Resolved issues

• Security updates to third-party components: This release also includes the following security fix to third-party components:

  • CVE-2024-6387

• The following CVEs are addressed in this patch release:

  • CVE-2023-46806

  • CVE-2023-46807

• CVE-2024-22026: This CVE is fixed as part of this release.

• VSP-71202: Previously, after a device was back from roaming, the International roaming ended event was created at every check-in. This issue is now fixed.

• VSP-71208 : Previously, bulk application updates and install process took long time to process the request for iOS devices. This issue is now fixed.

• VSP-71213: Previously, after registering the iOS devices, the applications were not installed immediately. This issue is now fixed.

• VSP-71238: Previously, the application installation and updates failed when sent to more than one macOS device. This issue is now fixed.

• VSP-71359: Previously, the Scheduled Notification Interval could not be configured for more than four hours. This issue is now fixed. The time interval is now configured for 23 hours.

• VSP-69341: Previously, in the System Management portal, the log entries for keystore handling startup process made diagnosis of startup issues confusing.
  This issue is now fixed.

• VSP-69672: Previously, it was unable to enroll a device with a custom attribute in the Android Open Source Project (AOSP) configuration. This issue is now fixed.:
  

• VSP-69822: Previously, changing Apps@Work port to 8443 caused errors in the Sentry mutual authorization flow.
  This issue is now fixed.

• VSP-69838: Previously, clicking re-import downloaded a new set of screenshots. However, the old screenshots were not removed at the directory /mi/files/appstore/<catalog_id> in stored files. This issue is now fixed.

• VSP-69916: Previously, freshly installed instances of Ivanti EPMM did not write logs to miserviceswatch.log for MIFS service. This issue is now fixed.

• VSP-69924: Previously, an administrator was unable to save the Exchange profile setting with the user/device attributes for the UserName field. This issue is now fixed.

• VSP-69979: Previously, Developer Info Field was limited to 127 characters and an application could not be added. Now, the field is increased to 255 characters. This issue is now fixed.

• VSP-69980: Previously, on freshly enrolled devices, configuring WiFi failed after updating the security patch. This issue is now fixed.

• VSP-69986: Previously, there was an exception when the default Elastic Search mapping limit exceeded. This issue is now fixed.

• VSP-70014: Previously, after a failover detection occurred on a standby secondary, the failover mechanism would start some services that Ivanti EPMM normally uses. This issue is now fixed.

• VSP-70019: Previously, email client applications caused correlation failure in the ActiveSync flow from Ivanti Standalone Sentry to a device in Ivanti EPMM. This issue is now fixed.
  For Android devices (excluding email client app configurations), use $SERIAL_NUMBER_SUBSTITUTE$ to get the device serial number. For other platforms, use DEVICE_SN to get the device serial number.

• VSP-70032: Previously, when editing a web clip, disabling the 'full screen' option failed if the option was already enabled. This issue is now fixed.

• VSP-70044: Previously, after Lookout was removed from the device, custom attributes relating to Lookout were left in the device information. As per design, once the device is removed from Lookout MTD, the Custom Attribute ivantiMTDThreatLevel set to value as none remains applied to the device to mark that the device was enrolled with Lookout MTD.

• VSP-70059: Previously, when the iOS and tvOS labels were manually removed for the iOS Enterprise Appstore SCEP certificate, and if these labels were present in the Native App Catalogue setting, they were not reapplied automatically after a Tomcat restart. This issue is now fixed.

• VSP-70082: Previously, the LDAP groups were not displayed in the User Interface details page in Service > LDAP > Select a LDAP > LDAP Groups. This issue is now fixed.

• VSP-70106: Previously, with every tomcat restart of EPMM, one MobileIron Bridge with version was added to the app_catalog table. This issue is now fixed.

• VSP-70108: Previously, the Native App catalog used a different process to determine the update status for applications instead of Apps@Work. This issue is now fixed to use Apps@Work implementation to display the update status.

• VSP-70258: Previously, unlocking an Android device through public API or User Portal when mutual auth was enabled failed as Ivanti EPMM failed to send the unlock PIN to the device. This issue is now fixed. Ivanti EPMM now sends the unlock PIN of 0000.

• VSP-70300: Previously, Ivanti EPMM System Manager did not allow the user to configure username for the email when it exceeded 31 characters.
  This issue is now fixed to allow username length to 255 characters.

• VSP-70302: Previously, when the logs in the MIFS log area were large enough, MIFS failed to start due to an archival operation on those logs. This issue is now fixed.

• VSP-70371: Previously, compliance violations failed to send out the appropriate notifications even when configured for it. This issue is now fixed.

• VSP-70474: iOS 15.7.9 version is now added in 'When iOS version is less than' setting in the Ivanti EPMM security policy.

• VSP-70500: Previously, there were errors while registering devices from Ivanti EPMM, when MTD configurations were applied to the device added using 'Add single device' option. This issue is now fixed.

• VSP-70565: Previously, the default lockdown policy was in a partially applied state and was not applied completely. This issue is now fixed.

• VSP-70576: Previously, the "msa/v1/cps/rule/deviceGuid" API did not respond to fetch the associated labels with the device UUID . This issue is now fixed.

• VSP-70582: Previously, the new feature to retire duplicate Android devices checked the serial numbers of multiple registered devices incorrectly. This issue is now fixed.

• VSP-70749: CVE-2023-46604 is addressed in this release. Apache ActiveMQ is upgraded to the latest version.

• VSP-70636: Previously, the feature to retire duplicate Android devices was checking for 00000000000 serial number of registered devices. This issue is now fixed and the devices with 00000000000 serial number are skipped while retiring the duplicate devices.

• VSP-70741: Previously, LDAP sync was successful even if the LDAP server was unreachable. The LDAP user data and the label information was also removed from database. This issue is now fixed.

• VSP-70442: Previously, the migration service was failing to start. This issue is now fixed.

• VSP-70433: The heartbeat check failure between primary and secondary EPMM server for high availability deployment is fixed.

• VSP-70436: Previously, the objectGuid attribute was decoded from hex to UUID, but for SSO with Access integration, a hex value is expected for the objectGuid attribute by the Office 365 service provider. This issue is now fixed.

• The following CVEs addressed in the release:

  • CVE-2023-35078

  • CVE-2023-35081

  • CVE-2023-35082

• VSP-67696: The Use Tunnel for Anti-phishing only option was not being saved as the default configuration in the Tunnel app. This issue has been fixed.

• VSP-68613: Previously, the system had various internal limits that could artificially prevent it from performing to the limits of its abilities. In some environments, those limits had resulted in various failures due to reaching the limits prematurely. In this release, the limits have been raised considerably, with the intent of having the system hardware be the ultimate limitation on the performance of the system.

• VSP-69306: Ivanti EPMM will create alerts for the tiers in the tiered compliance.

• VSP-69456: Previously, the Apple Device Enrollment page failed to load enrollment profiles and device counts, and displayed a RequestTimeout error 30 seconds later. In addition, some property values were not displayed inline in the diff icon before and after section. In this release, navigate to Apple Device Enrollment in the Admin Portal, then select Enrollment Profile or Device Count to view account profiles or device counts.

