What's New
These are cumulative release notes. If a release does not appear in this section, then there are no associated new features.
Product nomenclature: This is cumulative documentation and the product names you encounter in this documentation were accurate at the time of publication. Ivanti updates each new section to reflect evolving product nomenclature, but leaves legacy citations intact to ensure proper frame of reference for the reader.
General features
-
Support to add ability to retrieve the install date for managed applications: An 'App Install Date' API has been introduced to retrieve the install date for managed applications and also update the date for operating system. For more information, see Get installed app details of a device in the Ivanti EPMM V2 API Guide.
An 'getOSUpdateDate' API has been introduced to fetch the device OS update details. For more information, see Get OS Update Date > Device Management" In the Ivanti EPMM V2 API Guide. -
Support to add a warning message for Sentry Self-signed certificates: Standalone Sentry now displays new warning message to discourage the use of Sentry Self-signed certificates for TLS handshake between Sentry and Tunnel.
Android features
-
Support to allow Nearby Streaming: Administrators can now toggle the Nearby streaming to video stream applications to nearby devices. Navigate to EPMM admin portal > Devices and Users > Devices > Managed device > Lockdown Policy. This is applicable for Android 13+ devices. For more information, see Support to allow Nearby Streaming in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
-
Support for Unlock V2 API: Unlock V2 API now supports the custom unlock pin option for Android devices. Administrators can send a new optional query parameter "unlockPin", to unlock an Android device. If unlockPin is not sent using an API, the device will be unlocked with default pin, 0000. For more information, see Unlock devices in the Ivanti EPMM V2 API Guide.
-
Support to update Kiosk Exit PIN: Administrators can now update the Kiosk Exit PIN for Kiosk policies using an API endpoint.
-
/api/v2/policy/list
-
/api/v2/policy/androidkioskmode/exitpin
For more information, see Policy Management in the Ivanti EPMM V2 API Guide.
-
-
Support to increase the device serial number field: Android Bulk Enrollment now allows maximum length of the serial number to 20 characters.
-
Support to clear the user data from Google Chrome: Android Shared Kiosk for Shared Users retained app data despite force reinstall on the Google Chrome application causing privacy issues. To enable, navigate to App Catalog Apps > Allow Google Chrome cache to cleared if enabled only when devices are in shared kiosk mode. For more information, see Support to clear the user data from Google Chrome in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
iOS and macOS features
-
Support to allow users from installing apps through web distribution: A new option 'Allow users from installing apps through Web Distribution' is introduced in EPMM admin portal> Policies & Configs > Configurations > Add New > Apple > iOS / tvOS > Restrictions settings. By default, this feature is enabled, and it allows you to install applications directly from the web distribution. This feature is available only for iOS 17.5 and later supervised devices and for selected EU countries. For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.
-
Support to view Login items on the macOS devices: A new feature 'Login Items' is introduced in the EPMM admin portal > Policies & Configs > Configurations > Add New > Apple > macOS Only > Login Items. This feature is available only for macOS 13 and later devices. Once the appropriate login item is configured and a profile related to the configuration is installed on the device, the corresponding login item will be automatically greyed out in MDM to disallow users from either enabling or disabling it. For more information, see Login items for macOS in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.
-
Support to Allow Live Voice mail and Force ESIM: Two new options, 'Allow live voice mail' and ‘Force preserve eSIM on erase’, are introduced in the EPMM admin portal> Policies & Configs > Configurations > Add New > Apple > iOS / tvOS > Restrictions settings.
-
By default, 'Allow live voice mail' is enabled, and it allows you to enable live voice mail on the device.
-
By default, ‘Force preserve eSIM on erase’ is disabled. Once you enable it, it allows the system to preserve eSIM when it erases the device due to too many failed password attempts.
These features are available only for iOS 17.2 and later supervised devices. For more information, see iOS and tvOS restrictions settings in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.
-
-
The new set of Apple restrictions for iOS and macOS are now listed in Device details page > Restrictions tab..
