New features summary
These are cumulative release notes. If a release does not appear in this section, then there were no associated new features and enhancements.
Product nomenclature: This is cumulative documentation and the product names you encounter in this documentation were accurate at the time of publication. Ivanti updates each new section to reflect evolving product nomenclature, but leaves legacy citations intact to ensure proper frame of reference for the reader.
-
SafetyNet / Play Integrity attestation: SafetyNet was used for devices below Android 14 and Play Integrity for Android 14 and above before client version 12.3.1.0. From client version 12.3.1.0 onwards, Play Integrity applies to all Android versions starting from 8.x.
-
Android version 15 support: Starting from this release, Mobile@Work for Android now supports Android version 15.
-
The user interface for Zimperium Dynamic Threat detection is redesigned on Mobile@Work for Android: The client's Threat Defense UI is redesigned to support dynamic threats detected by the server. The threat defense card displays count based on severity, while the Threats Defense page lists all types of threats, sorted based on their severity.
-
Support to allow Lost Mode on Android with audio: Administrators have the option to send a message to the device that has been lost. Administrators must select the device in the EPMM admin portal > Devices & Users and navigate to Actions > More Actions > Lost Mode to enable the feature. Once Lost Mode is enabled, the device displays the Lost Mode screen with a message, contact number, footnote, and Lost Mode Sound.
-
Support to integrate Lookout SDK: Lookout SDK version 4.1.14.13 is now supported with this release.
-
Support to integrate Zimperium SDK: Zimperium SDK version 5.4.53 is now supported with this release.
-
Allow Mobile@Work to open Captive portal Wi-Fi authentication: A new option is added in security policy. Required Mobile@Work for Captive Portal Wi-Fi Authentication that allows Mobile@Work for Android to intercept and process authentication requests for Wi-Fi connections through a captive portal and overrides the operating system (OS) behavior that allows authentication without a trusted or valid TLS certificate.
-
Local Compliance Action with Dynamic Threats Supported in MDM Server: Zimperium has introduced new threat rules in the MTD Local Actions Policy under the Network, Device, and App categories. You can enable the threats as per your requirements and apply them to the selected devices for threat detection.
-
Support Zimperium v5 Console functionality: The v5 Console is a new updated console from Zimperium; devices need to register newly on the v5 console and go through license activation and support threat defense. It is compatible with all existing functionalities of Mobile@Work for Android.
-
Support to allow Nearby Streaming: Administrators can now toggle the Nearby streaming to video stream applications to nearby devices. This is applicable for Android 14+ devices.
-
Support for Catalan language: Mobile@Work now supports Catalan language.
-
Support to configure Android Shared Kiosk to clear application data of Google Chrome: Android Shared Kiosk is configured to clear application data and force reinstall for Shared Users. When the user logs out, Chrome application data is cleared.
-
Support to re-authenticate a new OAuth token: OAuth API call is updated for non-mutual authenticated setup when an active token expires in old or new client.
-
Support to 'Allow Wi-Fi Direct' option: Administrators can now toggle the 'Allow WIFI direct' option for Devices in Managed Device, Managed Device- non GMS, and Managed Device with Work Profile Modes to allow or disallow the Wi-Fi Direct on a device. This is applicable for Android 13 and later devices.
-
Support to provide dynamic threat detection for Zimperium: The Threat Defense section of Mobile@Work now displays threats based on the severity of the threat: the Critical Threats and Important Threats. Clicking on these threats provide more information about the threat.
-
Support to disable the lockscreen shortcuts on an Android device: The administrators can allow or disallow lockscreen shortcuts by enabling or disabling 'Block keyguard shortcuts' option in Ivanti EPMM. This option is available for DO and EPO modes and is disabled by default.
-
Support to Ultra-wideband restriction: The Ultra-wideband restriction can be set only by a device owner or a profile owner of an organization-owned managed profile on the parent profile. In both cases, the restriction applies globally on the device and will disable the ultra-wideband radio.