• VSP-69457: Previously, only 20 results were displayed in the Admin Portal > Settings > Templates > Others > Language: All page. In this release, all results are displayed, and the number of pages is automatically determined based on the total number of entries.

• VSP-69467: Previously, customer LDAP attributes 5 through 20 failed to generate a test certificate. In this release, the same custom attributes are used in the Simple Certificate Enrollment Protocol (SCEP) and the test certificate is generated correctly.

• VSP-69468: Previously, some property values were not displayed inline in the diff icon before and after section. In this release, the property values display correctly.

• VSP-69471: Previously, you could not create a Local Simple Certificate Enrollment Protocol (SCEP), and a Request Timed error was displayed. In this release, the protocol can be created, and the error is not displayed.

• VSP-69479: Running system backup no longer fails for secondary Ivanti EPMM High Availability (HA).

• VSP-69520: Previously, for Integrated App Catalog, if any other banner style was configured for another application, the Mobile@Work client displayed only the Light Banner Style. In this release, the client displays the styles as expected.

• VSP-69521: You can add 10000 characters in the Extensible Single Sign SSO Policy on "AppPrefixAllowList" and "AppAllowList".

• VSP-69523: If a device was previously registered through Android Bulk Enrollment and then wiped or retired, the device can now be re-registered on the same Ivanti EPMM instance.

• VSP-69598: Previously, starting and running the Admin Portal sometimes resulted in internal portal failures if a High Availability (HA) synchronization was running at the same time. In this release the Admin Portal is prevented from starting if an HA sync is running, and, similarly, an HA synchronization is prevented from starting if the Admin Portal is running.

• VSP-69631: Previously, when Ivanti EPMM sent an APN configuration to the Android 12L device, the configuration was not sent to the device. This issue has been fixed.

• VSP-69638: Previously, for Apps@Work in full-screen mode on iPhones, the page slide used to close or move an open application did not allow access to the menu buttons. In this release, the overlap of the menu buttons is no longer occurring and the issue has been fixed.

• VSP-69656: Previously, a devices v2 API call failed after upgrade to Ivanti EPMM 11.9.0.1 or later with a ContentTooLongException error when the result size exceeded 100 Mb. In this release, as part of the fix, the pagination size was reduced to avoid the error.

• VSP-69689: Previously, after upgrading to Ivanti EPMM 11.10.0.0, LDAP user search failed if multiple LDAP servers were configured in Ivanti EPMM. In this release, the LDAP user search is working correctly.

• VSP-69710: The subject and issuer fields on the SAML self-signed certificate are incorrect. Although no security issues stem from this error, the certificates had a 100 year validity. Ivanti changed the validity to 3 years and corrected the naming error.

• VSP-69721: The $TIMESTAMP_MS$ substitution value in the App-specific Configurations section is not supported when using the email_watermark key in an Ivanti Email+ configuration.

• VSP-69747: Duplicate IMEI2 columns no longer are displayed in CSV data when you use the Export to CSV function.

• VSP-69761: Previously, deselecting the Allow use of Safari option caused all sub-options to be unchecked instead of retaining their selected values. In this release, the sub-options maintain their selected values.

• VSP-69945: iOS 15.7.7 has been added to the DPU.

• VSP-69946: Google for Android released security patch in June 2023. After the patch release, security patch devices are not able to connect to corporate Wi-Fi. In this release, Ivanti EPMM enhanced to accommodate domain field in Wi-Fi Configuration to extract domain name.

• VSP-70019: Use $SERIAL_NUMBER_SUBSTITUTE$ to get the device serial number for Android devices (excluding email client app configurations). For other platforms, use DEVICE_SN to get the device serial number. Using $SERIAL_NUMBER_SUBSTITUTE$ for email client apps will cause correlation failure in the ActiveSync flow from Sentry to a device in the VSP. This issue is now fixed.

• VSP-70090: Previously, after upgrading from 11.8.0 to 11.9.x.x and above, the Ivanti EPMM Admin portal was inaccessible due to a Too Many Request error from the Elastic Search service. This issue is now fixed.

• VSP-70122: Previously, if one of the LADP servers was not reachable, the system could not switch to the second LDAP server to search for the user or register the device on the EPMM Administrator portal. This issue is now fixed.

• 'VSP-70169: The platform name for tvOS devices with OS version 16.3 and above are renamed from AppleTV by Apple to tvOS. Fixed the query to ensure that the system default tvOS label is applied to these updated tvOS devices in version 16.3 and above.

• Ivanti EPMM 11.10.0.1 Resolved issues

  VSP-69744: In previous releases, after upgrading to Ivanti EPMM 11.10.0.0, LDAP user search failed if multiple LDAP servers were configured in Ivanti EPMM. In this release, LDAP user search functions correctly even if there are multiple LDAP servers configured in Ivanti EPMM.

• VSP-69609: In previous releases, export to CSV functionality on the devices page failed when custom attributes were selected in the export option. In this release, export works as expected even when custom attributes are selected.

• VSP-69525: In Ivanti EPMM 11.8.0.0 and earlier, non-boolean values for boolean-type device search fields in the label, space, and compliance rules were accepted. However, because Elasticsearch rejects non-boolean values, Ivanti EPMM 11.9.0.0 and later only accepts boolean values. Using non-boolean values with Ivanti EPMM 11.9.0.0 and later can cause start-up failures. In this release, a new validation to resolve this issue was created as part of the existing ESUnsupportedFieldsCheck function in the pre-upgrade validation. To apply the validation and be able to use non-boolean values in the search fields, administrators should follow the steps in the KB article: EPMM 11.9.x.x - Unsupported custom criteria for Label, Space and Search features.

• VSP-69420: In previous releases, compliance rule violations were not displayed in the UI in the Devices page for the device models section. In this release, violations are displayed.

• VSP-69343: In previous releases, Ivanti EPMM erroneously deployed to macOS devices (13.0 or later) a Wi-Fi configuration with the Wi-Fi Protected Access WPA encryption protocol, despite an administrator having specified the Wi-Fi Protected Access WPA3/WPA encryption protocol when creating the Wi-Fi configuration. In this release, the correct configuration is deployed. Wording here = Jira? Yes -- Wording approved? yes

• VSP-69309: In previous releases, if the LDAP user Custom Attributes field contained anything other than alphanumeric characters, hyphens, and underscores, it was necessary to remove the characters from the user attribute before upgrading. However, in the current release, the LDAP user Custom Attributes are validated to only permit letters, numbers, hyphens, and underscores. This ensures that other characters are not allowed in the field and eliminates the need to remove them when upgrading Ivanti EPMM. Wording here = Jira? Yes -- Wording approved? yes

• VSP-69308: In previous releases, you could not use LDAP user non-custom attributes (User > LDAP > User attributes), such as sAMAccountName, mail, and sn. In this release, you can use non-custom attributes.Wording here = Jira? Yes -- Wording approved? yes

• VSP-69269: In previous releases, when you created a Wi-Fi configuration with Wi-Fi Protected Access 2 (WPA2 Personal) encryption security protocol and deployed it to an iOS device, the system erroneously created a Wi-Fi Protected Access (WPA) encryption protocol instead. In this release, the WPA protocol is not created. Wording here = Jira? Yes -- Wording approved? Yes -- Venkat Kunce