Apple Restrictions:Apple Restriction
Description
iOS 18.0 or later versions ALLOW ESIM OUTGOING TRANSFERS Allow ESIM Outgoing Transfers (iOS 18.0 and later devices only ALLOW IMAGE WAND Allow Image Wand (iOS 18.0 and later devices only), "allowImageWand" ALLOW PERSONALIZED HANDWRITING RESULTS Allow Personalized Handwriting Results (iOS 18.0 and later devices only ALLOW VIDEO CONFERENCING REMOTE CONTROL
Allow Video Conferencing Remote Control
iOS 18.0, macOS 15.0 and later
ALLOW GENMOJI
Allow Genmoji (iOS 18.0, macOS 15.0 and later devices only)
ALLOW IMAGE PLAYGROUND
Allow Image Playground (iOS 18.0, macOS 15.0 and later devices only)
ALLOW WRITING TOOLS
Allow Writing Tools (iOS 18.0, macOS 15.0 and later devices only)
ALLOW_IPHONE_MIRRORING
Allow iPhone Mirroring (iOS 18.0, macOS 15.0 and later devices only)
-
Support for Apple Watch enrollment and Management: In this release we are adding the ability to enroll Apple Watch. A new iPhone configuration has been added which allows for any Apple watch paired to be enrolled and managed via MDM. Only supported by iPhones on iOS16+.
After the configuration is applied, any Apple Watch running WatchOS 10 is enrolled in Device Management when paired. If an Apple Watch is already paired, it must be removed and paired to the iPhone again to be enrolled. As part of the process, supervision is enabled on Apple Watch. This supervision allows the MDM to perform actions such as Configuring Settings, Retrieving Device Information, Clearing the passcode, and Locking or Erasing the device. After a successful pairing, the Managed Apple ID is automatically signed in on the Apple Watch.
For more information, see Support for WatchOS enrollment in the Ivanti EPMM Device Management for iOS and macOS Guide. -
Support to view device battery health status: A new field, Device Battery Health status for iOS and macOS devices is now included in Devices & Users > Devices > Device Details tab of the device. Apple Device Declarative Management must be enabled for this feature to be available. For more information, see Viewing device battery health status in the Ivanti EPMM Device Management for iOS and macOS Guide.
-
Support for Software Update Enrollment Policy: The Software Update Enrollment Policy is an Apple Device Declarative Management feature. The Software Update policy lets the administrators perform the following tasks:
-
Administrators can set up a deadline to force upgrade the device.
-
Administrators can also set a URL with a message to display on the Settings of the device to notify the upcoming software update.
For more information, see Software Update Enrollment Policy in the Ivanti EPMM Device Management for iOS and macOS Guide.
-
-
Support to add new Distributor Identifier on App Details for alternative marketplaces: A new column ‘DISTRIBUTOR IDENTIFIER’ is added in the EPMM admin portal > Apps > Installed Apps on the application details page.
This ‘DISTRIBUTOR IDENTIFIER’ is also available in the EPMM admin portal > Devices & Users > Devices on the device details page under the APPS section. It shows the marketplace-hosted application’s distributor ID. This value is available on iOS 17.4 and later devices.
On the Installed Apps page > Advanced Search, you can use the Distributor Identifier as a filter for advanced search, and once you select Export to CSV, the ‘DISTRIBUTOR IDENTIFIER’ column appears in app inventory search results. For more information, see Managing installed iOS and macOS apps in the Ivanti EPMM Apps@Work Guide.
General features
-
Support to pull logs through new Ivanti Bridge: Ivanti EPMM sends a request to the Windows device to pull bridge logs through Ivanti Bridge. The functionality of the Send Current Log and Send All Logs options, available in EPMM admin portal> Device & Users > Devices > Actions > Windows Only > Ivanti Bridge, fetched the bridge logs present on the device. However, the functionality was broken.
