Before you upgrade, you must consider the possible impact of certain security enhancements on your environment.
For heightened security, when you upgrade to Ivanti EPMM 10.3.0.0 or supported newer versions, Ivanti EPMM's configurations for incoming and outgoing SSL connections are automatically updated to use only the TLSv1.2 protocol. TLSv1.2 cannot be disabled.
This change occurs regardless of the protocol settings before the upgrade.
This change means that Ivanti EPMM now uses only TLSv1.2 for incoming and outgoing connections with all external servers. Examples of external servers to which Ivanti EPMM makes outgoing connections are:
- Standalone Sentry
- SCEP servers
- LDAP servers
- Ivanti EPMM Gateway
- Apple Push Notification Service (APNS)
- Content Delivery Network servers
- Ivanti EPMM support server (https://support.mobileiron.com)
- Outbound proxy for Gateway transactions and system updates
- SMTPS servers
- Public app stores (Apple, Google, Windows)
- Apple Volume Purchase Program (VPP) servers
- Apple Device Enrollment Program (DEP) servers
- Android for Work servers
Therefore, if an external server is not configured to use TLSv1.2, reconfigure that server to use TLSv1.2.
To determine TLS protocol usage with external servers:
- For outgoing connections from Ivanti EPMM to external servers, use the Ivanti utility explained in Core-10-2-upgrade-disables-TLS-1-0-and-TLS-1-1-by-default to determine the TLS protocol usage with those servers.
- For incoming connections to Ivanti EPMM from external servers, determine each server's TLS protocol usage (no Ivanti utility is available).
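For the outgoing direction, one way to check whether an external server's listener accepts a TLSv1.2-only handshake is sketched here as an added example; it is not the Ivanti utility and not Ivanti code. The host names are constructed placeholders, and only implicit-TLS ports (for example LDAPS or SMTPS) are covered, not STARTTLS.

```python
import socket
import ssl


def tls12_only_context():
    """Client context that offers TLSv1.2 and nothing else."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls12(host, port, timeout=5.0):
    """Return (status, detail) for one implicit-TLS listener."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # DNS failure, refused, filtered, timed out
        return "unreachable", str(exc)
    try:
        with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return "tls12_ok", tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:
        # The certificate is checked only after the server has agreed to
        # TLSv1.2, so the protocol is fine; trust must be fixed separately.
        return "tls12_ok_cert_untrusted", exc.verify_message
    except OSError as exc:  # includes ssl.SSLError, resets and timeouts
        return "tls12_failed", getattr(exc, "reason", None) or str(exc)
    finally:
        raw.close()


if __name__ == "__main__":
    # Constructed placeholder endpoints; replace with your own servers.
    targets = [
        ("ldap.example.internal", 636),   # LDAPS
        ("smtp.example.internal", 465),   # SMTPS
        ("scep.example.internal", 443),   # SCEP over HTTPS
    ]
    for host, port in targets:
        status, detail = probe_tls12(host, port)
        print(f"{host}:{port}\t{status}\t{detail}")
```

A `tls12_failed` result means the listener would not complete a TLSv1.2 handshake and needs to be reconfigured before the upgrade; `tls12_ok_cert_untrusted` means the protocol is accepted but the probing host does not trust the server's certificate chain.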
For more information:
- Threat Advisory: Notice of Deprecation of TLS 1.0 and 1.1 on MobileIron Systems
- Advanced: Incoming SSL Configuration and Advanced: Outgoing SSL Configuration in the Ivanti EPMM System Manager Guide.