Known issues
These are cumulative release notes. If a release does not appear in this section, then there are no associated known issues.

-
VSP-69115: When audit logs are exported through syslog, the syslog process erroneously spams the logs with messages that say that /dev/null is a directory, not a file. The audit log data arrives into syslog directly, so you can ignore these messages.
Workaround: None. -
VSP-69051: tvOS devices do not support passwords or data protection. If you apply a policy that requires either a password or data protection to a tvOS devices, the devices fails to meet the requirements and is out of compliance.
Workaround: None. -
VSP-69039: Ivanti EPMM 365 App Protection implementation ignores Microsoft Exclusion Groups and causes misconfiguration on Microsoft Intune endpoints. In addition, Excluded Groups are synced as Included.
Workaround: None. -
VSP-68978: You can no longer add a URL that contains characters (such as ':' or "/") to the "Proxy Server URL" field under the Child SA Parameters in a VPN configuration.
Workaround: None. -
VSP-68795: The App Auto Update process is not working for VPP apps in iOS systems.
Workaround: None. -
VSP-68723: Cellular and GLOBALHTTPPROXY policy profiles uninstall themselves when you upgrade the iOS version.
Workaround: None. -
VSP-68722: When you edit the webclip configuration, the edited data disappears.
Workaround: None. -
VSP-68708: When the device count is more than 10,000 devices (which is the maximum allowed), an error message is displayed, but the user interface displays a device count of more than 10,000 devices.
Workaround: None. -
VSP-68688: Policy Violation Event (PVE) messages are empty when the event language and the EPMM Admin Portal system default language are not the same.
Workaround: None. -
VSP-68672: The Ivanti EPMM Client TLS Certificate does not get updated on the Admin Portal even after it is renewed on the System Manager.
Workaround: None. -
VSP-68382: Expired provisioning profiles are not deleted automatically when the app dependency is deleted, and these expired profiles cannot be deleted manually in the user interface. Administrators continue to receive system notifications about the expired profiles.
Workaround: None. -
VSP-67538: Some user enrolled devices show configurations and policies in Pending Install state when these configurations and policies are not supported in user enrollment. See the MDM logs to find out the exact error.
Workaround: Remove the device from the labels that are assigned to that configuration or policy. -
VSP-66882: When you uninstall the [email protected] client, then issue the Wipe command from Ivanti EPMM, re-registering the device with the same user does not wipe the device but instead Retires it. However, the device's status is erroneously displayed as Wiped.
Workaround: None. -
VSP-64711: Ivanti EPMM periodically attempts to contact the Apple "feedback" server for diagnostic purposes.
Workaround: None.

