New features and enhancements summary

This section provides summaries of new features and enhancements available in this release. References to documentation describing these features and enhancements are also provided, when available.

For new features and enhancements provided in previous releases, see the release notes for those releases.

General features and enhancements

This release includes the following new features and enhancements that are common to all platforms.

  • Certificate pinning to prevent Man-in-the-middle attacks: A Man-in-the-middle attack would allow an attacker to impersonate a Core server and send commands to the device, resulting in device compromise and confidential data leakage. To prevent this, a new Pinned Server Certificate policy has been added to deliver a set of certificates that clients can expect a Core server to present during check-in and similar traffic. This feature applies after first-time use, providing steady-state assurance that the client is connecting to the correct Core.

    If none of the configured certificates match the certificate currently in use on the Core server, devices strictly honor the pinning policy and fail to connect until a corrected certificate pinning policy is sent.

    This pinning policy supports multiple entries to enable a smooth transition when the Core server's certificate is about to expire. Administrators can include the renewal certificate before it is active on the server and keep the expiring certificate in this policy for seamless transition to the renewed certificate. Ivanti advises administrators to set up Core system certificate expiration alerts to be warned when Core's server certificate is about to expire.

    Any Certificate Pinning policy created in Core 11.2.0.0 will be disabled upon Core 11.3.0.0 upgrade. Core will not push that policy. Instead, if or when the Admin edits the Certificate Pinning policy, Core will push the policy using a new Core property.

    Applicable to Mobile@Work for iOS 12.11.30 devices and supported later versions. Also applicable to Mobile@Work for Android 11.3.0.0 devices and supported later versions. For more information, see Configuring certificate pinning for registered devices in the Core Device Management Guide.
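    The pinning behaviour described above, as a small Python model: a policy holding one or more expected certificate fingerprints, a check that fails closed when the presented certificate is not in the set, and a lint that flags a renewal certificate that has not been pinned before the active one expires. This is an added example, not Ivanti's Mobile@Work or Core code; the policy class, the SHA-256 fingerprint matching, the lint function and the certificate byte strings are assumptions constructed for illustration.

```python
"""Multi-entry certificate pinning with fail-closed checking and a rotation
lint. Added example, not Ivanti's Mobile@Work or Core code. The "certificates"
are constructed byte strings standing in for DER-encoded X.509 certificates."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinMismatch(Exception):
    """Raised when the server presents a certificate outside the pin set."""


@dataclass(frozen=True)
class PinnedServerPolicy:
    """Hypothetical model of a pinning policy: one or more expected server
    certificate fingerprints delivered to the client."""
    pins: frozenset

    @classmethod
    def from_certs(cls, *certs_der: bytes) -> "PinnedServerPolicy":
        return cls(frozenset(cert_fingerprint(c) for c in certs_der))

    def check(self, presented_der: bytes) -> str:
        """Fail closed: a certificate outside the pin set is rejected even if
        it would pass ordinary chain validation. Returns the matched pin."""
        fp = cert_fingerprint(presented_der)
        if fp not in self.pins:
            raise PinMismatch(f"server certificate {fp[:16]}... is not pinned")
        return fp


def lint_rotation(policy, active_der, active_not_after, renewal_der, now, warn_days=30):
    """Warnings an administrator wants before the active certificate expires."""
    warnings = []
    if cert_fingerprint(active_der) not in policy.pins:
        warnings.append("active certificate is not pinned; clients will fail to connect")
    if cert_fingerprint(renewal_der) not in policy.pins:
        warnings.append("renewal certificate is not pinned; add it before the server switches")
    remaining = active_not_after - now
    if remaining <= timedelta(days=warn_days):
        warnings.append(f"active certificate expires in {remaining.days} days")
    return warnings


# Constructed stand-ins for the server's current, renewed and a rogue certificate.
CURRENT_CERT = b"constructed DER stand-in: core.example.com, serial 01"
RENEWAL_CERT = b"constructed DER stand-in: core.example.com, serial 02"
ROGUE_CERT = b"constructed DER stand-in: certificate issued to an impersonator"


def rotation_walkthrough():
    """Simulate a renewal under the pinning policy; returns each check-in's outcome."""
    def attempt(policy, cert, label):
        try:
            policy.check(cert)
            return f"{label}:ok"
        except PinMismatch:
            return f"{label}:rejected"

    outcomes = []
    # Phase 1: only the current certificate is pinned.
    policy = PinnedServerPolicy.from_certs(CURRENT_CERT)
    outcomes.append(attempt(policy, CURRENT_CERT, "current"))
    outcomes.append(attempt(policy, RENEWAL_CERT, "renewal"))  # too early: not yet pinned
    # Phase 2: renewal added before the server switches, so both are accepted.
    policy = PinnedServerPolicy.from_certs(CURRENT_CERT, RENEWAL_CERT)
    outcomes.append(attempt(policy, CURRENT_CERT, "current"))
    outcomes.append(attempt(policy, RENEWAL_CERT, "renewal"))
    outcomes.append(attempt(policy, ROGUE_CERT, "rogue"))  # impersonator rejected
    # Phase 3: expired certificate removed from the policy.
    policy = PinnedServerPolicy.from_certs(RENEWAL_CERT)
    outcomes.append(attempt(policy, CURRENT_CERT, "current"))
    return outcomes


def lint_walkthrough():
    """Run the rotation lint before and after the renewal is pinned (constructed dates)."""
    now = datetime(2021, 6, 1, tzinfo=timezone.utc)
    not_after = now + timedelta(days=14)
    before = PinnedServerPolicy.from_certs(CURRENT_CERT)
    after = PinnedServerPolicy.from_certs(CURRENT_CERT, RENEWAL_CERT)
    return {
        "before": lint_rotation(before, CURRENT_CERT, not_after, RENEWAL_CERT, now),
        "after": lint_rotation(after, CURRENT_CERT, not_after, RENEWAL_CERT, now),
    }


if __name__ == "__main__":
    print(rotation_walkthrough())
    print(lint_walkthrough())
```

    The walkthrough shows why the policy supports multiple entries: in phase 1 the renewed certificate is rejected because it has not been pinned yet, so pinning it only after the server switches would leave every device unable to connect until a corrected policy arrives. The lint is the check an expiration alert should drive: add the renewal pin while the active certificate is still valid, then drop the expired pin afterwards.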

  • HTTP Basic Authentication for Apps@Work deprecated in favor of Certificate Authentication: In the Core 11.3.0.0 Apps > Apps@Work Settings page, the App Storefront Authentication settings box no longer displays. Certificate-based authentication is required for Apps@Work 11.3.0.0, and is now enabled by default. For more information about certificate-based authentication for AppConnect, see Setting authentication options for Apps@Work for iOS devices in the Core Apps@Work Guide.

  • Mutual authentication required for certificate pinning policy: Administrators who wish to distribute a certificate pinning policy to iOS devices must enable mutual authentication to allow certificate pinning through port 443. When a new certificate pinning policy is saved without mutual authentication enabled, a message displays: "You need mutual authentication enabled to create and distribute certificate pinning policy."

    For more information about certificate pinning, see Configuring certificate pinning for registered devices in the Core Device Management Guide for iOS and macOS Devices. For more information about mutual authentication, see Mutual authentication between devices and Core in the Core Device Management Guide for iOS and macOS Devices.

  • Automatic pruning of Core Local CA CRL now available: Revoked certificates can now be automatically pruned from a Core Local CA Certificate Revocation List (CRL). To configure the CRL pruning, from the Core Admin portal, go to Services > Local CA page, select a certificate, and choose Edit from the Actions menu. Below the CA Certificate text, there are three new fields:
    • CRL Pruning checkbox (it is off by default)
    • Number of days of revoked certificates to include in CRL (default is 365)
    • CRL Lifetime (hours) (default is 168, that is, 7 days)
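    What the three fields control, as an added Python example (not Core's Local CA code): the revoked-entry list and dates are constructed, the field names are taken from the list above, and the pruning rule is this example's own. The example additionally keeps an entry whose certificate has not yet expired regardless of its revocation age, because RFC 5280 section 5 requires an entry to remain on the CRL until the certificate's own validity period has ended; the release note does not state how Core handles that case.

```python
"""Pruning a CRL by revocation age and computing its validity window, to
show what the Local CA CRL settings control. Added example, not Ivanti code;
the revoked entries and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime      # revocationDate of the CRL entry
    cert_not_after: datetime  # notAfter of the revoked certificate itself


@dataclass(frozen=True)
class CrlSettings:
    pruning_enabled: bool = False  # "CRL Pruning" checkbox, off by default
    include_days: int = 365        # "Number of days of revoked certificates to include in CRL"
    lifetime_hours: int = 168      # "CRL Lifetime (hours)", 168 = 7 days


def prune_entries(entries, settings, now):
    """Keep every entry when pruning is off. When it is on, keep entries
    revoked within the include window, plus (this example's rule, per
    RFC 5280 s5) any entry whose certificate has not yet expired."""
    if not settings.pruning_enabled:
        return list(entries)
    cutoff = now - timedelta(days=settings.include_days)
    return [e for e in entries if e.revoked_at >= cutoff or e.cert_not_after > now]


def crl_validity(settings, now):
    """thisUpdate / nextUpdate pair for a CRL issued now."""
    return now, now + timedelta(hours=settings.lifetime_hours)


def build_crl(entries, settings, now):
    """Minimal CRL representation: validity window plus sorted revoked serials."""
    this_update, next_update = crl_validity(settings, now)
    return {
        "thisUpdate": this_update,
        "nextUpdate": next_update,
        "revokedCertificates": sorted(e.serial for e in prune_entries(entries, settings, now)),
    }


def demo():
    """Build the same CRL with pruning off (defaults) and on; returns both."""
    now = datetime(2021, 7, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    entries = [  # constructed sample data
        RevokedEntry(1, now - 800 * day, now - 400 * day),  # old, cert expired: pruned
        RevokedEntry(2, now - 400 * day, now + 100 * day),  # old, cert still valid: kept
        RevokedEntry(3, now - 10 * day, now + 300 * day),   # recent: kept
    ]
    unpruned = build_crl(entries, CrlSettings(), now)
    pruned = build_crl(entries, CrlSettings(pruning_enabled=True), now)
    return unpruned, pruned


if __name__ == "__main__":
    for label, crl in zip(("pruning off", "pruning on"), demo()):
        print(label, crl["revokedCertificates"], "valid until", crl["nextUpdate"])
```

    With the defaults, all three entries stay on the CRL; with pruning enabled, serial 1 drops off because it was revoked more than 365 days ago and its certificate has expired, while serial 2 stays because the certificate is still within its validity period. When sizing the include window, make sure it is at least as long as the longest certificate lifetime the local CA issues, so that a revoked but unexpired certificate is never reported as valid. The CRL lifetime sets nextUpdate; relying parties should fetch a fresh CRL before that point.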

  • Sentry TLS certificate expiration event notifications now available: You can now create a system event notification for Sentry Transport Layer Security (TLS) certificates before they expire. From the Admin portal Logs > Event Settings > New System Event menu, select the option Certificate Expired or Certificate Error to create a Sentry TLS certificate notification.

Android and Android Enterprise features and enhancements

This release includes the following new features and enhancements that are specific to the Android and Android Enterprise platforms.

  • Support for Common Criteria (CC) mode extended to Android 11+ devices:

    Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode. For more information, see the following in Getting Started with Core:

  • End of support for Android 5.0 and Android 5.1: Support for Android 5.0 and Android 5.1 has ended. Core now supports Android 6.0 and later supported versions.

    Core will still allow devices already registered with Android 5.0 or Android 5.1 to continue running.

    For more information, see Registration methods in the Core Device Management Guide for Android and Android Enterprise Devices and Security policies in Getting Started with Core.

  • Relinquish ownership of devices in Work Profile on Company Owned Device mode: When viewing the device list or specific device details, you can relinquish ownership of Android devices in Work Profile on Company Owned Device mode. Relinquishing ownership of a device in this mode removes the work profile and retires the device from Core, without affecting personal apps and data. The device user can then use the device as a personal device, with full access to all device controls and settings.

    For more information, see Relinquishing ownership of a device in the Core Device Management Guide for Android and Android Enterprise Devices.

  • Suspend personal apps when the work profile is turned off for a specified time: Administrators can configure the Lockdown & Kiosk: Android enterprise configuration to set a maximum time that the device user can turn off the work profile before Core suspends personal apps on the device. The device user sees a message prompting them to turn on the work profile to re-enable the suspended apps. Available for Android 11+ devices in Enhanced Work Profile mode.

    For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode in Getting Started with Core.

  • New Android 10+ devices limited to Android Enterprise or MAM-only modes: From Core 11.3.0.0 and newer releases, Core will prevent the following Android 10 and later version devices from registering:

    • Android 10 and later releases in Device Admin mode (DA)

    • Android 10 devices with no Android Enterprise configuration assigned to the correct label

    Android 10+ devices that are already registered on Core in Device Admin mode will be allowed to migrate to Cloud. The Android 10+ device will be retired if there is no Android Enterprise configuration in place.

    MAM-only scenarios will still be supported, but the Quick setup policy with Device Admin mode will be disabled.

    For more information, see Registering Android devices in the Core Device Management Guide for Android and Android Enterprise Devices.

  • Ability to remotely reboot a device: Administrators can now remotely reboot devices using Core. In the Device Details page, the Elapsed Time Since Reboot (minutes) field shows how many minutes have passed since the device was last rebooted. Applicable to Android 7.0 managed devices, Managed Device with Work Profile, and Samsung Device Admin (DA) modes.

    For more information, see Rebooting a device in the Core Device Management Guide for Android and Android Enterprise Devices.

iOS and macOS features and enhancements

This release includes the following new features and enhancements that are specific to the iOS and macOS platforms.

  • New field added to Enrollment profile to assist with macOS device setup: For your convenience, Auto Advance Setup was added to the Add Enrollment Profile dialog box. Selecting this check box tells the Setup Assistant to automatically advance through its screens. (Applicable for tvOS and macOS 11.0 and later versions.) For more information, see Creating an Apple Enrollment profile for Apple Business Manager in the Core Device Management Guide for iOS and macOS Devices.

  • New Managed App settings: For your convenience, the fields in App Catalog > Managed App Settings have been updated. The new fields are:

    • Send installation request on device registration or sign in
    • Send installation request to quarantine devices
    • Send convert unmanaged to managed app request on device registration or sign-in (iOS 9 or later)
    • Send convert unmanaged to managed app request for quarantine devices (iOS 9 or later)

    An example use of these settings: when a device user converts a Microsoft Office 365 app from unmanaged to managed, Microsoft Intune App Protection is not applied, which leads to a violation of company-set rules about printing a Microsoft Word document.

    Applicable for public and in-house apps. For more information see Populating the iOS and macOS App Catalogs and Unmanaged to managed app conversion on iOS devices in the Core Apps@Work Guide.

  • Apple Business Manager now has Shared iPad device capability: If you have an Apple Business Manager account loaded in Core, you can enable Shared iPad devices between multiple employees. Employees sign in with a Managed Apple ID, and their mail, files, iCloud Photo Library, app data, and so on display in their partition of the Shared iPad device. This is useful for a frontline workforce, for example in a hospital environment, without compromising your organization's security and data.

    Requirements of Shared iPad devices in Apple Business Manager:

    • An Apple Business Manager account.

    • Managed Apple ID - Admins can manually create these accounts or federate to an identity provider like Azure Active Directory.

    • Shared iPad devices must have at least 32 GB of storage and be supervised.

    • Only Apple-licensed apps are sent to Shared iPad devices through registration. This is set up in the Send Installation Request on device registration or sign in option in the App Catalog. For more information, see Using the wizard to import iOS apps from the Apple App Store and Apple license users in the Core Apps@Work Guide.

    • Administrators can set the Shared iPad device sessions based on user login or guest/temporary logins.

    • Administrators can see the Shared iPad device session information in the Device Details page. For more information, see Advanced searching.

    • Administrators can set Compliance policy rules for Shared iPad devices. See Custom compliance policies in the Core Device Management Guide for iOS and macOS Devices.

    For full information about Shared iPad devices, see Shared iPad devices with Apple Business Manager in the Core Device Management Guide for iOS and macOS Devices.

  • New restrictions added for iOS 14.5 devices: Three new iOS restrictions have been added:

    • Join only WiFi networks installed by a WiFi payload
    • Allow auto unlock
    • Allow putting into recovery mode from an unpaired device

    For more information, see iOS and tvOS restrictions settings in the Core Device Management Guide for iOS and macOS Devices.

  • Device enrollment profile updated to include new Shared iPad devices labels: Two new labels have been added to the Managed App Config dialog box: Allow only Temporary Session and Set Timeout for User Session - Seconds. For more information, see Configuring the Managed App Config setting in the Core Device Management Guide for iOS and macOS Devices.

  • Substitution variable support for Shared iPad devices added: Where applicable, user substitution variables are now supported on the user channel for Shared iPad devices. Admins will need to use $Managed_Apple_ID$ in place of, for example, Username and Email. This is applicable to the following:

    • CALDAV - User Name
    • CARDAV - User Name
    • EMAIL - User Email, User Name (incoming) & Server User Name (outgoing)
    • EXCHANGE - ActiveSync User Name & ActiveSync User Email
    • GOOGLE_ACCOUNT - Email Address
    • SINGLESIGNON - User Name
    • SUBCAL (Subscribed Calendars) - User Name

    For more information, see Enabling Shared iPad devices for Apple Business Manager in the Core Device Management Guide for iOS and macOS Devices and Substitution variables for configuring iOS apps in the Core Apps@Work Guide.

  • Configure Encrypted DNS settings: Encrypted DNS allows administrators to enhance security without needing to configure a VPN. These settings can be managed via MDM. This feature is supported on iOS 14.0+ and macOS 11.0+ devices. For more information, see Configuring encrypted DNS settings in the Core Device Management Guide for iOS and macOS Devices.

  • Supported certificate type values for iOS IKEv2 VPN configurations: iOS VPN configurations using Internet Key Exchange version 2 (IKEv2) need to include a selected value from the following list of certificate types:

    • RSA
    • ECDSA256
    • ECDSA384
    • ECDSA512

    The ED25519 certificate type is not supported.

    For more information, see IKEv2 (iOS Only) in the Core Device Management Guide for iOS and macOS Devices.

Windows features and enhancements

This release does not include new Microsoft Windows-specific features or enhancements.

Mobile Threat Defense features

Mobile Threat Defense (MTD) protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MTD-related features, as applicable for the current release, see the Mobile Threat Defense Solution Guide for your platform, available under the MOBILE THREAT DEFENSE section on the Ivanti Product Documentation page.

Each version of the MTD guide contains all Mobile Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, new versions of the MTD guide are made available with the final release in the series when the features are fully functional.