Known issues

VSP-70322: The objectGuid attribute was decoded from hex to UUID, but for SSO with Access integration, a hex value is expected for the objectGuid attribute by the Office 365 service provider.

Workaround: None.

VSP-69664: Pull Client Logs action from the Admin Portal Device Page fails to pull the client logs.
Workaround: None.

VSP-69765: Duplicate devices in DA mode cannot be deleted using Managed Duplicate Devices Cleanup Scheduler.
Workaround: None.

VSP-69822: Changing Apps@Work port to 8443 causes errors in the Sentry mutual authorization flow.
Workaround: None.

VSP-69842: The Pulse secure VPN config sends out an incorrect identifier (net.pulsesecure.PulseSecure.vpnplugin). The correct identifier is net.pulsesecure.pulsesecure.
Workaround: None.

VSP-69916: Freshly installed instances of EPMM do not write logs to miserviceswatch.log for MIFS service.
Workaround: None.

VSP-69924: Administrator receives error popup and is unable to save the Exchange profile setting with the user/device attributes for the UserName field.
Workaround: None.

VSP-70005: SCEP and Entrust certificates are always generated with both "signing" and "encipherment" regardless of the selection made for the certificate enrollment setting.

VSP-70008: In any LDAP user search in the Users page when a Domino server is added (and enabled) to the Ivanti EPMM, there are no results but it displays a message "The query result is too large, consider to refine your search string" even though there is a single result for the query.
Domino LDAP does not support the VLV (Virtual List View) Control, which means pagination is not supported in the Domino LDAP server.

VSP-70044: After Lookout is removed from the device, custom attributes relating to Lookout are left in the device information.
Workaround: None.

VSP-70046: The application update notification text is not translated into local languages.
Workaround: None.

VSP-70059: When the iOS and tvOS labels are manually removed for the iOS Enterprise Appstore SCEP certificate, and if these labels are present in the Native App Catalogue setting, they will be reapplied automatically after a Tomcat restart.

VSP-70086: On the Ivanti EPMM user page, when you search for LDAP user in the category field, it throws a warning message javax.naming.CommunicationExceptions.

VSP-70161: LDAP user search fails and throws an error when Connector is enabled.

VSP-70268: Upgrading the connector from 11.11.0.0 GMRC to 11.11.0.0 GA displays a warning, enforcing the mutual authentication when the default URL is used in the Software repository configuration.
Workaround: Use either the 11.11.0.0 GA repository URL from System manager portal or use CLI command 'software update'.

VSP-69520 :If a banner style is configured for another application in the Integrated App Catalog, then the Mobile@Work client displays only the Light Banner Style.
Workaround: None.

VSP-69747: Duplicate IMEI2 columns are displayed in CSV data when you use the Export to CSV function.

Workaround: None.

VSP-69713: The device details pane does not automatically resize itself when the content is larger than the pane, so some information might not display correctly or appears truncated.
Workaround: None.

VSP-69710: The subject and issuer fields on the SAML self-signed certificate are incorrect. Although there are no security issues stemming from this mistake, the certificates will have an erroneous validity of 100 years.
Workaround: None.

VSP-69689: After upgrading to Ivanti EPMM 11.10.0.0, LDAP user search fails if multiple LDAP servers are configured in Ivanti EPMM.
Workaround: None.

VSP-69664: Pull Client Logs action from the Admin Portal Device Page fails to pull the client logs.
Workaround: None.

VSP-69576: Managed Apps are not getting removed from Android devices even though the device is quarantined. This occurs when a compliance action with the quarantine option selected and the "Enforce Compliance Actions Locally on Devices" field is deselected.
Workaround: None.

VSP-69523: If a device was previously registered through Android Bulk Enrollment and then wiped or retired, the device cannot be re-registered on the same Ivanti EPMM instance.
Workaround: None.

VSP-69520: For Integrated App Catalog, if any other banner style is configured for another application, the Mobile@Work client will display only the Light Banner Style.
Workaround: None.

VSP-69502: High Availability (HA) synchronization is not working on the IPv6 Interface.
Workaround: None.

VSP-69479: System backup fails for secondary Ivanti EPMM High Availability (HA) and the following error is displayed in the ShowTech log/tomcat2 directory: Elasticsearch data backup failed In the 'bkstatus.log' file.
Workaround: None.