With Ivanti EPMM 12.1.0.0, this broken functionality is fixed. This functionality works for both MobileIron Bridge and the Ivanti Bridge. For more information, see Bridge logs overview in Ivanti EPMM Device management Guide for Windows.
-
Support for Expired state for Automated Device Cleanup: The 'Expired' state is now provided in EPMM admin portal> Settings > Users & Devices > Automated Device Cleanup to cleanup PIN expired devices. For more information, see Automated device cleanup in the Ivanti EPMM Device Management Guide.
-
Support to view Installed Apps in Custom Space: With managed services, administrators can now view the installed applications for Android and iOS devices that are in the Custom Space. Enable 'View app inventory' for Custom Spaces from EPMM admin portal> Admin > Actions > Edit Roles. To view the installed applications, navigate to EPMM admin portal> Apps > Installed Apps.
To see the list of devices on which the app is installed, click on the number of devices that is being displayed in Devices Installed column.
Support to see if the application is hidden on a particular device: Clicking the Export to CSV button in the above window and displaying the list of devices on which the application is installed lets you download the list of devices. This CSV will also contain a 'Hidden' Column, stating whether that application is hidden on that particular device or not. This is available only for supervised iOS devices.
For more information, see Viewing Installed Apps in the Ivanti EPMM Apps@Work Guide.
-
Support to provide bundle identifier: The Provider bundle identifier field is available when the Connection Type is selected as Custom SSL. Using this, the application can be configured with different Provider Bundle Identifiers. Navigate to EPMM admin portal>Policies & Configs > VPN Configuration. For more information, see Custom SSL in Ivanti EPMM Device Management Guide.
-
Support for a new description field in the Standalone and Integrated Sentry services: A new field for description is now added to help manage Sentry servers from Ivanti EPMM. Navigate to EPMM admin portal> Services > Sentry.
-
Support to enable new Help@Work (Teamviewier) integration for Android: From EPMM version 12.1, there is an option to have a modern integration experience (based on authorization) when integrating with TeamViewer.
It is recommended that existing active integrations migrate to the new integration option after EPMM server upgrades to version 12.1 version. For new integrations, only modern workflow (based on authorization) is supported. For more information, see Transitioning Help@Work to the Modern workflow for Android in Ivanti EPMM Device Management Guide for Android and Android Enterprise Devices and Transitioning Help@Work to the Modern workflow@Work for iOS in Ivanti EPMM Device Management Guide for iOS and macOS Devices.
Android features
-
Support device's mac address value as substitution: The $DEVICE_INVENTORY_MAC$ is a new variable supported only for Android devices with managed or managed devices with work profile (DO, AOSP, COMP, EPO). This variable substitution is supported in app restrictions, custom lockscreen message in Lockdown policy, compliance actions, and certificate enrollment setting. Since this is an Android specific variable and does not report MAC addresses for all registration modes, it must be carefully configured. For more information, see Certificate Enrollment settings in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices and App configuration for Android Enterprise apps in Ivanti EPMM 11.4.0.0 - 11.12.0.0 Apps@Work Guide.
- Since this is a android specific variable and does not report mac address for all registration modes it must be carefully configured.
-
Support to disable the lockscreen shortcuts on an Android device: A new 'Block keyguard shortcuts' option is available in EPMM admin portal> Policies & Configs > Policies > Security Policy > Android enterprise section. This option is disabled by default. For more information, see Security Policies in the Getting Started with Ivanti EPMM Guide.
-
Select the checkbox to disable the lockscreen shortcuts on the device.
-
Deselect the checkbox to enable the lockscreen shortcuts on the device.
-
- In Lockdown and/or Kiosk policies, if the keyguard option is disabled, the lockscreen and the shortcuts are not available. To view the impact, ensure to enable the keyguard option in Lockdown and/or Kiosk policies (if applicable).
