v11.00 — Build 12975 — January 10, 2014
- Support for iOS 7 MDM features including App management, data leakage prevention from Managed Apps, and the management of device features such as Touch ID.
- Support for Samsung KNOX including containerization of enterprise data, and increased device security and integrity monitoring.
- New App Configuration methods including native iOS 7 app configuration, URI-based configuration for both Android and iOS App Catalogs, and the ability to script Android intents.
- Support for managing Windows Phone 8 devices.
- Support for managing Amazon Kindle HDX devices.
- Improved Self Service Portal design including custom branding options.
- Support for scheduling administrative reports.
- Multi-file upload functionality in the Content Library.
Windows Phone 8 Features
Introduces support for the enrollment and management of Windows Phone 8 (WP8). Enrollment of devices can be initiated directly from the “Company Apps” section of a WP8 device and does not require an agent.
- During enrollment, the device is automatically assigned to a target Device Group by matching the enrolling user's LDAP group against the available Add Device Rules.
- The WP8 > Information Panel displays an inventory of device attributes such as Model and OS Version.
- Support for distribution of an in-house “Company Hub” application during enrollment is provided under All Devices > Servers > Global Settings. Development of a Company Hub requires registration with Microsoft and a Symantec Code Signing Certificate. Refer to https://dev.windowsphone.com, or contact SOTI Support for more details.
- The following policies can be configured under the Device Configuration section:
- Device Authentication Policy including complexity, history, and enforcement.
- Device Feature Restrictions for disabling access to the SD card and enforcing device encryption.
- Distribution of public-key certificates (certificate only, without a private key).
- Distribution of email configurations for POP, IMAP, and Exchange.
- Support for a Full Device Wipe or Device Lock is provided as a Right-Click (on device) > Action option.
iOS Features
- Two new App Configuration methods are available for iOS under the Application Configuration button within an App Catalog rule.
The “Configuration Command” method uses the native managed app configuration introduced in iOS 7 and is applied automatically over the MDM channel, whereas the “Configuration URI” option supports a broader range of operating systems and is initiated by the end user from the App Catalog webclip.
- Added the following MDM payloads to the Device Configuration section.
- Single Sign On
- Web Content Filter, with an adult-content filter and URL whitelisting/blacklisting, applying to Safari and to third-party browsers obtained from the App Store
- VPN (Per App)
- AirPlay for the configuration of mirroring destinations and passwords
- AirPrint for the configuration of print resources
- Fonts for installing custom fonts
- Updated WiFi configuration to support Hotspot 2.0 configuration parameters
- Adds Global HTTP Proxy support (iOS 6)
- Single App Mode (iOS 6) including iOS 7 enhancements
- “Feature Control” policies under Device Configuration have been reorganized and renamed “Restrictions”.
- Add Device Rules now include the ability to customize the device’s client certificate obtained during enrollment, allowing the selection of an external Certificate Authority.
- The Right Click (on device) > Action > Device Lock action has been extended to optionally allow for the customization of the lock screen to include a phone number and a custom message useful when attempting to retrieve lost or stolen devices.
NOTE: With the appropriate cellular access the phone number can be dialed from the lock screen.
- Support Contact info under iOS > Right Click (on Device Group) > Advanced has been extended to customize MDM dialogs. For example, App Installation prompts will now show the “Company Name” instead of the server URL.
- Added the following configuration options to the Restrictions payload under the Device Configuration section:
- Disable Account Modifications
- Disable AirDrop
- Disable App Cellular Data Usage Modification
- Disable Siri User Generated Content
- Disable Find My Friends Modification
- Disable Touch ID (fingerprint scanner) for unlocking the device
- Disable Host Pairing
- Disable Control Center on Lock Screen
- Disable Notification View on Lock Screen
- Disable Today View on Lock Screen
- Disable Open From Managed to Unmanaged
- Disable Open From Unmanaged to Managed
- Disable OTA PKI Updates
- Permitted Apps for Autonomous Single App Mode
- Force Limited Ad Tracking
- Disable Bookstore (iOS 6)
- Disable Erotic Books (iOS 6)
- Disable Game Center (iOS 6)
- Disable Interactive Profile Installation (iOS 6)
- Disable App Removal (iOS 6)
- Allow Shared Photostream (iOS 6)
- Disable Siri Profanity Filter (iOS 6)
- Disable Siri While Device is Locked (iOS 6)
- Show Passbook notifications when locked (iOS 6)
- Added the following device attributes in the iOS > Information Panel, and as triggers for Alert Rules:
- Whether Find My iPhone is enabled
- Whether a device is Supervised
- Whether iTunes account is logged in
- Whether Do Not Disturb is enabled
- Whether Personal Hotspot is enabled
Android Features
Samsung KNOX
Samsung KNOX provides an OS-level container for separating work data, including email, contacts, and even applications. Additionally, KNOX provides enhanced device security, third-party attestation of the device's security status, and real-time monitoring of device integrity.
KNOX is enabled under the Android Device Configuration section and includes the following features when a separately licensed, per-user KNOX license is present:
- Container-level features:
- Enforce passcode policy, including complexity and container lock timeouts.
- Configure containerized POP, IMAP, and/or Exchange email with forwarding restrictions.
- Configure Apps for Single Sign On.
- Configure Browser Policy.
- Silent installation, inventory, and blacklisting of apps inside the KNOX container.
- Configure VPN for the KNOX container or on a per-app basis (requires installation of a service APK).
- Remotely Lock/Unlock container.
- Restriction to Disable Camera while in container.
- Restriction to Disable Share via List while in container.
- Restriction to Use Secure Keypad while in container.
- Restriction to Disable addition of new email accounts.
- KNOX Device-level features:
- Enforce CAC (Common Access Card) authentication for the lock screen, browser, and VPN.
- Use of “Attestation” to verify the authenticity of a hardware key fused into the device during manufacturing, in order to prove that the device is not, and has never been, rooted. Because rooting invalidates the key permanently, devices that fail attestation will be flagged in the Android+ > Information Panel and through Alert Rules.
- Integrity Service (requires installation of a service APK) performs an initial baseline scan of the device and its applications, then continuously monitors for changes that would indicate the device has been compromised.
- Configure Alert Rules to be notified of any integrity violation.
- Introduces ability to send intents via Right Click (on device) > Send > Script to trigger App behavior and/or configure the App.
- App Catalog now features the ability under the Application Configuration section to provide a configuration URI that allows an end user to initiate the configuration of an installed App.
- The MobiControl agent now includes Filter/Sort capabilities in the Content Library and App Catalog.
- Adds support for a custom value for Maximum Screen Timeout in the Authentication Policy.
- Adds Call Log as a Data Collection Rule option.
- Added a report for data usage on a per-application basis.
- Adds additional device script commands including:
- Power off device
- Wake device on schedule
- Enable/disable WiFi radio
- Enable/disable Cellular radio
- Lockdown mode can now launch a .cmd file for the purpose of executing pre-defined scripts.
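The three app-configuration channels named above (native iOS 7 managed app configuration pushed over the MDM channel, a Configuration URI the user opens from the App Catalog webclip, and an Android intent sent from a script) carry the same settings in different shapes. The following Python is an added example, not SOTI MobiControl code: it produces all three for one constructed configuration. The bundle identifier `com.example.mail`, the `acmemail` URI scheme, the intent action `com.example.mail.CONFIGURE` and the configuration keys are assumptions; the iOS command layout (a `Settings` request with an `ApplicationConfiguration` item, which the app reads from the `com.apple.configuration.managed` defaults key) and the `am` typed-extra flags are Apple's and Android's documented formats. Because the URI and intent channels are user-initiated and visible on the device (browser history, share sheets, logcat), the helper refuses to put password- or token-like keys into them.

```python
"""Deliver one managed-app configuration three ways.
Added example, not MobiControl's own code. Bundle ID, URI scheme,
intent action and configuration keys are constructed assumptions."""
import plistlib
import shlex
import uuid
from urllib.parse import urlencode, urlsplit, parse_qsl

# Keys that must not travel over a user-initiated, device-visible channel
# (custom-scheme URI or intent extras): both end up in browser history,
# share sheets or logcat.
SECRET_KEYS = {"password", "passwd", "secret", "token", "apikey", "api_key"}

# Constructed sample configuration for a hypothetical mail client.
SAMPLE_CONFIG = {
    "server_url": "https://mdm.example.com:443/api",
    "display_name": "Acme Mail",
    "use_sso": True,
    "sync_interval_min": 15,
}


def secret_keys(config):
    """Return the configuration keys that look like credentials."""
    return sorted(k for k in config if k.lower() in SECRET_KEYS)


def _reject_secrets(config):
    leaked = secret_keys(config)
    if leaked:
        raise ValueError("secrets not allowed on a user-visible channel: %s" % leaked)


def _scalar(value):
    """URIs and intent extras are strings; encode bools predictably."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def ios_managed_app_config(bundle_id, config, command_uuid=None):
    """iOS 7 MDM 'Settings' command carrying a managed app configuration.
    The server pushes this over the MDM channel with no user action; the
    app reads it from the NSUserDefaults key 'com.apple.configuration.managed'."""
    return {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ApplicationConfiguration",
                "Identifier": bundle_id,
                "Configuration": dict(config),
            }],
        },
    }


def to_plist(command):
    """Serialize the command as the XML plist the MDM channel carries."""
    return plistlib.dumps(command)


def config_uri(scheme, config):
    """Configuration URI the user opens from the App Catalog webclip.
    The app must register the custom scheme (assumed here)."""
    _reject_secrets(config)
    query = urlencode({k: _scalar(v) for k, v in config.items()})
    return "%s://configure?%s" % (scheme, query)


def parse_config_uri(uri):
    """What the receiving app sees: scheme, host part and decoded query."""
    parts = urlsplit(uri)
    return parts.scheme, parts.netloc, dict(parse_qsl(parts.query))


def android_intent_command(action, config, package=None):
    """Android 'am broadcast' command line sending the configuration as
    typed intent extras (--es string, --ez boolean, --ei int). Every
    argument is shell-quoted so a value cannot inject extra flags."""
    _reject_secrets(config)
    argv = ["am", "broadcast", "-a", action]
    if package:
        argv += ["-p", package]
    for key, value in config.items():
        if isinstance(value, bool):
            argv += ["--ez", key, _scalar(value)]
        elif isinstance(value, int):
            argv += ["--ei", key, str(value)]
        else:
            argv += ["--es", key, str(value)]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(to_plist(ios_managed_app_config("com.example.mail", SAMPLE_CONFIG)).decode())
    print(config_uri("acmemail", SAMPLE_CONFIG))
    print(android_intent_command("com.example.mail.CONFIGURE", SAMPLE_CONFIG,
                                 package="com.example.mail"))
```

Only the native iOS 7 path delivers the configuration silently and through an authenticated channel; the URI and intent paths depend on the user opening the link and on the app validating what it receives, so anything the app needs to treat as a credential should be obtained by the app itself (for example via Single Sign On) rather than embedded in either.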
The following features were added to the Device Configuration section of the Android+ tab and are specific to Samsung devices:
- WiFi Hotspot for configuring a device’s hotspot remotely
- Device Restrictions
- Block OS Upgrade
- Disable Voice Dialer/S-Voice
- Disable Multi-Window
- Disable USB On-the-Go
- Disable addition of new email accounts
- Disable Incoming SMS Messaging
- Disable Outgoing SMS Messaging
- Disable Incoming MMS Messaging
- Disable Outgoing MMS Messaging
- Prevent Uninstallation of Managed Apps
- Disable Portable WiFi Hotspot Changes
Support for the following device restrictions has been added for LG Android devices:
- Disable Voice Dialer
- Disable GPS Mock Locations
- Disable Microphone
- Disable NFC
- Disable USB Debugging
- Enforce GPS
- Disable Bluetooth Tethering
- Disable WiFi Tethering/Portable WiFi Hotspot
- Enforce Minimum WiFi Security Level
- Prevent Uninstallation of Managed Apps
- Disable Outgoing SMS Messaging
Support for the following features has been added for Motorola Android devices:
- SD card encryption
- Distribution of private-keyed certificates (certificate together with its private key)
- Configuring system settings via MX XML
Extended Features – Server
- Add Device Rules now include a Cache Password option to improve the user experience during enrollment.
When enabled, the password used for enrollment authentication is reused for initial device configurations such as Email, WiFi, and VPN, and is then discarded.
- Added support in the Add Device Rules for restricting enrollment to one or more approved LDAP groups.
- Added support for customizing the device naming convention used during enrollment through an Add Device Rule.
- Added manual configuration support for authenticating to the Web Console using Windows NTLM or Kerberos authentication.
- Added manual configuration support for authenticating iOS device communication through a reverse proxy which forwards NTLM or Kerberos credentials.
- Added support for retrieving Custom Data from XML files in Data Collection Rules.
- Introduced Cloud Link as replacement to “Connection Proxy” to extend corporate resources such as LDAP and Certificate services to MobiControl Cloud. Cloud Link can be configured under All Devices > Servers.
- MC Admin now provides support for customizing the SSL certificates used by the Deployment Server allowing for the use of trusted and/or enterprise certificate authorities.
- Enhanced security during initial untrusted SSL communication between the device agent and the MobiControl server.
NOTE: When the server presents a certificate the device does not trust and the SOTI Enrollment Service is not used, the end user is prompted to accept or reject the certificate during initial enrollment. Because this places the trust decision with the end user, deploy a Deployment Server certificate issued by a CA the devices already trust (see the MC Admin SSL certificate option above) so that enrollment does not depend on a user accepting an unknown certificate.
- Enhanced audit trail of user performed and server-initiated actions in the Events Panel of the Web Console.
- Certificate Services now includes support for requesting certificates from a SCEP server on behalf of a device.
- Certificate Services now provides the option of specifying Subject Alternative Names in certificate requests.
- Certificate Services for ADCS over HTTPS now supports Kerberos authentication.
- Certificate Services added support for publishing issued certificates to the LDAP directory for the authenticated user.
- Provided more granular log and alert truncation options, configured under All Devices > Servers > Global Settings.
- File Sync Rules now support providing network credentials in UNC paths.
- Added LAN Connection as a network requirement for Package Deployment Rules.
- During package installation, the destination directory will now be created during deployment if it doesn’t exist.
- Relocation Rules now support Device Group targets, and no longer apply globally.
- Alert Rules have been expanded with additional triggers, including:
- SIM Card Change
- SIM Card Inserted
- SIM Card Removed
- ELM Activation Errors
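The device attributes added to the iOS Information Panel (Supervised, Find My iPhone and so on), the KNOX attestation and integrity flags, and the SIM triggers above are all inputs to Alert Rules. The following Python is an added example, not MobiControl's rule engine: it evaluates those triggers over two constructed inventory snapshots and separates state rules (fire on the current value alone) from transition rules (need the previous snapshot, so a newly enrolled device cannot raise a SIM-change alert on its first check-in). The attribute names, device IDs and ICCIDs are assumptions made for the example.

```python
"""Evaluate MDM alert-rule triggers over two device-inventory snapshots.
Added example, not MobiControl's rule engine. Attribute names mirror the
Information Panel fields and Alert Rule triggers in the release notes
but are constructed for this example."""

# Constructed inventory: the previous check-in and the current one.
PREV_INVENTORY = {
    "ipad-001": {"platform": "ios", "supervised": True, "find_my_iphone": True,
                 "sim_present": True, "iccid": "8901000000000000001"},
    "ipad-002": {"platform": "ios", "supervised": True, "find_my_iphone": False,
                 "sim_present": False, "iccid": None},
    "gs4-003": {"platform": "android_knox", "knox_attestation": "valid",
                "integrity_violation": False,
                "sim_present": True, "iccid": "8901000000000000003"},
}
CUR_INVENTORY = {
    # SIM swapped for a different one
    "ipad-001": {"platform": "ios", "supervised": True, "find_my_iphone": True,
                 "sim_present": True, "iccid": "8901000000000000009"},
    # SIM inserted and supervision lost
    "ipad-002": {"platform": "ios", "supervised": False, "find_my_iphone": False,
                 "sim_present": True, "iccid": "8901000000000000002"},
    # SIM removed, KNOX attestation failed, integrity monitor tripped
    "gs4-003": {"platform": "android_knox", "knox_attestation": "invalid",
                "integrity_violation": True,
                "sim_present": False, "iccid": None},
    # newly enrolled: no previous snapshot, so transition rules cannot fire
    "ipad-004": {"platform": "ios", "supervised": False, "find_my_iphone": False,
                 "sim_present": True, "iccid": "8901000000000000004"},
}


def _transition(prev, cur, key, before, after):
    """True when an attribute moved from `before` to `after` between snapshots."""
    return prev is not None and prev.get(key) == before and cur.get(key) == after


def _sim_changed(prev, cur):
    """ICCID present in both snapshots but different: the SIM was swapped.
    Insert/remove are separate triggers, so a None on either side is not a change."""
    if prev is None or prev.get("iccid") is None or cur.get("iccid") is None:
        return False
    return prev["iccid"] != cur["iccid"]


# (trigger name, platforms it applies to or None for all, predicate(prev, cur))
RULES = [
    ("sim_change", None, _sim_changed),
    ("sim_inserted", None, lambda p, c: _transition(p, c, "sim_present", False, True)),
    ("sim_removed", None, lambda p, c: _transition(p, c, "sim_present", True, False)),
    ("supervision_lost", {"ios"}, lambda p, c: _transition(p, c, "supervised", True, False)),
    ("find_my_iphone_disabled", {"ios"}, lambda p, c: c.get("find_my_iphone") is False),
    ("knox_attestation_failed", {"android_knox"}, lambda p, c: c.get("knox_attestation") == "invalid"),
    ("integrity_violation", {"android_knox"}, lambda p, c: c.get("integrity_violation") is True),
]


def evaluate(previous, current):
    """Map each device in the current snapshot to the sorted list of triggers that fired."""
    alerts = {}
    for device_id, cur in current.items():
        prev = previous.get(device_id)
        fired = [name for name, platforms, pred in RULES
                 if (platforms is None or cur.get("platform") in platforms) and pred(prev, cur)]
        alerts[device_id] = sorted(fired)
    return alerts


def devices_to_quarantine(alerts):
    """Devices whose triggers indicate compromise rather than policy drift."""
    hard = {"knox_attestation_failed", "integrity_violation"}
    return sorted(d for d, names in alerts.items() if hard & set(names))


if __name__ == "__main__":
    result = evaluate(PREV_INVENTORY, CUR_INVENTORY)
    for device_id, names in result.items():
        print(device_id, names)
    print("quarantine:", devices_to_quarantine(result))
```

The split in `devices_to_quarantine` reflects the note above that a KNOX hardware key invalidated by rooting does not recover: an attestation failure or integrity violation should route to a quarantine or wipe action rather than be treated as drift that clears at the next check-in, whereas a SIM change or a disabled Find My iPhone is a policy-drift signal that an administrator can follow up on.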
Extended Features – Web Console
- During device deletion the administrator can now choose to revoke issued device certificates.
This functionality requires integration with an enterprise CA using DCOM.
- Improved the license information screen to show breakdown of license use by OS.
- Logged on administrators and their IPs are now shown under All Devices > Servers.
- Event Log Panel now includes a filter to view User or Device – generated events individually.
- Console Security now includes a feature for controlling the administrative view of installed applications.
- Console Security now allows for multiple LDAP servers to be used for authentication to the Web Console.
- Deployment Server (DS) and Deployment Server Extensions (DSE) logs are now available for viewing from the ? menu.
- Customizations to the device grid columns are now persistent across browsers based on authenticated user.
- Web Console will now warn of APNs certificate expiry 30 days in advance upon logging into the Web Console.
- Sending an SMS message will save the telephone number entered for subsequent use.
- Public Web API has been extended to support sending scripts, including a message.
Windows Mobile/CE Features
- Added support for Cold boot (Windows CE) and Clean boot (Windows Mobile) on Motorola devices.
- Added support for persistent storage of packages on Motorola devices.
ELM Agent for Samsung Android
After upgrade, Samsung Android devices with MDMv4 capabilities will receive a new type of Device Agent during enrollment, referred to as the “ELM Agent”. Without compromising management functionality, Samsung’s Enterprise License Manager (ELM) allows SOTI to deliver timelier updates of the device agent in order to serve customers better. Consider the following before upgrading MobiControl:
- The ELM Agent requires Internet connectivity during enrollment, and periodically thereafter, to validate MDM licensing against Samsung servers.
- End Users will be required to accept a privacy dialog during enrollment to acknowledge that non-identifying device information will be used to perform MDM license validation.
- Migration to the ELM agent for devices with MDMv4 capabilities is advised for all devices currently enrolled in the system. A Right-Click (on device) > Agent Update > Migrate to ELM Agent option has been added to the Web Console to initiate the migration process. Migration may temporarily roll back policies and will require end user action as described above.
- The Web Console will show the agent type installed on each device under the Android+ > Information Panel. “ELM” represents the new agent while “Signed” is used to represent the older agent.
- The “Signed” agent is still available for download and manual installation under Android+ > Rules > Add Devices > Right Click (on rule) > Download Device Agent but is deprecated for Samsung devices with MDMv4 and higher, and may not be included in future releases.
Virtual Group Behavior Modification
Virtual Groups created in v11 will only include devices that reside in the parent Device Group(s) in which the Virtual Group itself resides. That is, if you nest a Virtual Group in a Device Group, the scope of the Virtual Group is limited to that parent Device Group. Existing Virtual Groups keep the old behaviour until they are deleted.