• VSP-69181: In previous releases, the Ivanti EPMM dashboard section Devices by compliance did not display any data. In this release, the data is displayed correctly. Wording here = Jira? Yes -- Wording approved?Yes -- Kiran Paila

• VSP-69162: In previous releases, in macOS, the silent installation for Mobile@Work client failed when you restricted device registrations only for the Apple devices that are part of the Automated Device Enrollment Program option. In this release, the silent installation occurs normally. Wording here = Jira? Yes -- Wording approved? yes -- Venkat Kunce

• VSP-69160: In previous releases, on iOS devices, due to incorrect keywords in the Information property list (plist) file, the OnDemand action specified was never applied when rules matched in the configured encryption DNS configuration. In this release, the OnDemand action is applied correctly. Wording here = Jira? Yes -- Wording approved? yes -- Venkat Kunce

• VSP-69115: In previous releases, when audit logs were exported through syslog, the syslog process erroneously spammed the logs with messages that said that /dev/null was a directory, not a file. In this release, log spamming no longer occurs. Note that after upgrading, if you have audit log exports enabled and are experiencing this issue, disable the log exports (MICS->Settings->Data Export->Syslog Data->Audit Log), then apply, then re-enable, and finally apply again, then save it. Wording here = Jira? Yes -- Wording approved? yes -- Chandramouli

• VSP-69070: In previous releases, the secondary server wrote ambiguous messages to mics.log with every HA heartbeat check. In this release, the ambiguous messages no longer appear.

• VSP-69051: In previous releases, tvOS devices did not support passwords or data protection. If you applied a policy that required either a password or data protection to tvOS devices, the devices failed to meet the requirements and were out of compliance. In this release, the Password section of the security policy displays the following message: Platforms Supported (AppleTV devices do not support passwords, so any security policy applied to them must have the Password item set to Optional).

• VSP-68978: In previous release, special characters like ':' or "/" could not be used in VPN configuration. In this release, you can now add a URL that contains characters (such as ':' or "/") to the Proxy Server URL field under the Child SA Parameters in a VPN configuration.

• VSP-68795: In previous releases, the App Auto Update process was not working for Volume Purchase Program (VPP) apps in iOS systems. In this release, the process is working correctly.

• VSP-68723: In previous releases, Cellular and GLOBALHTTPPROXY policy profiles uninstalled themselves when upgrading the iOS version. The profiles no longer uninstall themselves when you upgrade the iOS version.

• VSP-68722: In previous releases, when you edited the web clip configuration, the edited data disappeared. In this release, the edited data no longer disappears.

• VSP-68672: In previous releases, the thread CertAutoGenerateThread, which gets executed upon a Tomcat restart and is responsible for updating settings like web-clip, was not able to execute successfully because of an exception arising in the thread. In this release, the thread executes successfully.

• VSP-68603: In previous releases, the Target Bundle Identifier field, which is applicable to both iOS and macOS, was erroneously displayed in the iOS Only Settings section of the create/edit Webclip dialog box. In this release, the field is correctly displayed above the iOS Only Settings section.

• VSP-64711: In previous releases, Ivanti EPMM periodically attempted to contact the Apple "feedback" server for diagnostic purposes. In this release, that service has been deprecated, and the diagnostic no longer attempts to connect to that server.

• VSP-69633: In Ivanti EPMM 11.8.0.0 and earlier, non-boolean values for boolean-type device search fields in the label, space, and compliance rules were accepted. However, because Elasticsearch rejects non-boolean values, Ivanti EPMM 11.9.0.0 and later only accept boolean values. Using non-boolean values with Ivanti EPMM 11.9.0.0 and later can cause start-up failures. In this release, a new validation to resolve this issue was created as part of the existing ESUnsupportedFieldsCheck function in the pre-upgrade validation. To apply the validation and be able to use non-boolean values in the search fields, administrators should follow the steps in the KB article: EPMM 11.9.x.x - Unsupported custom criteria for Label, Space and Search features.

• VSP-69632: In previous releases, export to CSV functionality on the devices page did not work correctly when custom attributes were selected in the export option. In this release, the export works correctly even when custom attributes are selected in the export option.

• VSP-69257: In the Ivanti EPMM 11.9.0.0 release, device search queries failed if they did not use the supported full path search, causing devices to lose apps, configurations, and spaces. In this release, the system runs a pre-upgrade check validation to stop the upgrade if there are any unsupported fields. The system also performs additional validations when you create or update labels and spaces. See the following KB article for more information on what to do if unsupported fields are found: https://forums.ivanti.com/s/article/EPMM-11-9-x-x-Unsupported-custom-criteria-for-Label-Space-and-Search-features
  Note: When you upgrade, use the System Manager portal only so that the pre-upgrade unsupported fields checks can take place.

• VSP-69248: In previous releases, pagination requests on the Device and Audit log page could only request up to 10,000 records. In this release, this limit is extended up to 200,000 records.

• VSP-69240: In previous releases, the Ivanti EPMM weekly background statistics job failed to prepare statistics files if there were more than 1000 devices. In this release, statistics files are prepared successfully regardless of the number of devices.

• VSP-69239: In previous releases, dynamic label evaluation did not always assign labels to new device enrollments immediately. As a result, managed apps were not getting installed for the affected labels. In this release, assignment occurs immediately.

• VSP-69238: In previous releases, the Ivanti EPMM dashboard section Devices by compliance did not display any data. In this release, the data is displayed correctly.

• VSP-69234: In previous releases, some existing devices had labels removed and added back. As a result, managed apps were erroneously removed if they were associated with the affected labels. In this release, the label evaluation is functioning correctly, and no managed apps are removed.

• VSP-68803: In previous releases, if you chose "Automatically update app when new version is available" in the AppCatalog for VPP Apps, the update failed. In this release, the update occurs as expected.

• VSP-68712: In previous releases, the User Portal displayed incorrect wording for device actions in the German language browser. In this release, the correct wording is displayed.

• VSP-68699: In previous releases, the following error is displayed when you try to save a new Compliance action: Alert subject is missing for language with I {0}when send email is NONE. In this release, saving a new Compliance action works as expected.

• VSP-68623: In previous releases, after pushing an IOS software update policy to the devices, the update was downloaded but the installation did not happen automatically on the device. In this release, the installation occurs automatically.

• VSP-68549: In previous releases, pairing of the Remote app/Control Center widget's remote control to an Apple TV device could not be disabled, due to an incorrect spelling in the configuration. In this release, pairing can be disabled.

• VSP-68515: In previous releases, if you tried to edit the configuration file server.xml (/mi/tomcat/conf/server.xml) to control performance characteristics, the system failed to boot in FIPS mode due to package integrity check failures. In this release, you can edit the file.

• VSP-68514: In previous releases, if the Admin Portal was associated with port 8443, and that port was not open to the Internet, the multi-user portal failed to load CSS files. In this release, loading CSS files is occurring normally.

• VSP-68513: In previous releases, duplicate device identification entries in the mi_device_detail table caused reporting problems for Azure Intune compliance details in the Ivanti EPMM and Azure portals. In this release, there are no duplicate entries and the reporting is working as expected.

• VSP-68471: In previous releases, while installing on iOS 16 devices, the User Enrollment registration failed with the following error: Profile.Error: Profile Failed to Install. In this release, the User Enrollment registration works as expected.

