New features summary

• Pagination request limit increased: Pagination requests limit on the Device and Audit log page increased from 10,000 records to 200,000 records.

General features

• Rebranding for this release: All product or brand name strings, text, and messages in the following portals have been rebranded to use rebranded words instead of MobileIron or Core: Admin Portal, System Manager Portal, Connector Base Portal, Reporting Database Portal, Self Service Portal, Base Portal.

• New tab "Integrated App Catalog" added to App Catalog for custom branding: A new tab, Integrated App Catalog, has been added to [email protected] Settings for ease of custom branding. Within this tab, the administrator can enter the custom name (20 characters max.) to display in the App Catalog tab within [email protected] The App Name will display at the top of the screen, above the All Apps tab, and in the small tab at the bottom of the [email protected] screen. Applicable to iOS only.

  For more information, see [email protected] branding in the Ivanti EPMM [email protected] Guide.

• Extended expiration renewal window for mutual authentication certificates: The window to renew mutual authentication certificates has increased from 60 to 270 days. For more information, see the Ivanti EPMM Device Management Guide for your OS:

  • Handling client identity certificate expiration for Android devices

  • Handling client identity certificate expiration for iOS devices

• Managed App Configuration for apps: Previously, in Ivanti EPMM 11.8.0.0 and lower, when the administrator saved the configuration, Ivanti EPMM added the All-Smartphones label by default. In Ivanti EPMM 11.9.0.0 and later, administrators can change the label. The last/lowest priority configuration must have a label, thus making it the default configuration. This means that the All-Smartphones label is not required on all configurations.

  For more information, see App Configuration Choices for iOS public apps in the Ivanti EPMM [email protected] Guide.

• Increase in LDAP Custom Attributes support: Ivanti EPMM now supports a maximum of 20 LDAP Custom Attributes as substitution variables. Further Custom Attributes can only be used to define Labels. To create these custom attributes, go to Core > Go to Services > LDAP > Modify LDAP form. For more information, see "Adding custom attributes to users and/or devices" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.

• Upgraded Elasticsearch service version: Ivanti EPMM upgraded support for ElasticSearch from v1.7.2 to v7.17.x.

• Web Application support for Integrated App Catalog: Web Applications are now supported for Integrated App Catalog and they are now visible in the [email protected] section in [email protected]

  For more information, see Working with web applications for iOS and macOS in the Ivanti EPMM [email protected] Guide.

• VPP support for Integrated App Catalog: Along with Web Applications, VPP apps are now supported for Integrated App Catalog and they are now visible in the [email protected] section in [email protected]

• Logs now exported to splunk and syslogs: The /var/log/httpd, servicestatus logs, and /var/log/elasticsearch/elasticsearch.log are now exported to the splunk and syslog settings. For more information, see Working with Logs in the Ivanti EPMM System Manager Guide.

• Administrators who modify CE settings now identified as also causing corresponding configuration changes: When administrators modify a certificate enrollment (CE) setting, they cause changes to configurations that use that CE setting. The modification history field now identifies the administrator who made the CE setting change as the administrator who caused the configuration changes. For more information, see "Certificate Enrollment settings" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.
• Event Center templates changes: The $SERVER_IDENT variable was removed from the $DEFAULT_POLICY_VIOLATION_MESSAGE variable and is now part of the Event Center template. Add the $SERVER_IDENT variable to the template to display server identity in an alert message. The $SERVER_IDENT variable is also a substitution variable in compliance actions. Use of this variable depends on whether the compliance action was updated from version 1 to version 2. For V1 actions, include this variable in the Event Center template or as part of the alert message text in the compliance action. For V2 actions, include this variable only as part of the alert message text in a compliance action. For more information, see "Customizing Event Center messages" in the Ivanti EPMM Device Management Guide for your OS: Android, iOS, or Windows.
• New restricted Manage Devices role created for remove and push profile actions: The Manage Devices role includes the following permissions: Push profiles, Remove profiles, and Update Intune Compliance Status. As an administrator, you can remove the Manage Devices role from a user and, instead, give the user the Manage Devices Restricted role, which omits these three roles. In addition to this restricted role, you can grant the three separated roles in any combination.

  For more information, see User management overview in the Getting Started with Ivanti EPMM Guide.

Android features

• Set managed app config settings that are required to be sent to the device: In many cases, the default values of Android Enterprise managed app configurations may or may not be made available; Ivanti EPMM will still send these default settings to the device, thus causing unwanted settings on the device. Administrators can now choose the behavior for constructing managed app configurations. By default, Ivanti EPMM only pushes settings with valid values defined to device/app. Now a new option allows administrators to push all settings, irrespective of the value. This allows for apps with different behaviors to be compatible with Ivanti EPMM. It is recommended to only change this setting if defaults are causing issues with app performance. This applies to Ivanti EPMM upgrades and new installations. Applicable to Android Enterprise and Android Open Source Project (AOSP) mode in-house and public apps.

  For more information, see App configuration for Android Enterprise apps in the Ivanti EPMM [email protected] Guide.

• Support to provide certain apps to have more permissions: The administrator can provide other apps some Delegated Permissions. These new permissions are:

  • Manage app configurations
  • Manage blocking app uninstallation
  • Manage enabling system apps
  • Manage certificate selection
  • Manage retention of uninstalled apps
  • Manage network log collection
  • Manage security log collection
  • Manage installation of existing apps

Applicable to public, private and in-house apps. For more information, see Adding in-house apps in the Ivanti EPMM [email protected] Guide.

• Download Android Bulk Enrollment CSV: In the Device Details page, administrators can now download the CSV by selecting the Export to CSV button to the right of the Add button. For more information, see Android Bulk Enrollment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Android Bulk Enrollment - delete profile and devices: Once the administrator has uploaded the device CSV via Android Bulk Enrollment and a profile and its associated devices have been created, the administrator can delete the profile and its devices. Active and Retire Pending devices cannot be removed, but inactive devices can be deleted. Note that delete action is only supported from global space. For more information, see Deleting a profile and associated device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• New fields added - Allow Nearby Notification Streaming and Restrict input methods to system inputs:

  • Allow Nearby Notifications Streaming: In the Lockdown policy for managed device and managed profile section, the administrator can set Allow Nearby Notifications Streaming to the following values: Not Controlled by Policy (default), Enabled, Disabled, and Enabled for Same Account. Applicable to Work Profile mode, Work Managed Device mode, and Work Profile on Company Owned Device mode. Notifications streaming is sending notification data from pre-installed apps to nearby devices.
  • Restrict input methods to system inputs allows the device user on their device / personal profile to use the system input. When the administrator enables this option, the device user cannot use any other external keyboards. Applicable to Work Profile on Company Owned mode.

For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode, Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode, and Lockdown policy fields for Android Enterprise devices in Work Profile on Company Owned Device mode in the Getting Started with Ivanti EPMM Guide guide.

• MAC Address Randomization: On Android 13 devices or supported newer versions, upon installation or upgrade, the administrator can enable or disable the MAC Address Randomization for the Wi-Fi configuration. If the MAC Address Randomization is not selected, the randomization type is not pushed; the Wi-Fi and Inventory MAC Address are the same for a device. Applicable to Wi-Fi configurations for all authentication types in:
  • Work Managed Device (DO) mode
  • Work Profile (PO) mode
  • Work Profile on Company Owned Device (EPO) mode

  • Android Open Source Project (AOSP) mode

  For more information, see Wi-Fi settings in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Samsung Knox APIs Deprecated: Because the Samsung Kiosk mode is deprecated in Android 8.1 and above, you must implement Android kiosk mode instead.

  For more information, see Deprecated features. See also the Samsung Deprecation of APIs in Knox article and Samsung Knox Developer Documentation > Deprecated API methods.

iOS features

• New fields are introduced in the Web Clip configuration: The following new fields have been added to the Web Clip configuration:
  • Ignore Manifest Scope (iOS)

  • Target Application Bundle Identifier (iOS and macOS)

    For more information, see iOS and macOS settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices. 

• Administrators can copy existing managed app configuration settings: In the Ivanti EPMM App Catalog, Administrators can go into an edited app and copy managed app configurations to experiment with new settings that app developers may have released. This helps prevent Administrators having to manually go through the entire managed app configuration schema just to create a duplicate configuration.

  For more information, see iOS managed app configuration in the Ivanti EPMM [email protected] Guide.

