New Features

The following table describes major features that are introduced in the corresponding release:



Release 9.1R16.1 Features

No new features applicable to this release.

Release 9.1R16 Features

Microsoft 365 support through re-writer

Ivanti Connect Secure supports Microsoft Office 365 through re-writer.

PSAL browser extension

An option for administrator to enable browser extension for the end-users. For installation instructions refer to Pulse Secure Application Launcher Deployment Guide under Ivanti Secure Access Client Documents.

Ivanti Neurons for MDM (formerly MobileIron Cloud)

Ivanti Connect Secure now supports Ivanti Neurons for MDM (formerly MobileIron Cloud).

Release 9.1R15 Features

End user bookmark creation

This feature allows the users to create SSH/Telnet/VNC HTML5 bookmarks to initiate which SSH/Telnet/VNC connections.

This feature also allows admins to select the bookmark types that users can create.

Admin controlled session recording

This feature allows admins to control and store the session recordings, for end user and admin created bookmarks, to internal or external storage on Advanced HTML5 sessions.

Intune integration enhancement

This feature allows to check compliance of an end user and retrieval of Device attributes using the Device ID.

Support Intune Government cloud is available in Preview only mode for this release.

DHCP options enhancement

This feature allows ICS to act as a relay agent and communicate to the DHCP server the subnet/link to allocate an IP address.

This feature allows Admins to configure any sub-option (1-255) for DHCP option including DHCP option 82, sub-option 5.

OAuth/OpenId Connect Enhancements

This feature enhancement includes:

using an URL to fetch OAuth metadata

force authentication

traffic segregation for OAuth server

Accessibility Conformance report

Accessibility conformance report helps to check the level of accessibility compliance of the product.

Release 9.1R14 Features

oAuth/openID support for authentication

Ivanti Connect Secure supports OAuth as an Auth Server which can be added and configured for End User authentication.

OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without sharing the initial, related, single logon credential. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.

This feature allows users to authenticate with any standard OpenID Provider like Google, OKTA, Azure AD, to connect to Ivanti Connect Secure.

REST API enhancements

The new REST API methods allows the admin to configure and manage the Ivanti Connect Secure seamlessly. Supports new REST API functions for Upgrade, Reboot, Rollback, Read-Only Admin, Console password protection, Monitor NTP status, Map interfaces to certificates, Toggle Fault Tolerance and Telemetry Settings.

SAML enhancements

A new option introduced in SAML Auth Server config, where admin can override default FQDN and provide custom FQDN to talk to SAML providers and end user authentications.

Advanced HTML5 enhancements

For RDP bookmarks, fetch domain feature supports automatic detection of domain for AD servers. This feature supports AD servers only.

License count is changed from session basis to user login basis.

Admin Authentication fallback URL

Introduced an option to provide a fallback URL in case the Auth server is not reachable while admin tries to login.

Geo-Location to the realm restrictions

This feature provides an option to restrict or allow logins based on location.

Note: Ensure UEBA package is uploaded on the ICS for this feature to work.

Kerberos e-type extension

This feature allows Kerberos to use AES128 as the highest encryption type.

Audio Support on Citrix desktops

Audio support for Citrix desktops that are hosted on a Citrix server using an admin created VDI bookmark.

Release 9.1R13.1 Features

ISA virtual platforms as license clients

ISA virtual platforms can be configured as license clients from 9.1R13.1. For more information, refer to the License Management Guide.

Release 9.1R13 Features

AWS marketplace publishing

AWS marketplace publishing with GP3 AMI image to reduce the Ivanti Connect Secure upgrade time on AWS.

Release 9.1R12.1 Features

No new features applicable to this release.

Release 9.1R12 Features

Integrity Checker

The integrity tool allows an administrator to verify the Ivanti Connect Secure package installed on Virtual or Hardware Appliances This tool checks the integrity of the complete file system and finds any additional/modified files in the system.

Intune integration enhancements

This feature enhancement allows Windows users to fetch attributes from Intune by using MAC address option.

Advanced HTML5 Enhancements

The feature enhancement allows users to create admin/end-user Advanced HTML5 bookmarks.

SeamlessMigration of Ivanti Connect Secure instance in AWS.

This feature allows to modify internal port and external port of Ivanti Connect Secure deployed in AWS.

Choice of interface for each configured syslog server

This feature enhancement allows to add Source interface selection for each syslog servers configured in the Ivanti Connect Secure. It enables the admin to select a source interface with which address packets are sent to the syslog server.

