IBM Support

Support for multiple user authentication types and unified authentication

Release Notes


Abstract

MaaS360 redesigns the enrollment and authentication settings to support multiple user authentication types. MaaS360 agent apps (Windows, Android, iOS) display consistent user authentication screens for Shared device login, Forgot PIN, password-protected documents, and app sign-in.

Content

In the redesigned Settings page:

  • MaaS360 supports multiple authentication types for enrollment. Based on the user-level authentication type, users can authenticate against Azure AD, Corporate credentials, or MaaS360 Directory. For example, administrators can have employees authenticate against Azure AD and contractors use MaaS360 Directory credentials. In previous releases, administrators could select only one authentication type as the default for all enrollments.
  • MaaS360 displays configured user directories and authentication types in a centralized location.

Note:

  • These settings are available to new customers and are not generally available currently.
  • Authenticating against the corporate directory requires MaaS360 for iOS app 4.80+, MaaS360 for Android app 7.60+, and MaaS360 for Windows app 4.55+.
  • Existing customers must contact the MaaS360 support team to enable this feature for their accounts.
  • This feature will be rolled out in phases to existing customers in the future.

Directory and Enrollment settings

Administrators can set up user directories and configure user authentication types from the new Directory and Enrollment Settings page.

User Directory Setup

Click Add Directory to connect to your On-premises directory using Cloud Extender (CE) and Azure AD. If you select Auto provision users in MaaS360, the user information is synced to MaaS360 from the enterprise user directory after authentication.

User Authentication Setup

Click Add Authentication Mode to configure authentication types for users. The authentication type is used during device enrollment, agent sign-in, and End-user portal (EUP) login.

Note: By default, users are authenticated against the authentication type set at the user level. The user-level authentication type is generated according to the user source (creation or import of users) and can be changed through the Users workflow.

Default authentication type

After adding the user directories, administrators can select one authentication type as default. If Corporate (Azure) and Corporate (On-premise) authentication types are configured, either one of these types or both types can be enabled as default.

During auto-provisioning, MaaS360 uses the default authentication type for authentication.

Add user workflow

MaaS360 automatically displays the default authentication type in the Add User workflow. In previous releases, when a user was created manually, the authentication type was set to MaaS360 Directory by default.

Note: Administrators can change the default authentication type.

Add Device workflow

MaaS360 automatically displays the authentication type for enrollment in the Authentication Type field.

The authentication type for enrollment is configured at the following path: Settings > Directory and Enrollment > Basic Enrollment Settings > Authentication Mode for Enrollment.

If the authentication type for enrollment is not configured, the user-level authentication type is displayed. If the user-level authentication is unavailable, MaaS360 displays the default authentication type.

UI changes

MaaS360 renames Device Enrollment Settings to Directory and Enrollment and adds a new section Directory and Authentication.

Old settings menu

New settings menu

Default authentication mode for enrollment

Old workflow

Settings > Device Enrollment Settings > Basic > Select Default Authentication Mode

Two-factor Authentication was one of the user authentication types for enrollment.

New workflow

Those settings are copied over to the following location:

Settings > Directory and Enrollment > Basic Enrollment Settings > Authentication Mode for Enrollment

  • When administrators clear the Override authentication mode for enrollment checkbox, MaaS360 uses the user-level authentication type for enrollments.
  • Two-factor Authentication is no longer displayed as one of the authentication type options. MaaS360 adds a new checkbox Enable two-factor authentication for enrollment as a separate setting under the authentication type for enrollment options. Administrators can select this checkbox to enable two-factor authentication when performing enrollment or activation using Corporate (Azure AD) or Corporate (On-premise).

Note: To avoid unexpected issues, Windows DTM customers should not clear the Override authentication mode for enrollment option.

Old workflow

The authentication types Corporate (Azure AD) and Corporate (On-premise) were displayed with the Authenticate against Corporate Active Directory option.

New workflow

The authentication types Corporate (Azure AD) and Corporate (On-premise) are displayed as two separate options.

Limit devices

MaaS360 combines all related options and adds them under a new section Limit Enrollment and Activation. The new section consists of the following settings:

  • By Devices
  • By User
  • Restrict Enrollments by IP
  • Allow only specific user groups to enroll or activate devices

Old workflow

Settings > Device Enrollment Settings > Advanced > Limit devices

New workflow

Settings > Directory and Enrollment > Basic Enrollment Settings > Limit Enrollment and Activation

Self enrollment settings

MaaS360 combines all self-enrollment settings under the new setting Self Enrollment.

Old workflow

Settings > Device Enrollment Settings > Basic

  • Default new Device Addition Mode for Self Enrollment
  • Default ownership during self-enrollments

New workflow

Settings > Directory and Enrollment > Basic Enrollment Settings > Self Enrollment

User input at authentication

MaaS360 adds a common User Input section for supported authentication types: SAML, Corporate (Azure AD), Corporate (On-premise), and MaaS360 (Local).

Old workflow

Settings > Device Enrollment Settings > Basic > Select Default Authentication Mode > Authentication against Corporate Active Directory > End User Input

Settings > Device Enrollment Settings > Basic > Select Default Authentication Mode > Two-factor authentication > End User Input

Settings > Device Enrollment Settings > Basic > Select Default Authentication Mode > Authenticate using SAML > End User Input

New workflow

Settings > Directory and Enrollment > Basic Enrollment Settings > User Input at Authentication

WorkPlace Persona Policy settings

Customers can no longer configure the following setting in the WorkPlace Persona Policy to prompt users to enter corporate credentials to authenticate instead of using a passcode.

Security > Policy Management > Policies > Workplace Persona Policy setting > Passcode > Use Corporate Password as Passcode

Old behavior

If you enable this setting, users are prompted to enter their corporate credentials to authenticate instead of using a passcode.

New behavior

This policy setting is deprecated. It is no longer supported after the MaaS360 app is upgraded to the Unified Authentication workflow, or for device versions later than Android app 7.60 and iOS app 4.80. MaaS360 uses the authentication type that is set at the user level for enrollments.

Document Information

Modified date:
06 May 2022

UID

ibm16525278