Release notes for 2018 (10.66 - 10.71)

• Enroll non-DEP iOS 11 devices from Apple Configurator by using an enrollment URL: Administrators can now use an enrollment URL in the MaaS360 Portal that supports the following enrollment methods:
  • With Authentication method: This enrollment process involves an authentication step during enrollment. This method accepts MaaS360 user, LDAP, and AD user credentials. This method does not support Portal admin credentials. Administrators cannot complete the enrollment process unless authentication is successful. Since this method involves user authentication, the iOS device is assigned to the user.
  • Without Authentication method: This enrollment process does not involve user authentication. The workflow is similar to the With Authentication method except that the URL that is used in this workflow varies.
• DNS proxy support in the MDM policy for iOS 11.0+ devices: A new policy payload for iOS 11.0+ devices called DNS Proxy provides configuration options for the App Bundle ID, the Provider Bundle ID, and Provider Configuration.
• Preserve Data Plan attribute for iOS 11.0+ devices: During the process of wiping or erasing a device, the administrator can now enable the Preserve Data Plan option in the MaaS360 Portal to preserve an active data plan on the device that is being wiped or erased.
• Update the device certificate for iOS devices that are configured with the Persona policy: Administrators can now update device certificates for iOS activated and enrolled devices that are managed by the Persona policy.

• New device group actions for Zebra devices: Administrators can now use new real-time actions to upgrade the OS on Zebra devices, roll back the OS, or install security patches. This feature is not enabled by default. To enable this feature, contact IBM Support. This feature is only supported by Zebra devices that are installed with the MaaS360 agent version 5.85 and later.
• Advanced Android zero-touch enrollment for Android Enterprise devices: Administrators can now preconfigure devices before those devices are shipped to users. Administrators can deploy corporate-owned devices in bulk without having to manually set up each device.

  With the new zero-touch feature, enterprise customers can purchase devices through an authorized reseller. The reseller creates an Android Zero Touch Portal and transfers the device-related information, such as the IMEI number and the serial number to the Android Zero Touch Portal. An authorized administrator logs in to the Zero Touch console and assigns a device with an IBM MaaS360 DPC (Device Policy Controller). Administrators can also prepopulate devices with basic information, such as the Enrollment Email ID and the Corporate ID. The IBM MaaS360 DPC and the other configuration options reach the device when the device starts for the first time or after a device reset.

• Enforce complex numeric passcodes in the Secure policies: Administrators can now prevent users from using repetitive numeric characters (1111) or consecutive numbers (1234) in their passcodes. This feature is available for both the Android MDM policy and the Android Enterprise policy.
• Deploy enrollment settings by using a QR code: Administrators can now deploy enrollment settings during the QR code enrollment. In previous releases, only wifi settings were deployed through QR code-based enrollment. This feature eliminates the need to create a separate enrollment request for Android Enterprise devices.
• EFOTA (Enterprise Firmware Over The Air)-publish test-only firmware on test devices: Administrators can now push test-only firmware updates that test an update on test devices before the update is pushed to all devices. In previous releases, administrators had to create a separate group for testing purposes.

• L2TP VPN support for Windows 10+ MDM Laptop and Desktop devices: The L2TP VPN configuration supports only password-based authentication for users and works based on a pre-shared key (PSK). This VPN configuration is not supported on Windows Phone devices.
• Windows App Catalog enhancements: This release of the Windows App Catalog distributes and updates script files (batch files (.bat), VBScript (.vbs), PowerShell (.ps1), registry files (.reg), Python(.py)) and web clips within the App Catalog, supports App Bundles, and updates the most downloaded apps, the latest apps, reviews/ratings of apps, and sorting and filtering of apps display.

• Departmentalization based on device groups: A global administrator can now create one or more device group administrators to manage specific device groups, who then distribute apps and assign policies and rule sets to devices. To enable this feature, contact IBM Support.
• New user interface for MaaS360 Portal: For 10.66 and later releases, the new UI for the MaaS360 Portal is made available by default to all new customers. Existing MaaS360 customers are provided an option in the Portal under the User Profile to switch between the new and the existing UI.
• New Quick Start wizard for new MaaS360 Portal user interface: Administrators can now configure settings to quickly get started with using the MaaS360 Portal. For 10.66 and later releases, the new UI for the MaaS360 Portal is made available by default to all new customers. Existing MaaS360 customers are provided an option in the Portal under the User Profile to switch between the new and the existing UI.
• App approval workflow: Administrators can now set up quality standards and guidelines for the app store. An application that is submitted to the app store must pass those requirements before the app is published. For this release, enhancements were made mainly to the roles and privileges that are required for managing app approvals. This feature is not available by default. To enable this feature, contact IBM Support.

• Simultaneously refresh device certificates on multiple devices: This release of Cloud Extender enhances the workflow for refreshing all certificates on a device. In previous releases (10.65 and earlier), the administrator accessed the Device Details page, and manually selected a device to refresh that certificate. With this release, the administrator can now use the Update Certificate option on the Device Inventory page to refresh certificates on multiple devices all at once.
• New setting for AD Account Lockout on Deployment Settings page for Cloud Extender: Administrators can now configure how many times a user provides a password to access the corporate directory for Active Directory authentication before the account is locked for a specific period of time (in hours). This feature prevents users from being locked out of their account indefinitely, which then requires an administrator to manually reset the user account password.
• Multiple Secure Mail notifications support for Cloud Extender mail accounts on iOS devices: Administrators can now configure and enable email notification settings for both primary and secondary Secure Mail accounts that are configured on an iOS device.