REST API Enhancements for Named Users

This feature enables the admin to access the named users and its information and delete them on both Ivanti Connect Secure and License Server in Named User Repository mode using REST APIs.

Release 9.1R11.5 Features

No new features applicable for this release.

Release 9.1R11.4 Features

No new features applicable for this release.

Release 9.1R11.3 Features

No new features applicable for this release.

Release 9.1R11 Features

Advanced HTML5 solution

(General Availability version)

Ivanti Connect Secure supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

From 9.1.R11, Advanced HTML5 access is available as General Availability version.

Release 9.1R10 Features

No new features applicable for this release. Refer to Noteworthy Information in 9.1R10 Release for more details.

Release 9.1R9.1 Features

No new features applicable for this release.

Release 9.1R9 Features

SNMP v3 multiple user support

Ivanti Connect Secure supports two users to be registered with an SNMP engine with different authentication and privilege settings.

ESP Tunnel for Mixed Mode

Ivanti Connect Secure provides option to use ESP tunnel for 6in4 and 4in6 traffic.

Advanced HTML5 solution

(Trial version)

Ivanti Connect Secure supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

Remote microphone support in WTS

Supports microphones connected to the client computer during the remote session.

Release 9.1R8.2 Features

No new features added in this release.

Release 9.1R8.1 Features

No new features added in this release.

Release 9.1R8 Features

UEBA package for fresh installation of Ivanti Connect Secure/Ivanti Policy Secure

In case you have a fresh installation of Ivanti Connect Secure/Ivanti Policy Secure, you may download latest UEBA package from Support Site ( and add the package at Behavior Analysis page before using Adaptive Authentication or Geolocation based Conditional Access.

Show users by access type

Apart from showing the number of concurrent user sessions, Ivanti Connect Secure Dashboard now shows the L4 access type (PSAM) and Clientless access type (Browser) logins as non-tunnel users.

Ivanti Connect Secure Protection from Overload

This feature disallows user login, user login via Pulse Desktop, HTML5 connection or connection to a web resource when the CPU load is above a certain threshold. By default, this option is disabled for Ivanti Connect Secure upgrades and enabled for new installation.

Reset/Unlock TOTP user through REST API

This release provides REST API to Reset/Unlock a user under a TOTP server.

New license SKUs for Ivanti Connect Secure/Ivanti Policy Secure

In this release, added around 120 new license SKUs for Ivanti Connect Secure/Ivanti Policy Secure.

Support for pool of NTP servers and NTP status check

Ivanti Connect Secure now supports pool of NTP servers up to 4 NTP servers to sync date and time.

Release 9.1R7 Features

Automatic enable/disable ICE license

This release provides automatic management of ICE license. Ivanti Connect Secure enables ICE license when the logged in users count crosses the maximum licensed users count and disables ICE license when the logged in users count drops below the maximum licensed users count.

As an example, If you installed 100 licensed user counts, when the 101th user logs in, ICE license gets automatically enabled.

Show current HTML5 RDP sessions in Dashboard

This release provides HTML5 sessions information in the dashboard and the trend graph that helps admin to view the CPU usage and take necessary action to provide better remote access experience for the users.

Support for srcset attribute in HTML

Ivanti Connect Secure provides support for the responsive images (in web applications) via rewriter by rewriting the srcset attribute value. The corresponding images would be fetched on client application based on screen size, resolutions and other features.

Enable/Disable FQDN ACL

FQDN ACL feature was enabled by default earlier even though there are no policies configured. A new admin configurable option to enable or disable FQDN ACL feature is added in 9.1R7 at System > Configuration > VPN tunneling.

Release 9.1R6 Features

Hyperlink to Host Checker Policies

In the User Realms > Authentication Policy > Host Checker page, the policy names now have hyperlinks. Click the link to view the policy configuration.

Hardware ID in the System Maintenance page

The System > Maintenance > Platform page displays Hardware ID along with the other platform details.

Serial number in the Licensing screen

The System > Configuration > Licensing page, displays Hardware Id and Serial number.

Enable/Disable option for ICE license

This release provides REST API to do the following on a Standalone/Cluster:

enable/disable ICE license

get the current status of ICE license.

Release 9.1R5 Features

Terraform template support for AWS and Azure

Ivanti Connect Secure can be deployed using Terraform templates on supported hypervisors and cloud platforms.

Location based Conditional Access

Conditional Access feature for Cloud Secure now provides a mechanism to enforce access control policies based on location parameters by defining policies for applications.