-
Support to update imprint link for DT client: The imprint link is now updated for DT client to open Telekom imprint link.
-
Support to integrate Zimperium SDK: Zimperium SDK version 5.3.17 is now supported with this release.
-
Support to integrate Lookout SDK: Lookout SDK version 4.1.12.897 is now supported with this release.
-
Support to display recent users logging into the kiosk mode: Selecting the 'Display Recent Users on Login Screen' option in the staging policy for kiosk mode, displays the recent users to track the users logging into the kiosk mode. If the option is disabled, the recent users will not be displayed for the client.
-
Support to control Samsung Knox Mobile@Work license activation: Administrators can now control the license activation. The activation can be disabled when required from the New Samsung General Policy.
-
Support for new lockdown to allow network reset: Administrators can toggle the Allow Network Reset option for Devices in Managed Device, Managed Device- non GMS and Managed Device with Work Profile Modes to allow or disallow resetting the mobile network, WIFI, and bluetooth options on the device.
-
Support for Lookout SDK 4.1.11: Lookout SDK version 4.1.11 is now supported with this release.
-
Support for Zimperium V5 SDK: Mobile@Work is now supported with Zimperium V5 SDK.
-
Support for Android bug report: Administrators can now include or exclude android bug report while performing Pull Client Logs on a device in DO mode only. A new checkbox "Collect Android Bug Report Logs" is introduced in Pull Client Logs.
-
Select the checkbox for client logs along with android bug report to be requested from Mobile at Work.
-
Deselect the checkbox for silent logs to be requested from Mobile at Work. The android bug report is excluded in this request.
-
-
Mobile@Work switches to Play Integrity API from SafetyNet: A failover mechanism has been integrated to re-initiate certification check to use SafetyNet if the Play Integrity check fails. Upon client upgrade, Mobile@Work executes the Play Integrity attestation first. It is applicable to all Android devices in all modes.
-
Support to enable driver safety feature: Devices that are deployed in the Kiosk (GMS or non-GMS) and the user is in the Kiosk (shared or unshared) with driver safety feature turned on, and if the speed is greater than 12 miles per hour, then all the applications are blocked and Driver safety enabled! Access to apps may be restricted.' message is displayed. Only applications such as Google maps that are designated to be available when driving are enabled.
-
Support for Zebra firmware updates: Zebra firmware updates are now managed with a true delta URL for upgrade on Android 11 and later devices.
-
Support for Kiosk Mode folder structure: Administrators can now group multiple applications together and also define folders in the Kiosk mode.
-
Support to notify the administrators about empty upgrade URL: The ERROR_DOWNLOAD_EMPTY_URL is displayed in the System Update field under device details, if the upgrade URL is empty for a Zebra Device.
-
Support for Lookout SDK 4.1.7: Lookout SDK version 4.1.7 is now supported with this release.
-
Phishing Threat Notification: With this release, clicking on a Lookout threat notification navigates to the Mobile@Work notifications screen where the notification details are displayed.
-
Android 14 support : Ivanti Mobile@Work now supports Android 14.
-
Support to add domain names in Wifi configuration: The domain names can now be configured in the Wifi settings for TLS and TTLS authentication protocols.
-
Enhanced network slicing feature added to define network slices on a 5G network: In Ivanti EPMM, the administrator can configure slice configuration, which allows the devices to route the traffic for all the apps as per the configured enterprise network slices. 5G network slicing is supported on Android 13+ devices in Work Managed Device mode and Work Profile mode.
-
New override APN settings for Android Enterprise: To accommodate new features added to Android 13+ Android Enterprise, three new fields have been added in Ivanti EPMM.
-
For Android 13+ devices in Work Managed Device mode, Ivanti EPMM now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Applies to Work Managed Device (DO) mode. (5G support for Android 12+ devices are supported in Work Profile mode and Work Profile for Company Owned mode.) Requires support from 5G service provider.