• New iOS restrictions are added: The following restrictions can be added for devices with iOS 16:
  • Allow Rapid Security Response Installation
  • Allow Rapid Security Response Removal

  This feature can be used once Apple implements the functionality. For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Azure AD compliance with Ivanti EPMM: Ivanti EPMM integration as compliance partner with Azure Active Directory in Common Criteria mode is supported. For more information, see Adding Ivanti EPMM as a compliance partner in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

General features

• Ivanti Support Maintenance for App Gateway (appgw.mobileiron.com): Ivanti will be performing a scheduled network infrastructure maintenance on December 16, 2022, and your action is required if your organization uses explicit firewall rules.

  The following App Gateway (appgw.mobileiron.com) services will be unavailable during the maintenance window:

  • Firebase Cloud Messaging for Android device messaging

  • Mobile carrier lookup

  • Gateway location database update

  • SMS delivery

  • Device image look-up

  • Apple Push Notification service (APNs)

  • In-app device registration (auto-discover)

  • Apple MDM certificate renewal

  • Reg-service for Ivanti EPMM hostname lookup based on phone number (Android only)

  • Creation of Android for Work enrollment through the Ivanti Support site

Action: If you use explicit firewall rules, you must append your rules with the following new IP addresses by December 16, 2022:

• 34.227.203.115

• 34.231.78.119

• 35.168.168.163

• 18.207.62.107

• 18.209.150.213

• 23.21.143.22

Allow traffic to both the current and new IP addresses prior to December 16, 2022. You will receive a customer communication email with more information about the maintenance window when it is confirmed.

For more information, see External and Internet Rules in the Ivanti EPMM On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector and Urgent Ivanti Endpoint Manager Mobile (MobileIron Core) Gateway Update.

• Rebranding changes: As part of the MobileIron to Ivanti rebranding in this release, page titles, logos, product names, images, and guide names have been changed. In addition, the following Core (now Ivanti EPMM) component names and user interfaces have been rebranded:

  • Core Admin Portal = EPMM Admin Portal

  • Core System Manager Portal = EPMM System Manager

  • Self Service Portal = Ivanti Self Service Portal

  • Connector Base = EPMM Connector

  • Reporting DB System Manager = Ivanti System Manager

• New consolidated EULA: A consolidated product End User License Agreement (EULA) replaced the previous version. The EULA is displayed during initial installation.

• Migrating Intune Azure graph to Microsoft Graph Due to the upcoming retirement of Azure Graph APIs in December 2022, Ivanti has enabled Ivanti EPMM releases to work with Microsoft Graph APIs. See the Microsoft information here.

• Query cellular device information: Starting with iOS 16.0, the device's phone number will be retrieved from the list of SIMs in the ServiceSubscriptions query.

• New Action menu item to synchronize device compliance status with Azure: Administrators can synchronize the compliance status only for authorized devices from Ivanti EPMM to Azure. When synchronizing for non-authenticated/non-related Azure devices, an error message displays listing device names. When the administrator performs a manual synchronization, a detailed Audit Log is generated for the devices. Applicable to all types of Azure tenants, for example: Standard, GCC_High, and DOD.

  For more information, see "Syncing the Device Compliance status of devices" in the Ivanti EPMM Device Management Guide of your OS system: Android, iOS.

• Export to CSV Installed Apps (App Inventory) Search Results: Administrators have the ability to export the results of an advanced search of the App Inventory page to a CSV file. The CSV would include all the fields in Summary View and Detail View. Applicable to all apps in the App inventory page.

  For more information, see Managing app inventory > "Exporting search results to a CSV" section in the Ivanti EPMM [email protected] Guide.

• Samsung Firmware E-FOTA decommissioned: As of August 2022, Samsung discontinued the Samsung E-FOTA service. As a result, upon upgrade to Ivanti EPMM 11.8.0.0, the following occurs:

  • In Policies > Add New > Android Firmware Policy dialog box, the "Enable Samsung Firmware Policy" field is disabled.

  • Upon upgrade, in the existing policy and new policy (in the case where the license has not yet been deactivated), the "Enable Samsung Firmware" field will still be visible; however, it will be Read-Only. The administrator will need to delete the existing policies and deactivate the license before creating the new policy.

  • The Services > Samsung > Samsung Firmware E-FOTA License Management page is disabled; the administrator cannot activate or deactivate an E-FOTA license. If you have an existing E-FOTA license already set up, the Deactivate button is enabled and the administrator will need to manually deactivate the Samsung Firmware E-FOTA License.

    For more information, see Activating the Samsung firmware E-FOTA license in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. See also End of Life (EOL) and alternatives: Samsung Knox EOL article.

• New warning for registration PIN passcode settings: If you try to extend the registration PIN passcode settings beyond the default value, the following warning is displayed: Increasing the validity period for the PIN may pose a security risk and it is not recommended best practice. For more information, see Setting passcode and registration code defaults in the Getting Started with Ivanti EPMM Guide guide.

• Support for pushing OS software to multiple devices: The administrator now has the option to select multiple devices and push OS software updates from the Ivanti EPMM Admin Portal's Devices page to multiple devices. All the eligible iOS devices from the selected devices can be updated to the latest version or to a version specified by the administrator.

  For more information, see Updating the OS on supervised iOS devices in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Ability to set the frequency of application notifications: The native App Catalog receives notifications when application updates are available in [email protected] Starting in this release, administrators can configure device user notifications for new application updates that are available in the App Catalog, and set the frequency to once a day or once a week. Applicable to iOS devices only. For more information, see iOS [email protected] AppStore Features in the Ivanti EPMM [email protected] Guide.

• IMEI information for inactive SIM slots now displayed: In the past, only IMEI information for the active SIM slot was displayed in Ivanti EPMM. Now, device information on active and inactive SIM slots displays. In addition, CSV-exported data now includes the information for inactive slots. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Support for independent, customized messages and email subjects for each Compliance Action tier: In previous releases, only one customized message could be sent for all Compliance Action tiers supported in Compliance Policies > Compliance Policy Rule. Starting in this release, administrators have the ability to create and send independent, customized messages and email subject lines for each of the now 20 possible Compliance Action tiers.

  For more information on customized messages and email subject lines for compliance action tiers, see "Custom compliance policies" in the Ivanti EPMM Device Management Guide for your system: Android, iOS, Windows.

• Send device compliance data to single/multiple Microsoft Office 365 GCCH/DoD tenants: Device compliance status can be sent to GCCH and DoD Tenants. For more information, see Office 365 GCC High and DoD.

Android features

• Enable app restrictions for all supported devices: In the App Catalog, a new check box has been added "Enable app restrictions for all supported devices" for Android Enterprise in-house apps to display in the App view page of the App Catalog. Applicable to:

  • Work Managed Device mode
  • Managed Device with Work Profile mode

  For more information, see Adding in-house apps for Android in the Ivanti EPMM [email protected] Guide.

• Changes to a field in the App Catalog: The field called "Enable AOSP app restrictions" has been changed to: "Enable app restrictions only for AOSP" and now only applies to Android Enterprise devices in Work Managed Device - non GMS (AOSP) mode.

  For more information, see Adding in-house apps for Android in the Ivanti EPMM [email protected] Guide.

• Advanced Search for devices with non-compliant passwords: The new "Data Protection Enabled" field allows you to find devices with non-compliant passwords.
  For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• New option for Unlock command provided: For Android Enterprises, administrators can set a six-digit unlock PIN for specific devices. If this setting is used, "Unlock Device with Custom Pin <Pin value>" will display in the audit logs. For more information, see Setting the unlock PIN for a specific device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Support for app restrictions and permissions on In-house apps for Android devices: The administrator can now set restrictions and grant or revoke permissions on In-house apps for Android devices. Applicable to: Work Managed Device (DO) mode, Managed Device with Work Profile, and Work Managed Device non-GMS (AOSP) mode.

For more information, see Adding in-house apps for Android in the Ivanti EPMM [email protected] Guide.

• Android Enterprise Enable Single App Kiosk added to pin a single app to device screen: Administrators can select the Enable Single App Kiosk check box and then select the (single) app to pin to the device screen. This setting allows one app to be pinned to the device screen in most conditions. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Google Maps app. When the device user taps on that link, it opens the Google Maps app.

  The pinned single app will be launched only when it is part of the Allowed App list, the Kiosk Mode Allowed Apps list, and installed on the device. Applicable to Work Managed Device mode (DO) and Work Managed Device-non-GMS mode (AOSP).