• iOS 11.3 enhancements:

  • iOS MDM policy - user restrictions on auto filling passwords or credit card information in the Safari browser or in apps: The Supervised Settings > Restrictions & Network > Enable Authentication for Auto Fill setting requires that users must authenticate with Face ID to allow passwords or credit card information to automatically display in the browser or in an app. If Face ID authentication fails, the user must provide a valid passcode instead. This setting is supported only on iOS 11.0+ devices that support Face ID.
  • iOS MDM policy - user restrictions on configuring delays for software updates: The Supervised Settings > Restrictions & Network > Configure Delay for Software Updates setting delays any updates on devices and hides the update from the device user based on the number of days (1 - 90 days) that is specified by the administrator. This setting is supported on iOS 11.3+ devices.
  • iOS MDM policy - user restrictions on configuring Bluetooth settings: The Supervised Settings > Cellular > Configure Bluetooth Settings setting manages Bluetooth use on iOS 11.3+ devices.
  • Option to skip setup for privacy settings when the administrator adds a DEP profile: The administrator can specify which settings can be skipped by the user for iOS 11.3+ DEP device enrollment:
    • iPhone Home button sensitivity
    • Privacy
    • Onboarding
    • Touch ID settings
    • Apple Terms and Conditions
    To enable this setting:

    1. From the Apple Device Enrollment Program (DEP), select Profiles > Add Profiles.
    2. In the Skip Setup Items section, select the items that the user can skip during DEP device enrollment. Those setups screens are not displayed to the user during DEP device enrollment.
  • Option to skip automatic setup after a device wipe action on iOS 11.3+ devices: The Disable Proximity Setup on next reboot setting disables automatic setup, an Apple feature that set ups your new iPhone 8, iPhone 8 Plus, or iPhone X when you hold the device near an iOS 11.0+ device that you already own. After the user restarts the device, the user must manually set up the device since the Quick Start screen does not automatically display on the device.
• macOS MDM policy - user restrictions for Touch ID and Wallet & Apple Pay settings: The Restrictions > System Preferences > Touch ID and Restrictions > System Preferences > Wallet & Apple Pay setting restrict users from disabling these settings in the system preferences. These settings are enabled by default.
• Delete Apple School Manager (ASM) data from the MaaS360 Portal: Administrators can now make a request with IBM Support to delete ASM data from the MaaS360 Portal. When ASM data is successfully deleted from the MaaS360 Portal, ASM integration with MaaS360 is also disabled by default. Administrators can always re-enable ASM integration from the MaaS360 Portal.
• DEP enrolled iOS devices now display the detailed model name for the device: In previous releases, the Model column in the Device Summary view only displayed the model names, iPad or iPhone. In this release, DEP devices now display a more detailed model name that helps identify the type of iOS device that is enrolled. For example: iPad 7, iPhone 6 Plus, or iPad mini
• Support for device custom attributes in an iOS policy: Administrators can now use placeholder values in any input fields in an iOS policy or in the iPCU settings that use %attribute_name%. In previous releases, only user-defined attributes were supported in iPCU settings.
  To apply device custom attributes for an iOS device in an iOS policy:

  1. Manage device custom attributes for the iOS device:
     1. Go to Devices > Device Attributes, and then select Manage Custom Attributes to add custom attributes or to edit existing custom attributes.
     2. On the Device Summary page, select an iOS device, and then select Custom Attributes. If necessary, change any values in the list.

        You can use the device attributes that the Apple Configurator created by using the %attribute% placeholder, creating a profile, and then importing the iPCU XML file that contains these attributes into the iOS policy. The placeholder values for the attributes are replaced with the actual settings that are defined on the device.

  2. Update the iPCU settings for an iOS policy:
     1. Go to Security > Policies, and select an iOS policy.
     2. From Advanced Settings, go to iPCU Import.
     3. Upload a new iPCU settings XML file to import iPCU settings or select an existing file from the list. The file upload fails if the iPCU settings XML file contains the DOCTYPE declaration.
     4. Save and publish the iOS policy. The saved policy is applied to devices. Placeholder values that are listed for the device custom attributes are replaced with the custom attribute values that are defined for an iOS device in step 1. The policy is then applied to the device.

        Installing a custom iPCU payload on the device fails if custom attributes are not defined for the device, but an iOS policy that contains iPCU settings is applied on the device.

• Support for collecting and uploading agent logs in debug mode: MaaS360 now supports debug logging and agent log collection for the MaaS360 core app, Secure Editor, and Secure Browser. However, only IBM Support can manage this feature, which helps Support track and troubleshoot issues with MaaS360 agents.
• AirPrint configuration for macOS MDM devices: AirPrint allows devices that are connected to the same network to print over the air through a wifi connection. MaaS360 can preconfigure AirPrint settings for users as part of an MDM payload and allows multiple AirPrint-enabled printers configured on the network. AirPrint configuration is supported on macOS 10.10+ devices only.
• Swedish language support for the MaaS360 App Catalog, MaaS360 Packager, and the macOS agent.
• Static password support for the macOS WPA/WPA2 (Enterprise) Wi-Fi profile: In previous releases, only iOS policies were supported. In this release, when a policy reaches the device, the macOS device automatically gains access to the corporate wifi network without having to authenticate to the network.
• New alerts added for issues with Apple Volume Purchase Program (VPP) and Apple Device Enrollment Program (DEP): The MaaS360 Portal Home page now notifies administrators in the My Alert Center about VPP or DEP tokens that are configured on a different MDM server or about upcoming expiration dates for the DEP terms and conditions.
• Locked profiles for iOS support is disabled on the MaaS360 M1 instance: The MaaS360 Security Profile (Locked Profile) for iOS is no longer supported on the MaaS360 M1 instance. This end of support impacts only customers who have the Locked Profile for iOS support feature enabled for their MaaS360 accounts.

• Support for Google Chrome OS (Chromebook) device management: MaaS360 announces a partnership with Google to manage Chrome OS devices. Administrators can easily enroll Chromebooks in the MaaS360 Portal from the Google Admin Console. MaaS360 also uses Google APIs to allow administrators to enforce security policies on Chrome OS devices. For 10.67, this feature is a Beta release feature. To enable this feature, contact IBM Support.
• Support for IBM Trusteer® Threat Management policy enforcement: MaaS360 now supports Trusteer Threat Management policies through Persona policies for mixed mode (MDM+SPS) customers. In previous releases, MDM Trusteer policies took precedence over Persona policies. If a Trusteer Threat Management policy is enabled for both MDM and SPS, the MDM policies take precedence. Other scenarios are explained in the following table:

  MDM policy	Persona policy	Policy that is applied
  Trusteer policy is enabled.	Trusteer policy is not enabled.	MDM policy
  Trusteer policy is not enabled.	Trusteer policy is enabled.	Persona policy
  Enable Trusteer Threat Management setting is enabled. Restrict access to insecure WiFi setting is enabled.	Restrict Devices with Malware setting is enabled. Restrict access to insecure WiFi setting is enabled.	MDM policy is applied for both settings.
  Enable Trusteer Threat Management setting is enabled. Restrict access to insecure WiFi setting is not enabled.	Restrict Devices with Malware setting is enabled. Restrict access to insecure WiFi setting is enabled.	MDM policy is applied. Persona policy is applied.
  Enable Trusteer Threat Management setting is enabled. Restrict access to insecure WiFi setting is enabled.	Restrict Devices with Malware setting is enabled. Restrict access to insecure WiFi setting is not enabled.	MDM policy is applied for both settings.