This new feature enables/disables the lockscreen shortcuts setting directly in the device's display settings (rather than just not displaying the shortcuts on lockscreen)
-
Support to Ultra-wideband restriction: The Ultra-wideband restriction can be set only by a device owner or a profile owner of an organization-owned managed profile on the parent profile. In both cases, the restriction applies globally on the device and will turn off the ultra-wideband radio if turned on. Navigate to EPMM admin portal > Devices and Users > Devices > Managed device > Lockdown Policy.
This restriction cannot be turned on via the Settings if it is disallowed. For more information, see Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode, and Work Profile on Company Owned Device mode in Getting Started with Ivanti EPMM Guide. -
Support for Wi-Fi Direct option: Administrators can now toggle the 'Allow WIFI direct' option for Devices in Managed Device, Managed Device- non GMS, and Managed Device with Work Profile Modes to allow or disallow the Wi-Fi Direct on a device. Navigate to EPMM admin portal > Policies and Configs > Policies > Lockdown > Managed device. This is applicable for Android 13+ devices. For more information, see Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode, and Work Profile on Company Owned Device mode in Getting Started with Ivanti EPMM Guide.
iOS and macOS features
-
Support to set notification interval in hours for iOS devices: The time interval set in the notification interval triggers the visible notifications on a device. This time interval can now be set in hours. Navigate to EPMM admin portal> Policies and Configs > Policies > Default Sync Policy. For more information, see Sync Policies in the Getting Started with Ivanti EPMM Guide.
-
Support for admins to disable Visible Notifications (VNS): A new value '0' is added in the Schedule Notification Interval field in the sync policy to disable the VNS notification. Navigate to EPMM admin portal> Policies & Configs > Policies > Sync Policy. For more information, see Sync policies in the Getting Started with Ivanti EPMM Guide and Setting the Schedule Notification Interval for iOS device in MTD Lookout Guide.
-
Support to provide device battery information for macOS 13.3 and later versions: A new field hasBattery is introduced in EPMM admin portal> Devices and Users > Devices > Device Details, which displays the battery information of the device. This filed is included in the 'Advanced search' for administrators to search for devices with battery. For more information, see Advanced searching in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.
-
Support for Apple device declarative management: Apple's Declarative Device Management is a modern management protocol that allows managed devices to proactively and autonomously apply their own management settings with less communication. Declarative Device Management is enabled on newly enrolled devices during the enrollment process or during check-in for existing devices. Navigate to EPMM admin portal> Devices & Users > Devices > Device Details > Apple Declarative Management.
Declarative Device Management is automatically enabled on the following:
-
Computers with macOS 13 or later
-
Devices with iOS 15 or iPadOS 15 only for User Enrollment mode
-
Devices with iOS 16 or iPadOS 16 with all enrollment types including Shared iPad
The Device Details page displays the enrollment details once the device is enabled with Apple Declarative Management. For more information, see Support for Declarative Device Management in Ivanti EPMM Device Management Guide for iOS and macOS Devices.
-
-
Support for Return to Service: Ivanti EPMM supports Return to Service for iOS DEP enrollment devices. This feature lets you configure devices to automatically re-enroll after erasing all data such that users need not re-enroll them manually after a wipe. Return to Service is available in EPMM admin portal > Device & Users > Devices > Actions > Wipe. For more information, see Wipe in Ivanti EPMM Device Management Guide for iOS and macOS devices.
-
Support to allow users from installing new alternative marketplace applications: A new checkbox 'Allow users from installing new alternative marketplace apps' is introduced in EPMM admin portal> Policies & Configs > Configurations > Add New > Apple > iOS / tvOS > Restrictions settings.
By default, this feature is enabled, and it allows you to download applications from alternative marketplaces instead of Apple Store. This feature is available only for iOS 17.4 and later supervised devices and for selected EU countries. For more information, see iOS and tvOS restriction settings in Ivanti EPMM Device Management Guide for iOS and macOS devices.
General features
-
Support for Oracle Linux 8: Ivanti EPMM platform is now upgraded to Oracle Linux 8 from CentOS7.
