MaaS360 Cloud 10.70 Release Summary

Content

iOS / macOS MDM

Web-apps support for iOS Home Screen Configuration >>

MaaS360 extends support for adding web-app to your iOS 12.0+ device home screen by using Home Screen Configuration from Policies page. Previously, only App and Folder configuration from Home Screen page was supported.

Support for Provider Type and Bundle Identifier for F5 Access VPN Profile >>

MaaS360 introduces the following enhancements:

• Provider Type for per-app VPN that supports App Proxy and Packet Tunnel provider types. For iOS 12+ devices, the provider type must be Packet Tunnel for the per-app VPN to work.
• Bundle Identifier is introduced for the VPN payload through which the administrator can provide the app bundle identifier of the VPN app in case the VPN vendor provides two different apps. Note: The Provider Type and Bundle Identifier option is available now for Palo Alto, Aruba, Sonicwall, Juniper, and CustomSSL VPN profile types that are supported in MaaS360.
• For F5 VPN Profile, MaaS360 introduces a new VPN type named as F5 Access and F5 SSL VPN is renamed as F5 Access Legacy. F5 Access supports the new iOS VPN framework that was introduced by Apple in iOS 10.3. An MDM profile with F5 Access works on devices that are iOS 10.3+ with the F5 Access app. The F5 Access Legacy configuration does not work from iOS 12.0 devices.

iOS policy Supervised settings >>

MaaS360 introduces following new Supervised settings under Restrictions & Network.

1. Allow Date and Time Modification in iOS policy: If enabled, users are allowed to change the date and time on the iOS device. The restriction is supported for iOS 12.0+ devices and is enabled by default. To restrict users from editing date and time on the iOS device, disable this setting and publish the policy to the device.
2. New Supervised setting that is named as Allow Proximity Setup to New Devices: If enabled, allows proximity setup for nearby devices. The device with this policy published allows proximity setup on nearby devices and setup by using the same Apple ID as in device with proximity setup policy enabled. The action is same as More > Wipe > Disable proximity setup on next reboot for a selected device from Device Inventory. In this release, the action is extended to Supervised devices by using Supervised settings in iOS policy. The restriction is supported for iOS 11.0+ devices.
3. Allow USB Accessories while Locked: If enabled, allows the device to make USB connection to accessories while the device is locked. The setting is enabled by default in the policy setting and allows USB accessories on the device when it is locked. The restriction is supported for iOS 11.3+ devices.

MaaS360 introduces following new Supervised settings under Notifications to disable selected notifications on iOS 12.0+ devices.

1. Disable Notifications in CarPlay: The notifications on the device are disabled during CarPlay mode. By default, the setting is enabled in the iOS policy. The restriction is supported on iOS 12.0+ devices.
2. Enable Critical Notification: If enabled, an app can mark the notification as a critical notification on the device by overriding Do Not Disturb and device ringer settings. By default, the setting is disabled in the iOS policy. The restriction is supported for iOS 12.0+ devices. Refer to summary of iOS 12 and macOS 10.14 day zero support here.

Skip setup of items during Profile configuration in Device Enrollment Program >>

MaaS360 adds iMessage and FaceTime options in Device Enrollment Program (DEP) Skip Items during Profile configuration for iOS devices. On enabling this option, iMessage and FaceTime is not shown to users for setup during iOS DEP enrollment. The function is supported for iOS 12 devices and for China only.

Android

Set up Android Enterprise during Quick Start >>

MaaS360 adds Android Enterprise to Quick Start, allowing the administrators to easily set up Android Enterprise during the startup. 

Support for additional Android Enterprise policies >>

MaaS360 adds support for additional Android Enterprise policies. 

Support for additional security policies >>

MaaS360 adds support for additional M3, Kiosk, and Bluebird policies.

Support to send identity certificates from Cloud Extender to devices via MaaS360 portal >>

MaaS360 adds support to send individual identity certificates from Cloud Extender to the devices via Android MDM policies in the MaaS360 portal. The authorized third-party apps can use the identity certificates to authenticate users against those apps on the devices. Note: Contact MaaS360 support team to enable this feature for your account.