- Device users allowed or disallowed to share the admin-configured Wi-Fi: Applicable to Android 13+ devices in:
Work Managed Device mode
Work Managed Device Non-GMS mode (AOSP)
Work Profile mode
Work Profile on Company Owned Device mode
- Branding-related updates in Ivanti Mobile@Work for Android: Mobile@Work for Android is now re-branded to Ivanti Mobile@Work for Android. The following updates were made as part of the branding updates:
- Name change under the server details
- Notifications are updated
- My Devices tab is updated
- Brand logo is updated in Settings >Troubleshoot >Send Mobile@Work Logs
- Icons are updated
- References to the product name in the text are updated
- References to the product name in messages are updated
- Auto rotation and brightness control in Ivanti Mobile@Work: Depending upon the settings the administrator makes in Ivanti EPMM, device users can now configure auto rotation and brightness of the Ivanti Mobile@Work for Android app. Applicable to:
Work Managed Device mode
Managed Device with Work Profile mode
Work Managed Device Non-GMS mode (AOSP)
-
Unlock PIN extended: For all registration options, in Ivanti EPMM, administrators can set the Unlock PIN between 6-8 digits and optionally, make the PIN alphanumeric.
-
User and Registration PIN options added for all registration options: When this new option is selected, the client will display the username option along with the PIN on the registration screen. After entering incorrect credentials based on the number of failed attempts configured on the server, the device user will be blocked on the server side. When this occurs, an error message "Authentication failed: Invalid Credentials" displays.
-
Android 13+ devices Wi-Fi Security level: The Wi-Fi security level can now be set (enforced) using a new lockdown control for all Android 13+ devices. Applicable to Work Managed Device mode, Work Profile on Company Owned Device mode, and Work Managed Device non-GMS mode (AOSP) in the following security levels:
- WIFI_SECURITY_OPEN
- WIFI_SECURITY_PERSONAL
- WIFI_SECURITY_ENTERPRISE_EAP
- WIFI_SECURITY_ENTERPRISE_192
- OpenSSL libraries have been upgraded to OpenSSL 3.0.7.
-
Changes to Relinquish and Retire: If customers are using Ivanti EPMM 11.10.0.0 and above:
-
"Relinquish" has been replaced with "Retire." If "Relinquish" is tried, an information message displays stating to use the "Retire" option.
-
For new device users in Work Profile on Company Owned Device mode, the "Relinquish" option has been replaced with "Retire." When a device is Retired, the organizational data and organizational apps are removed from devices with no loss of personal data.
-
Retire action is not supported for all other Android devices in non-Work Profile on Company Owned Device mode.
-
Retire option will be available from My devices for Work Profile on Company Owned Device mode.
-
All other Android devices in non-Work Profile on Company Owned Device mode are Wiped. "Wipe" removes all data/factory resets the corporate devices. A warning message is displayed before the device is Wiped.
-
-
Android 13+ MAC Address Randomization: Ivanti recommends customers use persistent-randomization setting to allow the device to report the persistent randomized MAC to the Ivanti EPMM server and to use the same for connecting to Wi-Fi. Device users can not change this setting and therefore ensures consistency of information between what-is-on-device and what-is-reported-to-server.
It is recommended to NOT disable randomization on Work Profile devices as the Wi-Fi MAC address reported to Ivanti EPMM will not be the physical MAC being used by the device (to preserve user privacy.) However, the device will use actual (physical) MAC for Wi-Fi connection.
- Support for new scope delegation using EMM DPC: The administrator can provide some apps to receive the following scopes via delegation. Supported modes may vary for different scopes:
- Set and Get App Restrictions - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage blocking app uninstallation - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Certificate Selection - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Enabling System Apps - Supported on fully managed, work profile, and work profile on corporate-owned devices
- MobileIron Private: Install and remove existing packages - Supported on fully managed devices
- Manage Retention of Uninstalled Apps - Supported on fully managed devices
- Manage Network Log Collection - Supported on Android 10 and 11 fully managed devices
- For Android 12 and later - Supported on fully managed, work profile, and work profile on corporate-owned devices
- Manage Security Log Collection - Supported on fully managed or work profile on company-owned devices
- Manage Installation of Existing apps - Supported on Fully managed devices
- Disallow use of custom input methods by personal apps on WPCOD device: On devices running Android 12 or later, and deployed in WPCOD (Work Profile on Company-Owned Device) mode, the administrator can disallow the use of custom input methods by all personal apps on the device.
