Product Lifecycle
Abstract
Overview of the IBM MaaS360 TLS 1.0 deprecation
Content
MaaS360 TLS v1.0 Support Deprecation - (Platform Deprecation set for June 25, 2018)
What is TLS?
The primary goal of the TLS (Transportation Layer Security) protocol is to provide privacy and data integrity between two communicating applications. The protocol is composed of two layers: TLS Record Protocol and TLS Handshake Protocol. At the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record Protocol. It is the most widely deployed security protocol used today. It is used for web browsers and other applications that require data to be securely exchanged over a network or internet. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS available today are TLS 1.0, 1.1, and 1.2.
How this relates to the MaaS360 Product Suite
Starting from Aug 17, 2017, IBM MaaS360 will start deprecating support for TLS 1.0 and will disable encryption protocol across services. MaaS360 continues to support newer versions of security protocols (TLS 1.1 and above) to align with the PCI security standards and ensure highest security and safety of your data. The deprecation will have impact on all MaaS360 customers currently using TLS 1.0, and it is advised that you check if you're going to be affected. MaaS360 solution contains the platform, on-premise agents and mobile apps; each component will have a different path of upgrade and the below information will outline the areas where this deprecation will be affected. This project will start with different apps and agents that will need to be upgraded and then eventually will entail the deprecation of TLS v1.0 version on the MaaS360 Platform. After the deprecation occurs on the MaaS360 platform, any agent that has not been upgraded will no longer be able to connect and be managed by the platform.
MaaS360 TLS Platform deprecation will occur on June 25, 2018. Please review section below for each offering on how devices, Cloud Extender and web services need to be upgraded. As the date for deprecation is decided upon, we will leverage the MaaS360 Developer Works Wiki and the MaaS360 Insight Advisor tool within your portal to alert you about devices and agents that will be impacted.
Described below are the compatibilities across MaaS360 Apps, Agents, Web Services, and Web Browsers:
- Cloud Extender and MEG Agents
- Android Apps, SDK and App Wrapping
- Windows/WinPhoneApps and Agents
- WebServices
- iOS Apps, SDK and App Wrapping
Cloud Extender and MEG Agents
The Cloud Extender(CE) and Mobile Enterprise Gateway (MEG) services are comprised of two components: the core and modules. The core agent of the CE and MEG service v2.70 and below will need to be upgraded to the 2.91.001 Core agent. For more details on how to upgrade this agent, please click Here. The CE and MEG Modules will not be affected by the TLS 1.0 security protocol deprecation directly, but it is suggested to upgrade the modules to the latest along with the Core Agent upgrade.
|
MaaS360 Offering |
MaaS360 Version |
Impact |
Required Action |
|
Cloud Extender Agent |
v2.70 and Below |
If the CE Agent is 2.70 or below, it will stop communicating to the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Upgrade the Cloud Extender agent to 2.91.001 or higher. 2.91.001 Core agent For more details on how to upgrade this agent, please click Here. |
|
Cloud Extender Module |
v2.70 and Below |
If the CE modules are 2.70 or below, they will stop communicating to the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Allow Automatic updates for Modules to 2.91 or higher. See below for details. |
|
MEG Agent |
v2.70 and Below |
Same as CE Agent details above |
Same as CE Agent details above |
|
MEG Modules |
v2.70 and Below |
If MEG modules are 2.70 or below, they will stop communicating to the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Upgrade Modules to 2.91.000 or higher. Unlike CE Modules, MEG modules are not automatically downloaded. For more details on how to upgrade MEG Module, please click Here. |
To view version of Cloud Extender Agent installed:
1. Log into customer portal within MaaS360 Portal.
2. Navigate to Setup / Cloud Extender.
3. Open the Device view for the installed Cloud Extender. If there are more than one Cloud Extender installed, select the specific server that is to be reviewed.
4. Under the Hardware Inventory section, view version listed under Agent Version.
To allow automatic updates to Modules, as an administrator, follow these steps to automatically upgrade your CE modules:
1. Open the Cloud Extender Configuration Tool.
2. Go to the last window of the configuration wizard, and then enable the Automatic Updates setting.
Note: Enabling this setting triggers an automatic download and applies the latest modules.
3. Go to the MaaS360 Portal, and then view the Cloud Extender Summary window to confirm that the updates were applied (based on module versions).
