New features summary

Support for Zero Touch VPN Anti-phishing protection: Select the Ivanti Mobile@Work for Android and anti-phishing configuration to enable and distribute the Always On VPN configuration. The device client app will no longer display the VPN permission dialog prompt after installing the configurations.

Support for Lookout SDK: Ivanti Mobile@Work for Android now integrates with Lookout SDK version 4.1.17.63.

Support for Zimperium SDK: Ivanti Mobile@Work for Android now integrates with Zimperium SDK version 5.6.37.

Introducing new app restrictions: New app restrictions will enable periodic activation checks and threat notifications for Zimperium to perform periodic checks.

Threat defense update: Ivanti Mobile@Work for Android now integrates with Lookout SDK version 4.1.16.39.

End of support for older Android versions: Starting from this release, Ivanti Mobile@Work for Android will no longer support devices running on Android versions 8.x or lower.

Support for AI Assist Lockdown: AI Assist Lockdown now supports Android 15+ in the PO, DO, and EPO modes.

Support for Private Space Lockdown: Administrators can now allow or disallow the creation of a Private Space on Android 15+ devices for organization-owned managed profile devices.

Enhanced Microsoft authentication: Due to Microsoft changes related to enabling browser access mode, administrators should enable or add Manage Certificates settings. Perform the actions by navigating to App Configurations Summary > Delegated Device Permissions > Manage Certificates for Microsoft Authentication app distribution.

SafetyNet / Play Integrity attestation: SafetyNet was used for devices below Android 14 and Play Integrity for Android 14 and above before client version 12.3.1.0. From client version 12.3.1.0 onwards, Play Integrity applies to all Android versions starting from 8.x.

Android version 15 support: Starting from this release, Mobile@Work for Android now supports Android version 15.

The user interface for Zimperium Dynamic Threat detection is redesigned on Mobile@Work for Android: The client's Threat Defense UI is redesigned to support dynamic threats detected by the server. The threat defense card displays count based on severity, while the Threats Defense page lists all types of threats, sorted based on their severity.

Support to allow Lost Mode on Android with audio: Administrators have the option to send a message to the device that has been lost. Administrators must select the device in the EPMM admin portal > Devices & Users and navigate to Actions > More Actions > Lost Mode to enable the feature. Once Lost Mode is enabled, the device displays the Lost Mode screen with a message, contact number, footnote, and Lost Mode Sound.

Support to integrate Lookout SDK: Lookout SDK version 4.1.14.13 is now supported with this release.

Support to integrate Zimperium SDK: Zimperium SDK version 5.4.53 is now supported with this release.

Allow Mobile@Work to open Captive portal Wi-Fi authentication: A new option is added in security policy. Required Mobile@Work for Captive Portal Wi-Fi Authentication that allows Mobile@Work for Android to intercept and process authentication requests for Wi-Fi connections through a captive portal and overrides the operating system (OS) behavior that allows authentication without a trusted or valid TLS certificate.

Local Compliance Action with Dynamic Threats Supported in MDM Server: Zimperium has introduced new threat rules in the MTD Local Actions Policy under the Network, Device, and App categories. You can enable the threats as per your requirements and apply them to the selected devices for threat detection.

Support Zimperium v5 Console functionality: The v5 Console is a new updated console from Zimperium; devices need to register newly on the v5 console and go through license activation and support threat defense. It is compatible with all existing functionalities of Mobile@Work for Android.

Support to allow Nearby Streaming: Administrators can now toggle the Nearby streaming to video stream applications to nearby devices. This is applicable for Android 14+ devices.

Support for Catalan language: Mobile@Work now supports Catalan language.

Support to configure Android Shared Kiosk to clear application data of Google Chrome: Android Shared Kiosk is configured to clear application data and force reinstall for Shared Users. When the user logs out, Chrome application data is cleared.

Support to re-authenticate a new OAuth token: OAuth API call is updated for non-mutual authenticated setup when an active token expires in old or new client.

Support to 'Allow Wi-Fi Direct' option: Administrators can now toggle the 'Allow WIFI direct' option for Devices in Managed Device, Managed Device- non GMS, and Managed Device with Work Profile Modes to allow or disallow the Wi-Fi Direct on a device. This is applicable for Android 13 and later devices.

Support to provide dynamic threat detection for Zimperium: The Threat Defense section of Mobile@Work now displays threats based on the severity of the threat: the Critical Threats and Important Threats. Clicking on these threats provide more information about the threat.

Support to disable the lockscreen shortcuts on an Android device: The administrators can allow or disallow lockscreen shortcuts by enabling or disabling 'Block keyguard shortcuts' option in Ivanti EPMM. This option is available for DO and EPO modes and is disabled by default.

Support to Ultra-wideband restriction: The Ultra-wideband restriction can be set only by a device owner or a profile owner of an organization-owned managed profile on the parent profile. In both cases, the restriction applies globally on the device and will disable the ultra-wideband radio.

Support to update imprint link for DT client: The imprint link is now updated for DT client to open Telekom imprint link.

Support to integrate Zimperium SDK: Zimperium SDK version 5.3.17 is now supported with this release.

Support to integrate Lookout SDK: Lookout SDK version 4.1.12.897 is now supported with this release.

Support to display recent users logging into the kiosk mode: Selecting the 'Display Recent Users on Login Screen' option in the staging policy for kiosk mode, displays the recent users to track the users logging into the kiosk mode. If the option is disabled, the recent users will not be displayed for the client.

Support to control Samsung Knox Mobile@Work license activation: Administrators can now control the license activation. The activation can be disabled when required from the New Samsung General Policy.

Support for new lockdown to allow network reset: Administrators can toggle the Allow Network Reset option for Devices in Managed Device, Managed Device- non GMS and Managed Device with Work Profile Modes to allow or disallow resetting the mobile network, WIFI, and bluetooth options on the device.