Password management for Open LDAP

LDAP based password management works with generic LDAP servers such as OpenLDAP.

Microsoft Intune MDM integration

In this release, device access management framework supports integration with Microsoft Intune.

HTML5 Sessions report

Active number of HTML5 sessions on Ivanti Connect Secure can be obtained using a REST API call to api/v1/stats/active-html5-sessions.

MSSP Reporting enhancements

It is now possible to extract any particular license client/cluster report through REST API. Enhancements include:

Cluster-wise view in the license report.

License report in JSON format through REST.

Options to get cluster/client/period sub-section of the granular report through REST.

SSLDump for VLAN

In this release, SSLDump utility supports VLAN. Admins can use this tool for debugging / data collection purpose.

Edit default gateway configuration

In Ivanti Connect Secure hosted on a cloud environment, it is now possible to edit default gateway configuration from UI.

Host Checker feature enhancement

Host Checker policy to detect and allow hard disk in which encryption is in progress.

License server with Active-Active cluster

Administrators can:

create license server with Active Active cluster on virtual/cloud and hardware platforms.

lease all different type of licenses to license clients from any node of active-active cluster.

surrender/recall licenses from any node of active-active cluster.

Release 9.1R4.3 Features

No new features added for this release

Release 9.1R4.2 Features

No new features added for this release

Release 9.1R4.1 Features

No new features added for this release

Release 9.1R4 Features

Ivanti Connect Secure VA on Alibaba Cloud

Ivanti Connect Secure now supports VA deployment on Alibaba Cloud.

Conditional Access

Conditional Access feature for Cloud Secure provides a mechanism to enforce access control policies based on user and device parameters by defining policies for applications. Conditional Access policies are evaluated during application access time while roles are mapped to the session during the session creation time.

REST API enhancements

Enhancements include:

Update to “Getting Active Sessions”

Update to “Getting System Information”

Added “Fetching the User Login Statistics”

Added “Health Check Status”

Added “VIP Failover”

Added “Applying License”

Added “Deleting License”

Added “Getting License Clients”

Added ”Getting License Report from License Server”

Added Profiler REST APIs

vTM and Ivanti Connect Secure Integration for Load Balancing

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

Support for Windows Redstone 6

In 9.1R4 release, Windows Redstone 6 - version 1909 is qualified.

Support for SharePoint 2019

In 9.1R4 release, SharePoint 2019 is qualified.

Support for VMware VDI 7.9, and 7.10

In 9.1R4 release, VMware VDI versions 7.9 and 7.10 are qualified.

Support for Citrix Virtual Apps and Desktops 7 1909

In 9.1R4 release, Citrix Virtual Apps and Desktops 7 1909 is qualified.

Protect passwords stored in local auth server using stronger hash

When a new local authentication server is created, now admin has a choice to store the password with strong hashing using pbkdf2.

Support license reporting per license client

Licensing report is enhanced with usage statistics for each Ivanti Connect Secure instance - maximum user count per month per Ivanti Connect Secure/per MSSP.

MSSPs can now:

generate accurate usage reports of their customers.

make the structured report in XML format to enable for parsing and usage for dashboard.

Release 9.1R3 Features

Consolidated system and troubleshooting logs

The various system logs and troubleshooting logs that help in investigating user access issues and system issues can be configured and accessed using the Log Selection page.

Connect to nearest available DC

The LDAP authentication configuration is enhanced in 9.1R3 to locate the nearest Microsoft domain controllers, which are spread across the globe, by resolving DNS SRV records.

Zero touch provisioning

From 9.1R3 release, Ivanti Connect Secure can detect and assign DHCP networking settings automatically at the Ivanti Connect Secure VM boot up. In the script included in the PSA-V package, the Ivanti Connect Secure parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server.

This feature is not supported on PSA hardware.

Ivanti Connect Secure hosted in OpenStack cloud

OpenStack is an open source cloud computing platform that allows deploying and managing a cloud infrastructure as an IaaS service. As part of this release, Ivanti Connect Secure supports deploying Ivanti Connect Secure KVM in OpenStack cloud.

VMware tools support

From 9.1R3 release, VMware support is qualified for VMware 10.3.10, ESXi 6.7 Update 2c.

Debug Log storage expansion

From 9.1R3 release, the maximum debug log size is increased to 1024 MB on hardware platforms.

Periodic iostat data collection

From 9.1R3 release, the “iostat” information is gathered periodically and made available as part of node monitoring in system snapshot.