  Note the following:

  • Single app Kiosk is only applicable to regular Kiosk mode. Single app kiosk can only be exited remotely from the Ivanti EPMM Admin Portal > Devices page. [email protected] displays the toast message "Kiosk Exit" in the app but the dedicated single-app may still remain on screen, as it cannot be closed due to Android limitations.
  • The Lock Task mode can only be enabled when the home screen is in the foreground. If the dedicated single-app is in the foreground, then it is not possible to enable Lock Task mode.

    Workaround: Device user must tap the back or home button; the Lock Task mode becomes enabled.

    On devices Android 9 and below, when the single app Kiosk is disabled, then the device user may need to tap the back/home button to see the Kiosk home screen again. The launched app may remain pinned to the foreground and the Kiosk home screen may not display due to Android limitations

    For regular kiosk mode information, see Creating a shared-kiosk-mode policy for the shared kiosk users in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices

    For shared-kiosk mode, see Setting the kiosk policy for Android managed devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS features

• Remote Authentication and Apple ID Default Domains for Shared iPads: In iPadOS 15 and below, Shared iPad required the device be connected to the internet when a user signs in. In iPadOS 16+, Shared iPad defaults to using the local passcode for existing users on the device, thus reducing the need for an internet connection. Ivanti EPMM administrators can choose to always enforce remote authentication, or by setting the number of days, provide the flexibility to determine when the remote passcode changes take effect on the existing cached sign-ins. Administrators can also set the default domains to make signing in to Shared iPads easier. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Additional Skip option added: Skips the Terms of Address pane option has been added to the Devices & Users > Apple Device Enrollment. Availability: iOS 16+ and macOS 13+. For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Apple Cellular.APNsItem DefaultProtocolMask property no longer supported: Starting with this release, Ivanti EPMM no longer supports the deprecated Cellular.APNsItem DefaultProtocolMask Apple property.

• New support for the Apple property Cellular.APNsItem EnableXLAT464: Ivanti EPMM now supports the Cellular.APNsItem EnableXLAT464 Apple property, which enables the XLAT-464 option to provide access service for IPv6 across IPv6 networks.

  For more information, see Cellular Policies in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay:

  • Allow Universal Control - prohibits the control of multiple Apple devices - including an iMac, MacBook, and iPad - all with the same keyboard and mouse.

  • Allow UI Configuration Profile Installation - prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later, and macOS 13 and later.

  • Allow USB Restricted Mode - if disabled, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization.

  For more information, see macOS settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS silent registration added: Administrators now have the option to have silent registration for macOS devices and thus not require device users to register manually. In System Settings > Device Registration, administrators would select the "Allow silent in-app registration only once (iOS and macOS)" field. Prerequisite: Administrators will need to upload [email protected] for macOS under Apps > App Catalog and assign a macOS label.

  In the same location, administrators can also set "Silent in-app registration time limit (minutes) (iOS and macOS)." This option enables a time limit to complete silent in-app registration. If macOS devices fail to register within this time frame, device users will be forced to register manually using their credentials.

  For more information, see Registration Considerations in the Getting Started with Ivanti EPMM Guide and Registering iOS and macOS devices through the web in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• [email protected] available from [email protected] for iOS: Starting from Ivanti EPMM release 11.8.0.0 you can transition to [email protected] native experience from the [email protected] application. The [email protected] native AppStore is deployed automatically with the [email protected] client. Once the administrator enables Mutual Authentication and applies device labels to the (new) App Catalog configuration, the [email protected] native AppStore is deployed with the [email protected] client.

  Note: Devices should be migrated to Mutual Authentication to support native App Catalog.

  Administrators can configure the integrated [email protected] device user notifications; they can choose to enable, disable or set cadence. The [email protected] tab is displayed on the [email protected] client task bar and device users can view and install their company-approved apps from [email protected] Starting with the Ivanti EPMM 11.8.0.0 release, [email protected] Webclip and Integrated [email protected] are supported.

  **When an update is available to an app, [email protected] will display a badge/notification. Badging is only for apps that are already installed and have updates. Applicable to in-house and public apps.

  Note: Volume Purchase Program (VPP) apps are not supported.

  For more information, see [email protected] (iOS) and iOS [email protected] AppStore Features in the Ivanti EPMM [email protected] Guide.

• iOS Enrollment Certification chain now visible: When you navigate to MICS (System manager portal) > Security > Certificate Mgmt > iOS Enrollment certificate > View, click on View Certificate in Ivanti EPMM, the entire iOS Enrollment Certification chain is visible, not just the immediate issuing CA certificate. For more information, see Viewing, replacing, and deleting certificates in the user portal in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New Encryption Algorithm: The ChaCha20Poly1305 encryption algorithm is supported while configuring the Always On VPN configuration for iOS devices. For more information, see IKEv2 (iOS Only) in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Available in macOS 11.3.0.0 and later.

The new restrictions are not automatically pushed to the devices when you upgrade. Instead, to force-push the restriction to all devices, open it and save it.

Windows features

There were no new features for Windows in this release.

General features

• Changes to instructions in [email protected]: In [email protected], the instructions in the enrollment and remediation pages have been updated.

• Run Reporting Database reports on user and device attributes: The Reporting Database now includes user and device attributes in its reports. See the latest Ivanti Reporting Database Essentials guide for more information.

• Ability to delete multiple local users: Administrators can now delete multiple users. You cannot delete multiple users if:

  • a user you are trying to delete is currently logged in (administrator)

  • a user is an administrator user - you first need to remove the administrator role of the user

  • there is a non-retired device associated to the user

    For more information, see Deleting multiple local users in the admin portal in the Getting Started with Ivanti EPMM Guide guide.

• Registration passcode expiry maximum time increased: You can now customize the number of hours the registration password is valid, from 4 hours (default) to a maximum of 4320 hours (6 months). For more information, see Setting passcode and registration code defaults in the Getting Started with Ivanti EPMM Guide guide.

• Symantec name change updated in user interface: Symantec Web Services Managed PKI has changed its name to DigiCert PKI Platform, therefore, you may note associated textual changes in the Core user interface.

• Support for optional KVP on Email+: The KVP email_user_certificate_self_service can optionally be set to the ‘retired’ certificate value for a device user by prefixing it with [optional].(email_user_certificate_self_service is a mandatorily configurable KVP for all the Core users.)
  [optional]email_user_certificate_self_service is an alternative configurable KVP for applicable device users that Core will push to the user’s device only when the value is non-empty. Developers of AppConnect apps now have the option to create [optional] keys so that if the value is null/empty, it will not send that key/value to the AppCconnect app.
  For more information, see the Ivanti Email+ for Android Guide.

• New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Core offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices. In Core, go to Settings > Users and Devices > Retire and Delete. In the retire devices section, there are settings that allow you to retire the retire pending devices, based on the last check-in time, with on-demand actions and scheduled actions. For more information, see "Retiring a device" and "Retiring the Retire Pending devices" in the Core Device Management Guide of your OS.

• Client ID added to Device Details: For troubleshooting purposes, Client ID has been added to the Device Details page. Administrators can also search for Client ID as well. For more information, see "Advanced Searching" in the Core Device Management Guide of your OS.

• Ability to remove profiles from individual devices: Similar to the Push Profiles option is a new feature that allows administrators to manually Remove Profiles from specific devices. This feature is helpful for troubleshooting specific devices, for example, overriding the default label for that device. For more information, see "Pushing and removing device profiles" in the Core Device Management Guide of your OS.

• Hyper-V 2019 server is supported for core and enterprise connector installations: With this release, Core can be installed on a Microsoft Hyper-V 2019 server. The Hyper-V 2019 includes Windows Hypervisor, a Windows server driver model, and virtualization components. Hyper-V is delivered as part of Microsoft Windows Server 2019. For more Hyper-V information, see Virtual Core requirements in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector guide.

• Advanced search enhancements: In Apps > Installed Apps, Administrators can search apps with specific criteria according to attributes combinations, in addition to searching a specified term in different attributes. For more information, see Managing app inventory in the Ivanti EPMM [email protected] Guide guide.

• Send device compliance data to single/multiple Microsoft Office 365 GCCH/DoD tenants: Device compliance status can be sent to GCCH and DoD Tenants. For more information on GCCH, DoD, see "Office 365 GCC High and DoD."

