2021 Release Notes

Cloud Release Summaries

10.83 Release Summary

iOS

Advanced iOS 15 restrictions >>

MaaS360 adds advanced policy settings for iOS 15 devices:

  • Force On Device only Translation: When this setting is turned on, the Translate app does not send any content to the Siri servers for the purposes of translation. The default value is False. Supported on iOS 15 and later.
  • Allow iCloud Private Relay: When this setting is turned off, the Private Relay option under iCloud+ is unavailable. Note: Supported only on iOS 15+ Supervised devices.
  • Allow Pasteboard content between managed and unmanaged apps: When this setting is turned off, copy and paste between managed and unmanaged apps through the pasteboard is restricted. When this setting is turned on, copy and paste respects the Allow Open from Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed Apps settings.

    Example scenario:

    Allow Open from Managed to Unmanaged Apps = False
    Allow Open from Unmanaged to Managed Apps = True
    Allow Pasteboard content between managed and unmanaged apps = True
    Managed documents cannot be opened with unmanaged apps.
    Unmanaged documents can be opened with managed apps.

    The data that is copied from managed apps cannot be pasted in unmanaged apps.

    The data that is copied from unmanaged apps can be pasted in managed apps.

iOS 15 same-day support >>

MaaS360 announces same-day support for iOS 15. With this support, new iOS 15 devices enroll with MaaS360, and existing devices upgrading to iOS 15 continue to work seamlessly without any disruption.

macOS

Advanced macOS 12 policies >>

MaaS360 adds two new policy settings for macOS 12 devices:

  • Allow erase all content and settings: The Erase All Content and Settings option in Settings > General > Reset is used to erase all settings, media, and data on macOS devices. When this setting is turned off, the Erase All Content And Settings option in the Reset UI is unavailable. Supported on macOS 12 and later. The default value is True.
  • Allow non-admin user to approve kernel extensions: In the previous releases, only admin users could approve kernel extensions that are not explicitly allowed by configuration profiles. When this setting is turned on, non-admin users can approve additional kernel extensions in the Security & Privacy preferences. Supported on macOS 11 and later. The default value is False.

Certificate pinning support for macOS >>

MaaS360 now extends cert pinning support to macOS devices. With this support, the MaaS360 app validates the server certificate as a part of communication to MaaS360 servers, including enrollment. If an insecure network connection or proxy is detected on the device, MaaS360 displays the Untrusted connection error message and then terminates the enrollment or stops apps such as the macOS agent, App Catalog, or App Packager from functioning.

Note: Customers must reach out to the MaaS360 Support team for enabling the new cert pinning feature. Requires macOS agent app version 2.43.100, App Catalog version 1.54.000, and App Packager version 1.44.000.

macOS 12 Monterey same-day support >>

MaaS360 announces same-day support for macOS 12 Monterey. With this support, new macOS 12 devices enroll with MaaS360, and existing devices upgrading to macOS 12 continue to work seamlessly without any disruption.

Android

ZT-iFrame for Google Devices >>

MaaS360 embeds the zero-touch iframe in the MaaS360 portal. The zero-touch iframe allows administrators to configure zero-touch enabled devices with a device policy controller (DPC) directly from within the MaaS360 portal. In the previous releases, administrators had to download the DPC configuration (JSON file) and then manually apply the configuration through the zero-touch portal. With iframe, administrators can link their zero-touch accounts with MaaS360 Portal. As part of this process, administrators create a default zero-touch configuration profile that is automatically applied to devices without a configuration. Note: Administrators can continue to use the zero-touch portal to upload and modify configuration profiles.

Fixed background location access notifications issue >>

During the Android Enterprise (DO and PO) enrollment, the MaaS360 for Android app granted itself Location permission in the background without allowing users to modify the permission from the device Settings. Effective OS version 11, Android started displaying periodic notifications to remind the users that the MaaS360 app has access to their location. To avoid the background location access reminders, MaaS360 now allows administrators to configure runtime permissions in a way that the Location permissions are controlled by the end-users. MaaS360 adds a new policy setting to mark devices as non-compliant if the MaaS360 app does not have location permission.

Enhancements to Android Enterprise runtime permissions >>

MaaS360 now allows administrators to control how Location, Storage, and Phone permissions are granted to the apps. In the previous releases, those permissions were auto-granted during the enrollment. MaaS360 removes the unsupported permissions, adds support to grant all permissions at once, and more.

Deprecation of Samsung Knox License (SKL) policy >>

Samsung makes premium Knox Platform for Enterprise (KPE) licenses available to all customers at no cost. See the announcement here: https://www.samsungknox.com/en/blog/knox-platform-for-enterprise-free-for-customers. In previous releases, customers had to purchase the premium Knox Platform for Enterprise (KPE) licenses and activate those licenses through security policies in the MaaS360 portal. Effective 10.83, MaaS360 removes the policy setting Samsung Knox License (SKL) from the MDM policies. Path: Android MDM policies > OEM Settings > Samsung License Management > Samsung Knox License (SKL)

Note: This change will be implemented as a part of DD after the 10.83 release. Customers who have already activated KPE Premium licenses through the MaaS360 Security policies must upgrade to the MaaS360 for Android app version 7.55 or later to avoid unexpected issues that might lead to re-enrollment of devices or license expiration error messages.

Trusteer Threat Management enhancements >>

MaaS360 includes new trigger events for the quicker detection of risk items on devices such as Root status change, Insecure Wifi detection, Malware detection, and so on. Effective 10.83, MaaS360 uploads the scan results to the MaaS360 portal in near real-time. In the previous releases, it took about 20 minutes for MaaS360 to upload the latest scan data to the MaaS360 portal. In addition to that, MaaS360 adds support for automatic uninstallation of the apps on Device Owner devices if the malware is detected.

Improvements to zero-touch JSON file size and download speed  >>

MaaS360 improves the zero-touch JSON file download speed and removes the file size restriction of 2 KB.

Validation for Factory Reset Protection (FRP) policy setting >>

The Factory reset protection (FRP) policy setting determines which users can unlock a device that is reset to factory settings. When the administrators enable FRP, they must provide at least one Google User ID in the policy setting: Authorized accounts to override. If this prerequisite is not met, a validation message is displayed when publishing the policy. To know more about FRP in MaaS360, see Factory reset protection. Note: The existing policies that have the FRP policy enabled and the setting: Authorized accounts to override left blank will display an error message when those policies are published.

Disable Factory Reset Protection (FRP) when issuing device wipe action >>

Factory Reset Protection (FRP) is automatically activated on Device Owner (DO) and Work Profile on Corporate Owned (WPCO) devices after the device wipe. Effective 10.83, when issuing the wipe action, administrators can select Remove Factory Reset Protection to disable activation of FRP on DO and WPCO devices. When this option is selected, users can unlock the device without the Google Account verification and start using the device after the device wipe. Note: The Remove Factory Reset Protection option is displayed on the Wipe action workflow regardless of whether the FRP policy is enabled or not. In the previous releases, this option was displayed only when the FRP policy was enabled.

Android 12 Zero-day support >>

When MaaS360 runs on Android 12, there will be behavior changes that impact some of the features in the MaaS360 app. MaaS360 first-party apps and SDK apps will continue to work on Android 12.

Removed Samsung Keyboard options from App Compliance policies >>

MaaS360 removes the Samsung keyboard settings from security policies to prevent administrators from disabling the native Samsung keyboard on the devices. Samsung includes the native keyboard on the devices by default. Administrators did not have to enable them through policies. But when the keyboard settings were disabled through policies, the native keyboard was completely blocked on the devices. Effective 10.83, the following policy settings are unavailable in the MaaS360 portal:

  • MDM policies > Android Enterprise Settings > App Compliance > Samsung Keyboard (OneUI 2.0) and Samsung Keyboard (OneUI 2.1)

New custom command to remotely clear app data >>

In the previous releases, MaaS360 added custom command support, allowing administrators to execute remote actions on the managed Android devices. In this release, MaaS360 adds a new command to allow administrators to remotely clear the app data. Syntax: clear-app-data <comma-separated app IDs>. Example: clear-app-data com.ibm.security.verifyapp, com.ibm.gts.banorte.epass. Note: Requires MaaS360 for Android app version 7.60 or later. Supported only on Android Enterprise devices running OS version 9 or later. The action fails if the target apps are not installed on the device.
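A pre-flight check for the command described above, as an added example that is not MaaS360 code: it parses `clear-app-data <comma-separated app IDs>`, validates each ID against Android's application ID rules, and refuses IDs on a deny list. The `protected` deny list and the `com.example.mdmagent` ID are hypothetical, and the canonical output form follows the spacing of the page's own example.

```python
import re

COMMAND = "clear-app-data"

# Android application ID rules: at least two dot-separated segments, each
# starting with a letter and containing only letters, digits or underscores.
_APP_ID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


class CommandError(ValueError):
    """Raised when the command must not be sent to devices."""


def parse_clear_app_data(command, protected=frozenset()):
    """Return the validated, de-duplicated app IDs from a clear-app-data command.

    protected: app IDs whose data must never be cleared remotely
    (hypothetical safeguard, e.g. the management agent itself).
    """
    verb, _, rest = command.strip().partition(" ")
    if verb != COMMAND:
        raise CommandError(f"not a {COMMAND} command: {verb!r}")
    if not rest.strip():
        raise CommandError("no app IDs supplied")

    app_ids = []
    for raw in rest.split(","):
        app_id = raw.strip()  # the page's example has a space after the comma
        if not _APP_ID.fullmatch(app_id):
            # Catches typos, empty entries and stray shell or quote characters.
            raise CommandError(f"invalid app ID: {app_id!r}")
        if app_id in protected:
            raise CommandError(f"refusing to clear protected app: {app_id}")
        if app_id not in app_ids:  # drop duplicates, keep order
            app_ids.append(app_id)
    return app_ids


def normalise(command, protected=frozenset()):
    """Rebuild the command in one canonical form, e.g. for a change record."""
    return f"{COMMAND} " + ", ".join(parse_clear_app_data(command, protected))


# Hypothetical deny list; the package name is a constructed placeholder.
PROTECTED = frozenset({"com.example.mdmagent"})
```

Because the action fails when a target app is not installed, a typo in an app ID otherwise only surfaces after the command has been dispatched; validating first keeps malformed input out of the command history.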

Removed ActiveSync support for Motorola email client >>

MaaS360 removes Motorola email client support from the Device Admin ActiveSync policies. As a result, administrators can no longer use Device Admin policies to configure ActiveSync on the Motorola email client.

Strict scheduler for device payloads >>

MaaS360 extends strict scheduler support from device heartbeat to payloads. With this support, MaaS360 uploads payloads in real-time. When this policy is turned on, the payloads upload timer strictly follows the value defined in the Data Collection Frequency policy setting.

Refactored code to stop requesting permissions during the Bulk Enrollment >>

In the previous releases, MaaS360 allowed customers to enable the MaaS360 app to request permissions during the enrollment process. Effective 10.83, the MaaS360 app requests all the required permissions at the runtime for Device Admin Bulk Enrollments.

Minor UX changes to the Remove Work Profile action in the MaaS360 portal >>

MaaS360 renames the device-level action Remove Work Profile to Remove Control in an effort to provide a consistent user experience across all Android Enterprise modes of operation - DO, PO, and WPCO. For WPCO devices, the default device wipe mode selection on the Remove Control window is changed from Wipe all data to Wipe work profile only.

AAPT2 enabled by default for Android app wrapping >>

In the previous releases, administrators had to use app wrapping parameters to enable AAPT2. Effective 10.83, AAPT2 is enabled by default for Android app wrapping. Note: Customers can continue to use the app wrapping parameters to set enableAAPT2 to false.

Platform

Downloading device agent logs from the MaaS360 Portal >>

Portal or partner administrators with master administrator status can now download device logs from the MaaS360 Portal that are uploaded to IBM Cloud without having to contact IBM Support to access these logs.

Note: This feature is only available to administrators or partner administrators with the Send Logs Mode access right that is assigned by default to the Service Administrator role.  

MaaS360 audit data reports >>

To provide audit data for various reports, logs, and user interfaces that are available within the MaaS360 administration portal, the MaaS360 audit data reports offer a summary of audit logs. Currently, the audit logs are available for enrollments, devices, users, portal administration, policies, rules, settings, and services actions in the MaaS360 portal.

Cert pinning enhancements >>

Cert pinning can now be directly enabled at the customer level through the MaaS360 portal Settings page. MaaS360 adds the new Validate Server Certificate setting on the Settings page. Path: Setup > Settings > Device Enrollment Settings > Advanced > Validate Server Certificate. In the previous release, administrators had to contact support to get the cert pinning feature enabled for their accounts.

The MaaS360 app validates the server certificate as a part of communication to MaaS360 servers, including enrollment. If an insecure network connection or proxy is detected, MaaS360 displays an error message and then terminates the enrollment process.
Note: The enrollment/activation is terminated when an untrusted connection or proxy is detected on the device even if Certificate pinning is turned off.
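A sketch of the client-side check that certificate pinning implies, covering both this section and the macOS cert pinning entry above. It is an added example, not MaaS360's implementation: the page does not say what is pinned, so it assumes a SHA-256 fingerprint of the full server certificate, and the host name and certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate is one of the pinned ones."""
    return fingerprint(der_cert) in {p.lower() for p in pins}


def enrollment_decision(der_cert: bytes, pins) -> str:
    """Outcome in the page's terms: continue, or terminate enrollment."""
    if pin_matches(der_cert, pins):
        return "continue"
    return "terminate: untrusted connection"


def connect_pinned(host: str, pins, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection and fail closed unless the server cert is pinned."""
    ctx = ssl.create_default_context()  # chain and hostname checks still apply
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        sock.close()
        raise ssl.SSLError("Untrusted connection: certificate is not pinned")
    return sock


# Constructed stand-ins for DER certificate bytes (not real certificates).
SERVER_CERT = b"constructed-der:CN=mdm.example.test,issuer=Public CA"
BACKUP_CERT = b"constructed-der:CN=mdm.example.test,issuer=Public CA,serial=2"
# What a TLS-inspecting proxy would present: same name, re-signed by a CA the
# device trusts, so ordinary chain validation alone would accept it.
PROXY_CERT = b"constructed-der:CN=mdm.example.test,issuer=Corp Inspection CA"

# Pin set shipped with the client: current certificate plus a rotation backup.
PINS = {fingerprint(SERVER_CERT), fingerprint(BACKUP_CERT)}
```

The backup pin matters operationally: a client pinned to a single certificate stops enrolling the moment the server certificate is rotated.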

Analytics

Enhancements to the User Risk Management feature >>

The Security Management feature comprises the Security Dashboard and Risk Rule Configurator. In 10.83, the feature offers the following enhancements that allow administrators to use the security dashboard and manage risk rules that apply to the MaaS360 customer account. 

  • Risky users list: Previously, if a user account that was at risk was removed from MaaS360, a hyphen was displayed instead of the user name in the 'risky users' list. To show clearly which user account is at risk, the security dashboard now shows the user name for such deleted user accounts instead of a hyphen. However, user details such as email, user source, domain, and user groups are shown as hyphens for these accounts because the user details are not available in MaaS360. On the next security dashboard refresh cycle, user accounts that are deleted in MaaS360 are no longer shown in this list.
  • Administrator actions on the Risk Rule Configurator: In the Risk Rule Configurator, administrators can enable or disable a risk rule for the organization from the predefined risk rules. By default, every risk rule in the ruleset is enabled and a severity is associated with each risk rule. With the 10.83 release, administrators can enable or disable not only a risk rule but also individual rule descriptions under a risk rule. This capability gives administrators the flexibility to use only those rule descriptions that are necessary for monitoring an organization's risk factors. The option to enable or disable rule descriptions under a rule name is available for all risk rules in the ruleset. Example: An administrator can enable the Older version of MaaS360 app risk rule and monitor only MaaS360 app version =7.30 AND Platform=Android by enabling this rule description and disabling the other rule descriptions under this rule name.

Apps

New OEM and App configuration >>

MaaS360 makes App Configuration and Android OEMConfig features that support multiple configurations per app available for all customers. This new OEM/App Configuration provides an enhanced administrator experience while configuring and managing them.

OEMConfig -

Administrators can use Android OEMConfig to remotely deploy OEM-specific settings to the managed devices. OEMConfig is an Android standard that allows device manufacturers to create custom OEM-specific settings for Android Enterprise devices. MaaS360 uses OEMConfig apps built by device manufacturers to deploy advanced device configuration settings that are not natively available in the MaaS360 portal. For example, you can use Samsung's Knox Service Plugin app to configure Knox security settings such as advanced VPN configurations on the device. The OEM apps use the managed app configuration to remotely configure those settings on the devices.

App Config -

Administrators can use app configurations to remotely push configuration settings for managed apps. App developers define managed app configurations and program the app to deploy remote settings. Administrators use these managed configurations to remotely push configuration settings for the apps. App configurations are deployed with the managed apps when the apps are distributed through the App Catalog. MaaS360 allows administrators to add multiple app configurations for an app so that each configuration can be distributed to different groups or devices. App configuration is supported for iOS apps, Google Play apps, and Private apps for Android Enterprise.

App Configuration support for Enterprise apps for Android >>

Effective 10.83, MaaS360 extends app configuration support to Enterprise apps for Android. In the previous releases, app configuration was supported for Google Play apps and Private apps for Android Enterprise. Note: Requires MaaS360 for Android app version 7.60+.

Windows

MDM enrollment support for Windows 10 Home devices >>

MaaS360 now allows users to enroll their Windows 10 Home devices into the MaaS360 Portal in MDM mode. 

Previously, Windows 10 Home devices could not be managed by MaaS360 like other Windows 10 editions due to limitations from Microsoft. Also, the MDM agent did not support the installation of the MaaS360 MES agent automatically on Windows 10 Home editions. 

With this release, MaaS360 provides a new section (unified enrollment configuration) in the branding workflow that allows administrators to set up user enrollment settings for Windows 10 Home devices. Before administrators can send out enrollment requests to users, administrators must first set up user enrollment settings for the Windows 10 Home setup page that is explained in Branding settings for Windows devices. The following scenarios are available in the branding settings to administrators for user enrollment settings:

  • provide no setup link and no additional instructions in the branding settings
  • provide only a setup link in the branding settings
  • provide only additional instructions in the branding settings
  • provide a setup link and additional instructions in the branding settings

After user enrollment settings are configured, administrators perform the following actions:

Device users can follow the steps at Enrolling your Windows 10 Home device (MDM) to enroll their Windows 10 Home devices in MDM mode.

Webservices

In this release, the Authentication 2.0 Web service API was updated to include authentication token validation error scenarios that pertain to HTTPS status code 401. The new response structure for authentication token validation-related error scenarios is covered in this web service API. For more information, see the latest Webservices guide.



