Before you upgrade

Before you upgrade, you must consider the possible impact of certain security enhancements on your environment.

Understand the impact of TLS protocol changes

For heightened security, when you upgrade to Core 10.3.0.0 or supported newer versions, Core's configurations for incoming and outgoing SSL connections are automatically updated to use only protocol TLSv1.2. TLSv1.2 cannot be disabled.

This change occurs regardless of the protocol settings before the upgrade.

This change means that Core now uses only TLSv1.2 for incoming and outgoing connections with all external servers. Examples of external servers to which Core makes outgoing connections are:

• Standalone Sentry
• Integrated Sentry
• Connector
• SCEP servers
• LDAP servers
• Core Gateway
• Apple Push Notification Service (APNS)
• Content Delivery Network servers
• Core support server (support.ivanti.com)
• Outbound proxy for Gateway transactions and system updates
• SMTPS servers
• Public app stores (Apple, Google, Windows)
• Apple Volume Purchase Program (VPP) servers
• Apple Device Enrollment Program (DEP) servers
• Android for Work servers

Therefore, if an external server is not configured to use TLSv1.2, change the external server to use TLSv1.2.

To determine TLS protocol usage with external servers:

• For outgoing connections from Core to external servers, use the Ivanti utility explained in the following article to determine the TLS protocol usage with those servers:
  https://forums.ivanti.com/s/article/Core-10-2-upgrade-disables-TLS-1-0-and-TLS-1-1-by-default-9256

• For incoming connections to Core from external servers, determine each server's TLS protocol usage (no Core utility is available).
  

For more information:

• Threat Advisory: Notice of Deprecation of TLS 1.0 and 1.1 on MobileIron Systems
• "Advanced: Incoming SSL Configuration" and "Advanced: Outgoing SSL Configuration" in the Core System Manager Guide.