VSP-69471: Unable to create Local SCEP on Ivanti EPMM. A Request Timed error is displayed.
Workaround: None.

VSP-69456: The Apple Device Enrollment page fails to load Enrollment profiles and device counts, and displays a Request Timeout error 30 seconds later. In addition, some property values are not displayed inline in the diff icon before and after section.
Workaround: None.

VSP-69401: Substitution variables do not work if one of the substitution variables has no value or is wrongly configured.
Workaround: Check that there is substitution mapping available for all the substitution variables ($ABC$) being used in the uploaded plist.

VSP-69341: Log entries for keystore handling in the System Management Portal start-up process makes diagnosis of start-up issues confusing.
Workaround: None.

VSP-69245: After an upgrade, devices that are relinquished, but fail to send an acknowledgment back to Ivanti EPMM, remain in a Relinquish Pending status. These devices cannot be retired by any means.
Workaround: None.

VSP-69159: When you select Settings->Users and Devices > Device Registration, then select Restrict device registrations by enrollment type > Apple devices that are part of the Automated Device Enrollment Program, the "Allow silent in-app registration only once. (iOS and macOS)" and "Silent in-app registration timeout limit (minutes) (iOS and macOS)" options at the same location are hidden.
Workaround: Select the "Allow silent in-app registration only once (iOS and macOS)" checkbox, then select the "Apple devices that are part of the Automated Device Enrollment Program" checkbox. The "Allow silent in-app registration only once. (iOS and macOS)" option remains hidden, but the workaround enables it.

VSP-68613: Thread pool sizing and Apache worker count is not adequate for systems with high device loads.

Workaround: None.

VSP-69761: The iOS Restriction profile only allows selection of a subkey, such as Allow javascript, if the Allow use of Safari option is selected.

Workaround: None.

VSP-69656: Devices v2 API call fails after upgrade with a ContentTooLongException error when the result size exceeds 100 Mb.

Workaround: None.

VSP-69609: Export to CSV functionality on the devices page does not function correctly when custom attributes are selected in the export option.

Workaround: None.

VSP-69525: Non-boolean values for boolean-type device search fields in the label, space, and compliance rules were accepted in Ivanti EPMM 11.8.0.0 and earlier. However, because Elasticsearch rejects non-boolean values, Ivanti EPMM 11.9.0.0 and later only accepted boolean values. Using non-boolean values with Ivanti EPMM 11.9.0.0 and later caused start-up failures.

Workaround: A new validation was created as part of the existing ESUnsupportedFieldsCheck function in the pre-upgrade validation. To use non-boolean values in the search fields, administrators should follow the steps in the KB article:
EPMM 11.9.x.x - Unsupported custom criteria for Label, Space and Search features.

VSP-69523: If a device was previously registered through Android Bulk Enrollment and then wiped or retired, the device cannot be re-registered on the same Ivanti EPMM instance.

Workaround: None.

VSP-69521: You cannot add more than 1024 characters in the Extensible Single Sign SSO Policy on the AppPrefixAllowList key.

Workaround: None.

VSP-69468: Some property values are not displayed inline in the diff icon before and after section.

Workaround: None.

VSP-69309: If anything other than alphanumeric characters, hyphens, and underscores are included in the LDAP user Custom Attributes field, you must remove those characters before upgrading. Otherwise, the Tomcat service will be unresponsive after the upgrade. .

Workaround: None.

VSP-69308: New labels cannot use LDAP user non-custom attributes (User > LDAP > User attributes), such as sAMAccountName, mail, and sn.

Workaround: Use custom LDAP user attributes, such as user.ldap.user_attributes.custom1, or use the alternative attributes available directly in User > SAM Account Name (user.sam_account_name).

VSP-69309: If anything other than alphanumeric characters, hyphens, and underscores are included in the LDAP user Custom Attributes field, you must remove those characters before upgrading. Otherwise, the Tomcat service will be unresponsive after the upgrade.

VSP-69115: When audit logs are exported through syslog, the syslog process erroneously spams the logs with messages that say that /dev/null is a directory, not a file. The audit log data arrives into syslog directly, so you can ignore these messages.
Workaround: None.