Support for Lookout SDK 4.1.11: Lookout SDK version 4.1.11 is now supported with this release.

Support for Zimperium V5 SDK: Mobile@Work is now supported with Zimperium V5 SDK.

Support for Android bug report: Administrators can now include or exclude android bug report while performing Pull Client Logs on a device in DO mode only. A new checkbox "Collect Android Bug Report Logs" is introduced in Pull Client Logs.

• Select the checkbox for client logs along with android bug report to be requested from Mobile at Work.

• Deselect the checkbox for silent logs to be requested from Mobile at Work. The android bug report is excluded in this request.

Mobile@Work switches to Play Integrity API from SafetyNet: A failover mechanism has been integrated to re-initiate certification check to use SafetyNet if the Play Integrity check fails. Upon client upgrade, Mobile@Work executes the Play Integrity attestation first. It is applicable to all Android devices in all modes.

Support to enable driver safety feature: Devices that are deployed in the Kiosk (GMS or non-GMS) and the user is in the Kiosk (shared or unshared) with driver safety feature turned on, and if the speed is greater than 12 miles per hour, then all the applications are blocked and Driver safety enabled! Access to apps may be restricted.' message is displayed. Only applications such as Google maps that are designated to be available when driving are enabled.

Support for Zebra firmware updates: Zebra firmware updates are now managed with a true delta URL for upgrade on Android 11 and later devices.

Support for Kiosk Mode folder structure: Administrators can now group multiple applications together and also define folders in the Kiosk mode.

Support to notify the administrators about empty upgrade URL: The ERROR_DOWNLOAD_EMPTY_URL is displayed in the System Update field under device details, if the upgrade URL is empty for a Zebra Device.

Support for Lookout SDK 4.1.7: Lookout SDK version 4.1.7 is now supported with this release.

Phishing Threat Notification: With this release, clicking on a Lookout threat notification navigates to the Mobile@Work notifications screen where the notification details are displayed.

Android 14 support : Ivanti Mobile@Work now supports Android 14.

Support to add domain names in Wifi configuration: The domain names can now be configured in the Wifi settings for TLS and TTLS authentication protocols.

Enhanced network slicing feature added to define network slices on a 5G network: In Ivanti EPMM, the administrator can configure slice configuration, which allows the devices to route the traffic for all the apps as per the configured enterprise network slices. 5G network slicing is supported on Android 13+ devices in Work Managed Device mode and Work Profile mode.

New override APN settings for Android Enterprise: To accommodate new features added to Android 13+ Android Enterprise, three new fields have been added in Ivanti EPMM.

For Android 13+ devices in Work Managed Device mode, Ivanti EPMM now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Applies to Work Managed Device (DO) mode. (5G support for Android 12+ devices are supported in Work Profile mode and Work Profile for Company Owned mode.) Requires support from 5G service provider.

• Work Managed Device mode

• Work Managed Device Non-GMS mode (AOSP)

• Work Profile mode

• Work Profile on Company Owned Device mode

• Name change under the server details
• Notifications are updated
• My Devices tab is updated
• Brand logo is updated in Settings >Troubleshoot >Send Mobile@Work Logs
• Icons are updated
• References to the product name in the text are updated
• References to the product name in messages are updated

• Work Managed Device mode

• Managed Device with Work Profile mode

• Work Managed Device Non-GMS mode (AOSP)

Unlock PIN extended: For all registration options, in Ivanti EPMM, administrators can set the Unlock PIN between 6-8 digits and optionally, make the PIN alphanumeric.

User and Registration PIN options added for all registration options: When this new option is selected, the client will display the username option along with the PIN on the registration screen. After entering incorrect credentials based on the number of failed attempts configured on the server, the device user will be blocked on the server side. When this occurs, an error message "Authentication failed: Invalid Credentials" displays.

Android 13+ devices Wi-Fi Security level: The Wi-Fi security level can now be set (enforced) using a new lockdown control for all Android 13+ devices. Applicable to Work Managed Device mode, Work Profile on Company Owned Device mode, and Work Managed Device non-GMS mode (AOSP) in the following security levels:

• WIFI_SECURITY_OPEN
• WIFI_SECURITY_PERSONAL
• WIFI_SECURITY_ENTERPRISE_EAP
• WIFI_SECURITY_ENTERPRISE_192

Changes to Relinquish and Retire: If customers are using Ivanti EPMM 11.10.0.0 and above:

• "Relinquish" has been replaced with "Retire." If "Relinquish" is tried, an information message displays stating to use the "Retire" option.

• For new device users in Work Profile on Company Owned Device mode, the "Relinquish" option has been replaced with "Retire." When a device is Retired, the organizational data and organizational apps are removed from devices with no loss of personal data.

• Retire action is not supported for all other Android devices in non-Work Profile on Company Owned Device mode.

• Retire option will be available from My devices for Work Profile on Company Owned Device mode.

• All other Android devices in non-Work Profile on Company Owned Device mode are Wiped. "Wipe" removes all data/factory resets the corporate devices. A warning message is displayed before the device is Wiped.

Android 13+ MAC Address Randomization: Ivanti recommends customers use persistent-randomization setting to allow the device to report the persistent randomized MAC to the Ivanti EPMM server and to use the same for connecting to Wi-Fi. Device users can not change this setting and therefore ensures consistency of information between what-is-on-device and what-is-reported-to-server.

It is recommended to NOT disable randomization on Work Profile devices as the Wi-Fi MAC address reported to Ivanti EPMM will not be the physical MAC being used by the device (to preserve user privacy.) However, the device will use actual (physical) MAC for Wi-Fi connection.