• Support for reporting devices with dual SIM cards on the network: The MaaS360 agent now reports network information to the MaaS360 Portal about both SIM cards for an enrolled dual-SIM card device. Administrators can search for a device by using the secondary SIM ICCID and IMEI numbers. To view network information about the second SIM card for an enrolled device, go to Devices > Network Information > Secondary SIM Details.
• Support for auto-renewal of certificates for secondary mailbox accounts: In this release, MaaS360 agent automatically sends a certificate request and renews certificates for secondary mailbox accounts in the background. In previous releases, administrators had to reconfigure secondary accounts if a certificate expired.

• Support for Microsoft HoloLens device management: MaaS360 announces a partnership with Microsoft to manage HoloLens devices. Administrators can easily enroll Windows HoloLens devices into MaaS360 by using the normal enrollment workflow. Administrators can use Windows APIs to enforce security policies, compliance rules, and device actions on HoloLens devices.
• Support for new device-level actions on Windows 10 devices: Administrators can now upgrade licenses and change the product key on Windows 10 devices. The following upgrade path is supported:
  • Windows 10 Enterprise to Windows 10 Education
  • Windows 10 Home to Windows 10 Education
  • Windows 10 Pro to Windows 10 Education
  • Windows 10 Pro to Windows 10 Enterprise
  MaaS360 supports activation or product key changes on the following editions of Windows:

  • Windows 10 Education
  • Windows 10 Enterprise
  • Windows 10 Home
  • Windows 10 Pro
  To upgrade a device license or to change a product key, follow these steps:

  1. Go to Devices, and select the device from the list.
  2. Go to More > Update License.
  3. From the Update License window, do one of the following:
     • To upgrade the license:
       1. Select License File.
       2. Click Choose File, and then select the XML license file. The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access that Portal. You must also restart the device after you apply the new license file.
     • To change the product key:
       1. Select Product Key.
       2. Provide a new product key. The new key takes about five minutes to apply on the device. The devices does not need to be restarted after the product key is applied.

• Enhancements to the synchronization process between the corporate directory and the MaaS360 Portal for auto-provisioned administrator accounts (phase 2): This enhancement includes an asynchronous method to fetch Portal administrator account status from Active Directory (AD) by using the Cloud Extender 2.94 module. Cloud Extender periodically checks and deactivates any auto-provisioned account if the user account is no longer a member of Active Directory or is a member of an auto-provisioned group.
• Search for a device by using the Platform Serial Number attribute in a Global Search: This feature is supported only for Android and iOS devices.
• Enhancements to the End User Portal (EUP): An issue was resolved where an error occurred on the End User Portal (EUP) when a user tried to reset a new Portal login password from a Forgot Password link. In previous releases, users had to contact an administrator to reset this password. This fix applies only to user accounts with auto-generated user password settings.
• Enhancements to an invite form used by new administrators to sign up with IBMid to access MaaS360 accounts: If a new administrator does not currently have an IBMid, that administrator is sent an email invitation that contains a link to create an IBMid to access the MaaS360 account login page.
• Enhancements to retrieve login credentials for the MaaS360 Portal: If a user forgets their MaaS360 login credentials, the administrator can send instructions to their registered email address on how to retrieve the credentials. This function is supported only for Maas360 customer accounts that use MaaS360 credentials for the authentication mode. This function is not supported for Active Directory (AD), LDAP, SAML, or IBMid authentication methods. In previous releases, password retrieval was only supported and MaaS360 customers had to contact IBM Support to retrieve user names. MaaS360 customers can also access http://login.maas360.com to log in to a MaaS360 account.
• New Settings page for MaaS360 customers and partners: MaaS360 customers and partners can now access Device enrollment settings, User settings, App settings, Doc settings, and Administrator settings from one location on the Settings page. Partners can manage these settings for their customers accounts. To use the new Settings page, MaaS360 customers and partners must be using the new MaaS360 Portal user interface.

• Support for multiple primary Cloud Extenders in an Exchange environment (both On-Premises Exchange 2010, 2013, 2016 servers and Office 365 servers): The Cloud Extender 2.94 release removes the functions that only allowed the administrator to designate one primary Cloud Extender in an Exchange environment. Multiple Cloud Extenders now collaborate through a shared data area to determine which Cloud Extender becomes the primary. This new function eliminates any issues that an administrator might experience with misconfiguring a designated primary Cloud Extender, since configuration is done in the background. For more information, see Primary Cloud Extender in multi-Cloud Extender environments.
• IBM QRadar® can now collect Mobile Enterprise Gateway (MEG) gateway authentication and resource logs by using any configured syslog server. For more information, see Configuring QRadar to collect authentication and resource logs from MEG.