- Device user warning notifications for work profile or device passcode expiration: The following messages will display to notify device users of impending passcode expiration:
Screen unlock: "Your screen unlock code will soon expire. Set up a new code to continue having seamless access to your work data." This displays during the last seven days until the password is changed.
Work profile (access): "Your profile lock code will soon expire. Set up a new code to continue having seamless access to your work data."
Work profile (apps): "Your profile passcode needs to be updated in order to continue use your work apps."
Kiosk: "Your device passcode is about to expire. Please contact your administrator."
- Support for Arabic language: In this release, Arabic localization (right-to-left) has been added within Mobile@Work.
- Allow Nearby Notification Streaming: Allow Nearby Notification Streaming is a new option in the lockdown policy for managed device and managed profile sections. The administrator can set it to the following values: Not Controlled by policy (default), Enable, Disable, and Enabled for Same Account. The purpose is to prevent data loss via Google's new streaming features. Applies to Android 12+ devices in Fully Managed devices. Similar control is also available for Work Profile and Work Profile on Company Owned mode devices using Android 12+.
- Zimperium SDK version 4.22.8 was integrated into this release.
- Randomization type: In the Wi-Fi configuration, the administrator can allow randomization type. If the Wi-Fi Randomization type is not set, (default setting after Ivanti EPMM upgrade), randomization type is not pushed to devices. Applicable to Android 13+ devices.
-
Samsung Knox APIs Deprecated: Because the Samsung kiosk mode is deprecated in Android 8.1 and above, you must implement Android kiosk mode instead. For more information, see Deprecated features in the Ivanti EPMM Release Notes and Upgrade Guide. See also the Samsung Deprecation of APIs in Knox article and Samsung Knox Developer Documentation > Deprecated API methods.
-
Security and logging enablement: Mobile@Work 11.8.0.0 is now able to configure security and network logging on the device according to the state of "Enable Security Logging on Android" and "Enable Network Logging on Android" options of the Security Policy.
If Security Logging is enabled for the device, then Mobile@Work will be able to receive batches of security log events from Android version 12 for collecting and processing. Security logging is supported now for the devices registered in Work Managed Device mode, and Work Profile on Company Owned Device mode.
If Network Logging is enabled for the device, then Mobile@Work will be able to receive batches of network log events (DNS and Connect) from Android version 12 for collecting and processing. Network logging is supported now for the devices registered in Work Managed Device mode and Work Profile on Company Owned Device mode.
Security and network logs, along with the regular client logs, are included in a zip file created by Mobile@Work on demand of device user with "Send logs" command (Settings menu) or as a response to the "Pull Client Logs" administrator command.
The set of the latest security log events in the form of JSON-formatted strings up to 10 MB total may be found in files with names beginning with a "security" prefix. The most recent log events will be represented by readable security.txt file (up to 1MB). Older security log events will be zipped in a series of zip files, i.e., security1.zip, security2.zip, etc. The same applies to network logs, except the file names begin with the "network" prefix.
JSON formatting for security and network logs is a compromise between the human-friendly readability and potential automated logs processing on the server side.
-
Device ownership maintained even with reboots during device registration: During registration, if a reboot/shutdown of device occurs (due to reasons such as a battery failure) while going through Zero Touch or bulk enrollment, after the reboot, the device's ownership status is maintained as Company-owned.
-
Retire option for DO, EPO and COMP modes deprecated: In My Devices, the option to retire devices in Work Managed Device mode, Work Profile on Company Owned Device mode, and Managed Device with Work Profile mode has been deprecated.