VSP-69051: tvOS devices do not support passwords or data protection. If you apply a policy that requires either a password or data protection to a tvOS devices, the devices fails to meet the requirements and is out of compliance.
Workaround: None.

VSP-69039: Ivanti EPMM 365 App Protection implementation ignores Microsoft Exclusion Groups and causes misconfiguration on Microsoft Intune endpoints. In addition, Excluded Groups are synced as Included.
Workaround: None.

VSP-68978: You can no longer add a URL that contains characters (such as ':' or "/") to the "Proxy Server URL" field under the Child SA Parameters in a VPN configuration.
Workaround: None.

VSP-68795: The App Auto Update process is not working for VPP apps in iOS systems.
Workaround: None.

VSP-68723: Cellular and GLOBALHTTPPROXY policy profiles uninstall themselves when you upgrade the iOS version.
Workaround: None.

VSP-68722: When you edit the webclip configuration, the edited data disappears.
Workaround: None.

VSP-68708: When the device count is more than 10,000 devices (which is the maximum allowed), an error message is displayed, but the user interface displays a device count of more than 10,000 devices.
Workaround: None.

VSP-68688: Policy Violation Event (PVE) messages are empty when the event language and the EPMM Admin Portal system default language are not the same.
Workaround: None.

VSP-68672: The thread CertAutoGenerateThread, which gets executed upon a Tomcat restart and is responsible for updating settings like web-clip, does not execute successfully because of an exception arising in the thread.
Workaround: None.

VSP-68382: Expired provisioning profiles are not deleted automatically when the app dependency is deleted, and these expired profiles cannot be deleted manually in the user interface. Administrators continue to receive system notifications about the expired profiles.
Workaround: None.

VSP-67538: Some user enrolled devices show configurations and policies in Pending Install state when these configurations and policies are not supported in user enrollment. See the MDM logs to find out the exact error.
Workaround: Remove the device from the labels that are assigned to that configuration or policy.

VSP-66882: When you uninstall the Mobile@Work client, then issue the Wipe command from Ivanti EPMM,  re-registering the device with the same user does not wipe the device but instead Retires it. However, the device's status is erroneously displayed as Wiped.
Workaround: None.

VSP-64711: Ivanti EPMM periodically attempts to contact the Apple "feedback" server for diagnostic purposes.

Workaround: None.

VSP-69747: Duplicate IMEI2 columns are displayed in CSV data when you use the Export to CSV function.

Workaround: None.

VSP-69713: The device details pane does not automatically resize itself when the content is larger than the pane, so some information might not display correctly or appears truncated.
Workaround: None.

VSP-69631: When Ivanti EPMM sent an APN configuration to the Android 12L device, the configuration was not sent to the device.
Workaround: None.

VSP-69523: If a device was previously registered through Android Bulk Enrollment and then wiped or retired, the device cannot be re-registered on the same Ivanti EPMM instance.
Workaround: None.

VSP-69306: Ivanti EPMM does not create alerts for tiered compliance.
Workaround: None.

VSP-69162: In macOS, the silent installation for Mobile@Work client fails when you restrict device registrations only for the Apple devices that are part of the Automated Device Enrollment Program option.
Workaround: Select Settings > Users and Devices > Device Registration. In the In-App Registration Requirement section, select Allow silent in-app registration only once. (iOS and macOS).

VSP-69160: On iOS devices, due to incorrect keywords in the Information property list (plist) file, the OnDemand action specified is never applied when rules match in the configured encryption DNS configuration.

VSP-69159: When you select Settings > Users and Devices > Device Registration, then select Restrict device registrations by enrollment type > Apple devices that are part of the Automated Device Enrollment Program", the "Allow silent in-app registration only once. (iOS and macOS)" and "Silent in-app registration timeout limit (minutes) (iOS and macOS)" options at the same location are hidden.
Workaround:

1. Select the Allow silent in-app registration only once. (iOS and macOS) checkbox.

2. Select the Apple devices that are part of the Automated Device Enrollment Program checkbox.

The Allow silent in-app registration only once. (iOS and macOS) option remains hidden, but the workaround enables it.

VSP-68484: LDAP groups are erroneously moved to different organizational units. When administrators mistakenly add these groups into the LDAP configuration in the Admin Portal, duplications occur. In addition, synchronized users are added to the older distinguished name and no groups are added to the new distinguished name. If the LDAP groups are deleted in the active directory during synchronization, Ivanti EPMM is not updated.