• New Global Policy to configure apps per label in bulk: Administrators can create global policies with different app settings (silent install, auto-update, mandatory, etc.) and can assign it to different labels. By creating a global policy, administrators can avoid editing each app and configuring the settings. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed. For more information, see Global App Config Settings policy in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Create a default label name: Starting with the 11.6.0.0 release, administrators had the ability to manually create a label (for Windows, Windows Phone or macOS) that does not contain any criteria. After it is created, the label automatically becomes a default label and cannot be removed or edited. Upon upgrade to version 11.7.0.0, Core does not apply these labels to devices because they do not contain criteria. Administrators must apply the labels manually.

Android features

• Support for Private DNS: On fully-managed devices running Android 10 or later, the administrator can specify whether the device should use a private DNS server for encrypted domain name resolution, and if so, which one. Applicable to: Android 10+ devices in Work Managed Device mode. For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode in the Getting Started with Ivanti EPMM Guide guide.

• File Transfer Configuration: A new configuration File Transfer is available for Android devices. This configuration can be used to transfer files to the device and these files can be shared from [email protected] to other apps on the same device. Target apps consuming these files must support ContentURI to access files locally on the device.

  For more information, see Android File Transfer Configuration in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• [email protected] auto-granted permissions reduced on all Android device versions: Administrators can provide device users more choice on Android 11 and below Work Profile devices by allowing the device user to choose whether [email protected] should be granted location permissions. The default behavior allows [email protected] to automatically grant this permission. In Core 11.7.0.0, when the [email protected] auto-grant location permission check box is selected, the administrator would see a warning in Core and device users would receive a prompt to grant [email protected] location permission during registration of devices in Work Profile mode.

  Phone permission is required to collect device information. Phone permission allows [email protected] to get information about device identifiers such as IMEI. This permission was originally only available in Device Admin mode, but has been extended to Work Profile mode. Device user consent is required for [email protected] to have phone permission.

  For more information, see Privacy policies and Understanding the Registration page in the Getting Started with Ivanti EPMM Guide guide.

• Shared kiosk mode app settings: Upon upgrade, two new settings for Shared kiosk mode can be utilized in the New Android Kiosk App Setting Policy dialog box > Kiosk Mode Allowed Apps section:

  • Clear App Data is indicated by a "broom" icon. A broom with check mark icon indicates to clear the app data when the device user logs out of shared kiosk. A broom with a "not allowed" icon indicates do not clear app data when the user logs out of shared kiosk.

  • Android settings are indicated by a "gear" icon. A gear with check mark icon means allows device-wide settings for the selected app to be made available to the device user. A gear with a "not allowed" icon means disallow it.

    For more information, see Configuring the Android shared-kiosk mode in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Android Bulk Enrollment: Administrators can do registration of Android 7+ devices in batches (1000+) by uploading a CSV file. For each profile, a token will be generated with a default expiration time of 7 days. This token can be further extended for 7 days minimum to 99 days maximum. Optionally, the token can be regenerated (a completely new token is created for the profile with a default of 7 days of expiration.) Applicable to Work Managed Device mode, Managed Device with Work Profile mode, Work Profile on Company Owned Device mode, and AOSP mode.

  For more information, see Android Bulk Enrollment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Additional battery health information provided: Additional battery health statistics per-device are now provided:
  • Android Battery Charging Status
  • Android Battery Health Status
  • Battery Charge Cycles (OEM)*
  • Battery Health Percentage (OEM)*
  • Battery Manufacture Date (OEM)*

  For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

  *The OEM fields will only populate if the device is a Zebra device. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• MobileIron Cloud is now Ivanti Neurons for MDM: All the instances of Cloud in Core documentation have been updated to Ivanti Neurons for MDM.

iOS features

• Update iOS Software Version button allows administrators to update iOS devices to a specific OS version: The Device Details page has a new "Software Version Update" button for administrators to update specific devices to any supervised DEP and non-DEP iOS versions. A list of only the applicable iOS versions to the device displays for the administrator to choose, and then execute the update. For more information, see Updating the iOS manually on a single supervised iOS device in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New macOS restrictions: New macOS restrictions have been added to help administrators delay when device users can download software updates. There are three types of delay options, each with additional options for setting the number of days of delay.

  • Delay OS Software Update - you can set the delay of a software update on the device and set the delay of minor software updates to the device. The device user will not see a software update until the set number of days after the software release date.

  • Delay App Software Update - you can set the delay of a software update on the device and set the delay of non-OS software updates to the device. The device user will not see a non-OS software update until the set number of days after the software release date.

  • Delay Major Software Upgrade - you can set the delay of a major software upgrade on the device. The device user will not see the major software upgrade until the set number of days after the software release date.

    Available in macOS 11.3 and later.

    Additionally, Allow Erase All Content and Setting was added for resetting of iOS devices. Applicable to iOS 8+ and macOS 12+. For more information, see macOS settings and iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

    Upon upgrade, the new restrictions will not be pushed to the devices. The easiest way to do this is to open the restriction and then save it. This will force-push to all the devices.

• Skip options added to Device Enrollment Profile: To assist with easy installation, two additional options were added to Device Enrollment Profile:

  • Skips Device to Device Migration pane. Availability: iOS 13+.

  • Skips the iMessage pane. Availability: iOS 10+.

  For more information, see Creating an Apple Device Enrollment Profile in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS registration configurations enabled upon upgrade: For new Core deployments, Ivanti’s support for macOS device management is available in Core, Ivanti EPM, and Ivanti Neurons for MDM.

• Version number updated: Core applications have received the version numbers that are being updated: AppleTV, iOS 15.5 and 15.5.X, macOS 12.4.

• New iOS Restrictions added to Configurations > New Restrictions Setting dialog box:

  • Allow Apple TV's automatic screen saver restriction

  • Allow Mail Privacy Protection - helps protect device users' privacy by preventing senders from learning about device users' email activities. When the Allow Mail Privacy Protection configuration is installed and enabled from Core, the Protect Mail Activity toggle is enabled on the device and the following options are visible to the device user:

    • Hide IP Address - The email sender cannot link the email to the device user's online activity or determine location.

    • Block All Remote Content - Prevents the email sender from seeing the device user's email activities.

    For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Windows registration configurations enabled upon upgrade: For new Core deployments, Ivanti’s support for Windows device management is available in Core, Ivanti EPM, and Ivanti Neurons for MDM.

General features

• Changes to the identity certificate alias make selecting the right one easier: Previously, identity certificates were given an alias such as CERTIFICATE_22_9013_15 with the word CERTIFICATE as the prefix. Identity certificates will be given more admin-friendly names such as MSSCEP-TUNNEL_22_9013_15, with the prefix being the certificate enrollment configuration name. The new prefix was applicable for all the certificate enrollment configurations. With this release, the new prefix is applicable to all certificate enrollment configurations except Single File Identity.

General features

• Disabling "Save User Password" now clears all LDAP user passwords: Previously, the Save User Password checkbox in Settings > Ownership settings was disabled by default. However, if it was enabled and then disabled, Core did not delete all the Lightweight Directory Access Protocol (LDAP) user passwords already in its database. With this release, the checkbox will still be disabled by default. But if Save User Password is enabled and then disabled, a pop-up message appears, warning that all stored passwords will be deleted.

• Unregistered devices can now redirect to Core from Office 365: With this release, when a user of an unregistered device tries to access Office 365 services, they will be redirected to a [email protected] enrollment page for device registration (https://<Core fully qualified domain name>/mifs/aadIntuneEnrollment.jsp). This feature is dependent upon a correctly-configured enrollment URL for iOS and Android in the Device Compliance settings.

• Support for Sentry-to-Core TFE mutual authentication: With this release, Core supports mutual authentication (MA) with Sentry through a Trusted Front End (TFE). The TFE server will verify the mutual authentication before forwarding it to Core. The minimum version requirements are:

  • Standalone Sentry - 9.15.0 and newer versions
  • Core - 11.5.0.0 and newer versions

  Note the following

  • Core initiates mutual authentication only if Sentry is running 9.15.0 or newer software.
  • If you would like a copy of the TFE server configuration template for mutual authentication, see your MI Core support representative.

  For more information, see Advanced: Trusted Front End in the Ivanti EPMM System Manager Guide.

• New "Retire Pending" status for devices slated for retirement: In previous releases, when a device administrator retired a device, if the device owner chose not to acknowledge the action, it was difficult to know whether or not the device really was retired. In this release, a new Retire Pending device status in the Devices & Users > Devices page displays when a device has been retired from Core, but has not yet checked in to confirm the action.

• Information access control tightened within Roles - Previously, information that was meant to be seen only by users with certain roles could potentially be viewed by unauthorized roles. With this release, Core users will not be able to view information outside of their designated roles.