-
New option for Unlock command provided: For Android Enterprises, administrators can set a six digit unlock PIN for specific devices.
-
Enable app restrictions for all supported devices: In addition to the AOSP mode, the administrator can now enable Android Enterprise in-house app restrictions for all supported devices to display in the App view page of the App Catalog. Applicable to:
-
Work Managed Device mode
-
Managed Device with Work Profile mode
-
-
Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can set a Single App Kiosk to have a single app pinned to the device screen. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app. The pinned single app will be launched only if the app is installed on the device. Applicable to Shared-Kiosk mode, Work Managed Device mode (DO) and Work Managed Device - non GMS mode (AOSP.)
Note the following:
-
For regular Kiosk only, device users can exit Kiosk remotely. Mobile@Work displays the toast message "Kiosk Exit" in the app but the dedicated single-app may still remain on screen, as it cannot be closed due to Android limitations.
-
The Lock Task mode can only be enabled when the home screen is in the foreground. If another app is in the foreground, then it is not possible to enable Lock Task mode. Workaround: Device user needs to tap the back or home button; the Lock Task mode becomes enabled.
-
On devices Android 9 and below, when the single app Kiosk is disabled, then the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations.
-
-
Logout mode added to Android Enterprise Shared Kiosk Mode: The administrator can Logout the device user if a session exceeds [0 is default] hours. Applicable to Managed Device with Work Profile mode.
-
IMEI information for inactive SIM slots now displayed: In the past, only the IMEI information of the active SIM slot was displayed in Ivanti EPMM. Now, device information on active and inactive SIM slots displays.
- Certificates revocation enabling controls (CRL) for specific modes: If the certificate revocation check is enabled, OCSP check is executed first. A CRL check is executed as a fall back if the OCSP check failed. Requires Knox premium license to be applied. Applicable to the following modes:
- Device Admin mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Fully Managed Device mode
-
Private DNS: On fully managed devices running Android 10 or later, the administrator can specify whether the device should use a private DNS server for encrypted domain name resolution, and if so, which one.
-
Send device compliance data to multiple Microsoft Office 365 tenants: Administrator can configure device compliance data to be sent to multiple Microsoft Office 365 tenants in standard environments.
-
File Transfer Configuration: A new configuration File Transfer is available for Android devices. This configuration can be used to transfer files to the device and these files can be shared from Mobile@Work to other apps on the same device. Target apps that are consuming the files should support ContentURI to access these files on the device.
-
Additional battery health statistics per-device are now provided to Core:
- Android Battery Charging Status
- Android Battery Health Status
- Battery Charge Cycles (OEM)*
- Battery Health Percentage (OEM)*
- Battery Manufacture Date (OEM)*
*The OEM fields will only populate if the device is a Zebra device.
Some devices are seen to report unexpected values or information may be missing. It is recommended to report such issues to specific manufacturer. OEM attributes are currently only supported for Zebra devices.
- Privacy updates via notification: Device users in Work Profile mode and Work Profile on Company Owned Device mode will receive a notification when the privacy policy had changed. When the notification is tapped on, device users will be redirected to the privacy screen for information purposes.
- Notifications in Kiosk mode: Android Enterprise Kiosk mode allows administrators to push notifications to the device. This helps administrators to communicate any important messages or alerts using the existing "Push Message" capability." The Kiosk user can access Notifications from the Kiosk settings pane.
- Shared kiosk mode app settings: All apps allowed in Kiosk mode will have an additional "broom" and "settings" icon. Based on the specific app's settings, Mobile@Work will:
- allow Android settings when that specific app is launched
- clear app data when the device user logs out of Shared kiosk
-
Support Bulk Enrollment via Token: Android devices can be seamlessly registered without requiring any manual entry of credentials. New registration is supported by leveraging a new value "token" in QR code and verifying a device's serial number with token during registration with a pre-define list.