VSP-68471: While installing on iOS 16 devices, the User Enrollment registration fails with the following error: Profile.Error: Profile Failed to Install.

VSP-68462: Post the Sentry 9.15.0 and Core (now Ivanti EPMM) 11.5.0.0 releases, the "Last sync time" field in the ActiveSync tab on the Admin Portal is no longer updated automatically. As a result, the field erroneously displays the date the devices were first synchronized, not the time of the last synchronization. The lack of correct synchronization dates affects compliance actions.
Workaround: None.

VSP-68455: Even if the iOS restriction "Force Translation Processing Only" is deactivated on devices, it still displays as activated in the profile (under VPN > Device Management). iOS restrictions cause On-Device Mode processing issues. In addition, On-Device Mode on iPhones and iPads cannot be edited in the Translation section if the iOS restriction is assigned to the device.
Workaround: None.

VSP-68453: In devices registered with the Arabic language, the Amharic language erroneously appears instead in the Devices & Users > Devices > Language field.
Workaround: None.

VSP-68390: The Terms of services screen is erroneously displayed in the AOSP registration even though the Terms of Service checkbox is not selected in the registration settings.
Workaround: None.

VSP-68385: Enrollment of a device that has been externally decommissioned should cause the old device record to display as "retired", not "retired pending". The device cannot be retired successfully in the "retired pending" state because the old device record has a different management token.
Workaround: None.

VSP-68382: Expired provisioning profiles are not deleted automatically when the app dependency is deleted, and these expired profiles cannot be deleted manually in the user interface. Administrators continue to receive system notifications about the expired profiles.
Workaround: None.

VSP-68344: When you navigate to Maintenance > Export Configuration and perform an export, then import the configuration to the MobileIron Configuration Service (MICS), the following error is displayed in the logs: Observed "errorCode = 1006: Device "GigabitEthernet2" does not exist" error in mics logs while importing config.
Workaround: None.

VSP-68292: When you update an app, the app's status is not updated in the category tab as expected.
Workaround: None.

VSP-68248: When you set Enterprise Apps Distribution Preference as Apps@Work, import a public app, and install it on the device, the app status displays as free in the Apps@Work apps list, even though the status is updated to installed when you click on the app.
Workaround: None.

VSP-68233: When you try to log out of an SAML-enabled Ivanti EPMM server from either the Admin Portal or Self-Service User Portal, the session logs out and closes, but immediately afterward the session opens again and logs back in to the portal.
Workaround: None.

VSP-68120: Even though the Avaya Managed App configuration has been deleted, Ivanti EPMM pushes the configuration to the device, shows Avaya values as still present, and does not send a null value.
Workaround: None.

VSP-68088: LDAP synchronization erroneously occurs twice a day even if you set synchronization for only once every 24 hours.
Workaround: None.

VSP-67818: Apple-driven UE registration fails when the email ID is used as the username.
Workaround: None.

VSP-67696: Currently, the Use Tunnel for Anti-phishing only option is not saved as the default configuration in the Tunnel app.
Workaround: Add another configuration (other than the default), set it to Anti-Phishing only, and then select Save.

VSP-67686: Currently, you receive an "Internal Server Error" message if you try to enter a special character in the Custom Attribute field. This field does not accept special characters.
Workaround: None.

VSP-67672: Currently, when you try to edit a VPN with a Device Channel type in the configuration view, the channel type is erroneously displayed as a User Channel type. If you try to change the User Channel type back to a Device Channel type the system displays the following error: "Nothing has changed." The channel type is correctly displayed in the Configuration Details pane on the configuration page.
Workaround: None.

VSP-67619: Currently, you are unable to save Sentry settings after disabling an ActiveSync service that was enabled with Kerberos authentication.
Workaround:

1. Edit the Sentry Settings.

2. Enable the ActiveSync service> scroll down > Change the Authentication to Pass Thru page.

3. Disable ActiveSync.

4. Delete the Certificate Mapping field.

5. Save the Sentry settings.

VSP-67603: Currently, no confirmation message pops up when you perform Force retire the retire pending devices now and Force retire all the retire pending devices actions.
Workaround: None.

