New features and enhancements summary
This section provides summaries of new features and enhancements available in this release of MobileIron Core. References to documentation describing these features are also provided, when available.
- General features and enhancements
- Android and Android Enterprise features and enhancements
- iOS and macOS features and enhancements
- MobileIron Threat Defense features
For new features and enhancements provided in previous releases, see the release notes for those releases, available in MobileIron Core Product Documentation. MobileIron Support credentials are required to access the site.
General features and enhancements
This release includes the following new features and enhancements that are common to all platforms.
- Weaker SSH algorithms removed from Core in favor of stronger ones: The following SSH algorithms have been removed from the options on the System Manager > Security > Advanced > SSH Configuration page:
  - diffie-hellman-group-exchange-sha1
  - diffie-hellman-group14-sha1
  - hmac-sha1
  Admins are encouraged to use the stronger algorithms, such as diffie-hellman-group-exchange-sha256 and hmac-sha2-512 instead. For more information, see Advanced: SSH Configuration in the Security Settings chapter of the MobileIron Core System Manager Guide.
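One way to confirm after an upgrade that a server no longer advertises the removed algorithms, shown as an added example that is not MobileIron code: an SSH server lists what it offers in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1), and the sketch below parses that payload and reports any of the three removed names. The field labels and both sample payloads are constructed for illustration; capturing the payload from a live connection is assumed to happen elsewhere.

```python
import struct

# The three algorithms this release removes from the SSH Configuration page.
REMOVED = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "hmac-sha1"}
SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, 7.1) into its ten name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {field} overruns payload")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists


def removed_algorithms_offered(payload: bytes) -> dict:
    """Return {field: [names]} for each removed algorithm still advertised."""
    found = {f: [n for n in names if n in REMOVED]
             for f, names in parse_kexinit(payload).items()}
    return {f: names for f, names in found.items() if names}


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload; used only to construct the samples below."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


# Constructed samples (not captured traffic): a legacy offer and a hardened one.
LEGACY = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    mac_c2s=["hmac-sha1", "hmac-sha2-512"], mac_s2c=["hmac-sha2-512"])
HARDENED = build_kexinit(kex=["diffie-hellman-group-exchange-sha256"],
                         mac_c2s=["hmac-sha2-512"], mac_s2c=["hmac-sha2-512"])
```

An empty result from `removed_algorithms_offered` means none of the three removed names appears in any name-list; matching is exact, so variants with other names are not reported.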
- Confirmation email sent automatically for new client registrations: When a device user accepts the Terms of Service (ToS) agreement in a registration invitation, the admin automatically receives an audit email confirming the registration. This applies from Core version 11.1.0.0 through the most recently released version as supported by MobileIron. The email consists of a message and identifying client information:
  "The following user has accepted device registration terms and has attempted to enroll a new device:" User name, display name, email address, date and time, IP address, platform, employee owned.
  For more information, see "Configuring an end user Terms of Service agreement" in the Self-service user portal chapter of the MobileIron Core Device Management Guide for your operating system.
- New option to hide QR code and registration URL: A new configuration checkbox has been added to the Settings > System Settings > Users & Devices > Device Registration page that allows you to choose whether or not to show users a QR code and registration URL. This option is enabled by default. When enabled, the QR code and registration URL display to users. For more information, see "Disabling the QR code and registration URL" in the MobileIron Core Device Management Guide for your operating system.
- New option to hide self-service portal (SSP) Activity page: A new configuration checkbox has been added to the Settings > System Settings > General > Self-Service Portal page that allows you to choose whether or not to show users their activity in the SSP. This option is enabled by default. When enabled, the SSP Activity page displays to users. For more information, see "Disabling device history logs in the self-service user portal" in the MobileIron Core Device Management Guide for your operating system.
- AppConnect passcode history updates: The Passcode history option in the AppConnect Global policy is changed as follows:
  - The value options are updated to 12. This means that you can restrict device users from reusing any password up to the past 12 passwords.
  - Passcode reuse checking is case insensitive. This means that the passcode case is not considered for reuse: device users cannot change the case of a past passcode and reuse it. For example, Password and passWord are considered the same.
  These feature updates require Mobile@Work 12.11.10 for iOS.
- Increased capacity for broadcast notification messages to all device users: When an administrator sends a message out to all device users via label, and the label contains more than 200 device users, Core now sends the messages out in batches, and so is not limited to only sending 200 at a time. Administrators can send, monitor, and confirm this process from the Devices & Users > Labels tab.
  Because of the potential for accidental or deliberate spamming of users with this feature, Core provides two levels of confirmation before sending the message. For more information, see "Notifying all device users using labels" in the Managing Labels chapter of Getting Started with MobileIron Core.
- "Unlock User" option available to MobileIron administrators: MobileIron administrators can now unlock users who have locked themselves out of the user portal. Typically, if a user does not log in correctly within a configured number of tries, the user must wait the configured time before they can log in again. This option allows the administrator to reset the account immediately, through the Devices & Users > Users > Actions menu. This feature is available on Core 11.1.0.0 through the most recently released version as supported by MobileIron. For more information, see "Unlocking locked-out local users in the admin portal" in the User Management chapter of Getting Started with MobileIron Core.
- New endpoint for mutual certification authentication: New mutual authentication device endpoints are available for use by iOS and Android clients. The existing (old) OAuth endpoint is not protected by 2FA or mutual certificate authentication and is vulnerable to password spraying and DoS attacks. The administrator can disable the original OAuth endpoint and use the new endpoint instead. This feature is applicable on Mobile@Work for Android version 11.1.0.0 and Mobile@Work for iOS version 12.11.10 through the latest versions as supported by MobileIron. For more information, see "New endpoint for mutual certification authentication" in the MobileIron Core Device Management Guide for Android and Android Enterprise Devices or the MobileIron Core Device Management Guide for iOS and macOS Devices.
Android and Android Enterprise features and enhancements
This release includes the following new features and enhancements that are specific to the Android and Android Enterprise platforms.
- New Lockdown Policy field added: "Allow install from unknown sources on the device" allows installation of apps from untrusted sources in the personal profile. Unless this field is selected, the work profile never allows installation of apps from unknown sources. Applicable for Android 11+ devices. For more information, see "Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode" and "Lockdown policy fields for Android Enterprise devices in Work Profile for Company Owned Device mode" in Getting Started with MobileIron Core.
- Support for Samsung Knox Dual Encryption (DualDAR): Support for Dual Encryption (DualDAR) has been added to further secure and protect sensitive data on devices. Samsung Knox includes a FIPS 140-2 certified encryption module within the inner layer of the encryption. DualDAR is applicable to Knox 3.0 on Android 8.0 devices through the latest version as supported by MobileIron. DualDAR is applicable to Android Enterprise:
  - Work Profile mode
  - Managed Device with Work Profile mode
  For more information, see "Samsung Knox Dual Encryption (DualDAR) support" in the MobileIron Core Device Management Guide for Android and Android Enterprise Devices.
- New Lockdown Policy field added: "Enable Cross profile whitelisting of Apps" allows users to share information from specific apps within the work profile to the personal side of the device. This allows an app in the Work Profile container to share data with the exact same app that is located on the personal side. Applicable for Android 11+ devices. For more information, see "Lockdown policy fields for Android Enterprise devices in Work Profile for Company Owned Device mode" in Getting Started with MobileIron Core.
- Ability to set apps to the foreground in devices: A new field setting, Auto Launch Application on Install, allows administrators to set Android Enterprise apps to the foreground upon registration or installation. A typical use case would be for a security/VPN app that needs to be configured by the device user before the device can be protected. Applicable to:
  - Any Android Enterprise app in the App Catalog
  - Android devices version 6.0 through the latest version as supported by MobileIron
  - Device Owner, Managed Device with Work Profile, Work Profile on Company Owned Device modes
  For more information, see "Adding in-house apps" and "Public and private Android Enterprise app deployment" in the MobileIron Core Apps@Work Guide.
- Added support for app restrictions with in-house applications for Android non-GMS devices: For devices registered to Core in modes other than Google Mobile Services (GMS) mode, administrators can apply Android Open Source Project (AOSP) in-house app restrictions to these devices. Using the "Enable AOSP app restrictions" field, the administrator can now set the in-house restrictions to display in the App view page of the App Catalog.
  Applicable to the following Android Enterprise modes:
  - Work Managed Device mode
  - Work Profile mode
  - Managed Device with Work Profile mode
  - Work Profile on Company Owned Device mode
  For more information, see "App restrictions with in-house applications for Android" and "Adding in-house apps" in the MobileIron Core Apps@Work Guide.
iOS and macOS features and enhancements
This release includes the following new features and enhancements that are specific to the iOS and macOS platforms.
- Two new fields have been added to Apple Per-App VPN configurations, Associated Domains and Excluded Domains: In the Per-app VPN and in the MobileIron Tunnel configurations, administrators can specify associated and excluded domains to be considered for association or exclusion from the per-app VPN and tunnel server connections. Applicable to iOS 14.3 and macOS 11.0 through the latest version as supported by MobileIron. For more information, see "Managing VPN Settings" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Support for IdP-based device registrations: As part of the DEP profile, the MDM server provides a custom enrollment URL along with a standard URL to get the MDM profile to the Apple server. This URL can be used by administrators to enforce their own authentication model or provide any other information. An example use case would be where administrators cannot use their organization's identity provider "as is" for DEP authentication without heavy changes on the infrastructure. For more information, see "Customized registration using SAML IdP" and "Creating Apple Device Enrollment profiles" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- New option to parse or not parse .mobileconfig file: In the Configuration Profile Setting dialog box, there is a new field "Send File Verbatim" that you can select if you wish to deploy a signed .mobileconfig file, for example, Apple debug configurations via MobileIron MDM. Because Core does not expect a signed file, it would not be able to parse the file and inject a substitution variable, because doing so would change the signature of the signed file. Files uploaded with this option selected are sent "as is" to the device without parsing, validating, or signing of the file by MobileIron. For more information, see "Configuration profile settings (iOS, tvOS, and macOS)" in the MobileIron Core Device Management Guide for iOS and macOS Devices.
- Supported certificate type values for iOS IKEv2 VPN configurations: iOS VPN configurations using Internet Key Exchange version 2 (IKEv2) need to include a selected value from the following list of certificate types:
  - RSA
  - ECDSA256
  - ECDSA384
  - ECDSA512
  For more information, see "IKEv2 (iOS Only)" in the "Managing VPN Settings" chapter of the MobileIron Core Device Management Guide for iOS and macOS Devices.
MobileIron Threat Defense features
MobileIron Threat Defense protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MobileIron Threat Defense-related features, as applicable for the current release, see the MobileIron Threat Defense Solution Guide for Core, available on the MobileIron Threat Defense for Core Documentation Home Page at MobileIron Community.
NOTE: Each version of the MobileIron Threat Defense Solution guide contains all MobileIron Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, MobileIron releases new versions of the MobileIron Threat Defense guide as the features become fully available.