Administrators can have a pre-defined list of serial numbers and generate corresponding tokens on Ivanti Endpoint Manager for Mobile. Ivanti Provisioner app for Android can be used to generate the corresponding QR code. Bulk enrollment token is applicable on Android devices 7+ as long as Mobile@Work is able to access the serial number during provisioning.
Applicable to:
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile on Company Owned Device mode
- AOSP mode
For devices older than Android 11, Mobile@Work will auto-grant phone permissions in Work Managed Device mode, making the serial number available.
-
Mobile@Work auto-granted permissions reduced on all Android device versions: Administrators can provide device users more choice on Android 11 and below Work Profile devices by allowing the device user to choose whether Mobile@Work should be granted location permissions. The default behavior allows Mobile@Work to automatically grant this permission. In Core 11.7.0.0, when the Mobile@Work auto-grant location permission check box is selected, administrators would see a warning in Core and device users would receive a prompt to grant Mobile@Work location permission during registration of devices in Work Profile mode.
Phone permission is required to collect device information. Phone permission allows Mobile@Work to get information about device identifiers such as IMEI. This permission was originally only available in Device Admin mode, but has been extended to Work Profile mode. Device user consent is required for Mobile@Work to have phone permission.
- Support for AAD compliance: Company-branded Mobile@Work clients now support Azure Active Directory (AAD) compliance.
- OCSP certificate revocation: Certificate revocation check during TLS certificate validation now defaults to Online Certificate Status Protocol (OCSP).
- Support for Android Wi-Fi device migration: Wi-Fi configuration provisioned on Core will be preserved during Core to cloud migration, to allow communication from client to cloud server after migration, on Wi-Fi only devices. Applicable to the following Android Enterprise modes:
- Device Admin mode
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Updated Knox Attestation mechanism: Samsung Android 12 devices have an updated mechanism to retrieve Knox Attestation results using new set of APIs. Knox Attestation API on Android 12+ devices will now be reported to Core. To generate Knox Attestation results for existing Android 12 Samsung devices after upgrading to Core 11.6.0.0, administrators can modify the existing Knox policy and then push the update to these devices to re-run the Knox Attestation check. Otherwise, administrators can create new configurations and distribute them based on the Samsung Knox Attestation value to specific devices only.
- Allow Unknown Sources option added: Administrators now can allow/disallow unknown sources in both personal and work profiles.
- Harmony OS is certified for AOSP mode: Certified model - Huawei P20/ Harmony OS 2.0.
- Support for Android Enterprise devices call logs: As part of the Device Admin mode deprecation, call logs are extended to Android Enterprise devices. Applicable to the following Android Enterprise modes:
- Work Managed Device mode
- Managed Device with Work Profile mode
- Work Profile mode
- Work Profile on Company Owned Device mode
- Listing of memory consumption: In Product Details, device users will now see a "Used memory (current/max/min) in MB" option. This displays the memory usage in the device. Applicable to all provisioning modes.
- Customized Lock screen message on Android devices: As part of a Lockdown policy, administrators can now set a message on the Lock screen on company-owned Android devices. Applicable to the following modes:
- Work Profile Managed Device
- Managed Device with Work Profile
- Work Profile for Company Owned Device
- Work Managed Device - Non-GMS mode
- For Android 12+ devices, Core now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Applies to Work Profile and Work Profile for Company Owned devices. Requires support from 5G service provider.
- Non-GMS devices will now be identified and reported to Core during device registration: This is used to assign device ownership. Applicable to the following Android devices using:
- Google Zero Touch (ZT)
- Samsung Knox Mobile Enrollment (KME)
- Non-GMS mode (Android Open Source Project (AOSP)
- Allow/disallow personal apps for a Work Profile on Company Owned Device: Administrators can now control the apps a device user is allowed to install in the personal profile. Applies to Android 11 and newer.
- Security and logging enablement: Mobile@Work 11.5.0.0 is now able to configure security and network logging on the device according to the state of "Enable Security Logging on Android" and "Enable Network Logging on Android" options of the Security Policy.
