Client Settings

This section addresses client settings.

Android specific settings

Ivanti Mobile Threat Defense supports Android 10 OS with the following configuration caveats:

If location services are not enabled in Android Enterprise mode, Rogue Wi-Fi threats are not detected.

Table 9.  Expected behavior for new and upgraded Android 10 installations
Deployment mode | Expected behavior

All modes

The local action Disconnect Wi-Fi cannot be applied to Android 10 devices.

Android Enterprise (Profile Owner mode)

During installation or upgrade of the client on Android 10, the user is prompted to turn on location services for both device and profile settings:

  • If the user agrees, the app opens the device location service setting, so the user can enable it.

    To complete the process, the user must manually navigate to the Profile settings to enable location services for the Profile.

  • If the user does not enable the location services, Rogue Wi-Fi threats are not detected.

If Disallow share location is enabled in the PO lockdown config, this will block the user's ability to turn on location services. Uncheck this feature to prompt the user to enable location services.

Android Enterprise (DO mode)

For Android Enterprise Device Owner (DO), location settings are enabled without user action, allowing Ivanti Mobile Threat Defense detection of all network threats.

Device administrator (DA mode)

Rogue Wi-Fi network threats cannot be detected for these devices.
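
The deployment-mode rules in Table 9 can be applied to a device inventory to list the Android 10 devices on which Rogue Wi-Fi detection is not expected to work. The script below is an added example, not Ivanti code; the CSV column names and device names are hypothetical and the sample rows are constructed.

```python
import csv
import io

# Constructed sample inventory; the column names are hypothetical and must be
# mapped from whatever your own device export provides.
SAMPLE_CSV = """device,mode,device_location,profile_location,disallow_share_location
pixel-01,DO,on,on,no
galaxy-02,PO,on,on,no
galaxy-03,PO,on,off,no
moto-04,PO,off,off,yes
legacy-05,DA,on,on,no
"""

def rogue_wifi_gap(row):
    """Return None when Rogue Wi-Fi detection is expected on Android 10,
    otherwise a short reason taken from the deployment-mode table."""
    mode = row["mode"].strip().upper()
    if mode == "DO":
        return None  # location settings are enabled without user action
    if mode == "DA":
        return "DA mode: Rogue Wi-Fi threats cannot be detected"
    if mode != "PO":
        raise ValueError(f"unknown deployment mode: {row['mode']!r}")
    # Profile Owner: both the device and the profile setting must be on.
    off = [scope for scope, col in (("device", "device_location"),
                                    ("profile", "profile_location"))
           if row[col].strip().lower() != "on"]
    if not off:
        return None
    reason = "PO mode: location services off for " + " and ".join(off)
    if row["disallow_share_location"].strip().lower() == "yes":
        reason += "; Disallow share location blocks the user from enabling them"
    return reason

def audit(csv_text):
    """Map device name -> reason for every device with a detection gap."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = rogue_wifi_gap(row)
        if reason:
            gaps[row["device"]] = reason
    return gaps

if __name__ == "__main__":
    for device, reason in audit(SAMPLE_CSV).items():
        print(f"{device}: {reason}")
```

Devices flagged with the Disallow share location reason need the PO lockdown config changed before the user can be prompted; the others need the user to enable the missing setting.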

iOS specific settings

For information about privacy configuration for Ivanti Mobile@Work iOS client, see "Privacy configuration" in the Ivanti MDM Administrator Guide.

Enabling Phishing and Content Protection on iOS devices

In order for Phishing and Content Protection to function, iOS device users need to enable the Secure DNS profile.

Enabling the iOS significant location change service

Note the following:

  • Privacy policies are supported on Windows 10 devices.
  • Privacy policies are not supported on macOS devices.
  • Location and Apps privacy settings currently apply only to iOS devices.

Privacy policies specify which files to synchronize with Ivanti and whether activity or content should be synchronized for each type of data. Privacy policies also specify which information the Ivanti Mobile@Work app should include in its log.

To create a privacy policy, go to Policies & Configs > Policies. Click Add New > Privacy. Use the following guidelines to create or edit privacy policies:

The following table summarizes fields and descriptions in the Privacy Policy window.

Table 10.  Privacy policy fields
Item | Description | Default Policy Setting

Name

Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.

Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Default Privacy Policy

Status

Select Active to turn on this policy. Select Inactive to turn off this policy.

Active

Priority

Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

 

Description

Enter an explanation of the purpose of this policy.

Default Privacy Policy

Apps

  • All Apps: Instructs the device to return the status of all the installed non-system apps on devices with this policy.

  • App Catalog apps: Instructs the device to return the installed status of only the apps in Apps@Work on devices with this policy. App Control rules are not applied.

Essentially, the client first checks whether an app is a system app. If it is, the client omits that app from the reporting list. If it is not a system app, then:

  • If All Apps is allowed by the privacy policy, the client reports all of the installed non-system apps.

  • Otherwise, the client reports only apps that exist in the App Catalog.

App Catalog Apps

SMS Log

For Android devices only:

Specify synchronization for SMS:

Sync Content - Clear Text: Select to archive mobile data.

Sync Content - Encrypted: Select to archive the mobile data in encrypted format.

None: Select to collect no SMS data.

None

Call Log

For Android devices only:

Specify synchronization for Call:

Sync - Clear Text: Archive mobile data.

Sync - Encrypted: Archive the same data in encrypted format.

None: Do not collect Call statistics or store Call data.

None

iOS Location-Based Wakeups

For iOS devices only:

iOS 6 and earlier devices use Significant Location Change for background wakeups. These wakeups impact jailbreak detection and updates to certain policies.

The significant location change service provides a low-power way to get the current location of an iOS device and be notified when significant changes occur. This feature governs whether the OS can periodically bring Ivanti Mobile@Work into memory.

The following options are available:

Enabled on iOS 6 and earlier: Recommended if you want to support devices running iOS 6 and earlier.

Enabled: Select this only if you want to continue using SLC.

Disabled: Select this only if you want to discontinue use of SLC, regardless of the device version. Selecting this option greatly reduces the likelihood that jailbreaks will be detected on devices that do not support silent APNS or are running Ivanti Mobile@Work 6.0 and earlier supported releases.

On iOS 8, 8.1, and 8.1.1, disabling Location Services in the OS or in Ivanti Mobile@Work may result in device users receiving a notification indicating that the current configuration requires enabling access to Location Services.

In Ivanti EPMM, a setting in the Default Privacy Policy allows toggling location-based wakeups on or off. If this setting is enabled, and a user disables Location Services or disallows Location Services for Ivanti Mobile@Work, they will receive the notification. This notification does not mean that the device is out of compliance; rather, it indicates that location-based wakeups are enabled, which the device will be unable to perform.

Disabled

Location

Specify which location data, if any, is stored on Ivanti EPMM.

The Sync Cell Tower option is only available to Android devices.

None: No location data is stored.

Sync Cell Tower: Cell tower data is stored.

Sync GPS if available: GPS data is stored.

None

Collect Roaming Status

When enabled, roaming information is collected from the device and roaming status displays in Device & Users > Devices on the Device Details panel.

When disabled, Ivanti Mobile@Work for Android does not report any roaming status to Ivanti EPMM. Available in Ivanti Mobile@Work for Android version 7.0 or later.

Disabled

Enable Configuration Profiles

Clear this setting if you do not want Ivanti EPMM to send non-AppConnect-related configurations and certificates to MAM-only iOS devices, including the Apps@Work web clip and certificate.

For more information, see “Configurations and certificates for MAM-only devices” in the Ivanti EPMM Apps@Work Guide.

Enabled

Prompt User to Enable Location Services if Wi-Fi/MTD configuration is pushed (Android enterprise)

Administrators have the ability to prompt device users to enable the device's location setting and to do it silently based on the nature of the device user. This setting is useful if the device user resides in an EU country that has GDPR requirements. If this check box is selected, the device user is prompted to enable the location setting during the registration process. If the device user does not grant permission, the configuration will fail. To resolve this, the device user will need to manually enable the device's location setting, thus triggering a device check-in to get the Wi-Fi / MTD configurations installed onto the device. Applicable only for Work managed device (DO) mode and Managed device with Work profile mode on Android 10+ devices.

Disabled

Disable Auto-Grant Location Permissions for Work Profile Devices

When this option is selected, a warning displays: Wi-Fi and MTD configurations can partially fail on older Android versions and device will fail to be located if user denies permission.

Note the following:

  • If the Privacy Policy > Disable Auto-Grant Location Permissions for Work Profile Devices field is de-selected, then the client will auto-grant Location Permissions, irrespective of configuration being pushed.
  • If the Privacy Policy > Disable Auto-Grant Location Permissions for Work Profile Devices field is selected, then the client will not auto-grant Location Permissions. The client will only seek Location Permissions if it detects configurations that require Location Permissions.
  • Depending upon server-wide settings, Location Permissions are auto-granted for Android 10 and 11 devices to use for Wi-Fi and MTD configuration. Additionally, the administrator may want to locate a device on-demand.

Not applicable to Android 12 devices.

Disabled

App Filters

For iOS apps only

 

iOS Installed App Inventory

All Apps: Instructs devices to report to Ivanti the apps installed to devices.

Select All Apps if you are converting unmanaged apps to managed apps. See the Ivanti EPMM Apps@Work Guide.

Managed Apps Only (iOS 7 and later): Instructs devices to report to Ivanti the managed apps installed to devices. For devices running iOS 7 through the most recently released version of iOS as supported by Ivanti.

Specified Apps Only (iOS 7 and later): Instructs devices to report to Ivanti the status of installed apps and managed apps whose bundle identifiers you specify here. For devices running iOS 7 through the most recently released version of iOS as supported by Ivanti.

See the Ivanti EPMM Apps@Work Guide for information about managed apps.

Managed Apps Only (iOS 7 and later)

Windows 10 Inventory

This feature is supported by Windows 10 devices only.

 

App Store Inventory

Displays all the App Store apps installed on the device. The options are Enable and Disable.

Disable

Non Store Inventory

Displays all the Non Store apps installed on the device. The options are Enable and Disable.

Disable

System Inventory

Displays all the System Inventory apps installed on the device. The options are Enable and Disable.

Disable

Win 32 Inventory

Displays all the Win 32 Inventory apps installed on the device. The options are Enable and Disable.

For Windows 10 devices with more than 100 apps, the App inventory is updated in the database.

Disable

Android Warning Banner on the Device Reboot

Enable Warning Banner

For Android devices only:

Administrators can add a warning banner that displays upon device reboot. This is helpful for companies that require all approved mobile operating systems, such as Android 9.0, to be managed according to a security baseline / guidance. Device users will see the warning banner upon device reboot and will have to acknowledge it before continuing use of the device.

This feature is applicable only to:

  • Samsung devices with Samsung Knox API 2.2

  • Samsung devices in Work Managed Device mode

  • Samsung devices in Work Profile on Company Owned Device mode

Procedure 

  1. Select the Enable Warning Banner check box. A text box displays.
  2. Enter the text that you want to appear on the device.
  3. Click Save. The default policy will be applied to all smart phones and labels to which no other policy has been applied.

Unchecked

----

Administering the client app

This section includes information and tasks that MTD administrators may find helpful when troubleshooting Ivanti Mobile@Work clients. We will be adding more information as the opportunity arises. For more MTD documentation, knowledge base articles, product bulletins, and forum groups, see the Ivanti support page.

Logging and enhanced logging for iOS clients

If iOS device users experience issues with the Ivanti Mobile@Work client, they can reproduce the issue and send the logs to their administrator. Enhanced Logging encrypts the logs for safe transport to the support Admin.

This feature is for troubleshooting, and is disabled by default.

Sending Ivanti Mobile@Work client logs to MTD Support

  1. Open Ivanti Mobile@Work.
  2. Tap Settings.
  3. To enable debug-level encrypted logging of your phone information, tap Enhanced Logging.

    If you do not require encryption, make sure Enhanced Logging is toggled off.

  4. Reproduce the issue on the device.
  5. Go back to Ivanti Mobile@Work, and tap Settings > Send Ivanti EPMM Go Logs.

    Select a method to send the log information to Ivanti Mobile Threat Defense support. Options include email, SMS, AirDrop, and others.

  6. Enter a support address and tap Send.