - Deselecting this option disables the Settings menu for LDAP users.
Hide or display the QR code and registration URL: A new configuration check box has been added to the Settings > System Settings > Users & Devices > Device Registration page that allows you to choose whether or not to show users a QR code and registration URL. This option is enabled by default. When deselected, the QR code and registration URL do not display to users. For more information, see Disabling the QR code and registration URL.
For more information, see Disabling options in the SSP.
- Always-On VPN for AOSP for Android Enterprise devices: In AOSP mode, you can have Always-On VPN status for devices using Android 10 and later supported versions. For more information, see Always-On VPN for AOSP for Android Enterprise devices.
- Android 7+ Inventory MAC address: To preserve device user privacy, on Android 7+ devices Core accepts a randomized MAC address and now also collects the true physical MAC address for inventory purposes. Inventory MAC is the hardware-based MAC that is reported after a device is registered and is only available for company-owned modes, namely Device Owner mode and Work Profile on Company Owned Device mode. Inventory MAC is also available via substitution variables. For more information, see Inventory MAC address.
Corporate wallpaper for Android devices: This new feature for corporate owned Android devices allows the administrator the option of distributing an image as wallpaper and as a Lock screen image. The wallpaper will be applied automatically to the device. This feature is only supported in Work Managed Device mode. For more information see Setting wallpapers for devices.
This release includes the following new features and enhancements.
Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Work Profile on Company Owned Device, and Work Managed Device. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Core instance.
New Update Priority field in App Configuration for Android enterprise section: This new feature lets administrators set the priority of application updates to High priority, Postpone mode, or Minimum Version Code push. The High Priority setting forces updates on the device immediately after an update is available. Postpone for 90 days delays app updates so they are not applied until 90 days after the update is available. See: General management of devices.
- Android Enterprise App Maintenance Window Settings Available: You can choose to set a Maintenance Window for auto-updates that will override the update settings users configure. By default this option is unchecked. See: General management of devices.
Google official device administrator deprecation: The following changes have been made as part of Official Device Admin Deprecation from Google with release of Android Operating System 10: https://www.blog.google/products/android-enterprise/da-migration
The following configurations, policies and settings are deprecated as of Core 18.104.22.168:
- Android -> Samsung Browser
- Android -> Samsung KIOSK
- Android -> Samsung Knox Container
- Android -> Android Quick Setup -> Device Administrator (Device Administrator Field is deprecated)
- Lockdown -> Samsung Device Admin Mode (All fields support from Samsung Device Admin Mode is deprecated)
- Android -> Android Custom ROM (the Android Custom ROM enable/disable radio button will be deprecated; by default, the WIPE feature in Compliance Action will be available)
New Azure Device Attributes in Compliance Policy Builder: Support for the following device attributes is now in compliance policy builder. These attributes should be available in the Common category. For more information see Reporting on managed devices.
Redirect page for Core application in Azure: This feature presents a redirect URL in the Core device compliance on-prem app for a better user experience. The user will be redirected back to the Core application from the Active Directory consent page.
New option to upload Certificate Authority chain for SCEP enrollment configurations: With this release, you can upload a specific Certificate Authority (CA) chain for Simple Certificate Enrollment Protocol (SCEP) enrollment configurations. In some cases, the SCEP CA may send more CA certificates than you need. When you need to use a specific certificate chain, use this feature to upload that exact chain. If you do not upload a CA chain, Core continues its previous behavior of using the CA certificates directly acquired from the SCEP server. For upload instructions, see Uploading a Certificate Authority chain for SCEP enrollment configurations.
The upload option is available only for SCEP enrollment configurations. Certificate enrollment settings such as "System - Mutual Auth CE setting" use a local CA, which is already available on Core.
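The practical reason to pin an exact CA chain is that client identity certificates issued through SCEP only verify against the chain that actually issued them. The following Go program is an added example, not Ivanti code and not part of this documentation: it constructs a throwaway PKI (a root CA, an issuing CA standing in for the SCEP CA, and a device client certificate, all generated in-process) and then checks a client certificate against an uploaded PEM bundle the way a server would before trusting it. The certificate names, the `VerifyClientCertAgainstChain` function and the `BuildDemoPKI` helper are assumptions of this example; it shows that the full chain verifies, while a bundle that omits the issuing CA, contains a non-CA certificate, or is not PEM at all is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a demo certificate for cn: self-signed when parent is nil (a root
// CA), otherwise signed by parent. Constructed for this example; panics on error.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: demo code only
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return cert, priv
}

// toPEM concatenates certificates into one PEM bundle, the format an admin uploads.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyClientCertAgainstChain checks that a SCEP-issued client certificate chains to
// the uploaded CA bundle: self-signed entries are trust anchors, the rest intermediates.
func VerifyClientCertAgainstChain(leafPEM, chainPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("client certificate: no CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("client certificate: %w", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for b, rest := pem.Decode(chainPEM); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil || !c.IsCA {
			return fmt.Errorf("uploaded chain: entry is not a CA certificate: %v", err)
		}
		if c.CheckSignatureFrom(c) == nil { // self-signed: a trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err // nil only when leaf -> intermediates -> an uploaded root verifies
}

// BuildDemoPKI returns the client certificate, the full CA chain, and a root-only chain.
func BuildDemoPKI() (leafPEM, fullChainPEM, rootOnlyPEM []byte) {
	root, rootKey := newCert("Demo Root CA", true, nil, nil)
	issuing, issuingKey := newCert("Demo SCEP Issuing CA", true, root, rootKey)
	leaf, _ := newCert("device-0001", false, issuing, issuingKey)
	return toPEM(leaf), toPEM(issuing, root), toPEM(root)
}

func main() {
	leaf, full, rootOnly := BuildDemoPKI()
	fmt.Println("exact chain uploaded:", VerifyClientCertAgainstChain(leaf, full))
	fmt.Println("root only uploaded:  ", VerifyClientCertAgainstChain(leaf, rootOnly))
}
```

The root-only case is the one that bites in practice: an upload that contains the root but not the CA that signs device certificates leaves every SCEP-issued identity untrusted, so verify a freshly issued client certificate against the exact bundle before relying on it.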