New features and enhancements summary
This section provides summaries of new features and enhancements available in this release of MobileIron:
- General features and enhancements
- Android and Android enterprise features and enhancements
- iOS and macOS features and enhancements
- MobileIron Threat Defense features
For new features and enhancements provided in previous releases, see the release notes for those releases, available in MobileIron Core Product Documentation. MobileIron Support credentials are required to access the site.
General features and enhancements
This release includes the following new features and enhancements that are common to all platforms.
- Filter users by LDAP OU in device registration, Spaces, and Labels: You can now include Lightweight Directory Access Protocol (LDAP) Organizational Units (OU) within Space and Label criteria, restricting the results to the users in that OU. This feature set includes the following updates:
  - Updated LDAP Sync: LDAP Sync now returns all LDAP OU information. This information is used to correlate users in Core with their OUs. It syncs only the OU information itself, not all the OU user information, which would affect performance. See "Synchronizing with the LDAP server" in Getting Started with MobileIron Core.
    NOTE: This behavior differs from sync to a Group, which does fetch all the group user information.
  - LDAP OUs in space and label criteria: You can now create device spaces and labels based on LDAP OUs. There is a new attribute in the Admin > Device Spaces > New Admin Space > “Field” menu: Organizational Units > LDAP Organizational Unit Distinguished Name (OUDN). If you select this option, a list of LDAP Organizational Units populates the right-hand drop-down menu, from which you can configure your criteria. See "Searchable fields" in the "Creating device spaces and assigning administrators" section of the MobileIron Delegated Administration Guide.
  - LDAP OUs in device criteria for single device registrations: You can now restrict single device registration queries to users within an LDAP OU. If there is an LDAP OU included in the Space criteria, the Devices & Users > Devices > Add Device > User field will be constrained to that OU (similar to Group behavior). See "Single device registration" in the "Managing Devices" section of Getting Started with MobileIron Core.
    Similarly, if an LDAP OU is part of the space criteria, the following LDAP Entities listing pages will also limit the entries to users within that LDAP OU:
    - LDAP Entities > LDAP Users
    - LDAP Entities > Authorized LDAP Entities
    - LDAP Entities > LDAP OU
    - LDAP Entities > LDAP group (only those belonging to the LDAP OU)
    For more information, see:
    - "Filtering users by OUs and groups" in the MobileIron Core Delegated Administration Guide.
    - "Single device registration" in the Managing Devices section of Getting Started with MobileIron Core.
  - LDAP OUs in device criteria for bulk device registrations: If an LDAP OU or Group is part of the Space criteria, the users in the comma-separated values (CSV) file will be matched against it. From the Devices & Users > Devices > Add Multiple Devices menu, enter a CSV file and click Apply to see the restricted list of users. If the user isn’t in the OU, “User not found” displays in the Message column for that user. For more information, see "Bulk device registration" in the MobileIron Core Getting Started Guide.
    NOTE: Bulk device registration fails when using a comma-separated values (CSV) file with more than 2000 device entries.
- Automatic device retirement capability for unused devices: MobileIron Core now supports automatic device retirement for unused devices. You can enable this feature from the Settings > Users & Devices > Retire and Delete Devices > Retire and Delete Retired Devices page. You have the following device retirement options:
  - Retire devices that have been inactive for more than 30 days (this field is configurable).
  - Open a list of devices that have not checked in.
  - Retire up to a configured maximum number of devices per session (default is 100).
  - Create a schedule to retire devices going forward.
    Scheduling options include:
    - Frequency: Daily, weekly, or monthly
    - Start time: Default start time is midnight.
  Retired and deleted devices are listed in the Admin portal Devices page. The Devices page also includes a link to a list of qualified devices that can be retired. For more information, see "Retiring and deleting unused and retired devices" in the MobileIron Core Device Management Guide for your operating system.
- MobileIron Core banner informing of desktop capability on Cloud: If there are any Windows or Mac devices enrolled in Core, a banner displays along the top of the Core UI: "MobileIron offers comprehensive features for Desktop Management on Cloud platform. Try our Cloud solution today." Clicking the supplied link opens the MobileIron 30-day free UEM Cloud software page. Administrators can dismiss the banner by selecting the "Don't show again" check box and clicking the "Close" button.
- Shorter certificate lifetimes for self-signed TLS certificates: Beginning September 1, 2020, Apple requires that valid Transport Layer Security (TLS) certificates expire in 397 days or less. From Core 10.8.0.0 through the latest release supported by MobileIron, the lifespan of self-signed TLS certificates will be limited to fewer than 398 days. See the "Certificates you configure in the System Manager" section of the MobileIron Core System Manager Guide.
- Mobile@Work self-service user portal customization improvements: The Mobile@Work self-service user portal (SSP) has new customization options and capabilities for enabled users. This feature set includes the following updates:
  - QR code-based device registration: A new option on the Mobile@Work self-service home page allows users to scan a QR code that will take them through device registration. Users now have the option of receiving registration information by SMS message and email, or by scanning a generated QR code. When users log into the self-service user portal home page, they can click one of two registration buttons:
    - Send Invitation – Receive registration information by SMS message and email.
    - Generate QR Code – Scan to be redirected to the appropriate registration page.
    Users scan the QR code and are redirected to a browser to enter their PIN or password:
    - iOS users: Once authenticated, iReg profile installation starts, completing device registration.
    - Android users: Once authenticated, the user is redirected to Google Play to download the registration app. Users open the app to complete device registration.
    NOTE: Users must be assigned appropriate roles to use the SSP. See “Assigning user portal device management roles” in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system. For more information, see "If QR-code registration is enabled" in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
  - Cascading style sheets and custom background colors: The self-service user portal has new customization options, including editable cascading style sheets (CSS) and custom background colors. The features are available on the Settings > System Settings > Users & Devices > Registration page. For full information, see "Customizing the self-service user portal" in the MobileIron Core Device Management Guide for your operating system.
  - End User Terms of Service agreements support text and language customization: The Mobile@Work End User Terms of Service page can now be customized to conform to the languages and regulations in your operating region. From the Settings > Users & Devices > Registration page, click Add+ in the End User Terms of Service section to open the Add End User Terms of Service dialog box. From here, you can select the language, country or region, agreement type, and agreement content text. An email address is required. Core generates an audit email when the user accepts the terms and conditions. See "Configuring an end user Terms of Service agreement" in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
  - Multiple alias and friendly name support for PFX/P12 user certificates: MobileIron Core now supports the use of aliases and "friendly names" for .pfx and .p12 user certificates in the self-service user portal. For more information, see "About uploading certificates in the user portal" in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
  - View Activity displays user device history: Mobile@Work users can access their audit/device history logs from the user portal. From the user portal Welcome drop-down menu, select View Activity. The device activity page opens, displaying search tools and a scrolling table of log entries. Users can access this page from their laptop and mobile devices. For more information, see "Viewing device history logs" in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
    NOTE: Users must be assigned appropriate roles to use the SSP. See “Assigning user portal device management roles” in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
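For the shorter self-signed TLS certificate lifetimes item above, administrators may want to find certificates whose validity period exceeds the 397-day limit. The following is an added example, not MobileIron code: it classifies certificates from the output of `openssl x509 -noout -dates`. The function names, the sample dates, and the assumption that the limit applies to certificates issued on or after September 1, 2020 are illustrative.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=397)  # limit stated in the release note
# Assumption: the limit applies to certificates issued on or after this date.
ENFORCED_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample data in the format printed by `openssl x509 -noout -dates`.
SAMPLE_CERTS = {
    "issued-before-cutoff": "notBefore=Mar 10 12:00:00 2019 GMT\n"
                            "notAfter=Mar  9 12:00:00 2021 GMT",
    "two-year-self-signed": "notBefore=Oct  1 00:00:00 2020 GMT\n"
                            "notAfter=Oct  1 00:00:00 2022 GMT",
    "397-day-self-signed": "notBefore=Oct  1 00:00:00 2020 GMT\n"
                           "notAfter=Nov  2 00:00:00 2021 GMT",
}


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds accepts e.g. "Sep  1 00:00:00 2020 GMT".
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def classify(dates_text, now):
    """Classify one certificate against the lifetime limit at time `now`."""
    not_before, not_after = parse_openssl_dates(dates_text)
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = not_after - not_before
    if now > not_after:
        status = "expired"
    elif now < not_before:
        status = "not_yet_valid"
    elif lifetime > MAX_LIFETIME:
        # Long-lived certificates issued before the cutoff are reported
        # separately so they can be replaced at their next renewal.
        status = "too_long" if not_before >= ENFORCED_FROM else "issued_before_cutoff"
    else:
        status = "ok"
    one_day = timedelta(days=1)
    return {
        "status": status,
        "lifetime_days": lifetime / one_day,
        "days_left": (not_after - now) / one_day,
    }


def audit(certs, now):
    """Classify every certificate in a {name: dates_text} mapping."""
    return {name: classify(text, now) for name, text in certs.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CERTS, datetime.now(timezone.utc)).items():
        print(f"{name}: {result['status']} ({result['lifetime_days']:.0f} days)")
```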
Android and Android enterprise features and enhancements
This release includes the following new features and enhancements that are specific to the Android and Android enterprise platforms.
- New Android enterprise work profile mode: With the introduction of Android 11, a new Android enterprise mode of deployment called Work Profile on Company Owned Devices has been added. The purpose of this new mode is to improve work profile support for company-owned devices by bringing robust asset management and personal usage restrictions to the work profile, while retaining the same privacy protections provided on personally-owned devices. Now IT organizations can deploy the work profile across all their devices regardless of who owns the device. This provides a consistent device user experience and privacy offering to all their employees, along with the management capabilities appropriate to the ownership of the device.
  The key benefit of this mode is to help IT organizations with two difficult choices:
  - Deploying work profiles to enable private personal use, at the expense of asset management and device usage controls crucial to keeping track of their costly devices
  - Deploying fully managed devices to retain those device-level controls, while sacrificing the privacy of personal use valued by organizations and employees alike
  This change only affects devices configured with Managed Device with Work Profile (COPE), provisioned on, or upgraded to Android 11. Work profiles are otherwise unaffected.
  Within Core, the naming terminology has changed. The names are as follows:
  - Android versions 8-10: Managed Device with Work Profile (COPE)
  - Android 11 through the latest version as supported by MobileIron: Work Profile on Company Owned Device.
  Upon upgrade to Android 11, legacy work profiles on fully managed devices will be migrated automatically to the new work profile experience. Additionally, Android 11 will not support the provisioning of work profiles in Managed Device with Work Profile mode. Instead, customers can provision a work profile directly from a new or factory reset device and receive the asset management benefits and device controls required for managing company-owned devices, without the need to provision as a Managed Device with Work Profile as well.
  For more information, see:
  - MobileIron Core Device Management Guide for Android and Android enterprise Devices
  - MobileIron Core Apps@Work Guide
  - Getting Started with MobileIron Core
- New registration status added to accommodate "Work Profile on Company Owned Devices" for Android 11 devices: With the introduction of a new Android enterprise mode of deployment called Work Profile on Company Owned Devices for Android 11 devices, a new Registration Status is now supported in the Advanced Search, Tier Compliance policy and Label Evaluation. For more information, see "Advanced searching" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
- Mobile@Work client no longer supports in-house apps for Managed device with Work profile mode on Android 11 devices: Upon upgrade to Android 11, the MobileIron Mobile@Work client no longer supports in-house apps for devices that migrate from Work Profile mode to Work Profile on Company Owned Devices mode. This also applies to new Android 11 devices provisioned as Work Profile on Company Owned Devices. For more information, see the following sections in the MobileIron Core Apps@Work Guide:
  - Features specific to Android enterprise apps
  - Adding in-house apps for Android
  - Public and private Android enterprise app deployment
- Support for freeze period in system update: Administrators can now freeze firmware updates for up to 90 days. This is helpful if your company needs time to figure out the migration plan for changing from Managed Device with Work profile (COPE) mode to Work Profile for Company Owned Device mode. This applies to Android 11 devices in Device Owner mode and Android 9+ devices in Managed Device with Work Profile (COPE) mode. For more information, see "Setting the system update policy for Android devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
- Advanced Lock Task Features added: The following advanced settings have been added to the Enable Lock Task Mode field in the New Android Kiosk App Setting Policy dialog box. These options are only applicable to Android 9 devices in Device Owner (DO) mode.
  - System Info: When selected, displays the date/time, connectivity, battery, and vibration mode on the status bar.
  - Keyguard: Enables the keyguard in lock task mode.
  - Global Actions: Enables the menu that is displayed when the user long-presses the power button. If this option is disabled, the user may not be able to power off the device.
  - Home button: When enabled, displays the following sub-options:
    - Overview: Enables the Overview button and the Overview screen during lock task mode.
    - Notifications: Enables notifications during lock task mode. This includes notification icons on the status bar, heads-up notifications, and the expandable notification shade.
  Upon upgrade, existing policies get the above default settings. For more information, see "Setting kiosk policy for Android Managed devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
- Field name change: The field titled Enter Kiosk Mode Immediately has been changed to Enter Kiosk Mode Immediately on registration. When selected, the device will go to Kiosk mode automatically upon registration. For more information, see "Setting kiosk policy for Android Managed devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
iOS and macOS features and enhancements
This release includes the following new features and enhancements that are specific to the iOS and macOS platforms.
- GDPR-compliant SIM EID field added to Device Details page: Administrators can now search for the SIM EID of a device by using the Advanced Search in Devices & Users > Device Detail page. The EID allows the carriers to assign the SIM to a specific device. Applicable to iOS 14.0 through the latest version of MobileIron.
  New GDPR fields (such as IP Address and SIM EID) are added over MobileIron Core releases. If administrators want to hide the new fields, the GDPR profile will need to be updated.
  For more information, see "Advanced Searching" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- New field added to Google Account configuration for iOS devices: A new field, Google User's Full Name, has been added to the Google Account Configuration dialog box. When an email is sent from this Google account, the name entered here is displayed as the sender. Upgrading from previous releases will fill in the name as per the configuration. This field is required when adding or updating an iOS Google Account Configuration. For more information, see "Google Account" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Custom Device Enrollment added: You can now use your own custom web interfaces to authenticate users during Device Enrollment. Display custom information such as authentication type, branding, consent text, and privacy policy in your custom web interface. For more information, see "Creating Apple Device Enrollment profiles" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Enrollment Customization added: A new option in the Apple Device Enrollment profile lets you provide a Custom Enrollment URL for authentication and any custom messaging (corporate messaging, privacy info, etc.) during Apple Device Enrollment. For more information, see "Adding a custom Automated Device Enrollment web page" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Two new distribution options added to configurations: For macOS devices, administrators can now choose to distribute the Wi-Fi and VPN configurations to either the Device Channel (effective for all users on a device) or the User Channel (effective only for the currently registered user on a device). Upon upgrade, for Wi-Fi configurations, the User Channel is the default selection. For VPN configurations, Device Channel is the default selection. For more information, see "Configuring new VPN settings" and "Wi-Fi settings" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Ability to specify individual syncing of Outlook Exchange items added: A new field, Items to Synchronize (iOS), was added to allow the administrator to specify individual syncing of Outlook items such as Email, Calendar, Contacts, Notes, and Reminders. For more information, see "Exchange Settings" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- New restriction added for iOS 14.0 devices: A new restriction has been added to Configurations > Apple > iOS / tvOS > Restrictions: Allow App Clips. This allows the device user to add App Clips onto the device.
  Upon upgrade, the new restriction displays in existing iOS configurations and is deselected by default. For more information, see "iOS and tvOS restrictions settings" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- New restriction added for macOS 11.0 devices: A new restriction has been added to Configurations > Apple > macOS Only > macOS Restrictions: Delay App Software Update for x days. This allows the administrator to specify the number of days to delay software updates. Upon upgrade, the new restriction displays in existing macOS configurations and is deselected by default. For more information, see "macOS settings" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- New fields added to Device Enrollment Profile: Three new fields have been added to the Apple Device Enrollment Profile dialog box. These features apply to Apple School Manager and Apple Business Manager:
  - Skip the Accessibility pane - Applicable to macOS 11.0 through the most recently released version as supported by MobileIron.
  - Skip the Restore Completed pane - Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.
  - Skip the Software Update Complete pane - Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.
  For more information, see "Creating Apple Device Enrollment profiles" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Disable Wi-Fi MAC address randomization field added: In iOS 14.0, Apple changed the default behavior for a device reporting its Wi-Fi MAC address to report a random address for new connections instead of the device's actual Wi-Fi MAC address. In Core, a new option has been added to the Wi-Fi configuration to turn off this randomization. Upon upgrade, this option will be disabled. Administrators can turn off the randomization of the Wi-Fi MAC address by editing the Wi-Fi configuration and selecting the check box labeled Disable MAC address randomization. This will cause the Wi-Fi configuration to be re-pushed to all devices.
  Device users will see a "Privacy Warning" message on their Wi-Fi settings indicating that the network has reduced privacy protections. The device user will still have the ability to set the device to report a random address for new connections instead of the device's actual Wi-Fi MAC address.
  - For more information, see "Wi-Fi Settings" in MobileIron Core Device Management Guide for iOS and macOS Devices.
  - Also see KB article: https://help.mobileiron.com/s/article-detail-page?urlname=iOS-14-Devices-may-fail-to-join-WiFi-networks-using-enterprise-security.
- Authentication using OAuth: For email apps that support authentication using OAuth, the following additional settings are provided in the Exchange configuration: OAuth Sign In URL and OAuth Token Request URL. The settings are visible if Use OAuth for Authentication in the Exchange configuration is enabled. For more information see the "Exchange settings" table in the "Exchange settings" section in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- AppConfig XML Upload: For an iOS app in the App Catalog, administrators can add a managed app configuration from one of the following:
  - AppConfig Community: Use this option if the app has an AppConfig specification in the community repository. This is the default option.
  - Upload .xml spec: Use this option to upload an XML schema to push a particular version of app configuration for the app.
  For more information, see "Adding a new managed app setting for an app" in the MobileIron Core Apps@Work Guide.
MobileIron Threat Defense features
MobileIron Threat Defense protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MobileIron Threat Defense-related features, as applicable for the current release, see the MobileIron Threat Defense Solution Guide for Core, available on the MobileIron Threat Defense for Core Documentation Home Page at MobileIron Community.
NOTE: Each version of the MobileIron Threat Defense Solution guide contains all MobileIron Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, MobileIron releases new versions of the MobileIron Threat Defense guide as the features become fully available.