Beta - Google device attestation during Android Enterprise enrollments >> 

Google mandates SafetyNet Attestation during Android Enterprise enrollment (DO and PO) to ensure that the devices pass Google's compatibility and integrity checks. Any device that fails attestation during the enrollment will not be able to complete provisioning. The status of the Google's SafetyNet device attestation is displayed in the detail view of the device. Previously, the SafetyNet Attestation was performed after the device enrollment. Note: Contact MaaS360 support to enable this feature for your account. 

Manage restrictions on outgoing emails sent to external domains >>

MaaS360 adds support to allow administrators to enable restricts on outgoing emails sent to external domains. Based on the type of restriction, the outgoing emails to external domains are either blocked or a warning message is displayed.

Support for advanced wrapping features >>

MaaS360 revamps app wrapping features as per Android's recommendations.

Prompt for device name during Zero-touch enrollment and QR code for work-managed device enrollments >>

MaaS360 now supports a new configuration option that allows users to set a custom device name for the device that enrolls via Zero-touch (KME + DO, non-Samsung + DO) and QR code for work-managed device enrollments. 

Windows

Support for BitLocker Device Encryption on Windows Pro devices >>

MaaS360 extends BitLocker encryption support for Windows 10 Pro devices. Previously, the feature was limited to Windows 10 Education and Enterprise editions. Note: The existing customers must re-publish the "Require Device Encryption" BitLocker policy on Security policies section to enforce them on Windows 10 Pro devices. Requires MDM Extender agent version 1.90 and Core app version 3.90. The BitLocker Drive Encryption feature is not supported on Windows Home edition.

Backup BitLocker Recovery password >>  

MaaS360 also adds new policies to allow the administrators to backup the BitLocker recovery password to Active Directory (On-Premises or Azure) and MaaS360 End User Portal (EUP). The organizations that enforce BitLocker encryption through channels other than MaaS360 can also use these policies to backup the BitLocker Recovery password on the managed Windows 10 devices.

Device wipe action not supported on MDM enrolled Windows 10 devices below RS3 >>

Due to limitations with Microsoft API in being able to support Wipe action on lower Windows 10 versions, MaaS360 has restricted the device wipe action to the Windows 10 OS version Redstone 3 (RS3) or 1709+. If the Windows 10 OS version is below RS3, the wipe action is not pushed to the device from the MaaS360 portal. Note that this will not affect devices that are enrolled via DTM enrollment method. To view the OS version, navigate to the detail view of the device > Hardware & OS tab > OS version. The OS version is displayed in 10.x.y.z format. The device wipe action is supported on OS versions where y > 15063. If the device wipe action is failed, the status can be tracked in the device history.

Minor usability improvement in Windows 10 enrollment >>

MaaS360 web-based enrollment for Windows 10 retained the enrollment start screen for the user after enrollment was completed, creating an impression that the enrollment was not completed. With this release, after the enrollment is initiated, the enrollment start screen in the Edge browser is automatically closed.

Removal of local administrator privileges on enrolled Windows 10 devices >>

Microsoft requires that the user accounts enrolling in MDM needs to necessarily have local admin rights on the Windows machine. MaaS360 adds a workaround to overcome this limitation for organizations, allowing the users to enroll the Windows 10 devices into MaaS360 without local admin privileges. Note: Some apps that require administrator privileges may not install or function.

Support to receive text notifications about policy changes >>

MaaS360 adds support to receive text notifications on the device whenever administrators enforce new policies or update existing policies. Note: Contact MaaS360 support to enable this feature for your account.

App Management

Deep links for MaaS360 enterprise app catalog >>

MaaS360 adds support for deep links, allowing the users to directly navigate to the detailed view of an application in the enterprise app catalog by just tapping an URL from a different app. For example, an IT administrator can create and distribute a custom URL pointing to the download page of a VPN application.