-
Support to delete an individual device or multiple devices: The individual device record can now be deleted if the device is in any of the following states: Wipe-Pending, Retire-Pending, Unknown, Wiped and Retired. For more information, see 'Automated Device Cleanup' in Ivanti EPMM Device Management Guide for Android and Android Enterprise.
-
Support for Unicode symbols in app names: Ivanti EPMM now supports Unicode characters like emoji symbols in application names if an application's display name contains a Unicode character. You can also add an emoji by editing the application name.
-
DigiCert One Certificate Enrollment Setting: Ivanti EPMM supports DigiCert One option in the Certificate Enrollment setting. Integration with DigiCert enables you to configure certificate-based authentication. For more information, see 'Configuring DigiCert One' in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
-
Support to download client logs for device logs for Android and iOS devices: Administrators can now download the client logs for device logs. In Ivanti EPMM, in Device Details, select View Logs for device to download the client logs of that device. For more information, see 'Pull client logs for client devices' in the Ivanti EPMM Device Management Guide for Android and Android Enterprise.
Android features
-
G Suite Enterprise users can enroll with Android enterprise: Ivanti EPMM provisions and manages users automatically with Google. The following details are required to enroll:
Enterprise Domain Name
Enterprise Domain Email
Enterprise MDM token
Upload json file of service account
- All new customers are recommended to use direct Google integration.
For more information, see 'Setting up directly via Ivanti EPMM' in Ivanti EPMM Device Management Guide for Android and Android Enterprise.
-
Support to control Samsung Knox Mobile@Work activation: Administrators can let Mobile@Work skip the standard Knox license activation carried out during the Samsung Knox device registrations. This requires Samsung General Policy to have 'Activate Knox Feature' disabled. This allows for activation to be skipped and is recommended only in places where internet access to Samsung licensing services is not available. Settings will only take effect for new registrations. For more information, see 'Working with Samsung general policies' in Ivanti EPMM Device Management Guide for Android and Android Enterprise.
-
Support to set notification interval in hours: The time interval set in the notification interval triggers the visible notifications on a device. This time interval can now be set in hours.
-
Support to display recent users logging into the kiosk mode: Selecting the 'Display Recent Users on Login Screen' option in the staging policy for kiosk mode, displays the recent users to log in faster on devices when logging into shared kiosk mode. By default this option is disabled. If the option is disabled, the recent users will not be displayed for the client. For more information, see 'Configuring the Android shared-kiosk mode' in the Ivanti EPMM Device Management Guide for Android and Android Enterprise.
-
Support for new lockdown to allow network reset: Administrators can toggle the Allow Network Reset option for Devices in Managed Device, Managed Device- non GMS and Managed Device with Work Profile Modes to allow or disallow resetting the mobile network, WIFI, and bluetooth options on the device. For more information, see 'Lockdown policy fields for Android Enterprise devices in Work Profile for Company Owned Device mode' in Ivanti EPMM Getting Started Guide.
-
Support to preserve administrator added section when schema changes: Ivanti EPMM tries to preserve the existing setting-values, if the same settings are available in the new app-configuration published by the application developer. This reduces the need to re-define sections. However, it is recommended to test the changes before deployment.
-
Support for Android bug report: Administrators can now include or exclude android bug report while performing Pull Client Logs on a device. A new checkbox 'Collect Android Bug Report Logs' is introduced in Pull Client Logs. For more information, see 'Pull client logs for client devices' in Ivanti EPMM Device Management Guide for Android and Android Enterprise.
-
Select the checkbox for client logs (optionally, if enabled, network and security logs) along with android bug report to be requested from Mobile at Work. This option requires user action.
-
Deselect the checkbox for silent logs (optionally, if enabled, network and security logs) running on device to be requested from Mobile at Work . The android bug report is excluded in this request. This option does not require user action.
-
iOS and macOS features
-
Support to enforce a minimum operating system version: Ability to allow only minimum operating system version on enrolling devices when using Automated Device Enrollment.
-
Support to change properties in the VPN configuration: VPN configuration supports the following properties:
Enforce Routes - This property scopes the included routes to the VPN and the excluded routes to the current primary network interface.