• Apple Volume Purchase Program (VPP) settings are now available on a single Settings page in the MaaS360 Portal: Administrators can now access a single Settings page in the MaaS360 Portal to configure all settings that are required for the Apple Volume Purchase Program (VPP).
• Automatically upload all Apple Volume Purchase Program (VPP) applications that are associated with an Apple VPP token to the MaaS360 App Catalog in the MaaS360 Portal: In previous releases, applications that were associated with an Apple VPP token had to be manually uploaded to the MaaS360 App Catalog in the MaaS360 Portal.
• The following new Classroom Restrictions were added in the iOS MDM policy at Supervised Settings > Restrictions & Network > Classroom Restrictions to manage the Apple Classroom:
  • Join classes automatically
  • Request permission to leave classes
  • Allow app and device lock without prompt
  • Allow screen observation without prompt classroom restrictions
• Recover inactive devices that are marked as User Removed Control by the Apple Feedback Service: Inactive devices that cannot receive push notifications from Apple or MaaS360 are now marked as Unreachable in the MaaS360 Portal. In previous releases, the devices were marked as User Removed Control.
• The following new settings were added for macOS wifi configuration in the macOS MDM policy at Configuration > Wi-Fi:
  • Disable captive network detection
  • Enable QoS marking for apps
• Administrators can now skip setting up the following parameters during Apple Device Enrollment Program (DEP) Profile configuration: FileVault, iCloud Diagnostics, iCloud Storage, and Registration.
• The following new restrictions were added to the macOS Passcode settings in the macOS MDM policy at Restrictions > Password:
  • Grace period for device unlock without passcode in minutes
  • Number of unique passcodes required before reuse allowed (1-50, or blank)
  • Reset passcode on next authentication
• The following new restrictions were added for macOS device functions in the macOS MDM policy at Restrictions > Functionality:
  • Allow use of camera (supported on macOS 11+)
  • Allow Cloud mail (supported on macOS 12+)
  • Allow Cloud calendar (supported on macOS 12+)
  • Allow Cloud reminders (supported on macOS 12+)
  • Allow Cloud address book (supported on macOS 12+)
  • Allow Cloud notes (supported on macOS 12+)
  • Allow Cloud document sync (supported on macOS 12+)
  • Allow iTunes file sharing (supported on macOS 12+)
  • Allow Spotlight internet results (supported on macOS 12+)
  • Allow definition lookup (supported on macOS 12+)
  • Allow music service (supported on macOS 12+)
  • Allow auto unlock (supported on macOS 12+)
  • Configure delay for software updates (supported on macOS 13+)

• TeamViewer unattended access support: Secure TeamViewer unattended access allows administrators to set up permanent access to remote devices from the TeamViewer host app for Android. With this support, administrators can silently install the host app on remote devices and initiate unattended remote support. In previous releases, MaaS360 added support for TeamViewer attended access. For more information, see the TeamViewer site at https://community.teamviewer.com/t5/Knowledge-Base/Supported-manufacturers-for-remotely-controlling-Android-devices/ta-p/4730?pid=social_blog&utm_campaign=Social&utm_content=faqhowtocontrolandroid&utm_medium=social&utm_source=Blog for a list of the manufacturers that support controlling Android devices remotely.
• Disable passcodes on MaaS360 agents: In previous releases, MaaS360 users could use passcode settings in the MaaS360 agent to lock the MaaS360 application, even though the passcode was not enforced through secure policies. In this release, MaaS360 enhances the bulk enrollment feature to allow administrators to disable the passcode settings on the device. The passcode settings are unavailable in the MaaS360 agent after device enrollment.
• Disable a device reset from failed passcode attempts: Administrators can use the Maximum Failed Passcode Attempts policy to specify the number of times a user can enter an incorrect passcode before the device is wiped. For Android Enterprise devices, the Android Enterprise profile is erased from a device after the user reaches the maximum number of failed passcode attempts. In this release, MaaS360 now allows administrators to specify the values of 0 - 16 in the Maximum Failed Passcode Attempts field instead of the previously allowed values of 4 - 16. The value 0 (zero) indicates that the policy is disabled, and devices are not wiped after the user reaches the maximum number of failed passcode attempts.
• M3 Mobile device management: MaaS360 now partners with M3 Mobile to manage rugged M3 SM10 devices in the MaaS360 platform. MaaS360 supports silent installation, upgrades to apps, and new policies that enforce device restrictions on M3 SM10 devices. This feature requires the Android 6.20+ agent. For this release, MaaS360 supports only M3 SM10 devices.

• MaaS360 now validates the target build number against the current build number before it upgrades the OS on Bluebird and Zebra devices. With this enhancement, the build download is initiated only if the target build number is different from the build number that is already available on the device. In previous releases, this validation started immediately after the administrator downloaded the compressed files for the OS update to the device.
• New group-level dynamic actions: Administrators can now easily copy a file from a remote server to a group of Bluebird and Zebra devices.
• New push profile actions on Bluebird devices: Administrators can now deploy predefined profiles immediately on managed Bluebird devices.

• Beta version of the Windows 10 Bulk Provisioning Tool: The Windows 10 Bulk Provisioning Tool allows administrators to automatically enroll Windows 10 laptops if they are using their organization's standard laptop image process.
• Patch source category for patch distribution: For each patch, a source category is now displayed that identifies the category of the patch. Patches are filtered based on the type of source category. MaaS360 also provides a multiple-selection filter option that distributes patches from a specific category to devices. This feature is available for both OS Patches and App Updates on Windows and Mac devices.
• Windows Phone Apps updates version 2.8.1 for Windows Phone Email, MaaS360 Docs, and MaaS360 Browser is now available in the Windows Marketplace, and contains minor bug fixes.
• New real-time actions for Windows devices on the MaaS360 End User Portal (EUP): MaaS360 users can now take actions against Windows 10 enrolled devices, such as locking a device, wiping a device, locating a device, or removing control of a device. In previous releases, the End User Portal (EUP) only supported these actions on Android and iOS platforms.
• Viewing app installation status and canceling app installation in the Windows App Catalog: MaaS360 users can now view all stages of app installation from the Windows App Catalog. MaaS360 also provides an option to cancel the installation, just in case you decide that you do not want to download the app.
• Enable debug logging for MaaS360 Windows agents: Administrators can now capture a detailed activity log from supported Windows agents. The diagnostic logs help the IBM Support team troubleshoot issues with the agent. In previous releases, only the IBM Support team could generate and upload logs from Windows agents.

• General availability of the MaaS360 Unified Enrollment experience for all new and existing MaaS360 users.
• Filter options supported by all columns in the Policies user interface: MaaS360 users can now easily search policies by entering search criteria that is supported by all columns in the Policies page.
• New MaaS360 Portal user interface for all MaaS360 users and partners: MaaS360 offers an improved user interface (UI) for administrators. The new UI that was released a few months ago now displays more content and offers a consistent user experience in the MaaS360 Portal.
• Registering a device that requires Flash: MaaS360 removes the dependency to register a device that requires Flash. If strong authentication is enforced, administrators can now register a device and avoid security checks to access the MaaS360 Portal. However, with the 10.68 release, administrators who previously registered their devices must still undergo additional security checks to reregister their devices. When Flash was blocked in previous releases, administrators still had to pass security checks even though devices were successfully registered.
• Swedish language support for the MaaS360 Portal, the MaaS360 End User Portal (EUP), and the MaaS360 agents.
• Time-based two-factor authentication support for FedRAMP compliance: To comply with the United States Federal Risk and Authorization Management Program (FedRAMP) requirements, Mass360 reinforces security by adding time-based two-factor authentication support for Portal administrators. With this support, administrators must also use a time-based one-time passcode for authentication in addition to their login credentials.