• VSP-68462: In previous releases, the "Last sync time" field in the 'ActiveSync' tab on the Admin Portal was not updated after Sentry and Ivanti EPMM were upgraded. In this release, after the upgrades, the "Last sync time" field is updated automatically.

• VSP-68455: In previous releases, if you deactivated the iOS Restriction > Force Translation Processing Only on Device (iOS 15.0 and later), you could not edit the On-Device Mode in Translation > Settings on the iPhone or iPad. In this release, translation editing can occur.

• VSP-68453: In previous releases, when "device language" was set to Arabic, the Amharic language was reported instead. In this release, the correct language (Arabic) is reported.

• VSP-68450: In previous releases, the apps list in the Device Details page was not displayed if an app was imported into both the main device space and an alternate space. In this release, the list displays correctly.

• VSP-68425: In previous releases, the device compliance processing flow prevented other devices from checking in reliably. In this release, the check-ins are completed normally.

• VSP-68404: In previous releases, configuring email with 'smtpAuth' in the System Manager prevented Ivanti EPMM from sending email when administrators chose the option Devices > Send Message > Email. In this release, administrators can send email as expected.

• VSP-68385: In previous releases, enrollment of a device that was externally decommissioned changed the old device record to "Retired Pending." In this release, the record displays as "Retired."

• VSP-68120: In previous releases, even though the Avaya Managed App configuration had been deleted, Ivanti EPMM pushed the configuration to the device, and displayed Avaya values as if they were still present. In this release, Ivanti EPMM no longer pushes the configuration or displays the Avaya values.

• VSP-68088: In previous releases, LDAP synchronization occurred twice a day even if synchronization was set for once every 24 hours. In this release, synchronization occurs only once a day.

• VSP-67872: In previous releases, when the Ivanti Tunnel Cisco VPN setting Per App VPN was set to No, domains remained visible. Users could still enter domain details, which could disrupt device wide tunnel configurations. In this release, setting Per App VPN to No correctly hides the domains.

• VSP-67353: In previous releases, Ivanti EPMM software update information (such as descriptions) for iPad/iPhone devices was either incorrect or missing due to errors communicating with Apple, Inc. Sometimes the latest release number would be missing in release number drop-down fields. In this release, an explanation replaces missing or incorrect information, and you can enter the version number in drop-down fields manually.

• VSP-66298: In previous releases, script-run Get MDM Profile API requests failed when the special characters "+", "/", or "=" were included in the deviceInfo parameter. In this release, the API requests run correctly.

• VSP-65148: In previous releases, the latest wallpaper policy was not applied when there was a change in distribution and the policy was in a pending state. In this release, the latest wallpaper policy is applied.

• TPUBS-2811: To increase clarity, in the Ivanti EPMM Device Management Guide of your OS:
  • Added related topics links to "Using the query builder" - Android, iOS, Windows
  • Added a screen shot to "Using a manually edited search expression" - Android, iOS, Windows
• TPUBS-2807: Updated Security Policies in theGetting Started with Ivanti EPMM Guideto explain that password and data protection are not supported on tvOS. If you apply a policy that requires either a password or data protection to a tvOS devices, the devices fails to meet the requirements and will be out of compliance.
• TPUBS-2791: For clarity, added cross-references in "Hide or display Activity Logs and Settings menu" so the reader can easily find time settings. See the Ivanti Device Management Guide of your OS: Android, iOS, Windows.
• TPUBS-2784: Updated Signing your shell script for macOS in the Ivanti EPMM Device Management Guide for iOS and macOS devices with the link to downloading the Ivanti EPMM signing tool.
• TPUBS-2783: To assist with troubleshooting managed app configurations, added new topic "Troubleshooting configurations" in the Ivanti EPMM Device Management GuideAndroid, iOS.
• TPUBS-2782: Updated Apple Device Enrollment with Ivanti EPMM overview in the Ivanti EPMM Device Management Guide for iOS and macOS devices with a NOTE stating Apple Device Enrollment is different from other methods of enrolling / registering devices.
• TPUBS-2762: Updated "Managing Duplicate Devices" with information about Ivanti EPMM matching devices by device type in the Ivanti EPMM Device Management GuideiOS, Windows.
• TPUBS-2761: Updated Managing devices in Apple MDM lost mode in the Ivanti EPMM Device Management Guide for iOS and macOS devices with information about finding a lost device.
• TPUBS-2754: Updated Android File Transfer Configurations for improved clarity in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

• VSP-68335: In previous releases, Recommendation Cadence did not work correctly because the cadence value was a string, but an integer is required instead. In this release, the cadence value is an integer, and Recommendation Cadence works as expected.
• VSP-68333: In previous releases (when you upgraded to 11.6.0.1 or 11.7.0.0), certificate-based authentication failed for new devices on Android enterprise application configuration, if, prior to upgrade, you had already registered a device and Ivanti EPMM generated a user certificate, or you uploaded you own certificate. In this release, Ivanti EPMM uses a different method of caching certificates, and certificate-based authentication for both new devices and existing devices works as expected.
• VSP-68280: In previous releases, when you searched for devices to apply an action, the Found dialog window erroneously displayed the Force Retire checkbox. This checkbox should only be displayed when performing a Retire action. In this release the checkbox no longer appears in the Found window.
• VSP-68161: In previous releases, the Need Android Setting button was coupled with the Enable Lock Task Mode. That is, when you selected the Enable Lock Task Mode option, the gear icon became visible in both non-shared and shared kiosk policies. In this release, the Need Android Setting button is only shown in the shared kiosk, whether or not the Enable Lock Task Model is selected.
• VSP-68103: In the previous releases, in German, when you upgraded to Ivanti EPMM 11.7.0.0, then pushed the user profile, the view logs for the Device and Software Version Update were not visible. In this release, the view logs display as expected.
• VSP-68095: In the previous releases, the Volume Purchase Program (VPP) apps failed to be installed because the apps were not supported. In this release, the VPP apps are supported and install normally.
• VSP-68046: In previous releases, when you registered an Android device as a managed device and added the $DEVICE_SN$ variable as the lock screen message in the lock-down policy, the device lock screen erroneously displayed the registration UUID. In this release, the screen correctly displays the serial number instead.
• VSP-68018: In previous releases, when you set the allowDeviceSleep restriction for the Apple TV to True, then registered the Apple TV in the DEP or other registered device, the restriction was displayed as not set. In this release, the restriction status displayed as expected.
• VSP-67939: In the Ivanti EPMM 11.7.0.0, a change was made that caused backups to CIFS shares to stop working. In this release, the backups are working as expected.
• VSP-67818: In previous releases, Apple-driven UE registration failed when the email ID was used as the username. In this release, registration no longer fails.
• VSP-67770: In previous releases, you could not send Data Access Point Name (APN) settings through a cellular policy. In this release, sending the settings works correctly.
• VSP-67686: In previous releases, you received an Internal Server Error message if you tried to enter a special character in the Custom Attribute field because this field did not accept special characters. In this release, the Custom Attribute field accepts special characters.
• VSP-67672: In previous releases, when you tried to edit a VPN with a Device Channel type in the configuration view, the channel type was erroneously displayed as a User Channel type. If you tried to change the User Channel type back to a Device Channel type, the system displayed the following error: Nothing has changed. The channel type was correctly displayed in the Configuration Details pane on the configuration page. In this release, the channel type is displayed correctly.
• VSP-67619: In previous releases, you could not save Sentry settings when you tried to disable the previously enabled ActiveSync service with Kerberos authentication. In this release, you can save Sentry settings with ActiveSync service disabled.
• VSP-67600: In previous releases, even though you deleted a VPN configuration from a device, Ivanti EPMM continued to issue new SCEP certificates for the device. In this release, no new SCEP certificates are issued for devices whose VPN configuration has been deleted.
• VSP-67599: In previous releases, iOS device users who did not have Apple User Enrollment privileges could still complete Apple user enrollment for their device. In this release, users without the privileges cannot complete the enrollment.
• VSP-67598: In previous releases, using the Advanced search criteria for the RETIRE_PENDING status in combination with other criteria resulted in an error. In this release, the error no longer occurs.
• VSP-67587: In previous releases, audit log entries were unreliably retrieved by syslog through file monitoring. In this release, the log entries are injected directly into syslog.
• VSP-67421: In previous releases, when you applied multiple Single-App Mode policies to a device, only the policy that arrived first was applied, even if another policy with higher prioritization was applied later. In this release, policy application functions as expected.
• VSP-67393: In previous releases, when you install a custom app from Apple Business manager, the app's latest details and version sometimes failed to update in the App Catalog. In this release, the updates occur as expected.
• VSP-66718: In previous releases, a booting or rebooting of a system that had both FIPS and Common Criteria modes enabled caused a package integrity check to occur. If the check failed, the system performed several reboots and then shut down. Pressing Enter during the reboots allowed a compromised, inherently insecure system to function. In this release, a failed check causes the system to fall into immediate emergency recovery mode. In addition, the root account is disabled, and the system prompts you to enter a root password. Contact Ivanti Support to provide the requested password and to help recover the system.
• VSP-66123: In previous releases, Ivanti EPMM audit logs listed fake installation, which filled audit logs. In this release, Ivanti EPMM audit logs do not list fake installations, but existing audit log entries of fake installations will continue to show up in the listing.
• VSP-63894: In previous releases, when a user device state changed to non-compliant, Ivanti EPMM published the device status change event to its subscribers, and erroneously continued to publish the status at regular intervals. In this release, publishing occurs only once.
• VSP-63785: In previous releases, a race condition prevented App Tunnel from re-populating in Ivanti EPMM when the App Tunnel was deleted. In this release, repopulating occurs as expected.