Viewing distributed apps and their status >>

Administrators can now view the status of the web apps / web clips distributed to an Android user from “App Distributions” tab on device view. Previously, this feature was available for iOS devices only.

Platform

Viewing Audit History in Settings >>

Maas360 All adds a new feature for global administrators with service admin roles to track and view history for any changes made in settings. The feature will track the history of Settings post 10.70 release.

Revamping the user interface of Expense Management View >>

Maas360 has a revamped the look and feel of the Expense Management view to get in tune with new UI of the portal. Expense Management will continue to define, manage and set alerts for the data usage of the Enrolled device with an added sort and filter feature.

Adding Salesforce Self-Serve link in the Help menu >>

Maas360 now enables a one-click link for Salesforce Self-Serve in the Help menu. It would be visible to customers who have Salesforce Self-Serve enabled.

Platform Administrators

Policy recommendation for Administrators >>

On creating a new Community Based policy, organization profile details that are provided during policy creation such as Industry, Region, and Deployment Size are retained and policy recommendations are suggested based on the profile that is selected during policy creation. Previously, the recommendations were based on customer profile detail that is available in MaaS360. 

For existing policies that were added before 10.70 release, the recommendations continue to be based on customer profile that is available in MaaS360 for Industry, Region, and Deployment Size. The function is applicable for iOS, Android, and Persona policy. Note: macOS and Windows platforms do not support Community Based policy.

Clearing device location information based on Privacy Settings >>

Based on Privacy Settings to restrict location information, device location is cleaned up for devices that belong to the applicable ownership and group type that is mentioned in Privacy Settings. The historical location information is cleared up from the MaaS360 portal for these devices. The setting is applicable for all device types and device groups where location information for the device is supported. 

Restricting device enrollment based on IP address within the corporate network >>

Configure Restrict Enrollments by IP setting from Advanced Device Enrollment Settings page to restrict device enrollment or activation by using IP ranges or IP addresses specified in the setting. The administrator can configure one or more allowed IP ranges and IP addresses for allowing device enrollment within the corporate company network. The IP address that is specified must be the final IP address from which request reaches MaaS360 servers. If using VPN, or proxies, the administrator needs to configure the final IP address in the allowed range. Contact IBM MaaS360 Customer Support team to get access to this setting.

The feature works for self-enrollment requests by users and enrollment requests that are created by the administrator. The IP address based enrollment support is not yet available for enrollment programs such as Apple Configurator, Device Enrollment Program (DEP), and license based Windows and Mac enrollments.

Manage Custom Attributes based on Rule Set >>

Based on custom attribute rules configuration, if for a device custom attribute value is anything apart from the allowed value that is configured in Rule Set then, the device is marked as Out of Compliance (OOC). This rule is applicable to 'Not Equal To' and 'Does Not Contain' conditions. Even if no custom attribute value is configured in the ruleset, the device is marked as Out of Compliance. Previously, any device with custom attribute "Compliance" value as null for the enrolled device would not be marked as Out of Compliance (OOC).

Example: Consider custom attribute rule in Compliance Rules > select a rule set name > Custom Attribute Rules. Include custom attribute that is named as testcustom,  Configure the rule for testcustom as Not Equal To 1. When this ruleset is applied on the device, any device whose custom attribute value is anything apart from one or if not configured then the device is marked as Out of Compliance.

Analytics

Show count of mitigated insights in the My Advisor notification email >>

MaaS360 sends My Advisor notification email to administrators who subscribe to it for Insights. This notification email now includes the count of insights that were mitigated in the previous week. If a risk insight is relevant to the customer and later the impacted device count is reduced to zero, it is referred as a 'mitigated insight'.

Cloud Extender 2.95

Zebra Printer Management module >>

MaaS360 introduces a new module for Cloud Extender that allows administrators to remotely manage configuration settings and take actions on Zebra printers that are discoverable on the corporate network. Note: This module is supported for the MaaS360 platform 10.70 release only and requires Cloud Extender 2.95 and the new Cloud Extender Configuration Tool. Contact IBM Support to enable this setting.