Upload the same app from different sources in the MaaS360 App Catalog: MaaS360 users can now upload apps through other channels if they do not have access to Google Play Store, even if the app is available in the MaaS360 App Catalog. For example, if an app is uploaded from Google Play Store, the same app (with the same bundle ID and version) can be uploaded as an Enterprise app from the MaaS360 App Catalog. To enable this feature, contact IBM Support.

Enhancements to certificate updates in the MaaS360 Portal (Update Device Certificate action): Administrators can now update a single certificate or multiple certificates on devices that are enrolled in the MaaS360 Portal that use the MDM policy and the Persona policy. For more information, see Using the Update Device Certificate action.

• Administrators can now push an iOS update to a device, or to Device Groups and User Groups with devices enrolled in MaaS360.
• Administrators can now import multiple mobile configuration (mobileconfig) files for iOS and macOS devices from iOS and macOS policy settings. In previous releases, MaaS360 allowed only one mobile configuration file imported from policy settings.
• The Certificate Credentials policy now supports publishing Cloud Extender identity certificates to iOS or macOS devices. This feature is supported only on devices that are enrolled through Cloud Extender. You must contact IBM Support to enable these credentials for your account.
• MaaS360 now supports Active Directory account configuration for macOS devices. To enable this setting in the MaaS360 Portal, open a macOS policy, and then select User Settings > Active Directory.
• The Apple Volume Purchase Program (VPP) apps workflow now supports the following menu options:
  • App Addition Status: Displays the upload status of a VPP token, such as scheduled, in progress, or completed.
  • View: Accesses the VPP Token Details page, which displays all the iOS apps that are associated with a VPP token, including license information, the status of adding an app automatically, and reasons why an app failed to upload automatically.
• The Apple Device Enrollment Program (DEP) profile configuration user interface is updated with a new tab for configuring Device Enrollment Program (DEP) profiles that includes skipping configuration settings when iOS and macOS DEP devices are enrolled. The Device Enrollment Program (DEP) workflow is not affected by the new user interface.
• Administrators can now use the MaaS360 Packager to upload shell scripts as an app to the MaaS360 App Catalog. When the app is available in the App Catalog, shell scripts are distributed in the same manner as other apps. This feature requires the App Catalog agent version 1.40+ and the MaaS360 Packager 1.40+.
  Note: MaaS360 uses a default icon for this app that cannot be changed by portal administrators.
• Administrators can now push shell scripts remotely from the Device view to macOS devices.
  Note: Shell scripts are not executed if a device is offline. Shell script execution is supported only on the MaaS360 for macOS agent version 2.35.100.003.

• MaaS360 now supports unified device management between Samsung Knox and Android Enterprise. With this feature, administrators can use both Samsung Knox APIs and Android Enterprise APIs for corporate-owned Samsung devices enrolled in Device Owner (DO) mode. In this release, MaaS360 provides a new setting for Samsung devices called DO with Knox in the Android Enterprise section of the Android MDM policy.
  Note: For existing Device Owner (DO) enrollments on Samsung devices, users can enable the ELM License from Corporate Settings to use this feature. Devices that are enrolled after the 6.25 release are eligible for this feature by default. This feature is supported on Samsung devices that are running Android OS version 6+.
• MaaS360 now supports Knox Mobile Enrollment (KME) based Device Owner mode (Android Enterprise) enrollments. With this feature, organizations can preconfigure work-managed devices through Samsung Knox Mobile Enrollment (KME) so that devices automatically enroll in MaaS360 in DO mode after the first boot or on a device reset.
  Note: This feature supports only Device Owner (DO) mode enrollment and applies only to Samsung devices with Knox 2.8+.
• Administrators can now manually schedule upgrades to Android apps to prevent disruptions on a device.
  Note: If an upgrade is not scheduled by the administrator, the upgrade is downloaded when the administrator pushes the upgrade for the app.
• The QR Code and Zero Touch enrollment workflows now prevent users from skipping device enrollments. In previous releases, users could skip mandatory screens that were required for device enrollments.
• When managed devices enter power-saving mode, features such as background data and location services are restricted and the MaaS360 agent on the device cannot receive important updates from the MaaS360 Portal. In this release, the Device view displays which managed devices are in power-saving mode. Administrators can also use the Advanced Search engine to filter all devices that are in power-saving mode.
• Administrators can now manually schedule actions such as OS downloads, upgrades, copying files on Bluebird and Zebra devices to prevent disruptions on these devices.

• Beta version of the Windows 10 Bulk Provisioning Tool: The Windows 10 Bulk Provisioning Tool allows administrators to automatically enroll Windows 10 laptops if they are using their organization's standard laptop imaging process. In this release, administrators can upload a CSV file containing device hostnames to map users to a device.
• Administrators can now use the Export option to download global reports on OS patches and app updates from the Patch Management workflow in the MaaS360 Portal at Security > Patch Management. Reports are downloaded as CSV or XLS files. The reports provide overall patch compliance status by listing all the patches or app updates that are missing on devices. The report also provides data about devices that are affected by each patch. Administrators can also generate a list of devices that are missing a specific patch or app update by clicking the count of missing devices in the patch management reports.
• MaaS360 automatically attempts to reinstall a Windows package if the app failed to install instantly. MaaS360 attempts to install a package three times over a period of 5 minutes until the app is successfully installed. This feature supports MSI, EXE, and scripts.
• Administrators can now define criteria such as preconditions or prerequisites for installing Windows enterprise apps on a device. With this feature, enterprise apps are installed only on devices that meet the criteria.

