New features summary
These are cumulative release notes. If a release does not appear in this section, then there were no associated new features and enhancements.
Product nomenclature: This is cumulative documentation and the product names you encounter in this documentation were accurate at the time of publication. Ivanti updates each new section to reflect evolving product nomenclature, but leaves legacy citations intact to ensure proper frame of reference for the reader.
-
Android version 15 support: Starting from this release, Mobile@Work for Android now supports Android version 15.
- The user interface for Zimperium Dynamic Threat detection is redesigned on Mobile@Work for Android: The client's Threat Defense UI is redesigned to support dynamic threats detected by the server. The threat defense card displays a count of threats by severity, while the Threats Defense page lists all types of threats, sorted by severity.
-
Support to allow Lost Mode on Android with audio: Administrators have the option to send a message to the device that has been lost. Administrators must select the device in the EPMM admin portal > Devices & Users and navigate to Actions > More Actions > Lost Mode to enable the feature. Once Lost Mode is enabled, the device displays the Lost Mode screen with a message, contact number, footnote, and Lost Mode Sound.
-
Support to integrate Lookout SDK: Lookout SDK version 4.1.14.13 is now supported with this release.
-
Support to integrate Zimperium SDK: Zimperium SDK version 5.4.53 is now supported with this release.
- Allow Mobile@Work to open Captive portal Wi-Fi authentication: A new option, Required Mobile@Work for Captive Portal Wi-Fi Authentication, is added in the security policy. It allows Mobile@Work for Android to intercept and process authentication requests for Wi-Fi connections through a captive portal, and overrides the operating system (OS) behavior that allows authentication without a trusted or valid TLS certificate.
-
Local Compliance Action with Dynamic Threats Supported in MDM Server: Zimperium has introduced new threat rules in the MTD Local Actions Policy under the Network, Device, and App categories. You can enable the threats as per your requirements and apply them to the selected devices for threat detection.
- Support Zimperium v5 Console functionality: The v5 Console is a new, updated console from Zimperium. Devices need to register anew on the v5 Console and go through license activation to support threat defense. It is compatible with all existing functionalities of Mobile@Work for Android.
- Support to allow Nearby Streaming: Administrators can now toggle Nearby Streaming, which video-streams applications to nearby devices. This is applicable to Android 14+ devices.
- Support for Catalan language: Mobile@Work now supports the Catalan language.
-
Support to configure Android Shared Kiosk to clear application data of Google Chrome: Android Shared Kiosk is configured to clear application data and force reinstall for Shared Users. When the user logs out, Chrome application data is cleared.
- Support to re-authenticate a new OAuth token: The OAuth API call is updated for non-mutual authenticated setups when an active token expires in an old or new client.
- Support for the 'Allow Wi-Fi Direct' option: Administrators can now toggle the 'Allow WIFI direct' option for devices in Managed Device, Managed Device - non GMS, and Managed Device with Work Profile modes to allow or disallow Wi-Fi Direct on a device. This is applicable to devices running Android 13 and later.
- Support to provide dynamic threat detection for Zimperium: The Threat Defense section of Mobile@Work now displays threats based on their severity: Critical Threats and Important Threats. Clicking on these threats provides more information about the threat.
- Support to disable the lockscreen shortcuts on an Android device: Administrators can allow or disallow lockscreen shortcuts by enabling or disabling the 'Block keyguard shortcuts' option in Ivanti EPMM. This option is available for DO and EPO modes and is disabled by default.
- Support for Ultra-wideband restriction: The Ultra-wideband restriction can be set only by a device owner or a profile owner of an organization-owned managed profile on the parent profile. In both cases, the restriction applies globally on the device and will disable the ultra-wideband radio.
-
Support to update imprint link for DT client: The imprint link is now updated for DT client to open Telekom imprint link.
-
Support to integrate Zimperium SDK: Zimperium SDK version 5.3.17 is now supported with this release.
-
Support to integrate Lookout SDK: Lookout SDK version 4.1.12.897 is now supported with this release.
- Support to display recent users logging into the kiosk mode: Selecting the 'Display Recent Users on Login Screen' option in the staging policy for kiosk mode displays the recent users, to track the users logging into the kiosk mode. If the option is disabled, the recent users will not be displayed for the client.
-
Support to control Samsung Knox Mobile@Work license activation: Administrators can now control the license activation. The activation can be disabled when required from the New Samsung General Policy.
- Support for new lockdown to allow network reset: Administrators can toggle the Allow Network Reset option for devices in Managed Device, Managed Device - non GMS, and Managed Device with Work Profile modes to allow or disallow resetting the mobile network, Wi-Fi, and Bluetooth options on the device.
-
Support for Lookout SDK 4.1.11: Lookout SDK version 4.1.11 is now supported with this release.
-
Support for Zimperium V5 SDK: Mobile@Work is now supported with Zimperium V5 SDK.
- Support for Android bug report: Administrators can now include or exclude the Android bug report while performing Pull Client Logs on a device in DO mode only. A new checkbox, "Collect Android Bug Report Logs", is introduced in Pull Client Logs.
- Select the checkbox for client logs along with the Android bug report to be requested from Mobile@Work.
- Deselect the checkbox for silent logs to be requested from Mobile@Work. The Android bug report is excluded in this request.
- Mobile@Work switches to Play Integrity API from SafetyNet: Upon client upgrade, Mobile@Work executes the Play Integrity attestation first. A failover mechanism has been integrated to re-initiate the certification check using SafetyNet if the Play Integrity check fails. It is applicable to all Android devices in all modes.
- Support to enable driver safety feature: When a device is deployed in the Kiosk (GMS or non-GMS), the user is in the Kiosk (shared or unshared) with the driver safety feature turned on, and the speed is greater than 12 miles per hour, all the applications are blocked and the 'Driver safety enabled! Access to apps may be restricted.' message is displayed. Only applications that are designated to be available when driving, such as Google Maps, are enabled.
-
Support for Zebra firmware updates: Zebra firmware updates are now managed with a true delta URL for upgrade on Android 11 and later devices.
-
Support for Kiosk Mode folder structure: Administrators can now group multiple applications together and also define folders in the Kiosk mode.
-
Support to notify the administrators about empty upgrade URL: The ERROR_DOWNLOAD_EMPTY_URL is displayed in the System Update field under device details, if the upgrade URL is empty for a Zebra Device.
-
Support for Lookout SDK 4.1.7: Lookout SDK version 4.1.7 is now supported with this release.
-
Phishing Threat Notification: With this release, clicking on a Lookout threat notification navigates to the Mobile@Work notifications screen where the notification details are displayed.
- Android 14 support: Ivanti Mobile@Work now supports Android 14.
- Support to add domain names in Wi-Fi configuration: Domain names can now be configured in the Wi-Fi settings for the TLS and TTLS authentication protocols.
-
Enhanced network slicing feature added to define network slices on a 5G network: In Ivanti EPMM, the administrator can configure slice configuration, which allows the devices to route the traffic for all the apps as per the configured enterprise network slices. 5G network slicing is supported on Android 13+ devices in Work Managed Device mode and Work Profile mode.
-
New override APN settings for Android Enterprise: To accommodate new features added to Android 13+ Android Enterprise, three new fields have been added in Ivanti EPMM.
- For Android 13+ devices in Work Managed Device mode, Ivanti EPMM now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Applies to Work Managed Device (DO) mode. (5G support for Android 12+ devices is available in Work Profile mode and Work Profile for Company Owned mode.) Requires support from the 5G service provider.
- Device users allowed or disallowed to share the admin-configured Wi-Fi: Applicable to Android 13+ devices in:
Work Managed Device mode
Work Managed Device Non-GMS mode (AOSP)
Work Profile mode
Work Profile on Company Owned Device mode
- Branding-related updates in Ivanti Mobile@Work for Android: Mobile@Work for Android is now re-branded to Ivanti Mobile@Work for Android. The following updates were made as part of the branding updates:
- Name change under the server details
- Notifications are updated
- My Devices tab is updated
- Brand logo is updated in Settings > Troubleshoot > Send Mobile@Work Logs
- Icons are updated
- References to the product name in the text are updated
- References to the product name in messages are updated
- Auto rotation and brightness control in Ivanti Mobile@Work: Depending upon the settings the administrator makes in Ivanti EPMM, device users can now configure auto rotation and brightness of the Ivanti Mobile@Work for Android app. Applicable to:
Work Managed Device mode
Managed Device with Work Profile mode
Work Managed Device Non-GMS mode (AOSP)
- Unlock PIN extended: For all registration options, in Ivanti EPMM, administrators can set the Unlock PIN between 6-8 digits and, optionally, make the PIN alphanumeric.
- User and Registration PIN options added for all registration options: When this new option is selected, the client will display the username option along with the PIN on the registration screen. After the device user enters incorrect credentials for the number of failed attempts configured on the server, the device user will be blocked on the server side. When this occurs, the error message "Authentication failed: Invalid Credentials" displays.
-
Android 13+ devices Wi-Fi Security level: The Wi-Fi security level can now be set (enforced) using a new lockdown control for all Android 13+ devices. Applicable to Work Managed Device mode, Work Profile on Company Owned Device mode, and Work Managed Device non-GMS mode (AOSP) in the following security levels:
- WIFI_SECURITY_OPEN
- WIFI_SECURITY_PERSONAL
- WIFI_SECURITY_ENTERPRISE_EAP
- WIFI_SECURITY_ENTERPRISE_192
- OpenSSL libraries have been upgraded to OpenSSL 3.0.7.
-
Changes to Relinquish and Retire: If customers are using Ivanti EPMM 11.10.0.0 and above:
- "Relinquish" has been replaced with "Retire." If "Relinquish" is tried, an information message displays stating to use the "Retire" option.
- For new device users in Work Profile on Company Owned Device mode, the "Relinquish" option has been replaced with "Retire." When a device is Retired, the organizational data and organizational apps are removed from devices with no loss of personal data.
- The Retire action is not supported for all other Android devices in non-Work Profile on Company Owned Device mode.
- The Retire option will be available from My Devices for Work Profile on Company Owned Device mode.
- All other Android devices in non-Work Profile on Company Owned Device mode are Wiped. "Wipe" removes all data/factory resets the corporate devices. A warning message is displayed before the device is Wiped.
- Android 13+ MAC Address Randomization: Ivanti recommends that customers use the persistent-randomization setting to allow the device to report the persistent randomized MAC to the Ivanti EPMM server and to use the same for connecting to Wi-Fi. Device users cannot change this setting, which ensures consistency of information between what is on the device and what is reported to the server.
It is recommended NOT to disable randomization on Work Profile devices, as the Wi-Fi MAC address reported to Ivanti EPMM will not be the physical MAC being used by the device (to preserve user privacy). However, the device will use the actual (physical) MAC for the Wi-Fi connection.
- Support for new scope delegation using EMM DPC: The administrator can allow some apps to receive the following scopes via delegation. Supported modes may vary for different scopes:
- Set and Get App Restrictions - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage blocking app uninstallation - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Certificate Selection - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Enabling System Apps - Supported on fully managed, work profile, and work profile on corporate-owned devices
- MobileIron Private: Install and remove existing packages - Supported on fully managed devices
- Manage Retention of Uninstalled Apps - Supported on fully managed devices
- Manage Network Log Collection - Supported on Android 10 and 11 fully managed devices
- For Android 12 and later - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Security Log Collection - Supported on fully managed or work profile on company-owned devices
- Manage Installation of Existing apps - Supported on fully managed devices
- Disallow use of custom input methods by personal apps on WPCOD device: On devices running Android 12 or later, and deployed in WPCOD (Work Profile on Company-Owned Device) mode, the administrator can disallow the use of custom input methods by all personal apps on the device.
- Device user warning notifications for work profile or device passcode expiration: The following messages will display to notify device users of impending passcode expiration:
Screen unlock: "Your screen unlock code will soon expire. Set up a new code to continue having seamless access to your work data." This displays during the last seven days until the password is changed.
Work profile (access): "Your profile lock code will soon expire. Set up a new code to continue having seamless access to your work data."
Work profile (apps): "Your profile passcode needs to be updated in order to continue use your work apps."
Kiosk: "Your device passcode is about to expire. Please contact your administrator."
- Support for Arabic language: In this release, Arabic localization (right-to-left) has been added within Mobile@Work.
- Allow Nearby Notification Streaming: Allow Nearby Notification Streaming is a new option in the lockdown policy for the managed device and managed profile sections. The administrator can set it to the following values: Not Controlled by policy (default), Enable, Disable, and Enabled for Same Account. The purpose is to prevent data loss via Google's new streaming features. Applies to Fully Managed devices running Android 12+. A similar control is also available for Work Profile and Work Profile on Company Owned mode devices using Android 12+.
- Zimperium SDK version 4.22.8 was integrated into this release.
- Randomization type: In the Wi-Fi configuration, the administrator can set the randomization type. If the Wi-Fi Randomization type is not set (the default setting after an Ivanti EPMM upgrade), the randomization type is not pushed to devices. Applicable to Android 13+ devices.
-
Samsung Knox APIs Deprecated: Because the Samsung kiosk mode is deprecated in Android 8.1 and above, you must implement Android kiosk mode instead. For more information, see Deprecated features in the Ivanti EPMM Release Notes and Upgrade Guide. See also the Samsung Deprecation of APIs in Knox article and Samsung Knox Developer Documentation > Deprecated API methods.
-
Security and logging enablement: Mobile@Work 11.8.0.0 is now able to configure security and network logging on the device according to the state of "Enable Security Logging on Android" and "Enable Network Logging on Android" options of the Security Policy.
If Security Logging is enabled for the device, then Mobile@Work will be able to receive batches of security log events from Android version 12 for collecting and processing. Security logging is supported now for the devices registered in Work Managed Device mode, and Work Profile on Company Owned Device mode.
If Network Logging is enabled for the device, then Mobile@Work will be able to receive batches of network log events (DNS and Connect) from Android version 12 for collecting and processing. Network logging is supported now for the devices registered in Work Managed Device mode and Work Profile on Company Owned Device mode.
Security and network logs, along with the regular client logs, are included in a zip file that Mobile@Work creates when the device user issues the "Send logs" command (Settings menu) or in response to the "Pull Client Logs" administrator command.
The set of the latest security log events, in the form of JSON-formatted strings up to 10 MB total, may be found in files with names beginning with a "security" prefix. The most recent log events will be represented by a readable security.txt file (up to 1 MB). Older security log events will be zipped in a series of zip files, i.e., security1.zip, security2.zip, etc. The same applies to network logs, except the file names begin with the "network" prefix.
JSON formatting for security and network logs is a compromise between human-friendly readability and potential automated log processing on the server side.
-
Device ownership maintained even with reboots during device registration: During registration, if a reboot/shutdown of device occurs (due to reasons such as a battery failure) while going through Zero Touch or bulk enrollment, after the reboot, the device's ownership status is maintained as Company-owned.
-
Retire option for DO, EPO and COMP modes deprecated: In My Devices, the option to retire devices in Work Managed Device mode, Work Profile on Company Owned Device mode, and Managed Device with Work Profile mode has been deprecated.
- New option for Unlock command provided: For Android Enterprise, administrators can set a six-digit unlock PIN for specific devices.
-
Enable app restrictions for all supported devices: In addition to the AOSP mode, the administrator can now enable Android Enterprise in-house app restrictions for all supported devices to display in the App view page of the App Catalog. Applicable to:
- Work Managed Device mode
- Managed Device with Work Profile mode
Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can set a Single App Kiosk to have a single app pinned to the device screen. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app. The pinned single app will be launched only if the app is installed on the device. Applicable to Shared-Kiosk mode, Work Managed Device mode (DO), and Work Managed Device - non GMS mode (AOSP).
Note the following:
-
For regular Kiosk only, device users can exit Kiosk remotely. Mobile@Work displays the toast message "Kiosk Exit" in the app but the dedicated single-app may still remain on screen, as it cannot be closed due to Android limitations.
-
The Lock Task mode can only be enabled when the home screen is in the foreground. If another app is in the foreground, then it is not possible to enable Lock Task mode. Workaround: Device user needs to tap the back or home button; the Lock Task mode becomes enabled.
- On devices running Android 9 and below, when the single app Kiosk is disabled, the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations.
Logout mode added to Android Enterprise Shared Kiosk Mode: The administrator can log out the device user if a session exceeds [0 is default] hours. Applicable to Managed Device with Work Profile mode.
-
IMEI information for inactive SIM slots now displayed: In the past, only the IMEI information of the active SIM slot was displayed in Ivanti EPMM. Now, device information on active and inactive SIM slots displays.
- Controls to enable certificate revocation (CRL) checks for specific modes: If the certificate revocation check is enabled, the OCSP check is executed first. A CRL check is executed as a fallback if the OCSP check fails. Requires a Knox premium license to be applied. Applicable to the following modes:
- Device Admin mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Fully Managed Device mode
-
Private DNS: On fully managed devices running Android 10 or later, the administrator can specify whether the device should use a private DNS server for encrypted domain name resolution, and if so, which one.
- Send device compliance data to multiple Microsoft Office 365 tenants: Administrators can configure device compliance data to be sent to multiple Microsoft Office 365 tenants in standard environments.
-
File Transfer Configuration: A new configuration File Transfer is available for Android devices. This configuration can be used to transfer files to the device and these files can be shared from Mobile@Work to other apps on the same device. Target apps that are consuming the files should support ContentURI to access these files on the device.
-
Additional battery health statistics per-device are now provided to Core:
- Android Battery Charging Status
- Android Battery Health Status
- Battery Charge Cycles (OEM)*
- Battery Health Percentage (OEM)*
- Battery Manufacture Date (OEM)*
*The OEM fields will only populate if the device is a Zebra device.
Some devices are seen to report unexpected values, or information may be missing. It is recommended to report such issues to the specific manufacturer. OEM attributes are currently only supported for Zebra devices.
- Privacy updates via notification: Device users in Work Profile mode and Work Profile on Company Owned Device mode will receive a notification when the privacy policy has changed. When the notification is tapped, device users will be redirected to the privacy screen for information purposes.
- Notifications in Kiosk mode: Android Enterprise Kiosk mode allows administrators to push notifications to the device. This helps administrators to communicate any important messages or alerts using the existing "Push Message" capability. The Kiosk user can access Notifications from the Kiosk settings pane.
- Shared kiosk mode app settings: All apps allowed in Kiosk mode will have an additional "broom" and "settings" icon. Based on the specific app's settings, Mobile@Work will:
- allow Android settings when that specific app is launched
- clear app data when the device user logs out of Shared kiosk
- Support Bulk Enrollment via Token: Android devices can be seamlessly registered without requiring any manual entry of credentials. New registration is supported by leveraging a new value "token" in the QR code and verifying a device's serial number with the token during registration against a pre-defined list.
Administrators can have a pre-defined list of serial numbers and generate corresponding tokens on Ivanti Endpoint Manager for Mobile. The Ivanti Provisioner app for Android can be used to generate the corresponding QR code. The bulk enrollment token is applicable on Android 7+ devices as long as Mobile@Work is able to access the serial number during provisioning.
Applicable to:
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile on Company Owned Device mode
- AOSP mode
For devices older than Android 11, Mobile@Work will auto-grant phone permissions in Work Managed Device mode, making the serial number available.
-
Mobile@Work auto-granted permissions reduced on all Android device versions: Administrators can provide device users more choice on Android 11 and below Work Profile devices by allowing the device user to choose whether Mobile@Work should be granted location permissions. The default behavior allows Mobile@Work to automatically grant this permission. In Core 11.7.0.0, when the Mobile@Work auto-grant location permission check box is selected, administrators would see a warning in Core and device users would receive a prompt to grant Mobile@Work location permission during registration of devices in Work Profile mode.
Phone permission is required to collect device information. Phone permission allows Mobile@Work to get information about device identifiers such as IMEI. This permission was originally only available in Device Admin mode, but has been extended to Work Profile mode. Device user consent is required for Mobile@Work to have phone permission.
- Support for AAD compliance: Company-branded Mobile@Work clients now support Azure Active Directory (AAD) compliance.
- OCSP certificate revocation: Certificate revocation check during TLS certificate validation now defaults to Online Certificate Status Protocol (OCSP).
- Support for Android Wi-Fi device migration: Wi-Fi configuration provisioned on Core will be preserved during Core to cloud migration, to allow communication from client to cloud server after migration, on Wi-Fi only devices. Applicable to the following Android Enterprise modes:
- Device Admin mode
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Updated Knox Attestation mechanism: Samsung Android 12 devices have an updated mechanism to retrieve Knox Attestation results using a new set of APIs. Knox Attestation API on Android 12+ devices will now be reported to Core. To generate Knox Attestation results for existing Android 12 Samsung devices after upgrading to Core 11.6.0.0, administrators can modify the existing Knox policy and then push the update to these devices to re-run the Knox Attestation check. Otherwise, administrators can create new configurations and distribute them based on the Samsung Knox Attestation value to specific devices only.
- Allow Unknown Sources option added: Administrators now can allow/disallow unknown sources in both personal and work profiles.
- Harmony OS is certified for AOSP mode: Certified model - Huawei P20/ Harmony OS 2.0.
- Support for Android Enterprise devices call logs: As part of the Device Admin mode deprecation, call logs are extended to Android Enterprise devices. Applicable to the following Android Enterprise modes:
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Listing of memory consumption: In Product Details, device users will now see a "Used memory (current/max/min) in MB" option. This displays the memory usage in the device. Applicable to all provisioning modes.
- Customized Lock screen message on Android devices: As part of a Lockdown policy, administrators can now set a message on the Lock screen on company-owned Android devices. Applicable to the following modes:
- Work Profile Managed Device
- Managed Device with Work Profile
- Work Profile for Company Owned Device
- Work Managed Device - Non-GMS mode
- For Android 12+ devices, Core now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Applies to Work Profile and Work Profile for Company Owned devices. Requires support from 5G service provider.
- Non-GMS devices will now be identified and reported to Core during device registration: This is used to assign device ownership. Applicable to the following Android devices using:
- Google Zero Touch (ZT)
- Samsung Knox Mobile Enrollment (KME)
- Non-GMS mode (Android Open Source Project (AOSP))
- Allow/disallow personal apps for a Work Profile on Company Owned Device: Administrators can now control the apps a device user is allowed to install in the personal profile. Applies to Android 11 and newer.
- Security and logging enablement: Mobile@Work 11.5.0.0 is now able to configure security and network logging on the device according to the state of "Enable Security Logging on Android" and "Enable Network Logging on Android" options of the Security Policy.
If Security Logging is enabled for the device, then Mobile@Work will be able to receive batches of security log events from Android for collecting and processing. Security logging is supported now for the devices registered in Work Managed Device mode, Managed Device with Work Profile mode, and Work Profile on Company Owned Device mode.
If Network Logging is enabled for the device, then Mobile@Work will be able to receive batches of network log events (DNS and Connect) from Android for collecting and processing. Network logging is supported now for the devices registered in Work Managed Device mode and Work Profile on Company Owned Device mode.
Security and network logs, along with the regular client logs, are included in a zip file that Mobile@Work creates when the device user issues the "Send logs" command (Settings menu) or in response to the "Pull Client Logs" administrator command.
The set of the latest security log events, in the form of JSON-formatted strings up to 10 MB total, may be found in files with names beginning with a "security" prefix. The most recent log events will be represented by a readable security.txt file (up to 1 MB). Older security log events will be zipped in a series of zip files, i.e., security1.zip, security2.zip, etc. The same applies to network logs, except the file names begin with the "network" prefix.
JSON formatting for security and network logs is a compromise between human-friendly readability and potential automated log processing on the server side.
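The log layout described here, and in the identical 11.8.0.0 note above, can be read for triage with a short script. This is an added example, not Ivanti code: it assumes one JSON object per line and text members inside the numbered archives, and the sample bundle and its field names are constructed.

```python
import io
import json
import re
import zipfile

# Constructed sample events; field names are placeholders, not the product's schema.
SAMPLE_OLD = ['{"seq": 1, "event": "keyguard_dismissed"}',
              '{"seq": 2, "event": "app_process_start"}']
SAMPLE_NEW = ['{"seq": 3, "event": "media_mounted"}',
              'truncated {"seq": 4']          # a damaged line the reader must survive
SAMPLE_NET = ['{"seq": 9, "type": "DNS", "host": "example.com"}']

# The notes give 10 MB as the total size, so refuse members declared far larger.
MAX_MEMBER = 16 * 1024 * 1024


def _zip_bytes(members):
    """Build an in-memory zip from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_bundle():
    """Constructed stand-in for the zip produced by Send logs / Pull Client Logs."""
    rotated = _zip_bytes({"security.txt": "\n".join(SAMPLE_OLD)})
    return _zip_bytes({
        "client.log": "regular client log line\n",
        "security.txt": "\n".join(SAMPLE_NEW),
        "security1.zip": rotated,
        "network.txt": "\n".join(SAMPLE_NET),
    })


def _parse_lines(text, source, events, rejects):
    """Append each JSON object line to events; record (source, line) for the rest."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejects.append((source, lineno))
            continue
        if isinstance(obj, dict):
            events.append({"_source": source, **obj})
        else:
            rejects.append((source, lineno))


def read_device_logs(bundle_bytes, prefix):
    """Collect events from <prefix>.txt and <prefix>N.zip ("security" or "network")."""
    events, rejects = [], []
    name_re = re.compile(rf"(?:.*/)?{re.escape(prefix)}(\d*)\.(txt|zip)$")
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        matches = []
        for info in bundle.infolist():
            m = name_re.match(info.filename)
            if not m:
                continue
            if info.file_size > MAX_MEMBER:
                rejects.append((info.filename, None))   # oversized, not read
                continue
            matches.append((int(m.group(1) or 0), info, m.group(2)))
        # Numbered archives first, then the live .txt file. The order is only for
        # deterministic output; the notes do not say which number is the oldest.
        for _, info, ext in sorted(matches, key=lambda t: t[0], reverse=True):
            data = bundle.read(info)
            if ext == "txt":
                _parse_lines(data.decode("utf-8", "replace"), info.filename,
                             events, rejects)
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                for sub in inner.infolist():
                    if sub.is_dir() or sub.file_size > MAX_MEMBER:
                        continue
                    _parse_lines(inner.read(sub).decode("utf-8", "replace"),
                                 f"{info.filename}!{sub.filename}", events, rejects)
    return events, rejects


if __name__ == "__main__":
    for kind in ("security", "network"):
        evts, bad = read_device_logs(build_sample_bundle(), kind)
        print(kind, len(evts), "events,", len(bad), "rejected lines")
```

Rejected lines are reported with their file and line number rather than dropped silently, so a truncated or tampered log is visible during review.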
- Android 7+ Inventory MAC address: To preserve device user privacy, on Android 7+ devices, Core accepts a randomized MAC address and now also collects true physical MAC address for inventory purposes. Inventory MAC is the hardware-based MAC that is reported after a device is registered and is only available for company-owned modes, namely Device Owner mode and Work Profile on Company Owned Devices. Inventory MAC support is also available via substitution variables.
- Client lockdown configurations: The Core administrator now has the ability to make the following lockdown settings:
- Date and Time Settings: Device user can be allowed / disallowed to set the device date and time.
- Location settings: Device user can be allowed / disallowed to change the device location settings.
- Backup Server: Device user can be allowed / disallowed to change the backup server settings.
- Enforce password complexity: Android 12 devices in Work Profile mode do not allow Core to enforce full device passcode attributes - only simplified passcode complexity can be set. This feature allows Mobile@Work to map legacy passcode quality attributes to passcode complexity parameters automatically.
- Corporate wallpaper for Android devices: This new feature for corporate-owned Android devices allows the administrator the option of distributing an image as wallpaper. The image will automatically be applied to the device. This feature is only supported in Work Managed Device mode.
- Remotely Enable Mobile@Work Enhanced Logging: This new feature helps troubleshoot issues that are intermittent by remotely enabling enhanced logging of a device. It can be enabled to collect information and then disabled once done. Supported in Core 11.4.0.0. Actions > More Actions > Enhanced Logging.
- Cert Pinning Configuration - Registration phase: Updates include in-app registration, from which users can opt out; this update only supports Cores that have client mutual authentication enabled; only implemented on port 443 traffic.
- Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Managed Profile on Company Owned Devices, and Managed Devices. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Core instance.
- Enhancement for Azure Active Directory registration process: This is an enhancement to an existing feature. Users are now prompted to complete the Microsoft 365 registration and are guided through the process.
- Android 12 upgrade and location services: This new feature is to ensure upgrading to Android 12 happens without material impact to the user experience. There will be no change in permissions for enrolled devices updated to Android 12. For new enrollments with Android 12, if the Wi-Fi config is applied, users will not be asked to enable location services in any mode. If the MTD config is applied, there is no change from the existing behavior and users are still prompted for location services. This new feature is for work profile, Managed Device mode, and Managed Profile on Company Owned Device modes.
New features information from previous releases
Mobile Threat Defense features
Mobile Threat Defense (MTD) protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MTD-related features, as applicable for the current release, see the Mobile Threat Defense Solution Guide for Ivanti EPMM for your platform, available under the MOBILE THREAT DEFENSE section on the Ivanti Product Documentation page.
Each version of the MTD guide contains all Mobile Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, new versions of the MTD guide are made available with the final release in the series when the features are fully functional.