-
VSP-69162: In macOS, the silent installation for [email protected] client fails when you restrict device registrations only for the Apple devices that are part of the Automated Device Enrollment Program option.
Workaround: Select Settings > Users and Devices > Device Registration. In the In-App Registration Requirement section, select Allow silent in-app registration only once. (iOS and macOS). -
VSP-69160: On iOS devices, due to incorrect keywords in the Information property list (plist) file, the OnDemand action specified is never applied when rules match in the configured encryptedDNS configuration.
-
VSP-69159: When you select Settings > Users and Devices > Device Registration, then select Restrict device registrations by enrollment type > Apple devices that are part of the Automated Device Enrollment Program", the "Allow silent in-app registration only once. (iOS and macOS)" and "Silent in-app registration timeout limit (minutes) (iOS and macOS)" options at the same location are hidden.
Workaround:1. Select the Allow silent in-app registration only once. (iOS and macOS) checkbox.
2. Select the Apple devices that are part of the Automated Device Enrollment Program checkbox.
The Allow silent in-app registration only once. (iOS and macOS) option remains hidden, but the workaround enables it.
-
VSP-68484: LDAP groups are erroneously moved to different organizational units. When administrators mistakenly add these groups into the LDAP configuration in the Admin Portal, duplications occur. In addition, synchronized users are added to the older distinguished name and no groups are added to the new distinguished name. If the LDAP groups are deleted in the active directory during synchronization, Ivanti EPMM is not updated.
-
VSP-68471: While installing on iOS 16 devices, the User Enrollment registration fails with the following error: Profile.Error: Profile Failed to Install.
-
VSP-68462: Post the Sentry 9.15.0 and Core (now Ivanti EPMM) 11.5.0.0 releases, the "Last sync time" field in the ActiveSync tab on the Admin Portal is no longer updated automatically. As a result, the field erroneously displays the date the devices were first synchronized, not the time of the last synchronization. The lack of correct synchronization dates affects compliance actions.
Workaround: None. -
VSP-68455: Even if the iOS restriction "Force Translation Processing Only" is deactivated on devices, it still displays as activated in the profile (under VPN > Device Management). iOS restrictions cause On-Device Mode processing issues. In addition, On-Device Mode on iPhones and iPads cannot be edited in the Translation section if the iOS restriction is assigned to the device.
Workaround: None. -
VSP-68453: In devices registered with the Arabic language, the Amharic language erroneously appears instead in the Devices & Users > Devices > Language field.
Workaround: None. -
VSP-68390: The Terms of services screen is erroneously displayed in the AOSP registration even though the Terms of Service checkbox is not selected in the registration settings.
Workaround: None. -
VSP-68385: Enrollment of a device that has been externally decommissioned should cause the old device record to display as "retired", not "retired pending". The device cannot be retired successfully in the "retired pending" state because the old device record has a different management token.
Workaround: None. -
VSP-68382: Expired provisioning profiles are not deleted automatically when the app dependency is deleted, and these expired profiles cannot be deleted manually in the user interface. Administrators continue to receive system notifications about the expired profiles.
Workaround: None. - VSP-68370: Ivanti EPMM reports a device's compliance information to Azure even though the device is not fully registered, that is, the Mobile Device Management (MDM) certificate is not installed on the device.
-
VSP-68344: When you navigate to Maintenance > Export Configuration and perform an export, then import the configuration to the MobileIron Configuration Service (MICS), the following error is displayed in the logs: Observed "errorCode = 1006: Device "GigabitEthernet2" does not exist" error in mics logs while importing config.
Workaround: None. -
VSP-68292: When you update an app, the app's status is not updated in the category tab as expected.
Workaround: None. -
VSP-68248: When you set Enterprise Apps Distribution Preference as [email protected], import a public app, and install it on the device, the app status displays as free in the [email protected] apps list, even though the status is updated to installed when you click on the app.
Workaround: None. -
VSP-68233: When you try to log out of an SAML-enabled Ivanti EPMM server from either the Admin Portal or Self-Service User Portal, the session logs out and closes, but immediately afterward the session opens again and logs back in to the portal.
Workaround: None. -
VSP-68120: Even though the Avaya Managed App configuration has been deleted, Ivanti EPMM pushes the configuration to the device, shows Avaya values as still present, and does not send a null value.
Workaround: None. -
VSP-68088: LDAP synchronization erroneously occurs twice a day even if you set synchronization for only once every 24 hours.
Workaround: None.

-
VSP-67818: Apple-driven UE registration fails when the email ID is used as the username.
Workaround: None. -
VSP-67696: Currently, the Use Tunnel for Anti-phishing only option is not saved as the default configuration in the Tunnel app.
Workaround: Add another configuration (other than the default), set it to Anti-Phishing only, and then select Save. -
VSP-67686: Currently, you receive an "Internal Server Error" message if you try to enter a special character in the Custom Attribute field. This field does not accept special characters.
Workaround: None. -
VSP-67672: Currently, when you try to edit a VPN with a Device Channel type in the configuration view, the channel type is erroneously displayed as a User Channel type. If you try to change the User Channel type back to a Device Channel type the system displays the following error: "Nothing has changed." The channel type is correctly displayed in the Configuration Details pane on the configuration page.
Workaround: None. -
VSP-67619: Currently, you are unable to save Sentry settings after disabling an ActiveSync service that was enabled with Kerberos authentication.
Workaround:-
Edit the Sentry Settings.
-
Enable the ActiveSync service> scroll down > Change the Authentication to Pass Thru page.
-
Disable ActiveSync.
-
Delete the Certificate Mapping field.
-
Save the Sentry settings.
-
-
VSP-67603: Currently, no confirmation message pops up when you perform Force retire the retire pending devices now and Force retire all the retire pending devices actions.
Workaround: None. -
VSP-67600: Currently, the Core server erroneously creates SCEP certificates even though the device VPN configuration has been deleted.
Workaround: None. -
VSP-67598: Currently, using the Advanced search criteria for the RETIRE_PENDING status in combination with other criteria results in an error.
Workaround: Enclose the RETIRE_PENDING status search criteria in parentheses: ("common.status" = "RETIRE_PENDING") AND "common.platform" = "macOS". -
VSP-67557: Currently, the VPP app license is revoked even though a device is in a Retire Pending state.
Workaround: None. -
VSP-67421: Currently, when you apply multiple Single-App Mode policies to a device, only the policy that arrives first is applied, even if another policy with higher prioritization is applied later.
Workaround: None. -
VSP-67389: When the administrator adds devices through the Android Bulk Enrollment profile, information is displayed, even if all the devices fail to import.
Workaround: None. -
VSP-67386: Currently, the Device Detail window shows software version update options for devices that are in the Active state, in addition to devices that are in the Retire Pending state. The window should only show options for devices in Active state.
Workaround: None. -
VSP-67361: Currently, multi-user webclips fail to install because they are not supported in this version.
Workaround: None. -
VSP-67353: Currently, software update information for a device is unavailable when there is a error communicating with Apple.
Workaround: None.