• Administrators can now automatically and manually delete Apple School Manager (ASM) user accounts and Local Education users from the MaaS360 Portal permanently. The automatic method deactivates the Apple School Manager (ASM) user account from the Apple School Manager (ASM) portal. The Apple School Manager (ASM) user account is automatically removed from the MaaS360 Portal based on the duration time that is set for permanent deletion.
• The Popular Support Pages menu in the MaaS360 Portal now includes a help link called Engage Professional Services to contact the IBM Security Product Professional Services team. The IBM Security Product Professional Services team specializes in planning, architecting, implementing, and gaining full adoption of IBM MaaS360 in enterprises of any size.
• Administrators can now track an enrolled device in the MaaS360 Portal that was reactivated or re-registered. This feature uses an attribute called Device Registration Date in the Advanced Search engine that allows an administrator to view the last time a device was activated. An administrator can also view the last time a re-enrolled device was registered.

Customers and business partners can now update a Primary Administrator role for their account. In previous releases, customer and business partners had to contact IBM Support to change the Primary Administrator for their account. This feature is restricted to Global Administrators with a Service Administrator role. The new user interface for the MaaS360 Portal is generally available to customer and partner administrators when they first log in to their portal account.

• The Business Dashboards for Apps (Apps Inventory) in the MaaS360 Portal at Reports > Mobile Apps > Apps Inventory is generally available to new and existing customers. The Business Dashboards for Apps (Apps Inventory) reporting data provides overview and trend statistics for managed and non-managed enterprise apps that use the MaaS360 SDK. You must contact IBM Support to enable this feature for your account. Customers must use the new MaaS360 Portal user interface that was introduced in the 10.68 platform release to view the Business Dashboards for Apps.
• The Business Dashboards for Apps at Reports > Mobile Apps > Apps Inventory is now available for MaaS360 customers in SPS only mode. You must contact IBM Support to enable this feature for your account. The Business Dashboards for Apps generates reports for SPS mode customers based on overview and trend statistics.
• MaaS360 provides the Business Template Based policy and Community Based policy in the MaaS360 Portal to all customers. These policies allows customers to add custom policies in the MaaS360 Portal based on business needs and community insights. The Business Template Based policy, which provides settings for configuring policies based on business use cases, is available only for the iOS MDM policy, the Android MDM policy, and the Persona policy. The Community Based policy, which provides recommendations on how to configure a policy based on similar organizations in the business community, is available for all policy types.

Administrators can now delete users who do not have an active Cloud Extender device. In previous releases, an error message was displayed when a user record that was missing active records was deleted.

• Administrators can now enable the App Approval & Publication Process workflow directly from the MaaS360 Portal. The App Approval & Publication Process workflow allows administrators to identify standards and guidelines for publishing apps to the enterprise app store. All apps must pass these requirements before the app is promoted to the App Catalog.

  By default, a new role called App Approver is added to the Primary Administrator role. The App Approver role is assigned to authorized administrators such as security officers or compliance officers and grants privileges to review (accept or reject) apps that are submitted for approval.

• Beta versions of public and private channel Android Enterprise apps can now be distributed for internal testing purposes. Administrators can receive early feedback from users and fix issues before releasing these apps to production.
• Administrators are now notified by email of new permission requests for Android Enterprise apps if automatic re-approval is not enabled. Administrators can approve new permissions directly in the MaaS360 App Catalog. Apps that require an administrator to accept new permissions display a red exclamation point in the app icon.
• Administrators can now submit iTunes and enterprise macOS apps for app approval before promoting those apps to the App Catalog. In previous releases, the App Approval workflow supported only Android, Windows, and iOS apps.
• Administrators can now view the installation status of custom enterprise macOS apps from a progress bar. In previous releases, enterprise apps were installed through MDM.

• Beta feature for Azure Active Directory device status update: MaaS360 introduces a new customer property called Azure AD Device Status Updates. This feature allows administrators to synchronize compliance status in MaaS360 with the Azure Device Directory for Windows 10 devices that are enrolled through the Windows OOBE enrollment mode. You must contact IBM Support to enable this feature for your account.
• Azure AD and On-Premises AD mixed-mode support: MaaS360 introduces support for Azure Authentication and AD/LDAP Authentication mixed-mode setup. For more information, see Supporting mixed-mode and Azure Active Directory (AAD) and On-Premises Active Directory (OPAD) scenarios.

• Administrators can now add web apps to the iOS 12+ device home screen. In previous releases, the iOS policy supported only App and Folder configuration from the Home Screen page.
• The following enhancements are available in the iOS VPN policy for provider type and bundle identifier settings for the F5 Access VPN profile:
  • The provider type for per-app VPN supports App Proxy and Packet Tunnel provider types. For iOS 12+ devices, you must use a Packet Tunnel provider type for the per-app VPN to work.
  • The VPN payload now supports a bundle identifier. If a VPN vendor provides two different apps, an administrator can use an app bundle identifier for each VPN app to differentiate between the two apps.
    Note: The provider type and bundle identifier options are now available for Palo Alto, Aruba VIA®, Sonicwall Mobile Connect, Juniper SSL, and the Custom SSL VPN profile types that are supported in MaaS360.
  • For the F5 VPN profile, MaaS360 supports a new VPN type called F5 Access, and F5 SSL VPN is renamed to F5 Access Legacy. F5 Access supports the new iOS VPN framework that was introduced by Apple in iOS 10.3. An MDM profile with F5 Access works on iOS 10.3+ devices with the F5 Access app. The F5 Access Legacy configuration does not work on iOS 12.0 devices. For more information about these new settings, see the VPN policy topic.
• Administrators can now choose an option to skip the setup of iMessage and FaceTime for users who enroll devices through the Apple Device Enrollment Program (DEP). If this setting is enabled, the iMessage and FaceTime options are not displayed to users during iOS DEP enrollment. This function is supported for iOS 12 devices, and for China only. For more information about this setting, see Adding a profile to the Apple Device Enrollment Program (DEP).
• The following enhancements are available for the Restrictions and Network supervised settings in the iOS policy:
  • Allow date and time modification: If this setting is enabled, the user is allowed to change the date and time on the iOS device. To restrict a user from editing the date and time on an iOS device, disable this setting and publish the policy to the device. This restriction setting is supported for iOS 12.0+ devices and is enabled by default in the policy.
  • Allow proximity setup to new devices: If this setting is enabled, the user can transfer data, settings, and content from an old device to a new device using the same Apple ID. The old device with the published policy allows automatic setup of new devices that are within the proximity of the old device. You can also take the following action from the Device Inventory page: More > Wipe > Disable proximity setup on next reboot for a selected device. In this release, this action is extended to supervised devices by using the supervised settings in the iOS policy. This restriction setting is supported on iOS 11.0+ devices.
  • Allow USB accessories while locked: If this setting is enabled, the device can connect to USB accessories even if the device is locked. This setting is enabled by default in the policy. This restriction setting is supported on iOS 11.3+ devices.
• The following enhancements are available for the Notifications supervised settings in the iOS policy:
  • Disable notifications in CarPlay: The notifications on the device are disabled during CarPlay mode. This setting is enabled by default in the policy. This restriction setting is supported on iOS 12.0+ devices.
  • Enable critical notification: If this setting is enabled, an app can set a notification as a critical notification on the device by overriding the Do Not Disturb setting and the device ringer settings. This setting is disabled by default in the policy. This restriction setting is supported on iOS 12.0+ devices.