• VSP-67777: In previous releases, when you tried to register an iOS device in iReg using an email address as the username and RegMode as the password, a Role Lookup error occurred. In this release, registration with an email username and RegMode as password proceeds as expected.
• VSP-67582: When adding a single device, there were JSON parsing errors. This issue has been fixed.
• VSP-67503: In previous releases, custom apps from the Apple Business manager sometimes failed to update the latest details and versions in the App Catalog. In this release, app detail and version updates occur correctly.

• VSP-67300: In previous releases, the iOS Trusted Operating System (TOS) email to the admin was not delivered. In this release, email delivery occurs normally.

• VSP-67285: In previous releases, copying an existing managed app configuration with the default app configuration failed. In this release, copying the app configuration works as expected.

• VSP-67267: In previous releases, Apps@Work on the iPad did not start in full-screen mode even though it was configured correctly. In this release, Apps@Work opens in full-screen mode.

• VSP-67244: In previous releases, a blank page and an invalid JSON string were sometimes displayed when accessing the Labels tab in the Ivanti EPMM UI. In this release, the Labels tab is displayed correctly.

• VSP-67238: In previous releases, on the Android platform, when the browser language is German, the user portal did not display the registration PIN when the Request Registration PIN operation was performed. In this release, the PIN is displayed as expected.

• VSP-67234: In previous releases, using iReg to download the Mobile@Work client failed if the admin portal was not configured to run on port 443. In this release, the download is successful.

• VSP-67225: In previous releases, entering information in the Notes field of the Devices dialog box automatically enabled the Retire action button. In this release, you must specifically select the new checkbox to enable the button.

• VSP-67204: In previous releases, licenses corresponding to retired devices were erroneously displayed as still in use, and Apple continued to associate the license with the retired device. In this release, these licensing issues no longer occur.

• VSP-67174: In previous releases, quotes and angle bracket errors in the syslog templates caused incorrectly generated syslog configuration files. In this release, the configuration files are generated correctly.

• VSP-67141: In previous releases, failover client-connection commands that disable or enable client connections were only successful on non-mutual-auth Ivanti EPMMs. In this release, the commands are also successful on mutual-auth Ivanti EPMMs.
  Note: After disabling client connections on mutual-auth Ivanti EPMMs, the connections can become spontaneously reenabled if you make changes that affect the port 443 listener configuration, such as when adding or removing ciphers.

• VSP-67113: In previous releases, the Ivanti EPMM server erroneously sent uninstall requests for Android apps that were not in a device's inventory. In this release, only apps that are in the device's inventory receive uninstall requests.

• VSP-67082: In previous releases, when you registered an Android 10 or above device in DA mode on a mutual-auth Ivanti EPMM, entries in the Devices page were deleted. In addition, LDAP and Space syncs failed. In the current release, the entries are no longer deleted and the syncs occur successfully.

• VSP-67046: In previous releases, an authentication error occurred when you sent emails from System Manager through a StartTLS-required Simple Mail Transfer Protocol (SMTP) server. In this release, no error occurs and the emails are sent out as expected.

• VSP-66937: In previous releases, certificate expiry warnings were issued to all certificates in a certificate chain. In this release, certificate expiry warnings are only issued to the certificates that are actually expiring.

• VSP-66907: In previous releases, when an Apple Device Name policy was attached to a Label and later removed, the Device page continued to show the policy as Pending. In this release, the policy is removed from the device as expected.

• VSP-66905: In previous releases, when you selected the Data Sweeper app from the App Catalog, you received an internal server error if the restriction field for restriction_type="BUNDLE" was empty. In this release, no internal error occurs and the values are parsed correctly.

• VSP-66771: In previous releases, an APN configuration failed to be applied to a device if that device was registered to a user who did not have mail. In this release, the configuration is applied successfully.

• VSP-66509: In previous releases, upgrading a FIPS or Common Criteria system using the validate feature could cause a package verification failure and render the system unbootable. In this release, the process works as expected as long as you use the re-validate function instead of the resume validation function during the upgrade.

• VSP-66278: In previous releases, on Windows 10 Desktop touch devices, there was no Ivanti EPMM Admin Portal scroll bar. In this release, the scroll bar is visible.
  Note: To scroll through tables and lists, scroll while holding down the left button on the track pad or mouse.

• VSP-66002: In previous releases, the purgedb operation failed when it did not receive a number of days parameter from the optimizedb operation. In this release, when the optimizedb script does not send a number of days parameter, purgedb purges the records that are older than 7 days.