-
VSP-67204: Even though a device is retired, Core still displays the license as still in use and Apple still considers the license associated to the device.
Workaround: Manually delete the licenses in Core > Devices & Users > Apple Licenses > Manage license page.

-
VSP-67046: Currently, email sent from System Manager through a StartTLS-required Simple Mail Transfer Protocol (SMTP) server can fail, due to a failure of the STARTTLS authentication process. Previously, the Apache Tomcat web container loaded jar files in alphabetical order, but it now loads them in filesystem-provided order (effectively making the load order unpredictable), which can result in use of code that is unaware of STARTTLS.
Workaround: None. -
VSP-67042: The Bridge log action Get Current, All Logs is not working on Windows desktop devices for this release.
Workaround: None. -
VSP-67036: When the configuration count for an Android app that supports managed app restrictions exceeds 500, Core deletes all the configurations except the Default configuration. Workaround: None. Do not exceed a configuration count of 500 for these apps.
-
VSP-67029: There is an issue when creating managed apps. If the Configuration Choice Name is more than 64 characters, Core displays an error message.
Workaround: None. Use a configuration choice name that has fewer than 64 characters. -
VSP-66993: When Sentry is upgraded to release 9.15.0 from either Core 11.5.0.0 or Core 11.6.0.0, Ivanti EPMM attempts to initiate mutual authentication setup at 0345 Coordinated Universal Time (UTC), as part of its daily certcheckjob action. This action restarts the Sentry service.
Workaround: To avoid this post-upgrade Sentry down time at 3:45 UTC, use the following workaround to initiate the certificate exchange process as part of the Sentry 9.15.0 upgrade:
This action triggers the start of mutual authentication between Sentry and Core.
- Complete the Sentry upgrade to release 9.15.0.
- Verify that Sentry is reachable from the Core Services > Overview page.
- Select the Sentry service and click Edit.
- Click Save. No changes are necessary.
-
VSP-66936: There is an issue with Lightweight Directory Access Protocol (LDAP) Organizational Units (OUs) being erroneously deleted if there is an authentication failure from the LDAP configuration.
Workaround: None. -
VSP-66907: When an Apple_Device_Name policy is attached to a Label and then later removed, the Devices & Users > Devices > Policy Details page erroneously shows the policy as "Pending," even when the policy has been deleted. This is due to an error in the status field of the database.
Workaround: None. -
VSP-66906: There is an issue with [email protected] secondary per-app VPN profiles not going into effect when the primary VPN profile is not available.
Workaround: Reinstall [email protected] to fix the problem. -
VSP-66770: There is an issue with Core not updating its filter Labels to reflect changes in Lightweight Directory Access Protocol (LDAP) groups. When moving users from one LDAP group to another, expected behavior is that the corresponding filter Labels will be updated, as well.
Workaround: None. -
VSP-66741: There is an issue when making Label changes to [email protected] app virtual private network (VPN) configurations. If the VPN ID of the configuration being modified is used by any other VPN, it triggers the same changes in those other configurations, too.
Workaround: To avoid this problem, give your [email protected] app VPN configurations unique VPN IDs. -
VSP-66123: Core audit logs list fake installations of [email protected] and other apps irregularly, thus filling up audit logs. There is no workaround.