• The option to set up Android Enterprise accounts is now available from the Quick Start wizard in the MaaS360 Portal.
• MaaS360 adds support for the following Android Enterprise policies:
  • Android MDM Policy > Android Enterprise Settings > Security > Device Security
    • Enable Factory Reset Protection
    • Enforce Network Date and Time
  • Android MDM Policy > Android Enterprise Settings > Passcode > Minimum Passcode Quality
  • Android MDM Policy > Android Enterprise Settings > Restrictions
    • Location Sharing Settings > Location Sharing Mode
    • Network Restrictions > Wi-Fi Timeout
  • Android MDM Policy > Android Enterprise Settings > Certificates > Configure Additional Certificate Management Settings
  • Android MDM Policy > Android Enterprise Settings > COSU (Kiosk Mode) > Customize Kiosk Launcher Settings
    • Show Custom Status Bar
      Note: This policy is unavailable if the COSU Mode type is Automatically launch a required app and lock the device to display only this.
    • Allow Users to Set Screen Brightness
• MaaS360 adds support for the following M3, Kiosk, and Bluebird policies:
  • M3 policies:
    • Android MDM Policy > Device Settings > Security > App Security
      • Allow installation of apps
      • Allow uninstallation of apps
    • Android MDM Policy > Device Settings > Wi-Fi > Wi-Fi Settings
    • Android MDM Policy > Device Settings > Restrictions
  • Kiosk policies:
    • Android MDM Policy > Advanced Settings > Kiosk Mode Restrictions
      • Hide Status Bar > Show Custom Status Bar
      • Kiosk Launcher Settings > Allow Users to Set Screen Brightness
        Note: The Kiosk Mode type must be Show custom home page with allowed apps.
  • Bluebird policies: Android MDM Policy > Advanced Settings > Device Security > Block Camera and Google Voice on Lock Screen
• MaaS360 adds support that allows administrators to send individual identity certificates from the Cloud Extender to devices by using Android MDM policies in the MaaS360 Portal. The authorized third-party apps can use the identity certificates to authenticate users against those apps on devices. Contact IBM Support to enable this setting for your account.
• MaaS360 supports Google device attestation during Android Enterprise enrollments. Google provides SafetyNet Attestation during Android Enterprise enrollment (DO and PO) to make sure that devices pass compatibility and integrity checks. Any device that fails attestation during the enrollment process cannot be provisioned. The SafetyNet Attestation status for a device is displayed in the Summary view for the device in the MaaS360 Portal. In previous releases, the SafetyNet Attestation ran after device enrollment. Contact IBM Support to enable this setting for your account.
• MaaS360 adds support in the Secure Mail Security Settings that allows administrators to restrict outgoing email messages that are sent to external domains. The outgoing email messages that are sent to external domains are either blocked or a warning message is displayed.
• MaaS360 provides the following enhancements to the app wrapping feature based on suggestions from Android:
  • Improvements on handling multiple .dex (Dalvik Executable) files: The partitioning of .dex files is handled automatically by MaaS360. In previous releases, users were required to manually provide the path for secondary .dex files.
  • Notification Manager extends Android Notification Manager (SDK/Wrapping): Users are now notified about issues with app wrapping and can take actions to fix issues due to crashes. This feature is supported on Android OS version 5.0 and later.
  • Use the MaaS360 SSL socket factory and hostname verifier by using an App Config parameter: If overrideNetworkParams=true, MaaS360 overrides the SSL socket factory on the user's app. The default value is true.
• MaaS360 supports a new configuration option called Prompt for Device Name that allows users to set a custom device name for a device that enrolls with Zero-touch (KME + DO, non-Samsung + DO) and QR code for work-managed device enrollments.

• MaaS360 extends BitLocker encryption support for Windows 10 Pro devices. In previous releases, the feature was limited to Windows 10 Education and Enterprise editions.
  Note: Existing customers must republish the Require Device Encryption BitLocker policy from the Security policies section to enforce the policy on Windows 10 Pro devices. This feature requires MDM Extender agent version 1.90 and the Core app version 3.90. The BitLocker Drive Encryption feature is not supported on Windows Home edition.
• MaaS360 adds new policies that allow administrators to back up the BitLocker recovery password to Active Directory (On-Premises or Azure) and to the MaaS360 End User Portal (EUP). Organizations that enforce BitLocker encryption through channels other than MaaS360 can also use these policies to back up the BitLocker Recovery password on managed Windows 10 devices.
• The device Wipe action is not supported on MDM-enrolled Windows 10 devices before Redstone 3 (RS3). Due to limitations with the Microsoft API supporting the device Wipe action on earlier versions of Windows 10, the Wipe action does not work on Windows 10 OS version Redstone 3 (RS3) or 1709+. If the Windows 10 OS version is earlier than the Redstone 3 (RS3) version, the Wipe action is not pushed to the device from the MaaS360 Portal. This restriction does not affect devices that are enrolled through the DTM enrollment method.

  To view the OS version of your Windows device in the MaaS360 Portal, go to Devices > Hardware & OS tab > OS version. The OS version is displayed in the 10.x.y.z format. The device Wipe action is supported on OS versions where y is greater than 15063. If the device Wipe action fails, you can track the status in the device history.