Exclude Local Networks - This property excludes all traffic destined for local networks.
Include All Networks - This property routes network traffic through the tunnel except traffic for designated system services necessary for maintaining expected device functionality.
-
New parameters added to Extensible Single Sign-On: Ivanti EPMM introduced 12 new parameters to support Extensible Single Sign-On configuration for macOS 13 and above devices. You can configure Extensible Single Sign-On on the Admin Portal to access enterprise resources on macOS devices that are registered with Ivanti EPMM.
On the Admin Portal, navigate to Policies & Configs > Configurations > Apple > iOS / macOS / tvOS > Extensible Single Sign-On. Once you enable the Configure Platform SSO checkbox, you can see the 12 new fields. For more information, see 'Extensible Single Sign-On' in the Ivanti EPMM Device Management Guide for iOS and macOS devices. -
Support for Account Driven Device Enrollment (ADDE) for iOS 15+ and macOS 14+ devices: Account-driven device Enrollment (ADDE) is used for devices that are owned by the organization. With ADDE, organizations have higher visibility and management of the device. ADDE utilizes the user's managed Apple ID, which is required and associated with all enterprise apps and data on the device and in Ivanti EPMM. Enable Account-Driven Device Enrollment in the MDM page, by selecting Settings >iOS > MDM > Enable Account Driven Device Enrollment for iOS/Enable Account Driven Device Enrollment for macOS. For more information, see 'Account Driven Device Enrollment' in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
-
Support for macOS apps in Managed App Configuration: Ivanti EPMM supports Managed App Configuration for macOS applications. Managed App Config allows users to specify a configuration dictionary to communicate with and configure third party managed apps. This feature requires a license, before using this feature ensure your organization has purchased the required licenses. Managed App Config is available in Ivanti EPMM Policies & Configs > Configurations > Add New > Apple > iOS / macOS / tvOS > Managed App Config. For more information, see 'Managed App Config settings that use plists' in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Managed application configuration for macOS is applicable only for VPP apps.
-
Support for configuring relays at the application level: From this release, the Ivanti EPMM supports configuring relays in apps. Applications that support relays can leverage this configuration to access private data or company resources.
A new RELAYS FILTER SETTING section has been added to the Ivanti Admin Portal, where administrators can select relay configurations based on priority and labels.
For more information on creating relay configuration, see 'Network Relay' in the Ivanti EPMM Device Management Guide for iOS and macOS devices and more information on relay filter setting, see 'Populating the iOS and macOS App Catalogs' in the Ivanti EPMM Apps@Work Guide. -
New Cellular Slicing for App Configuration: Ivanti EPMM added a new Cellular 5G Slicing checkbox for app configuration to support iOS 17 or above devices. Cellular 5G slicing allows businesses to control traffic resources on a more granular level. Each slice of traffic can have its own resource requirements, Quality of Service (QoS), security configurations, and latency requirements. Powered by private 5G, each application can operate on its own dedicated slice based on the data network and app category and ensure it remains in operation even when the network is congested. For more information, see 'Populating the iOS and macOS App Catalogs' in the Ivanti EPMM Apps@Work Guide.
-
Associated Domains for macOS: Associated Domains help to build a secure connection between the website and the application. Associated domain allows you to share credentials or add functionality to your app from your website. For more information, see 'Associated Domains for macOS' in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Mobile Threat Defense features
Mobile Threat Defense (MTD) protects managed devices from mobile threats and vulnerabilities affecting device, network, and applications. For information on MTD-related features, as applicable for the current release, see the Mobile Threat Defense Solution Guide for your platform, available under the MOBILE THREAT DEFENSE section on the Ivanti Product Documentation page.
Each version of the MTD guide contains all Mobile Threat Defense features that are currently fully tested and available for use on both server and client environments. Because of the gap between server and client releases, new versions of the MTD guide are made available with the final release in the series when the features are fully functional.