Android Apps, SDK and App Wrapping
MaaS360 discontinues support for the devices running Android OS versions below 4.1. MaaS360 adds newer security protocol support for the devices running Android OS versions ranging from 4.1 to 4.4.4 through MaaS360 app for Android version 5.88.
|
MaaS360 Offering |
MaaS360 Version |
OS Version |
Impact |
Required Action |
|
Android SDK |
Below 5.88 |
Below 5.0 |
HTTP client used in SDK no longer supports TLS v1.0, even when communicating with the customer's own server. Minimum supported SDK version is increased from 14 to 16 (Android 4.1) for MaaS360 SDK apps.
|
Before upgrading to the 5.88+ SDK, ensure server receiving traffic support TLS 1.1 or higher. Before wrapping Apps post 10.64 platform release, ensure server receiving traffic supports TLS 1.1 or higher. |
|
Android Wrapping |
Below 10.64 |
Below 5.0 |
||
|
MaaS360 for Android and MaaS360 for Samsung |
Below 5.88 |
4.0.x |
MaaS360 discontinues support for Android OS version 4.0.x. So, officially, 5.85 was the last supported version on those devices. The devices with MaaS360 app version 5.85 will not be able to communicate with the MaaS360 portal after the TLS 1.0 security protocol is deprecated on the Portal. |
Android device with OS v4.0.x will need to be upgraded to 4.1+. If device is unable to be upgraded, it will not be able to be managed by the MaaS360 Portal after the portal has TLS 1.0 deprecated. These devices should be replaced with a device that can be upgraded. |
|
MaaS360 for Android |
Below 5.88 |
4.1 – 4.4.4 |
Devices will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
MaaS360 for Android App should be upgraded to version 5.88 or higher. |
|
Below 5.88 |
4.1 – 4.3 |
Devices cannot be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
MaaS360 for Android App should be upgraded to version 5.88 or higher. Limitation: The new WebView based enrollments are not supported for these OS versions. As a result, SAML auth and Enroll on behalf will not work, even with 5.88 app. It uses old (non-WebView based) enrollments on these OS versions. |
|
|
MaaS360 Docs |
Below 5.88 |
4.1 – 4.4.4 |
Devices will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
MaaS360 Docs App should be upgraded to version 5.88 or higher. MaaS360 Browser App should be upgraded to version 5.88 or higher. |
|
MaaS360 Secure Browser |
||||
|
MaaS360 Secure Chat |
Below 5.88 |
Below 5.0 |
The version currently in Play Store is 5.55 which will not be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
TBD |
|
MaaS360 Kiosk |
Below 5.88 |
4.0.x |
MaaS360 discontinues support for Android OS version 4.0.x. So, officially, 5.85 was the last supported version on those devices. The devices with MaaS360 app version 5.85 will not be able to communicate with the MaaS360 portal after the TLS 1.0 security protocol is deprecated on the Portal. |
Android device with OS v4.0.x will need to be upgraded to 4.1+. If device is unable to be upgraded, it will not be able to be managed by the MaaS Portal after the portal has TLS 1.0 deprecated. These devices should be replaced with a device that can be upgraded. |
|
Below 5.88 |
4.1 – 4.4.4 |
Devices will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
MaaS360 Kiosk App should be upgraded to version 5.88 or higher. | |
|
MaaS360 for Samsung |
Below 5.88 |
4.1 – 4.2 |
The last version of the MaaS360 for Samsung App was v5.45, released July 2016. There is no upgrade path from that app to the latest 5.88 app. Devices cannot be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
MaaS360 for Samsung app v5.45 will need to be uninstalled, and MaaS360 for Android app v5.88 will need to be installed and enrolled. SAFE API's won't work as ELM is not supported for OS 4.1-4.2. As a result, ELM migration not possible. |
|
Below 5.88 |
4.3 – 4.4.4 |
The last version of the MaaS360 for Samsung App was v5.45, released July 2016. Devices cannot be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
If devices are not migrated before TLS 1.0 is deprecated, then these devices will need to uninstall and re-enroll. After migration or for new installations, the MaaS360 for Android App should be version 5.88 or higher. |
|
|
MaaS360 for LG |
Below 5.88 |
Below 5.0 |
Devices that have the MaaS360 for LG App v5.70 or lower will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Existing Customers: Uninstall MaaS360 for LG and re-enroll with MaaS360 app for Android version 5.88 using the LG helper app. New Customers: Enroll with MaaS360 for Android version 5.88 using the LG helper app. |
|
MaaS360 for OnPrem |
Below 5.88 |
Below 5.0 |
onPrem Servers that use TLS 1.0 are unsupported in MaaS360 for Android app version 5.88.
|
OnPrem servers will need to ensure that their network support TLS 1.1 and 1.2 before moving to the MaaS360 for Android version 5.88 or higher. |
|
MaaS360 Remote Control for Samsung |
Below 5.88 |
Below 5.0 |
The version currently in Play Store is 5.25 which will not be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
See note above for Samsung ELM migration, and uninstall this App. |
Windows/WinPhoneApps and Agents
The Windows agents and apps will need to be upgraded to Enterprise Services version 3.93 and higher to support TLS v1.1 and v1.2.