• LDAPS over SSL (LDAPS) protocol recommended for this release: Ivanti recommends that you adopt Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS) on port 636 when upgrading to the Core 11.6.0.0 release. For more information, see Configuring LDAP servers in Getting Started with Ivanti EPMM Guide.

• PIN and password device authentication strongly recommended: New installations of Ivanti EPMM 11.6.0.0 and higher will default to the device authentication choice of PIN+Password. We suggest that current Core administrators consider the security benefit of a PIN plus a password for device registration and adopt PIN+Password going forward.

• Tooltip added to "Enabling Server Name Lookup" field: In the Core Settings > System Settings > Users & Devices > Device Registration page, there is a radio button "Enable Server Name Lookup." A tooltip was added for administrators to follow specific, important instructions. For more information, see "Enable Server Name Lookup" in the Ivanti EPMM Device Management Guide of your OS.

• Redirect device users to the [email protected] app page from the Enrollment and the Remediation pages:

  • If an iOS device is not enrolled in Azure Active Directory (AAD) and the device user launches any of the Office 365 applications, the default MobileIron Core Enrollment page displays the Install [email protected] button that directs the device user to the [email protected] app store page.
  • If the enrolled device is out of compliance and the device user accesses any of the Office 365 applications, the default MobileIron Core Remediation page displays the Open [email protected] button which launches the [email protected] application.

• New "Upgrade" audit log captures Core upgrade user information: There is a new Upgrade log file option available in the System Manager > Troubleshooting > Logs > View Module Logs section. With this release, when an administrator upgrades Core, an audit log entry is created, listing the time, user ID, and IP address of the person doing the upgrade. For more information about Core logs, see Working with logs in the Ivanti EPMM System Manager Guide.

• More visibility in run-time logs when a Core update check fails: Previously, when an administrator clicked the Check Updates button in the System Manager > Maintenance > Software Updates section, if there were problems retrieving the information, there was only the message "Software repository is not configured," with no way to log and view these issues. With this release, if Core attempts to check for system updates and fails, a new upgradeStatus module displays in the live logs, showing the relevant information.

• Changes to the identity certificate alias make selecting the right one easier: Previously, identity certificates were given an alias such as CERTIFICATE_22_9013_15 with the word CERTIFICATE as the prefix. With this release, identity certificates will be given more admin-friendly names such as MSSCEP-TUNNEL_22_9013_15, with the prefix being the certificate enrollment configuration name.

• New Device User Role for control of SSP "Trust/Untrust" feature: A new role is available to device users, giving them rights to use the Trust/Untrust feature in the Self-service User Portal (SSP). The Trust/Untrust feature allows a device user to self-designate his device as Trusted or Untrusted, depending upon the locational risk. For example, a device user might designate his device as Untrusted while in a busy airport. This feature is disabled by default for new users. A device administrator can enable it for users through the Users > Actions > Assign/Edit Roles > User Portal roles list. For more information, see Assigning user portal device management roles in the Ivanti EPMM Device Management Guide.

Android Features

• Administrators can copy existing managed app configuration settings and download updates:
• In the Ivanti EPMM App Catalog, Administrators can go into an edited app and copy managed app configurations to experiment with new settings that app developers may have released. This helps prevent Administrators having to manually go through the entire managed app configuration schema just to create a duplicate configuration for testing.
• Under the Configurations Choices section of an edited app, Core will notify Administrators if there's a new schema to download.

For more information, see App configuration for Android Enterprise apps in the Ivanti EPMM [email protected] Guide.

• Additional warning added for retiring devices: When retiring a device, a warning has been added to alert administrators that devices in Device Owner mode or Work Profile on Company Owned Device mode are wiped or erased and the action is not reversible. Administrators need to read the warning and check the box before retiring the device(s). For more information, see Retiring a device in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Customized Lock screen message on Android devices: As part of a Lockdown policy, administrators can now set a message on the Lock screen on company-owned Android devices. Applicable to the following modes:

  • Work Profile Managed Device
  • Managed Device with Work Profile
  • Work Profile for Company Owned Device
  • Work Managed Device - Non-GMS mode

  Both device and user attributes (default and custom) can be used with the Lock screen message. For more information, see Lockdown policies in Getting Started with Ivanti EPMM Guide.

• Changes to "Allow unknown sources in personal profile" option in Lockdown policy:

  • Field renamed to "Allow Unknown Sources in Personal and Work Profile" - This controls the use of unknown sources in the personal profile and in Work Profile mode. Requires Google Play update.
  • When the above field is selected, the "Allow Unknown Sources in Work Profile" displays. Selecting it indicates to restrict the Allow Unknown Source setting to the Work Profile mode only. Use case: This allows third-party apps like games from outside the Google Play store to be installed in the personal profile.

  For more information, see Lockdown policies in Getting Started with Ivanti EPMM Guide.

• For Android 12+ devices, Core now supports 5G network slicing: Administrators can set app traffic through one enterprise 5G network slice. Administrators can set this feature in Lockdown policies, conduct advanced searches and make compliance rules in Core. Applies to Work Profile and Work Profile for Company Owned devices. Requires support from 5G service provider. For more information, see Lockdown policy fields for Android Enterprise devices in Work Profile mode and "Lockdown policy fields for Android Enterprise devices in Work Profile on Company Owned Device mode" in Getting Started with Ivanti EPMM Guide.

• Default ownership of corporate-owned Android devices can be set based on device registration method: Applicable to the following Android devices using:

  • Google Zero Touch (ZT)
  • Samsung Knox Mobile Enrollment (KME)
  • Non-GMS mode (Android Open Source Project (AOSP)

  For more information, see Registration methods and Setting up Core with a closed network / AOSP deployment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. See also Understanding the Registration page in Getting Started with Ivanti EPMM Guide.

• Option to not display Terms of Service on the above modes: Administrators can now set in Core whether the Terms of Service will display on client devices for KME/ZT/Non GMS registrations. For more information, see Configuring the default ownership for newly registered devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Devices that are Non-GMS will be identified and reported to Core: With the addition of the device ownership in Non-GMS mode, reporting of said devices are sent to Core. In the Device Details page, Administrators can view individual devices and run a search for "Non GMS Device." For more information, see Setting up Core with a closed network / AOSP deployment in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS Features

• Certificate Revocation Checking configuration added: Administrators can now use the Certificate Revocation Checking configuration to check if configurations have been revoked from an iOS device. Administrators can specify a certificate authority (CA) that allows the configuration to enable revocation checking for all the certificates that are linked to that CA. Applicable to iOS 14.2+. For more information, see Certificate Revocation Checking Configuration in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• App restriction configuration now automatically gets pushed to Apple TV: The App Restrictions configurations are now supported for tvOS devices. Applying the "iOS and tvOS" label to the App Restrictions configuration now automatically pushes it to Apple TV. This setting applies to iOS and tvOS 11.3 and later supervised devices. For more information, see App restrictions configuration setting in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• TV remote support and Conference Room display support added: Two new tvOS policies have been added:

  • TV Remote - Applicable to supervised devices: iOS and tvOS 11.3 and later.
  • Conference Room Message - Applicable to tvOS 10.2 and later. The Conference Room Message policy requires Apple TV supervised devices.

  After the policy is created, apply labels to your Apple TV devices. For more information, see tvOS policy settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Hoedus REST API is End of Life: Because the REST API Hoedus is end of life (EOL), the public API has been removed from Core:
  GET, /api/v2/appstore/googleplay.
  For more information, see this knowledge-based article: https://forums.ivanti.com/s/article/End-of-Life-timelines-for-proprietary-app-discovery-service. An Ivanti Community login may be required.

• Log out single user or all users on shared iPad session: The administrator can now delete a single user or all users on a shared iPad device's session. Applicable to Apple School Manager and Apple Business Manager in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Version number updated. Core applications have received the version numbers that are being updated: AppleTV, iOS 15.4 and 15.4.X, macOS 12.3.

• Clarification on iOS and tvOS labels: Previous Core versions had an "iOS" label and a "tvOS" label. The definition for the "iOS" label was to include both iOS and tvOS devices, causing confusion. Core now has two labels:

  • "iOS label" (for iOS devices only)

  • "iOS and tvOS" label (to mean both iOS and tvOS (Apple TV)

    There is still a "tvOS" label.

  For more information, see Default labels in Getting Started with Ivanti EPMM Guide.