Control copy/paste option for a user from an HTML5 session

9.1R3 release provides option to the administrators as well as end-user to enable/disable copy/paste from HTML5 RDP sessions. This option will be available under User Roles as well as Admin Created Bookmarks”.

Enhancements to Local Authentication Server default password

From 9.1R3 release, for a fresh installation, the valid password range defined is 0-999. Minimum length 10 and maximum length 128 are set as default values.

Restricting access to default resource policies

From 9.1R3 release, for a fresh installation, the following predefined resource policies are set to “Deny” state by default.

Web Access Resource Policy “Initial Policy for Local Resources”

Windows File Access Resource Policy “Initial File Browsing Policy”

The predefined policy for VPN Tunneling is not provided.

IKEv2 Fragmentation

IKEv2 packets can be larger than the MTU especially the IKE_AUTH packets which include the certificate chain. These larger IKE packets get fragmented in the intermediate devices. This feature implements fragmentation at IKE level and avoids IP fragmentation.

MSS value for TCP connections on Tun devices

Due to larger IPv6 header as compared to IPv4, if the MSS of the Ivanti Connect Secure external interface is not set appropriately, the packets would be dropped on the external interface. This feature enables to set MSS to a lower value so that TCP connections are not dropped for 6-in-4 cases or when there is NAT translation somewhere in the network before reaching Ivanti Connect Secure.

Release 9.1R2 Features

SP-Initiated SAML SSO

Ivanti Connect Secure supports SP-initiated SAML SSO when Ivanti Connect Secure is configured as IdP in gateway mode. Ivanti Connect Secure uses the existing user session in generating SAML assertion for the user for SSO.

IDP initiated SAML Single Logout

This feature provides a single logout functionality wherein if a user gets logged out of a session from one application, Ivanti Connect Secure (configured as IdP) notifies all other connected applications of that user with Single Logout.

Flag Duplicate Machine ID in access logs

Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.

Microsoft RDWeb HTML5 Access

The newly introduced Microsoft RDWeb resource profile controls access to the published desktops and applications based on HTML5. The Microsoft RDWeb templates significantly reduce the configuration time by consolidating configuration settings into one place and by pre-populating a variety of resource policy settings.

In the 9.1R2 release, Microsoft RDWeb HTML5 access does not support Single Sign On. SSO will be made available in the future release.

Backup configs and archived logs on AWS S3/Azure Storage

Two new methods of archiving the configurations and archived logs are available now apart from SCP and FTP methods:

Ivanti Connect Secure now supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

V3 to V4 OPSWAT SDK migration

Ivanti Connect Secure supports the migration of servers and clients to OPSWAT v4 to take advantage of latest updates.

Report Max Used Licenses to HLS|VLS

From 9.1R2 release, the licensing client (Ivanti Connect Secure) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

VA Partition Expansion

Ivanti Connect Secure/Ivanti Policy Secure supports upgrading from 8.2Rx to 9.1R2 for the following supported platforms:

VMware ESXi

OpenStack KVM


When upgrading a VA-SPE running 8.2R5.1 or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMware, OpenStack KVM and Hyper-V. Refer KB41049 for more details.

Release 9.1R1 Features

Software Defined Perimeter

SDP uses ICS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of the Pulse Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user’s authorized resources and enables requested encryption.

DNS traffic on any physical interface

Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port.

Authentication failure management

Account Lockout option is provided to manage user authentication failures for admin users of local authentication server. The admin user account will be locked after specified number of consecutive wrong password attempts. The account will be unlocked after the specified lockout period or by using the Unlock option.

Support for “client-name” parameter in HTML5 Access

User can pass "client-name" in HTML5 rdp using launcher method. The %clientname% variable is matched with a workstation ID and normally that variable is unique and dedicated remote desktop computer name.

Deploying PSA-V in OpenStack KVM

User can deploy PSA-V in OpenStack KVM using a template.

User access to internet resources on an Azure-based or AWS-based Ivanti Connect Secure

AWS VPC GW and Azure VNet GW drop packets if the source IP is the endpoint tunnel IP. This feature NATs endpoint tunnel IP to Internal interface IP. The NAT allows user to access internet resources when connected to a VPN tunnel on an Azure or AWS-based Ivanti Connect Secure.

REST API enhancements

Enhancements include:

Getting Config without Pulse packages such as ESAP package and Pulse Client package

Backing up and restoring binary configuration