Upgrade information for Standalone Sentry

Previous topic: Software download for Standalone Sentry

Next topic: Documentation resources

This section provides the upgrade information for this release and contains the following sections:

• Before you upgrade Standalone Sentry
• Supported upgrades paths for Standalone Sentry
• Upgrade URL for CLI upgrades for Standalone Sentry
• TLS compliance utility
• Upgrade notes for Standalone Sentry
• Upgrade steps for Standalone Sentry

Before you upgrade Standalone Sentry

• Ensure that the Standalone Sentry System Manager (MICS) portal certificate has not expired.
  AL-12204: If the Standalone Sentry portal certificate has expired prior to a software upgrade, Standalone Sentry generates a new self-signed certificate after the upgrade and does not initialize correctly. As a result, the Standalone Sentry System Manager (MICS) on port 8443 and the Standalone Sentry server on port 443 will not be accessible. The "show log message" CLI displays the following error: "portal-ca-setup: /mi/portalCA/ca-cert.pem not valid for /mi/portalCA/server-cert.pem".
• Plan for 5 to 20 minutes downtime. Email and app tunnel traffic will be down during the upgrade.
• If you have multiple Standalone Sentry in your our installation, allow for a rolling upgrade to minimize downtime. Do not upgrade all Sentry instances at the same time.
• Ensure that MobileIron Core is running and reachable to allow Standalone Sentry to upgrade successfully.
• Verify that your current environment meets the requirements as listed in the Support and compatibility for Standalone Sentry of this document.
• Check disk space availability. At least 2 GB of disk space must be available in the / (root) directory for an upgrade to be successful.
• Back up the Standalone Sentry installation configuration.
• Test your connection to support.mobileiron.com. You can use the following command:
  telnet support.mobileiron.com 443.
• Ensure that supportcdn.mobileiron.com is reachable.
• For improved security, MobileIron recommends that TLS v1.2 is used and TLS v1.0 and v1.1 are disabled. Run the TLS compliance utility to check the TLS compliance for the servers connecting to Standalone Sentry. See TLS compliance utility.
• See also Upgrade notes for Standalone Sentry.

Supported upgrades paths for Standalone Sentry

The following table provides the supported upgrade paths for Standalone Sentry for this release.

table 1. supported paths for upgrade

Current Standalone Sentry version	Upgrade path to 9.8.0
9.7.3	9.7.3 > 9.8.1 > 9.9.0 9.7.3 > 9.9.0
9.8.0	9.8.0 > 9.8.1 > 9.9.0 9.8.0 > 9.9.0
9.8.1	9.8.1 > 9.9.0
9.8.5	9.8.5 > 9.9.0

Upgrade URL for CLI upgrades for Standalone Sentry

Use the following URL if you are upgrading using the CLI upgrade method:

https://support.mobileiron.com/mi/sentry/9.9.0/

TLS compliance utility

MobileIron provides an utility that checks if Sentry can successfully connect with the server on TLS v1.2.

NOTE:

You must have Sentry 9.6.0 or later as a minimum version of TLS compliance utility.

From the Standalone Sentry command line interface, enter the following command in EXEC PRIVILEGED mode to run the utility:

#install rpm url https://support.mobileiron.com/tlscheck/mobileiron-sentry-tlscheck-1.0.0-1.noarch.rpm

The command executes a script that checks the servers that Sentry connects with and returns an OK or FAILED value for each server it checks. The script uninstalls after each run.

The results are also recorded into a log file /var/log/TLSTrafficTool-timestamp.log. The log file is included in ShowTech-All. In case of failure, additional error message content as provided by OpenSSL displays and is recorded in the log file. MobileIron recommends upgrading the failed servers to support TLS v1.2.

After upgrading to 9.7.0, use the tlscheck command from the Standalone Sentry command line interface (CLI) to check TSL compliance. See "Using CLI command to check TLS compliance" in the MobileIron Sentry Guide.

Upgrade notes for Standalone Sentry

Before you upgrade, read the following upgrade notes:

Telnet

Telnet server capability is not supported from Standalone Sentry 9.5.0 onwards. Disable Telnet before upgrading to 9.7.0. Upgrade fails if Telnet is not disabled. You will see the following Preflight check failed error message if Telnet is enabled.

Figure 1. Preflight check failed error message

Click OK, then disable Telnet. To disable Telnet, in Standalone Sentry system manager, go to Settings > CLI.

NOTE:

You will also see the following log message in Monitoring > Alert Viewer:

 

Upgrade failure: Telnet server is not supported anymore. You must first disable telnet before upgrade. The system will continue to run as Current Sentry Version.

Support for SMB

MobileIron dropped support for SMB 1.0 CIFS servers and added support for SMB 2.0 and 2.1. If you were accessing an SMB 1.0 CIFS server through Standalone Sentry, upgrading to Standalone Sentry 9.4.1 through the latest version as supported by MobileIron results in users not being able to authenticate and therefore access the CIFS server.

Workaround: MobileIron recommends updating the file server to SMB 2.0 or 2.1 before upgrading to Standalone Sentry 9.4.1 through the latest version as supported by MobileIron.

Supported upgrade versions for Standalone Sentry

If you are upgrading from a version not listed in Supported upgrades paths for Standalone Sentry, then you need to complete one or more previous upgrades first. See the release notes for the version to which you will upgrade.

IBM Lotus Notes Traveler

If you are using IBM Lotus Notes Traveler, SSLv3 protocol is disabled by default. This may impact device connectivity if you are using older versions of IBM Lotus Notes Traveler. Some older versions of Lotus Notes Traveler have not implemented TLS 1.0, resulting in the failure to negotiate a connection after the upgrade. IBM has released an interim fix to address this issue. For more information on how this upgrade may impact your environment see the Sentry 7.0 and Traveler Environments Knowledge Base article in the MobileIron support community at https://help.mobileiron.com.

Missing command outputs in archived showtech.txt file

AL-9823: The version-showtech-date.txt files in the upgrades directory in showtech.zip are different from the showtech.txt in the zip file. The version-showtech-date.txt files are created soon after the system reboots and before the installation of any packages starts. Since there is no system service running at that time, some of the commands, which require system service running, have the empty outputs. This is seen in the following upgrade paths: 8.0.1 > 8.5.0 and 8.0.1 > 9.0.0.

Upgrade steps for Standalone Sentry

For upgrade instructions, see the following sections in the MobileIron Sentry Guide for the release:

• For upgrade instructions using the Standalone Sentry System Manager UI, see “Standalone Sentry software updates.”
• For upgrade instructions using the Standalone Sentry command line interface (CLI), see “Upgrading using CLI.”
• For multiple Sentry upgrade instructions using the Standalone Sentry CLI, see "Upgrading multiple Standalone Sentry."