• For iOS 11 devices, new parameters added for the AirPrint payload: Port and ForceTLS. For more information, see AirPrint settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Sorting and filtering of Apple Device Enrollment account and profiles: Apple Device Enrollment Account list page now allows for sorting and filtering. The Device Enrollment Profile list page also allows for sorting. For more information, see Creating an Apple Device Enrollment Profile and Managing Apple Device Enrollment accounts in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Support for Windows Bridge Service Failure Recovery options: In some rare cases, the Bridge Service fails without a known reason. In Core 11.6.0.0, Bridge Service failure recovery is pre-configured, thus allowing device users to continue using the Bridge Service without any major issues. Applicable to Bridge release 2.1.14.0.

  The new 2.1.14.0 version of the Bridge application is automatically imported into the App Catalog for Core 11.6.0.0 and higher releases. This Bridge version will be pushed to Windows devices as they check in. For more information, see "Bridge Server Failure Recovery" in the Ivanti EPMM Device Management Guide for Windows devices.

General features

• New force retire option: New Force Retire Option: Usually, when you issue a Retire command for a device, it is moved to a Retired state and is considered "Retire Pending." Sometimes the devices remain in the Retire Pending state. Core offers a Force Retire check box to make sure the device is Retired. You can also schedule the retirement of Retire Pending devices. For more information, see "Retiring a device" and "Retiring the Retire Pending devices" in the Core Device Management Guide of your OS.

• Online release notes now include previous releases: With this release, online release notes becomes cumulative, and you will be able to see releases back at least one current and one prior base release. For example, the online Core 11.5.0.0 release notes include release information from Core 11.5.0.0, 11.4.1.0, and 11.4.0.0. PDF release notes will continue to include only the current release details, with links to the earlier information online.

• New verification of TLS server certificates: Transport Layer Security (TLS) server certificates used to secure Core systems require Certificate Revocation List (CRL) Distribution Point (DP) extensions. Online Certificate Status Protocol (OCSP), is not supported at this time. Previously, an Administrator could upload a TLS certificate that Core does not support. With this release, Core validates that a TLS server certificate includes a CRL DP extension in four actions: activation of the certificate in System Manager, activation of the mutual authentication feature, inclusion in a certificate pinning policy, and inclusion in a certificate pinning request. A TLS server certificate that doesn't pass these four validation checks will generate a message, explaining the error.

• Support for bridging old and new client mutual authentication CA certificates: Previously, updating a Certificate Authority (CA) certificate for client mutual authentication required re-registering all devices currently enrolled under that certification. With this release, you can:

  • Upload and select a new client mutual authentication certificate for devices going forward
  • Retire the previous certificate, while still allow existing devices to check in.

  For more information, see Mutual authentication between devices and Core in the Ivanti EPMM Device Management Guide for your operating system.

• Core support for Splunk Heavy Forwarder mutual authentication: With this release, Core supports the Splunk Heavy Forwarder for secure mutual authentication to Splunk. The feature is enabled from the System Manager Settings > Data Export > Splunk Indexer page, where you can add, modify, delete and view your Splunk indexer information. For full information, see Data export: Splunk in the Ivanti EPMM System Manager Guide.

• Updated Splunk Forwarder supports Splunk Enterprise Server 8.x: The Splunk Forwarder in Core now supports Splunk Enterprise Server 8.x. For more Splunk information, see the Ivanti EPMM System Manager Guide.

• New option to enforce only one Local User: In high-security environments, it is a best practice to allow only one Local User to be enabled. Once installation is complete, use the CLISH limitUser command in the Configuration Wizard to limit the number of Local Users to one (this feature has no effect on the number of LDAP users). Once installed, you will need help from Ivanti customer support to change this configuration. Attempts to create another Local User from the Core Devices & Users > Security > Local Users menu generates an error message explaining the prohibition. In high availability (HA) environments, a reboot is required after a failover to re-enable the restriction. For more information, see Managing local users in the Admin Portal in Getting Started with Core.

• Support for mutual authentication between Core and Sentry: Core 11.5.0.0 now supports mutual authentication with Sentry by default. Minimum version requirements are:

  • Core - 11.5.0.0 and newer versions
  • Standalone Sentry - 9.15.0 and newer versions

  Core will only initiate mutual authentication if Sentry is running 9.15.0 or newer software.

• Registration passcode expiry time now configurable: Previously, when registration invitations were sent, a registration PIN number was generated that was good for five days (120 hours). With this release, you can customize the number of hours the registration password is valid, from 4 hours (the default) to a maximum of 72 hours. For more information, see Setting passcode and registration code defaults in Getting Started with Ivanti EPMM Guide.

• Core support for Apache Log4J logging utility version 2.17.1: In this release, Core support for Log4J logging utility has been upgraded to 2.17.1, to avoid any possibility of a zero-day vulnerability in earlier versions. This update should not affect your system behavior.

• More context for some audit logs: Previously, audit logs only included information about what was changed. With this release, some logs (configurations, policies, labels, compliance groups, rules and actions) will also include the "before" values as well as the "after." You can view the logs from the Core Logs > Audit Logs page. Logs with before and after values display an icon you can click to see the new information. The new log information is generated for the following actions:

  • Create - the "Before" column will be empty.
  • Edit or change - Both before and after values display.
  • Delete - The "After" column will be empty.

  For more information, see Audit log information in the Ivanti EPMM Device Management Guide for your OS.

• Core installation on Hyper-V 2016 server is supported: With this release, Core can be installed on a Microsoft Hyper-V 2016 server. The Hyper-V 2016 includes Windows Hypervisor, a Windows server driver model, and virtualization components. Hyper-V is delivered as part of Microsoft Windows Server 2016. For more Hyper-V information, see Virtual Core requirements in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.

• New customization options for the self-service user portal (SSP): Three new customization options are available in this release:

  • Hide or display the QR code and registration URL: A new configuration check box has been added to the Settings > System Settings > Users & Devices > Device Registration page that allows you to choose whether or not to show users a QR code and registration URL. This option is enabled by default. When deselected, the QR code and registration URL do not display to users.

  • Hide or display the self-service portal (SSP) Activity page: A new configuration check box has been added to the Settings > System Settings > General > Self-Service Portal page that allows you to choose whether or not to show users their activity in the SSP. This option is enabled by default. When deselected, the SSP Activity page does not display to users.

  • Hide or display the Settings option: Previously, the Settings option was always visible to client users from the SSP Action menu (upper-right, under user name). In this release, the administrator has the option to remove the Settings link from the SSP Action menu. Two new check boxes are available from the Core General > Self-Service Portal > Self-Service Portal page:

    • Show settings for local users - Deselecting this option disables the Settings menu for local users.
    • Show settings for LDAP users - Deselecting this option disables the Settings menu for LDAP users.

    These settings determine whether or not clients can see the Settings option in the SSP Action menu.

  For more information, see Disabling options in the SSP in the Ivanti EPMM Device Management Guide for your operating system.

Android Features

• New lockdown options for Android devices using Android Enterprise: In this release, you have new lockdown options for Android Enterprise devices.

  Table 2.  New lockdown Policy options in 11.5.0.0

  Android Enterprise Mode	Lockdown options
  Device Owner or Work Profile on Company-owned devices	Allow location settings modification – If selected, users can modify the location settings of the managed device. This option is available in the Lockdown Policy > Android > Managed device > Device Restriction section. Allow date and time modification – If selected, users can modify the time or date of the managed device. This option is available from the Lockdown Policy > Android > Managed device > Device restrictions section.
  Work Profile and Work Profile on Company-owned devices	Allow back-up service – If selected, users can enable or access the back-up files on the managed profile. This option is available from the Lockdown Policy > Android > Work Profile > Android 8+ section.
  Work Profile on Company-owned devices	Manage personal apps for Work Profile on Company-owned Android devices: Previously, company-owned devices using Work Profile had no app management options for the personal side of their device. The user had full freedom to install any app on their Personal Profile. This freedom may not always meet organizational guidelines for a corporate-owned asset. With this release, administrators can now control the apps a user is allowed to install in the Personal Profile of their managed device (for devices running Android 11.0 and above). The new options are available from the Core Policies & Configs > Policies > Lockdown policy > Android Enterprise section: Enable app control on Personal Profile – When enabled, you can select your level of app management: Allowed Apps – Only allow apps that are explicitly added to this list. No other apps can be installed. Disallowed Apps – Allow all except these specific apps from being installed. Choosing an option displays the Packages table, where you can add, delete, and save the app packages on your list.

  You can view your selections from the Core Devices & Users > Devices > View logs on devices > Policies tab. For more information on Lockdown policies, see Lockdown policies in the Getting Started with Core guide.