• VSP-65679: In previous releases, if an administrator specified Auto as the configuration proxy type in the Device Wi-Fi configuration, but did not provide a proxy automatic configuration (PAC) URL, the generated Wi-Fi configuration set the type as None. In this release, the Wi-Fi configuration does not require a proxy automatic configuration URL to generate an Auto configuration type.

  Note: To correct the error in a legacy device whose configuration proxy was already erroneously interpreted in the Device Wi-Fi configuration, repush the configuration proxy.

• VSP-65554: In previous releases, iOS device users could complete the Apple User Enrollment process even if they did not have enrollment privileges. In this release, unenrolled users cannot complete the enrollment.

• VSP-65283: In previous releases, the Storage Capacity and Storage Free fields in the Device Details page were shown only with a power of 10 divisor (for example, MB, GB). In this release, the fields now also shown with a power of 2 divisor (for example, MiB, GiB). For more information, see "Advanced Searching" in the Ivanti EPMM Device Management Guide of your OS.

• VSP-64912: In previous releases, when the Ivanti EPMM Admin portal was configured to access port 8443, the self-service user portal text was misaligned due to a stylesheet issue. In this release, the text is no longer misaligned.

• VSP-67181: There was an issue when upgrading Ivanti EPMM from release 11.5.0.0 to 11.6.0.0. After the upgrade, Android apps that require Certificate Enrollment configuration stopped working, with the following Tunnel error message: "Waiting for identity certificate installation." This issue has been fixed. With this patch, Android apps using the Certificate Enrollment configuration will operate normally after an upgrade to Ivanti EPMM 11.6.0.1.

  Specifically for Single File Identity type Certificate enrollment configuration: if the configuration is pushed to any device after upgrading to Ivanti EPMM 11.6.0.0, there are chances of running into the same issue in Ivanti EPMM 11.6.0.1.
  Workaround: The configuration needs to be re-pushed by re-uploading the same pkcs12 file to the Single File Identity type Certificate enrollment configuration. If it is a direct upgrade to Ivanti EPMM 11.6.0.1 (aka, bypassing Ivanti EPMM 11.6.0.0), this issue will not arise.

• VSP-67246: Configuring Google Chrome app restrictions no longer fails.

• VSP-67205: The new "Cancel retire" feature in Ivanti EPMM 11.6.0.0 was causing Ivanti EPMM to update the registration date to the timestamp of the Cancel retire. This is incorrect because the device registration date was unchanged. This issue has been fixed.

• VSP-66904: When mutual authentication is enabled on Ivanti EPMM, there was an issue when Android devices were retired (Relinquish Ownership). The device remained in the Pending state, and did not resolve to Retired. This issue has been fixed for new devices. Android devices now move as expected through the retirement process from Active to Pending to Retired, whether or not mutual authentication is enabled.
  Note: the upgrade does not resolve the problem for devices already affected by the issue.

• VSP-66772: Previously, the Extensible Single Sign-On (SSO) configuration custom data key (AppAllowList) was limited to 255 characters. With this release, the AppAllowList extensible SSO configuration custom data key will accept key values of up to 1024 characters.

• VSP-66769: Previously, PIN details were not being exported from Ivanti EPMM to Android devices in the following modes:

  • Zero Touch and Samsung Knox enrollment
  • Managed Device/Device Owner

  With this release, the registration PIN details are included in the Comma Separated Values (CSV) file that Ivanti EPMM creates for these devices, as expected.

• VSP-66754: Previously, Ivanti EPMM would validate an incoming Sentry connection using the X-Forwarded-For (XFF) HTTP header field. If, during the transaction, the XFF header was changed, Ivanti EPMM would reject the connection request. With this release, Ivanti EPMM relies on application-specific identifiers which are exchanged between Sentry and Ivanti EPMM.

• VSP-66751: Previously, there was an issue with Docs@Work iOS app configurations in a mutually-authenticated Ivanti EPMM system. If the configuration contained one or more custom Lightweight Directory Access Protocol (LDAP) user attributes, Ivanti EPMM failed to push the configuration to the device. This issue has been fixed. With this release, Ivanti EPMM can successfully push an iOS Docs@Work app configuration with custom LDAP user attributes to its target devices.

• VSP-66750: Previously, the Apple Magnifier app (com.apple.magnifier) was not available for selection from our Ivanti EPMM System App Catalog (Policies & Configs > Configs > App Restrictions). With this release, you can now select this magnifying app for whitelisting or blacklisting.

• VSP-65949: Registered Shared iPads would sometimes show an error in the Device MDM Logs for "Install Configuration Profile" when the Security Policy is installed. This issue has been fixed. The Device MDM logs report as expected.

• VSP-66733: Previously, if there was a custom LDAP user attribute within a compliance rule for iOS devices, Ivanti EPMM was not replacing that attribute with an actual device user when generating an alert, causing the action to fail. With this release, Ivanti EPMM correctly replaces LDAP user attributes within compliance rules during alerts, as expected.

• VSP-66724: Previously, when Ivanti EPMM running 11.5.0.0 was rebooted, the following entry was appearing more than once in the /etc/sysconfig/iptables file:

  • -A CPP -p icmp -m icmp --icmp-type 3 -j ACCEPT

  In this release, no duplicate iptable entries are generated when Ivanti EPMM 11.5.0.0 reboots.

• VSP-66633: Previously, Android device users were not able to download apps to their devices using Apps@Work from a mutual authentication-enabled Ivanti EPMM system. In this release, device users can successfully download apps from Apps@Work from an Ivanti EPMM configured for mutual authentication.

• VSP-66625: Previously, the Pull Client Logs device token expiry time for capturing device bug report information was 36,000 milliseconds (36 seconds), which was not long enough to add the bug report to the milogs.zip file. With this release, the default token expiry time has been extended to 180,000 milliseconds (3 minutes). The nonce validation can be extended or adjusted by updating the client.logs.upload.nonceValidity property in the mins.properties file. For more information, see Working with Logs in the Troubleshooting chapter of the Ivanti EPMM System Manager Guide.

• VSP-66562: There was an issue with macOS reports appearing in the mobile device management (MDM) device logs for shared iPads. This issue has been fixed. The "macOS Restriction Report" has been renamed "Restriction Report."

• VSP-66548: There was an issue with the Mobile4ERP public app failing to install on Android Enterprise devices. The app went into a loop updating details and never resolved. The issue has been fixed. The Mobile4ERP public app now installs on Android Enterprise devices as expected.

• VSP-66496: Previously, administrators were unable to generate Security Assertion Markup Language (SAML) metadata, because there was no option for them to enter a custom URL (known as an entity-based URL) from the mifs.properties file. With this release, administrators can enter an entity-based URL from the mifs.properties file, which can then be used to generate the SAML metadata.

  To add an entity-based URL:

  1. Delete the existing SAML configuration.
  2. Add the property saml.spEntityBaseUrl with the custom URL to the mifs.properties file.
  3. Set up SAML again.

  The new entity-base URL should reflect in the sp-metadata.xml file, for example, https://&lt;Core FQDN>:443/mifs.

• VSP-66485: Previously, installing Ivanti EPMM using RPM Package Manager by way of the CLI command install rpm url could prevent later RPM package installation attempts from succeeding. In this release, RPM installations via CLI command do not block later installation attempts.

• VSP-66462: Previously, the Apple User Enrollment registration process sometimes generated incorrect managed Apple IDs. This issue has been fixed.