If Security Logging is enabled for the device, then Mobile@Work will be able to receive batches of security log events from Android for collecting and processing. Security logging is supported now for the devices registered in Work Managed Device mode, Managed Device with Work Profile mode, and Work Profile on Company Owned Device mode.
If Network Logging is enabled for the device, then Mobile@Work will be able to receive batches of network log events (DNS and Connect) from Android for collecting and processing. Network logging is supported now for the devices registered in Work Managed Device mode and Work Profile on Company Owned Device mode.
Security and network logs, along with the regular client logs, are included in a zip file created by Mobile@Work on demand of device user with "Send logs" command (Settings menu) or as a response to the "Pull Client Logs" administrator command.
The set of the latest security log events in the form of JSON-formatted strings up to 10 MB total may be found in files with names beginning with a "security" prefix. The most recent log events will be represented by readable security.txt file (up to 1MB). Older security log events will be zipped in a series of zip files, i.e., security1.zip, security2.zip, etc. The same applies to network logs, except the file names begin with the "network" prefix.
JSON formatting for security and network logs is a compromise between the human-friendly readability and potential automated logs processing on the server side.
- Android 7+ Inventory MAC address: To preserve device user privacy, on Android 7+ devices, Core accepts a randomized MAC address and now also collects true physical MAC address for inventory purposes. Inventory MAC is the hardware-based MAC that is reported after a device is registered and is only available for company-owned modes, namely Device Owner mode and Work Profile on Company Owned Devices. Inventory MAC support is also available via substitution variables.
- Client lockdown configurations: The Core administrator now has the ability to make the following lockdown settings:
- Date and Time Settings: Device user can be allowed / disallowed to set the device date and time.
- Location settings: Device user can be allowed / disallowed to change the device location settings.
- Backup Server: Device user can be allowed / disallowed to change the backup server settings.
- Enforce password complexity: Android 12 devices in Work Profile mode does not allow Core to enforce full device passcode attributes - only simplified passcode complexity can be set. This feature allows Mobile@Work to map legacy passcode quality attributes to passcode complexity parameters automatically.
- Corporate wallpaper for Android devices: This new feature for corporate-owned Android devices allows the administrator the option of distributing an image as wallpaper. The image will automatically be applied to the device. This feature is only supported in Work Managed Device mode.
- Remotely Enable Mobile@Work Enhanced Logging: This new feature helps troubleshoot issues that are intermittent by remotely enabling enhanced logging of a device. It can be enabled to collect information and then disabled once done. Supported in Core 11.4.0.0. Actions > More Actions > Enhanced Logging.
- Cert Pinning Configuration - Registration phase: Updates include in-app registration to which users can opt-out; this update only supports Cores that have client mutual authentication enabled; only implemented on port 443 traffic.
- Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Managed Profile on Company Owned Devices, and Managed Devices. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Core instance.
- Enhancement for Azure Active Directory registration process: This is an enhancement to an existing feature. Users are now prompted to complete the MIcrosoft365 registration and are guided through the process.
- Android 12 upgrade and location services: This new feature is to ensure upgrading to Android 12 happens without material impact to the user experience. There will be no change in permissions for enrolled devices updated to Android 12. For new enrollments with Android 12, if the Wi-Fi config is applied, users will not be asked to enable location services in any mode. If the MTD config is applied, there is no change from the existing behavior and users are still prompted for location services. This new feature is for work profile, Managed Device mode, and Managed Profile on Company Owned Device modes.
New features information from previous releases
Mobile Threat Defense features
Mobile Threat Defense (MTD) protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MTD-related features, as applicable for the current release, see the Mobile Threat Defense Solution Guide for Ivanti EPMM for your platform, available under the MOBILE THREAT DEFENSE section on the Ivanti Product Documentation page.
Each version of the MTD guide contains all Mobile Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, new versions of the MTD guide are made available with the final release in the series when the features are fully functional.