• New Security policy options for Android managed devices: In this release, you have new Security policy options for Android Enterprise devices.

  Table 3.  New Security policy options in 11.5.0.0

  Android Enterprise Mode	Security option
  Device Owner or Work Profile on Company-owned devices	Enable Security Logging on Android - When enabled, information is collected for security auditing purposes. These help admins identify suspicious activity by remotely tracking device activity, including app launches, Android Debug Bridge (adb) activity, and screen unlocks. These logs become available to administrators on demand. To protect the privacy of the user, some information (such as personal app launch events) are hidden, or redacted (for example, details of the physical volume mount events).
  For all Android Enterprise devices	Enable Network Logging on Android - When enabled, network and connectivity information is collected. Network logging can be used to troubleshoot any issues with device connectivity for work apps and can be used for historical forensics. Once enabled, Core allows administrators to collect the logs on demand. Network logs contain DNS lookup and connect() library call events. These library functions are recorded while network logging is active: getaddrinfo() gethostbyname() connect() When network logging is enabled for Work Profile devices, the network logs will only include work profile network activity, not activity on the personal profile.

  You can view your selections from the Core Devices & Users > Devices > View logs on devices > Policies tab. For more information on these policies, see Security Policies in Getting Started with Ivanti EPMM Guide.

• Full device passcode attributes: For Android 12 devices in Work Profile mode, complex password type and password length are not supported. As a result, they are reported in Core as "Unsupported." For more information, see Security policies in Getting Started with Ivanti EPMM Guide.

• Always-On VPN for AOSP for Android Enterprise devices: In AOSP mode, you can have Always-On VPN status for devices using Android 10 and later supported versions. For more information, see Managing the closed network / AOSP devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
• Android 7+ Inventory MAC address: To preserve device user privacy, on Android 7+ devices, Core accepts a randomized MAC address for inventory purposes and now also collects true physical MAC address for inventory. Inventory MAC is the hardware-based MAC that is reported after a device is registered and is only available for company-owned modes, namely Device Owner mode and Work Profile on Company Owned Device mode. Inventory MAC support is also available via substitution variables. For more information, see Inventory MAC address in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• Corporate wallpaper for Android devices: This new feature for corporate owned Android devices allows the administrator the option of distributing an image as wallpaper and as a Lock screen image. The image will automatically be applied to the device. This feature is only supported in Work Managed Device mode. For more information see Setting wallpapers for devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

iOS Features

• OS Software update command removed from menu: Administrators will now only be able to set OS Software updates through a policy. In Devices & Users > Devices page, the Actions menu item has had the following options removed: 'iOS Software Update" and "macOS Software Update." This applies to iOS and macOS devices. See Configuring iOS and macOS software updates in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Software update recommendation cadence: Administrators can set a user's device to allow all available, the highest available, or the lowest available OS software update. Applicable to iOS 14.5 or later and iPadOS 14.5 or later. For more information, see Software update recommendation cadence in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• macOS registration configurations disabled upon upgrade: For new MobileIron Core deployments, Ivanti’s support for macOS device management has been transitioned to Ivanti EPM and MobileIron Cloud.

• Dynamic Privacy Policy presentation: When a device user is registering their device via iReg or with in-app registration, the privacy policy will display. The privacy policy is dynamic, based on the enrollment type. This feature is only applicable to iOS devices. For more information, see the [email protected] 12.11.50 for iOS Release Notes.

• Account-driven Apple User Enrollment: User Enrollment can now be set up so device users can self-enroll in MDM User Enrollment from the Settings page on their device. This feature uses the device user's managed Apple ID, making their devices managed. Once enrolled, administrators can view information in the Apple User Enrolled Device field in the Device Details page. There is required action that must be taken by the device users. See Account-driven Apple User Enrollment in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Changes to User Enrollment: The following configurations and policies are no longer applicable to User Enrollment.
  • Configurations > System > Multi-User Secure Sign-In
  • Configurations > Apple > iOS / tvOS > Managed Domains
  • Configurations > Apple > iOS / tvOS > Encrypted DNS
  • Configurations > Apple > iOS / tvOS > Network Usage Rules
  • Configurations > VPN > all VPN configurations
  • Policies > iOS > iOS Only > Single-App Mode
  • Policies > iOS > iOS Only > Global HTTP Proxy
  • Policies > iOS > iOS Only > Cellular
  • Policies > iOS > iOS Only > Home Screen Layout
  • Policies > iOS > iOS Only > Notification Settings

  Ivanti recommends administrators to update their labels associated to the above configurations and policies to "Apple User Enrolled Device" + "Equals" + "True" or iOS.apple_user_enrolled_device=true. For more information, see Configurations page, Managing Policies, and VPN settings overview in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

  The new Apple User Enrollment registration flow for LDAP Users/Groups must use single invite or bulk invite registration to verify that managed Apple ID was generated correctly. The administrator should also check the logs for any managed Apple ID failures. If the existing registration process is already using PINs, the registration will still work. For more information, see User Enrollment with Apple Business Manager in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New iOS 15 Restrictions: There are three new restrictions for iOS 15:

  • Force Translation Processing Only on Device
  • Require Managed Pasteboards
  • Allow Cloud Private Relay

  For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Windows features

• Windows registration configurations disabled upon upgrade: For new MobileIron Core deployments, Ivanti’s support for Windows device management has been transitioned to Ivanti EPM and MobileIron Cloud.

General Features

• ECDSA X.509 certificates must now be formatted with named curves in all modes: In Federal Information Processing Standards (FIPS) and Common Criteria Mode, only secp256r1 (NIST P-256), secp384r1 (NIST P-384), or secP521r1 (NIST P-521) are allowed. With this release, explicitly-defined Elliptic Curve Digital Signature Algorithm (ECDSA) curves certificates cannot be used to represent local certificate authority (CA) certificates. For more information about supported cypher suites, see Advanced: Incoming SSL Configuration in the Security Settings chapter of the Ivanti EPMM System Manager Guide.

• Four-digit year added to secure log file timestamp: The default timestamp for the /var/log/secure log file has been modified to include a four-digit year. The log file format has changed from:
  RSYSLOG_TraditionalFileFormat
  to
  RSYSLOG_SyslogProtocol23Format

  The format is:

  <%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%

  The format RSYSLOG_SyslogProtocol23Format is the format specified in the IETF internet-draft ietf-syslog-protocol-23, which is very close to Syslog Standard RFC5424.

  For information about Core logs, see Working with logs in the Troubleshooting chapter of the Ivanti EPMM System Manager Guide.

• Swedish and Hungarian languages now supported in Core: Two new languages, Swedish and Hungarian, are now supported and available in Core 11.4.0.0 and supported newer versions. For more information about how to select the languages you want to use for messages, applications, and setting and changing the default language, see the chapter Language Support in the Ivanti EPMM Device Management Guide for your operating system.

• Certificate pinning to prevent Man-in-the-middle attacks: Man-in-the-middle attacks would allow an attacker to impersonate a Core server and send commands to the device. This results in device compromise and confidential data leakage. To prevent this, a new Pinned Server Certificate policy has been added to deliver a set of certificates that clients can expect a Core server to present during check-in and similar traffic. This feature is applicable for post-first-time use, for steady-state assurance that the client is connecting to the correct Core. If none of the certificates configured match the active certificate in use on the Core server, then devices will strictly honor the pinning policy and fail to connect until a correction of the certificate pinning policy is sent.

  This pinning policy supports multiple entries to enable a smooth transition when the Core server's certificate is about to expire. Administrators can include the renewal certificate before it is active on the server and keep the expiring certificate in this policy for seamless transition to the renewed certificate. Ivanti advises administrators to set up Core system certificate expiration alerts to be warned the Core server certificate is about to expire.

  Any Certificate Pinning policy created in Core 11.2.0.0 will be disabled upon Core 11.3.0.0 upgrade. Core will not push that policy. Instead, if / when the Admin edits the Certificate Pinning policy, Core will push the policy using a new Core property.