-
VSP-66993: When Sentry is upgraded to release 9.15.0 (scheduled release date April 15) attempts to initiate mutual authentication setup at 0345 Coordinated Universal Time (UTC), as part of its daily certcheckjob script. This action restarts the Sentry service.
-
VSP-66576: There is an issue with the Core App Catalog being unable to successfully import the "eCONFIG - Smart-Ex 02" app. Currently, there is no workaround.
-
VSP-66548: There is an issue with the Mobile4ERP public app failing to install on Android Enterprise devices. The app goes into a loop updating details and never resolves. There is no workaround at this time.
-
VSP-66524: There is an issue with new [email protected] iPhone users who are unable to access their My Devices tab when logged into a Secure Sign-In multi-user web clip with other new users. There is no workaround.
-
VSP-66462: There is an issue with the new Apple User Enrollment registration process sometimes generating incorrect managed Apple IDs. You must use the single device invitation or the bulk device invitation process to verify that the managed Apple IDs were generated correctly. You should also check the logs for any managed Apple ID failures. If the existing registration process is already using PINs, the registration will still work.
-
VSP-66451: In Federal Information Processing Standards (FIPS)-enabled Core deployments, Splunk Indexer version 6.x running over Secure Socket Layer (SSL) is unable to securely connect to Splunk. There is no workaround.
-
VSP-66442: There is an issue when upgrading from Core 10.8.0.0 or older to a Core 11.X release. Backups taken of the upgraded 11.X release fail to restore properly, due to a change in the Unique Identifier (UID) or Globally Unique Identifier (GUID) across the versions.
-
VSP-66218: The Knox Attestation API version 2 is no longer supported by devices running the Samsung Knox operating system (OS) 3.8 and later. The devices operate normally, except the Core attestation check fails, even when the check was successful.
Workaround: No current workaround. These devices require Knox Attestation API version 3, which Ivanti plans to implement for the next release. -
VSP-65924: There is an issue with non-compliant [email protected] devices being listed in the Microsoft Azure Device Compliance report as still compliant, with a compliance status code of "Interaction Required on EMM." There is no workaround.
-
VSP-65679: There is an issue with the Device Wi-Fi configuration. If the administrator specifies "Auto" as the configuration proxy, and does not provide a URL for the proxy automatic configuration (PAC) value, the configuration erroneously treats the configuration proxy as "None" instead of "Auto." This issue is scheduled to be resolved in the next release.
-
VSP-57766: The /api/v1/dm/labels/{label-name}/{device-uuid} API call returns an error when associating a label containing a forward slash (/).
Workaround: Do not apply device labels through the API if the labels include a forward slash.

-
VSP-66110: There is an issue with Core generating unnecessary system event alerts for expired local certificate authority (CA) certificates after the certificate has been retired.
-
VSP-66020: There is an issue with Core not generating call SMS logs for Samsung devices registered to Core in Android Enterprise modes for Core 11.3.0.0 and Core 11.4.0.0.
-
VSP-66016: There is an issue when adding a Trusted Host, the host sometimes fails to display properly in the System Manager > Maintenance > HA Configuration > Manage SSH Keys pop-up window.
Workaround: To populate the host details, close and re-open the pop-up window. -
VSP-66015: The Apache Active MQ message broker service fails when it is enabled in Federal Information Processing Standards (FIPS) mode.
-
VSP-65995: During an upgrade, Core does not report signature verification failures to the user interface, resulting in the download appearing to be successful. The subsequent attempt to stage for installation results in repeating the download. It will not be possible to successfully stage the upgrade under these conditions. If this happens, contact support.
-
VSP-65991: In-house apps (.apk files) fail to upload to the Admin portal App Catalog due to a limitation in the Android application package (APK).
-
VSP-65949: Registered Shared iPads may show an error in the Device MDM Logs for "Install Configuration Profile" when the Security Policy is installed. This is a known issue and will be fixed in the next release.
-
VSP-65689: The option to install Core 11.4.0.0 on the Core M2700 appliance with an ISO image from a bootable USB is not working.
Workaround: Contact Ivanti support. -
VSP-65653: The System Manager > Settings > Network > Interfaces > Physical Interfaces table incorrectly lists the number of network interface ports (NICs) on a Core M2700 appliance as seven, when the correct number is six.
-
VSP-65554: There is an issue in which an iOS device user without "Apple User Enrollment" privileges can still complete Apple user enrollment for their device. This is a known issue.
-
VSP-65481: There is an issue with retired Android devices receiving a new Azure device identifier, even when the new device registration uses the previous Azure device identifier.