VSP-67600: Currently, the Core server erroneously creates SCEP certificates even though the device VPN configuration has been deleted.
Workaround: None.

VSP-67598: Currently, using the Advanced search criteria for the RETIRE_PENDING status in combination with other criteria results in an error.
Workaround: Enclose the RETIRE_PENDING status search criteria in parentheses: ("common.status" = "RETIRE_PENDING") AND "common.platform" = "macOS".

VSP-67557: Currently, the VPP app license is revoked even though a device is in a Retire Pending state.
Workaround: None.

VSP-67421: Currently, when you apply multiple Single-App Mode policies to a device, only the policy that arrives first is applied, even if another policy with higher prioritization is applied later.
Workaround: None.

VSP-67389: When the administrator adds devices through the Android Bulk Enrollment profile, information is displayed, even if all the devices fail to import.
Workaround: None.

VSP-67386: Currently, the Device Detail window shows software version update options for devices that are in the Active state, in addition to devices that are in the Retire Pending state. The window should only show options for devices in Active state.
Workaround: None.

VSP-67361: Currently, multi-user webclips fail to install because they are not supported in this version.
Workaround: None.

VSP-67353: Currently, software update information for a device is unavailable when there is a error communicating with Apple.
Workaround: None.

VSP-67204: Even though a device is retired, Core still displays the license as still in use and Apple still considers the license associated to the device.

Workaround: Manually delete the licenses in Core > Devices & Users > Apple Licenses > Manage license page.

VSP-69672: Unable to enroll a device with a custom attribute in the Android Open Source Project (AOSP) configuration.
Workaround: None.

VSP-69269: When you create a Wi-Fi configuration with Wi-Fi Protected Access 2 (WPA2 Personal) encrypted security protocol and deploy it to an iOS device, the system erroneously creates a Wi-Fi Protected Access (WPA) encryption protocol instead.
Workaround: None.

VSP-67046: Currently, email sent from System Manager through a StartTLS-required Simple Mail Transfer Protocol (SMTP) server can fail, due to a failure of the STARTTLS authentication process. Previously, the Apache Tomcat web container loaded jar files in alphabetical order, but it now loads them in filesystem-provided order (effectively making the load order unpredictable), which can result in use of code that is unaware of STARTTLS.
Workaround: None.

VSP-67042: The Bridge log action Get Current, All Logs is not working on Windows desktop devices for this release.
Workaround: None.

VSP-67036: When the configuration count for an Android app that supports managed app restrictions exceeds 500, Core deletes all the configurations except the Default configuration. Workaround: None. Do not exceed a configuration count of 500 for these apps.

VSP-67029: There is an issue when creating managed apps. If the Configuration Choice Name is more than 64 characters, Core displays an error message.
Workaround: None. Use a configuration choice name that has fewer than 64 characters.

VSP-66936: There is an issue with Lightweight Directory Access Protocol (LDAP) Organizational Units (OUs) being erroneously deleted if there is an authentication failure from the LDAP configuration.
Workaround: None.

VSP-66907: When an Apple_Device_Name policy is attached to a Label and then later removed, the Devices & Users > Devices > Policy Details page erroneously shows the policy as "Pending," even when the policy has been deleted. This is due to an error in the status field of the database.
Workaround: None.

VSP-66906: There is an issue with Web@Work secondary per-app VPN profiles not going into effect when the primary VPN profile is not available.
Workaround: Reinstall Web@Work to fix the problem.

VSP-66770: There is an issue with Core not updating its filter Labels to reflect changes in Lightweight Directory Access Protocol (LDAP) groups. When moving users from one LDAP group to another, expected behavior is that the corresponding filter Labels will be updated, as well.
Workaround: None.

VSP-66741: There is an issue when making Label changes to Web@Work app virtual private network (VPN) configurations. If the VPN ID of the configuration being modified is used by any other VPN, it triggers the same changes in those other configurations, too.
Workaround: To avoid this problem, give your Web@Work app VPN configurations unique VPN IDs.

VSP-66123: Core audit logs list fake installations of Mobile@Work and other apps irregularly, thus filling up audit logs. There is no workaround.

VSP-66993: When Sentry is upgraded to release 9.15.0 (scheduled release date April 15) attempts to initiate mutual authentication setup at 0345 Coordinated Universal Time (UTC), as part of its daily certcheckjob script. This action restarts the Sentry service.