• VSP-66442: There was an issue when upgrading from Ivanti EPMM 10.8.0.0 or older to an Ivanti EPMM 11.X release. Backups taken of the upgraded 11.X release failed to restore properly, due to a change in the Unique Identifier (UID) or Globally Unique Identifier (GUID) across the versions. This issue has been fixed.

• VSP-66402: Previously, the German translation of the new In-house app update notification text was incorrect. With this release, the text has been updated to read as expected.

  • Previous (incorrect) text: Update für die Anwendung(en) {0} verfügbar
  • Updated (correct) text: Update für {0} Anwendung(en) verfügbar.

• VSP-66196: Previously, some iOS restrictions, such as Join only WiFi networks installed by a WiFi payload were not displaying correctly in the Policies & Configs > Configurations > Configuration Details page. This has been fixed. In this release, selected iOS restrictions display as expected.

• VSP-64191: Previously, Ivanti EPMM was unable to sync more than 1,000 Lightweight Directory Access Protocol (LDAP) organizational unit (OU) objects from the LDAP server, regardless of how many OUs there actually were. This has been fixed. With this release, Ivanti EPMM admins can now sync and view up to the tested limit of 15,000 OUs.

• VSP-66218: There was an issue with devices running the Samsung Knox operating system (OS) 3.8 and later. The Ivanti EPMM attestation check would fail, even when the check was successful. This was due to an update in the Knox Attestation API from version 2 to version 3. This issue has been fixed. Ivanti now supports Knox Attestation API version 3.

• VSP-66503: There was an issue with the Enterprise Connector displaying the Certificate Pinning option from the System Manager Certificate Mgmt page, although this option is not supported on the connector. This issue has been fixed. The Certificate Pinning option displays for Ivanti EPMM, but not for Connector, from the System Manager.

• VSP-66265: There was an issue in which LDAP attributes present in the Ivanti EPMM Devices & Users > Users > View logs for User > User Groups table were not displaying properly in the user interface. This issue has been fixed. All LDAP attributes now display as expected.

• VSP-66264: Previously, when an iOS app specified a minimum OS version as an integer, that OS version did not display as expected in Apps@Work or the app. This issue has been fixed.

• VSP-66263: Previously, removing a subset of app restrictions against an iOS device would fail, due to improper generation of the action entry in the database. This issue has been fixed.

• VSP-66236: Previously, the iOS section of the Security Policy menu did not include the option for iOS release 12.5.5 in the drop-down menu. This issue is resolved. Release 12.5.5 is now available in the Security Policy > iOS section.

• VSP-66214: There was an issue with some of the Device Registration page submenu options listed under the wrong subheading. This issue has been fixed. The Device Registration menu options display as expected.

• VSP-66110: Ivanti EPMM no longer generates unnecessary system event alerts for expired local certificate authority (CA) certificates after the certificate has been retired.

• VSP-66063: Previously, Windows 10 App Store searches would fail when run from new installations of Ivanti EPMM 11.4.0.0. This issue has been fixed. New installations of Ivanti EPMM 11.4.0.0 can successfully search Windows 10 App Store as expected.

• VSP-66056: A bug fix incorporated into Ivanti EPMM 11.3.0.0 and newer releases drastically slowed one of the Cisco Identity Service Engine (ISE) Application Programming Interface (API) calls. This issue is fixed in this release.

• VSP-66028: There was an issue with Ivanti EPMM not generating an error message when an invalid HTML app configuration file was uploaded. This issue has been fixed.

• VSP-66016: Previously, when a Trusted Host was added, it would sometimes fail to display properly in the System Manager > Maintenance > HA Configuration > Manage SSH Keys pop-up window. This issue has been fixed.

• VSP-65995: Previously, during an upgrade, Ivanti EPMM did not report signature verification failures to the user interface, resulting in the download appearing to be successful. The subsequent attempt to stage for installation resulted in repeating the download, and it was not possible to successfully stage the upgrade under these conditions. This issue has been fixed.

• VSP-65994: There was an issue in which Ivanti EPMM pre-upgrade package files--which are necessary to complete an upgrade-- were not being downloaded correctly when upgrading through the Command Line Interface (CLI). This issue has been fixed. Both upgrades from the CLI and the user interface now download the necessary files to complete the upgrade.

• VSP-65991: Previously, in-house apps (.apk files) failed to upload to the Admin portal App Catalog due to a limitation in the Android application package (APK). This issue has been fixed.

• VSP-65977: There was an issue with Ivanti EPMM rejecting Android XML configurations for Zebra devices if they were larger than 32 KB. This issue has been resolved. Ivanti EPMM accepts these configuration files up to 512 KB.

• VSP-65925: With the release of Windows 11, there was a compatibility issue between Ivanti EPMM and the Windows 11 Operating System Edition name and Platform name. This issue has been fixed. Ivanti EPMM now supports Windows 11 OS as expected.

• VSP-65877: There was an issue where, after an upgrade to Ivanti EPMM, administrators were unable to open the Ivanti EPMM Admin portal in a browser. This issue has been fixed. After an upgrade to 11.5.0.0, the Admin portal will open on supported browsers, as expected.

• VSP-65862: There was an issue whereby Ivanti EPMM did not accept Apple Volume Purchase Plan (VPP) account tokens if the organization name contained 16-bit Unicode characters. This issue has been fixed. Ivanti EPMM now accepts these tokens.

• VSP-65837: Previously, if a user in the Pinned Server Certificate Policy menu clicked Save when no certificate was selected, the console would stop responding. This issue has been fixed. The Save button is not enabled if no certificate is selected.

• VSP-65748: There was an issue when adding a new Device Space from the Admin > Device Spaces page. When adding a list with many different platforms, an incorrect error message would display: "Query size must be between 0 and 2000." This issue has been fixed. Ivanti EPMM now behaves as expected when creating Device Spaces.

• VSP-65689: The option to install Ivanti EPMM 11.4.0.0 on the Ivanti EPMM M2700 appliance with an ISO image from a bootable USB drive now works as intended.

• VSP-65653: The System Manager > Settings > Network > Interfaces > Physical Interfaces table now correctly lists the number of network interface ports (NICs) on an Ivanti EPMM M2700 appliance as six.

• VSP-65481: There was an issue with retired Android devices receiving a new Azure device identifier, even when the new device registration used the previous Azure device identifier. This issue has been fixed.

• VSP-65164: There was an issue with Mobile@Work for Android silent installation requests using the wrong user ID value for Apps@Work requests. This issue has been fixed. Android silent app installation requests now work as expected.

• VSP-64695: There was a minor corner-case issue related to privilege revocation. This issue has been fixed.

• VSP-62502: There was an issue with an LDAP Sync attribute not syncing correctly. This issue has been fixed. The mS-DS-ConsistencyGuid LDAP attribute now syncs as a binary attribute, as expected.

• VSP-61195: The "Touchdown" app has been removed from the Exchange configuration as it is no longer available on the Google Play store.

VSP-66305: Previously, Android Enterprise devices registered to Ivanti EPMM 11.4.0.0 would have missing or incorrect application inventory for the following administrative portal areas:

• Apps > App Catalog page
• Devices and Users > Devices page > Apps tab

This issue has been fixed. Android Enterprise devices registered to Ivanti EPMM 11.4.1.0 now report the correct device application inventory.