  Applicable to [email protected] for iOS 12.11.30 devices and supported later versions. Also applicable to [email protected] for Android 11.3.0.0 devices and supported later versions. For more information about certificate pinning and devices, see Configuring certificate pinning for registered devices in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices or in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Certificate pinning options now available from Certificate Mgmt page: You can now enable certificate pinning from the System Manager > Security > Certificate Mgmt page. There, you can add certificates, generate a pinning request, and upload your pinning statement. For information about enabling and configuring certificate pinning, see Configuring certificate pinning for registered devices in the Certificate Mgmt section of the Security Settings chapter of the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• Reminder to enable mutual authentication: Core now requires mutual authentication with managed devices for a more secure connection. If Core is installed or updated to 11.4.0.0 release and mutual authentication has not been enabled, a red reminder banner will display in a ribbon just below the Admin portal masthead. To enable mutual authentication, go to Settings > System Settings > Security > Certificate Authentication > Client Mutual Certificate Authentication page. Once enabled, the banner does not appear again. For more information about mutual authentication, see Mutual authentication between devices and Core in the Ivanti EPMM Device Management Guide for your operating system.

• Core M2700-series on-premise appliance now available: The M2700 series large-scale deployment appliance provides a tightly-integrated solution comprised of a standardized appliance with the resources necessary for larger deployments, and dedicated QA certification of all MobileIron Core functionality. For information about the latest Core appliance, see M2700 Series appliance in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.

• 'Enable' password complexity requirements are now the same for Core CLI and Core UI: With this release, the complexity requirements for creating an enable password from the CLI are the same as when it is created in the Ivanti EPMM user interface. The password must be:

  • Between 6 and 20 characters in length
  • At least one numeric character

  Additionally, the CLI continues to check whether or not the password is based on a word in the dictionary. Case sensitivity and special characters are not required.

• New option to upload Certificate Authority chain for SCEP enrollment configurations: With this release, you can upload a specific Certificate Authority chain for Simple Certificate Enrollment Protocol (SCEP) enrollment configurations. In some cases, the SCEP CA may send more CA certificates than desired. When you need to use a specific certificate chain, use this feature to upload that exact chain. If you do not upload a CA chain, Core continues its previous behavior of using the CA certificates directly acquired from the SCEP server.

  The upload option is available only for SCEP enrollment configurations. Certificate enrollment settings such as System - Mutual Auth CE setting use a local CA, which is already available on Core.

  For upload instructions, see "Uploading a Certificate Authority chain for SCEP enrollment configurations" in the Configuring SCEP section of the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices or in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• New Azure Device Attributes in Compliance Policy Builder: Support for the following device attributes in compliance policy builder. These attributes should be available in common category.

  • AzureDeviceId
  • AzureClientStatusCode
  • AzureIntuneDeviceStatus
  • AzureIntuneStatusUpdatedAt
  • AzureUserUpn

• Users redirected to Core after Microsoft Azure consent: This feature adds a redirect URL in the Core device compliance on prem app for better user experience. The user will redirected back to the core application from the active directory consent page.

• Support for Entrust API version 11: Entrust Managed public key infrastructure (PKI) Services with API version 11 is supported with this release.

Android and Android Enterprise features

• Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Work Profile on Company Owned Device, and Work Managed Device. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Core instance.

• New Update Priority field in App Configuration for Android enterprise section: Update Priority field provides the ability to control the app updates behavior on Android Enterprise Devices. Allows admins to set the priority of updates. High Priority setting forces updates on the device immediately after it is available. Postpone for 90 days delays app updates so updates are not applied until 90 days after the update is available. Default mode allows app updates to be available as decided by the Google Play store.
  
  Minimum Version Code field provides the ability to make sure the provided (minimum, it can be higher than the provided version) version of the app is installed on the Android Enterprise device. As defined by specification minimum app version code is 7 digit numeric code (1234567) which is the minimum version of the app to be installed on the device.
  
  For example, the installed version of the Whatsapp App is 2.19.10.15 and the latest version available is 2.21.18.17, the minimum version code an admin could enter in EMM console could look like 2210000. In this case app will be upgraded to 2.21.18.17 meeting the minimum version criteria specified by admin. Admins should note this functionality forces an immediate app upgrade and could force an active app session to close abruptly for the upgrade to complete.

• Google official device admin deprecation: The following changes have been made as part of Official Device Admin Deprecation from Google with release of Android Operating System 10.

  • Reference: https://www.blog.google/products/android-enterprise/da-migration
    The configurations, policies and settings are deprecated from Core version 11.4.0.0.

    Configurations

    • Android -> Samsung Browser
    • Android -> Samsung Kiosk
    • Android -> Samsung Knox Container

    Policies

    • Android -> Android Quick Setup -> Device Administrator (Device Administrator Field is deprecated)
    • Android -> Samsung Kiosk
    • Lockdown -> Samsung Device Admin Mode (All fields support from Samsung Device Admin Mode is deprecated)

    Settings
    

    Android > Android Custom ROM (Android Custom ROM enable/disable Radio Button Will be deprecated by default WIPE feature in Compliance Action will be available).

• Android Enterprise App Maintenance Window Settings Available: You can choose to set a Maintenance Window for auto-updates that will override the update settings users configure. By default this option is unchecked.

• Unique enrollment-specific ID: This new feature provides a unique ID that is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. It will remain stable across factory resets or new profile inflation. Access to other hardware identifiers of the device such as IMEI, MEID, or serial number, is removed for personal devices with a work profile in Android 12. This is effective for new installs and post-upgrade to Android 12. Supported modes are Work Profile, Work Profile on Company Owned Device, and Work Managed Device. Please note that the ID will change when the same device is enrolled to the same tenant but uses a different managing package; a new unique ID is presented when the device registers to a new Core instance.

• New Update Priority field in App Configuration for Android enterprise section: Update Priority field provides the ability to control the app updates behavior on Android Enterprise Devices. Allows admins to set the priority of updates. High Priority setting forces updates on the device immediately after it is available. Postpone for 90 days delays app updates so updates are not applied until 90 days after the update is available. Default mode allows app updates to be available as decided by the Google Play store.
  
  Minimum Version Code field provides the ability to make sure the provided (minimum, it can be higher than the provided version) version of the app is installed on the Android Enterprise device. As defined by specification minimum app version code is 7 digit numeric code (1234567) which is the minimum version of the app to be installed on the device.
  
  For example, the installed version of the Whatsapp App is 2.19.10.15 and the latest version available is 2.21.18.17, the minimum version code an admin could enter in EMM console could look like 2210000. In this case app will be upgraded to 2.21.18.17 meeting the minimum version criteria specified by admin. Admins should note this functionality forces an immediate app upgrade and could force an active app session to close abruptly for the upgrade to complete.

• Google official device admin deprecation: The following changes have been made as part of Official Device Admin Deprecation from Google with release of Android Operating System 10.

  • Reference: https://www.blog.google/products/android-enterprise/da-migration
    The configurations, policies and settings are deprecated from Core version 11.4.0.0.

    Configurations

    • Android -> Samsung Browser
    • Android -> Samsung Kiosk
    • Android -> Samsung Knox Container

    Policies

    • Android -> Android Quick Setup -> Device Administrator (Device Administrator Field is deprecated)
    • Android -> Samsung Kiosk
    • Lockdown -> Samsung Device Admin Mode (All fields support from Samsung Device Admin Mode is deprecated)

    Settings
    

    Android > Android Custom ROM (Android Custom ROM enable/disable Radio Button Will be deprecated by default WIPE feature in Compliance Action will be available).

• Android Enterprise App Maintenance Window Settings Available: You can choose to set a Maintenance Window for auto-updates that will override the update settings users configure. By default this option is unchecked.

iOS and macOS features

• Remote activation of enhanced logging for iOS [email protected]: This new feature allows the manager to enable enhanced logging remotely using the device manager for a set of devices in order to collect the logging needed, and then to disable the feature once finished. This feature is currently supported in Core 11.4.0.0 and later.

• New iOS15 Restrictions: There are two new restrictions for iOS 15:

  • Force Translation Processing Only on Device (iOS 15 and later, supervised only)
  • Require Managed Pasteboards (iOS 15 and later)

• Setup Assistant skip key available for iOS 15 and macOS 12 and higher devices: This release provides a new option to skip a setup window for iOS 15 and macOS 12 devices. The option UnlockWithWatch allows the device user to skip the Unlock Your Mac with your Apple Watch pane.

• Support for per-account VPN: This new feature supports association of VPN on a per-account basis. The supported types of accounts are Email, Exchange, CardDAV, CalDAV, Google, and Subscribed Calendar. However there is a known issue with LDAP Subscribed Calendar. Details are available on the Apple feedback ticket: https://feedbackassistant.apple.com/feedback/9228418

• Version numbers updated: Core applications have received the version numbers that are being updated: AppleTV, iOS 15.0 and 15.0.X, macOS 12.0.