VSP-66576: There is an issue with the Core App Catalog being unable to successfully import the "eCONFIG - Smart-Ex 02" app. Currently, there is no workaround.

VSP-66548: There is an issue with the Mobile4ERP public app failing to install on Android Enterprise devices. The app goes into a loop updating details and never resolves. There is no workaround at this time.

VSP-66524: There is an issue with new Mobile@Work iPhone users who are unable to access their My Devices tab when logged into a Secure Sign-In multi-user web clip with other new users. There is no workaround.

VSP-66462: There is an issue with the new Apple User Enrollment registration process sometimes generating incorrect managed Apple IDs. You must use the single device invitation or the bulk device invitation process to verify that the managed Apple IDs were generated correctly. You should also check the logs for any managed Apple ID failures. If the existing registration process is already using PINs, the registration will still work.

VSP-66451: In Federal Information Processing Standards (FIPS)-enabled Core deployments, Splunk Indexer version 6.x running over Secure Socket Layer (SSL) is unable to securely connect to Splunk. There is no workaround.

VSP-66442: There is an issue when upgrading from Core 10.8.0.0 or older to a Core 11.X release. Backups taken of the upgraded 11.X release fail to restore properly, due to a change in the Unique Identifier (UID) or Globally Unique Identifier (GUID) across the versions.

VSP-66218: The Knox Attestation API version 2 is no longer supported by devices running the Samsung Knox operating system (OS) 3.8 and later. The devices operate normally, except the Core attestation check fails, even when the check was successful.
Workaround: No current workaround. These devices require Knox Attestation API version 3, which Ivanti plans to implement for the next release.

VSP-65924: There is an issue with non-compliant Mobile@Work devices being listed in the Microsoft Azure Device Compliance report as still compliant, with a compliance status code of "Interaction Required on EMM." There is no workaround.

VSP-65679: There is an issue with the Device Wi-Fi configuration. If the administrator specifies "Auto" as the configuration proxy, and does not provide a URL for the proxy automatic configuration (PAC) value, the configuration erroneously treats the configuration proxy as "None" instead of "Auto." This issue is scheduled to be resolved in the next release.

VSP-57766: The /api/v1/dm/labels/{label-name}/{device-uuid} API call returns an error when associating a label containing a forward slash (/).
Workaround: Do not apply device labels through the API if the labels include a forward slash.

VSP-66110: There is an issue with Core generating unnecessary system event alerts for expired local certificate authority (CA) certificates after the certificate has been retired.

VSP-66020: There is an issue with Core not generating call SMS logs for Samsung devices registered to Core in Android Enterprise modes for Core 11.3.0.0 and Core 11.4.0.0.

VSP-66016: There is an issue when adding a Trusted Host, the host sometimes fails to display properly in the System Manager > Maintenance > HA Configuration > Manage SSH Keys pop-up window.
Workaround: To populate the host details, close and re-open the pop-up window.

VSP-66015: The Apache Active MQ message broker service fails when it is enabled in Federal Information Processing Standards (FIPS) mode.

VSP-65995: During an upgrade, Core does not report signature verification failures to the user interface, resulting in the download appearing to be successful. The subsequent attempt to stage for installation results in repeating the download. It will not be possible to successfully stage the upgrade under these conditions. If this happens, contact support.

VSP-65991: In-house apps (.apk files) fail to upload to the Admin portal App Catalog due to a limitation in the Android application package (APK).

VSP-65949: Registered Shared iPads may show an error in the Device MDM Logs for "Install Configuration Profile" when the Security Policy is installed. This is a known issue and will be fixed in the next release.

VSP-65689: The option to install Core 11.4.0.0 on the Core M2700 appliance with an ISO image from a bootable USB is not working.
Workaround: Contact Ivanti support.

VSP-65653: The System Manager > Settings > Network > Interfaces > Physical Interfaces table incorrectly lists the number of network interface ports (NICs) on a Core M2700 appliance as seven, when the correct number is six.

VSP-65554: There is an issue in which an iOS device user without "Apple User Enrollment" privileges can still complete Apple user enrollment for their device. This is a known issue.

VSP-65481: There is an issue with retired Android devices receiving a new Azure device identifier, even when the new device registration uses the previous Azure device identifier.