• VSP-66024: A bug fix incorporated into Ivanti EPMM 11.3.0.0 and newer releases drastically slowed one of the Cisco Identity Service Engine (ISE) Application Programming Interface (API) calls. This issue is fixed in this release.

• VSP-65922: A new API class was introduced in Ivanti EPMM 11.3.0.0, which inadvertently disabled a number of API calls. This issue has been fixed. The API calls now work as expected.

• VSP-65830: There was an issue with iOS devices failing to register when using Apple Configurator (or other like tools) to manually push exported MDM profile. The first registration would succeed, but if the device was retired and reregistered, the second registration would fail and the admin console will give errors when trying to look at the device details. This issue has been fixed.

• VSP-65829: Apple device configurations using the variable $USERID$ were not correctly generating individual user IDs. There was a similar problem with configurations using the variable $EMAIL$ not substituting the actual email addresses correctly. These issues have been fixed.

  The following changes and updates have been made for this release:

  • Substitution variable support was removed in the Single Sign On Configuration for $MANAGED_APPLE_ID$.
  • $NULL$ (blank/null values) and email addresses are not accepted as valid Principal Names in the Single Sign On configuration when pushed down to the device. Apple will reject any configurations with either of these values.
  • The information bubble has been changed to: Kerberos user name (required). User Name must be a Principal Name, e.g. $USERID$.

• VSP-65789: There was an issue when enrolling iOS devices using Apple Automated Device Enrollment when the Await device configuration during Apple device enrollment option was selected. Despite the configured time limit for device enrollment, Ivanti EPMM would ping the devices every 50 seconds perpetually until the Ivanti EPMM was restarted. This issue has been fixed. With this release, Ivanti EPMM will ping the devices every 50 seconds until the configured time limit has passed, at which point it will stop.

• VSP-65730: There was an issue where the system backup database dump integrity check would fail the backup procedure if the string CREATE TABLE was present in any text field (such as the Description field). This string was inadvertently taken by the database dump integrity check as a directive to create a table, and the resulting mismatched table count resulted in the error. This issue has been fixed. After this bug fix, only actual directives are counted by the integrity check.

• VSP-65550: A change was made to the enable password code for the Ivanti EPMM CLI that resulted in password rejection when used for Ivanti Connector or the Ivanti EPMM relational database (RDB). This issue has been fixed. After update, an enable password you create in the Ivanti EPMM CLI will authenticate correctly with Ivanti Connector and the RDB.

• VSP-65523: There was an issue where the activation link for the Help@Work Enterprise License from the Ivanti Customer Success portal did not work after migrating from Ivanti to Ivanti Salesforce platforms. This issue has been fixed. The Help@Work Enterprise License link from the Ivanti Customer Success portal now works as expected.

• VSP-65417: Beginning with Ivanti EPMM 11.3.0.0, weaker ciphers were moved from the Selected to the Disabled list in the System Manager > Security > Advanced > Incoming SSL Configuration > TLS Cipher Suites configuration list, but only for new installations. This has been corrected. After installation or upgrade to Ivanti EPMM 11.4.0.0, the following cipher suites are disabled by default:

  Incoming:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  Outgoing:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    For more information about cipher suites, see the sections "Advanced: Incoming SSL Configuration" and "Advanced: Outgoing SSL Configuration" in the Security Setting chapter of the Ivanti EPMM System Manager Guide.

• VSP-65411: There was an issue with Ivanti EPMM not supporting the iOS AirPrint hostname configuration. iOS AirPrint allows you to control the printing resources that iOS 7 and later devices can access. This issue has been fixed. With this release, you can configure iOS AirPrint hostname configuration from the Admin portal > Policies & Configs > Configurations > New AirPrint Configuration page. For more information about AirPrint settings, see "AirPrint settings" in the Configuring iOS and macOS settings and restrictions chapter of the Ivanti EPMM Device Management Guide for iOS and macOS devices.

• VSP-65367: There was a tooltip in the System Settings > Password Policy > Auto-Lock Time that repeated itself. The issue has been fixed.

• VSP-65335: There was an issue where Apple Automated Device Enrollment tokens were erroneously deleted from the Apple Device Enrollment page when the page was refreshed several times after clicking Check for Updates. This issue has been fixed.

• VSP-65153:There was an issue when the Ivanti EPMM Admin portal was assigned to port 8443 and the fully-qualified domain name (FQDN) for the user portal was entered into a browser, the request redirected the user through a URL on port 8443 even though the user portal is running on port 443. This redirect would cause the request to fail if 8443 was firewalled off from the user. This issue has been fixed. The action now stays on port 443 as it should.

• VSP-64979: There was an issue where the Localhost IP address was erroneously included in the Terms of Service (ToS) registration email. This issue has been fixed. With this release, The ToS registration email works as expected.

• VSP-64883: There was an issue where the fields in the Ivanti EPMM App Catalog > Edit App Configuration window > Managed App Configurations menu were limited to only 512 characters each. This issue has been fixed, and entries of more than 1000 characters are accepted.

• VSP-64318: The Ivanti EPMM self-service user portal uses the mi_settings property defaultUserPortalDeviceOwnership to set the default device ownership during registration. Previously, this property was not configurable. After upgrade, device users can configure or modify the default device owner when they register. This property is listed in the user portal database under the field EMPLOYEE.

  To configure this property:

  1. In the Admin portal, go to Settings > Registration > Ownership Settings, and set the default ownership type for a newly-registered device to Company owned.
  2. Navigate to the employee portal (https://<core fqdn>/employee).
  3. Click on the Registration link. The default option selected is Employee.
  4. Enter the default device owner.

  For more information, see the chapter "Self-service User Portal" in the Ivanti EPMM Device Management Guide for your operating system.

• VSP-63919: On some devices, disabling Chrome from System Apps caused Mobile@Work to crash. This has been fixed.

• VSP-63798: There was an issue in the Ivanti EPMM App Catalog, in which only the primary "version" value of an app displayed, and the "alt_version" value did not. This could occasionally cause the App Catalog page to list what looked like the same app twice, even though their alt_version values differed. This issue has been fixed. The fix adds an app alt version column to the detail view of the Installed Apps page.

• VSP-63217: There was an issue with the option "Removable" not being properly displayed for apps in the Managed app and iBooks inventory list in the Device Details section of the Devices & Users > Devices page. This issue has been fixed. Managed apps in the inventory list can now be tagged as "removable," allowing users to delete the app if they choose.

• VSP-60223: Some devices have an internal limit on the value that can be set for the policy value Maximum Inactivity Timeout. In these cases, the device uses the lowest configured value. For example, the maximum inactivity timeout value for iOS on an iPhone is 5 minutes, and for an iPad is 15 minutes. If, from Admin portal > Policies & Configs > Policies > Security Policy page you set the Ivanti EPMM Maximum Inactivity Timeout for 10 minutes, iPhones with this policy will still time out in 5 minutes (because it hit the device's internal limit), while iPads will time out in 10 minutes (because the specified limit is lower than the device's internal limit). We have added a tooltip to the Security Policy page, reminding Administrators of this.