|
MaaS360 Offering |
MaaS360 Version |
Windows OS Stack |
Impact |
Required Action |
|
Any |
Any |
Windows Phone 8.0 |
The WinPhone 8.0 OS is no longer supported by Microsoft: https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%20Phone%208 Any devices that have MaaS360 MDM control, will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Devices with this OS will need to be upgraded to 8.1 or higher. If device is not able to be upgraded, the only solution will be to replace device. |
|
Company Hub |
Below 2.1.3 |
Window Phone 8.1 |
Enrollment and management will continue to work, but some actions will fail if version are below that noted in the MaaS360 Version listed to the left. It is also to be noted that Microsoft ended support for Windows Phone 8.1 as of July 11, 2017. So, MaaS360 recommends customers to upgrade to Windows 10 Mobile OS at the earliest. |
Devices should be upgrades to :
|
|
PIM |
Below 2.2 |
|||
|
Browser |
Below 2.2 | |||
|
Docs |
Below 2.2 |
|||
|
Core App |
Below 3.1 |
Windows Desktop OS 10 (MDM)
|
Enrollment and management will continue to work, but some actions will fail if version are below that noted in the MaaS360 Version listed to the left. |
Devices should be upgraded to 3.1 or higher |
| Browser | Below 3.1 | Windows Phone 10/Windows Desktop OS 10 (MDM) | ||
|
MES |
v1.20 and Below | Windows Desktop OS 10 (MDM) | MES agent will fail to communicate to the MaaS360 Platform |
The MaaS360 Platform should have already upgraded these agents to MES v1.25. Note: If device is found with v1.20 or below uninstall the app and then initiate the "Request Data Refresh" action, which will install the MES v1.25+ agent. |
|
Any |
Any |
Windows XP |
Window XP is no longer supported by Microsoft: Any laptops that have MaaS360 LTM control, will not be able to be managed by the MaaS360 Portal after the TLS 1.0 security protocol is deprecated. |
Laptops with this OS will need to be upgraded to OS 7 or higher. If laptop cannot be upgraded, then the only solution will be to replace laptop. |
|
LTM Visibility (Windows DTM Enrollment)
|
Below 3.93 |
Windows 7, 8.1 and Windows 10 DTM |
New enrollments will fail, if Visibility Installer v3.93 is not used. Existing Visibility v2.x and below v3.93 will fail to communicate to the MaaS360 Portal if the installed service of 'Enterprise Services' if not equal to 3.93 or above. |
Visibility of v 3.93 will be available week of Dec 1, 2017 along with the 10.65 Platform release. Enterprise Services v 3.93 is GA and all existing agents should have this version. To confirm run a smart search for Installed services, Module: Enterprise Services below v 3.93. If this module is below v3.93, please contact customer service. |
|
LTM MDM Control (Windows MDM Enrollment)
Core App |
Below 3.1 |
Windows Desktop OS 10 (MDM) |
Enrollment and management will continue to work, but some actions will fail if version are below that noted in the MaaS360 Version listed to the left. |
Devices should be upgraded to Core App and Browser v3.1 or higher.
The MaaS360 Platform should have already upgraded these agents to MES v1.25. Note: If device is found with v1.20 or below uninstall the app and then initiate the "Request Data Refresh" action, which will install the MES v1.25+ agent. |
| MES | V1.20 and Below | |||
| Browser | Below 3.1 |
WebServices
For those customers using WebServices/API's on the MaaS360 Platform, the API client used on the Customer side may require adjustments or upgrades. Please check with your client's documentation on how to upgrade to TLS 1.1 or TLS 1.2 support.
Steps to check for API compatibility
- Set up an API client in a test environment. This could be any software or library that you are using to integrate to MaaS360 or any custom integration code that you have written. The examples cited in this write up uses python as a client language. This could be Java or any other language in your environment.
- A web service client usually makes GET and POST requests to servers.
- Using your client test environment, make a GET request to the following URL https://tlstest.maas360.com/.
- Your version of client library should be able to make a successful GET request to the URL above and receive a result of "0". This response means that underlying TLS v1.0 connection is successful.
- If you get anything other than "0" in the result, it would indicate that the client you have could not make a successful connection to our servers which has TLS v1.0 disabled. You need to upgrade your client library which supports TLS v1.1 and above versions and run the same test to confirm you are getting a result of "0".
An example of doing this in a python script is as follows:
import requests
url = "https://tlstest.maas360.com/"
data = requests.get(url)._content
assert data == "0"
If you are using python for consuming MaaS360 web services then, run this code to see if your client connects to a URL that has TLS v1.0 disabled.
Note: If you are using a different programming language, you can write similar code in that environment language and verify using the test URL if the client works with the URL that has TLS v1.0 disabled.
iOS Apps, SDK and App Wrapping
No Action required. iOS supports TLS 1.1 and 1.2 security protocol natively from version iOS 6.0 and higher, therefore all MaaS360 Apps, SDK and App Wrapping products have no impact.
Was this topic helpful?
Document Information
Modified date:
28 August 2018
UID
ibm10729573