• Microsoft requires that user accounts that are enrolling in MDM must have local admin rights on the Windows machine. MaaS360 provides a workaround for organizations to overcome this limitation by allowing users to enroll Windows 10 devices into MaaS360 without local admin privileges.
  Note: You might not be able to install some apps that require administrator privileges or some apps might not function properly.
• MaaS360 now supports the option to send text notifications to a device when administrators enforce new policies or update existing policies. Contact IBM Support to enable this setting for your account.

• MaaS360 adds support for deep links in the Enterprise App Catalog. Users can navigate to a detailed view of an app in the Enterprise App Catalog by tapping a URL from a different app. For example, an IT administrator can create and distribute a custom URL pointing to the download page of a VPN application. This feature applies to iOS devices only. For more information about how to create deep links for your devices, see Creating deep links for Enterprise apps.
• Administrators can now view distributed apps or clips and the status of the apps or clips that are distributed to a user, whether the app is scheduled to be installed, installed, or not installed. For more information how to view distributed apps or clips, see Managing multiple versions of apps in the App Catalog.

The My Advisor notification email message sent to administrators now provides a total count of the insights that were mitigated from the previous week. A mitigated insight refers to a risk insight that is relevant to the customer and reduces the impacted device count to zero.

New Zebra Printer Management module: MaaS360 introduces a new module for Cloud Extender that allows administrators to remotely manage configuration settings and take actions on Zebra printers that are discoverable on the corporate network. For more information about this new module, see Zebra Printer Management module.

• MaaS360 now supports the Disown Device web services API for the Apple Device Enrollment Program (DEP). The Disown Device API disowns a Device Enrollment Program (DEP) device (based on the device identifier) that is associated with a Device Enrollment Program (DEP) token. After a device is disowned, the administrator must manually remove the device to unenroll the device from the Device Enrollment Program (DEP). The API then informs Apple servers that the server no longer owns one or more MaaS360 enrolled DEP devices. The server returns the following responses:
  • Success: The device is successfully disowned.
  • Not accessible: A device with the specified device ID is not accessible.
  • Failed: The process of disowning the device failed due to an unexpected issue. If the process fails after 3 attempts, you must contact Apple Support.
• MaaS360 adds support in the WorkPlace Persona policy that allows users to enable certificate-based authentication for web pages. This setting is available in the MaaS360 Portal at WorkPlace Persona policy > Browser Defaults. This setting allows users to authenticate to web pages with an identity certificate. This setting is supported on iOS 2.6+ devices.

• MaaS360 adds the Android Enrollment Wizard, a consolidated workflow for all Android enrollments, both Device Admin DO (Device Owner) and (PO) Profile Owner. The enrollment wizard displays interactive options that guides you through the Android enrollment method that suits your requirements. The existing Android enrollment menus are still available from the MaaS360 Portal. For more information, see Android Enrollment Wizard.
• The following Device Admin policies are deprecated in the MaaS360 Portal when Android upgrades its OS to version 10 in 2019:

  Portal path	Policy
  Android MDM policy > Device Settings > Passcode > Passcode Settings	Maximum Passcode Age (in Days) Minimum Passcode Quality Minimum Passcode Length (4-16 characters)
  Android MDM policy > Device Settings > Passcode > Security	Disable Keyguard Features
  Android MDM policy > Device Settings > Passcode > Restrictions	Camera

• MaaS360 adds support for additional Android Enterprise policies for Android devices that are running OS version 9.0+.
• MaaS360 adds support for new configuration parameters to overcome issues during app wrapping for Android Enterprise apps. For the MaaS360 10.71 platform release, administrators can enable multidex for Analytics-only (marked for collecting analytics data) apps. For more information, see Android app wrapping parameters.

• MaaS360 extends support for the Delivery Optimization (DO) method in a Windows 10 policy. The Delivery Optimization (DO) method is a peer-to-peer delivery of updates to networked PCs in an organization. These updates include Windows updates, security updates, Windows Store apps, and Windows Store for Business apps. This setting is available in the MaaS360 Portal at Windows policy > Device Settings. For more information, see Delivery optimization.
• Windows 10 MDM policies in the MaaS360 Portal now display the specific version of the Windows OS that is supported by the policy. Some of the OS versions that are supported include Windows Phone 8+, Windows 10 Professional, Education, Enterprise, Windows Team, and Windows Holographic. For more information, see Configuring Windows MDM policy settings.
• The deep links feature in the Enterprise App Catalog now allows users to download and install an app directly from a provided link. In previous releases, users tapped a URL from a different app or from the web portal to navigate to a detailed view of the app in the Enterprise App Catalog. This feature is available on Windows 10+ MDM devices. The default syntax to download and install an app is as follows: maas360appcatalog://launchapp?appID=77a5f49b-3d10-3c1f-a073-8eca625dba2d&appVersion=1&downloadinstall=true .
  Note: This feature requires Windows Core 4.00 and Windows MES 2.00.
  For more information, see Creating deep links for Enterprise apps.
• MaaS360 now supports wifi-based geo-fencing for Windows 10 MDM enrolled devices. Administrators can add managed wifi locations in the MaaS360 Portal at Security > Locations > Add Wi-Fi Locations. For more information, see Managing secure locations for a device.
  Administrators use the Assign Policies action to enforce different policies based on whether the devices checked in to the managed wifi locations. The MaaS360 Portal also displays a Checked In or Checked Out status for devices that are connecting or disconnecting from wifi locations. Device users can view managed wifi locations from the Windows 10 MaaS360 app on the device.

  Note: This feature requires MES Agent version 1.85 and the MaaS360 Core app 4.00. You must contact IBM Support to enable this feature.

  For more information, see Managing secure locations for a device.
• MaaS360 automates and simplifies the handling of Java™ patches by providing a customized Enterprise Patch Repository administered from the MaaS360 Portal. The Enterprise Patch Repository definition does not require visibility into missing Java patches, but is required to deploy and manage patches to users that are on or off the corporate network. Oracle mandates that its customers submit enterprise licenses to download and distribute Java patches.
• MaaS360 now supports IBM Security Verify integration with Windows 10 desktops and laptops. IBM Security Verify is a stand-alone identity service from IBM that provides single sign-on (SSO) capabilities to ensure that only trusted devices and apps can access enterprise or corporate resources. In previous releases, this feature only supported mobile devices with iOS 7+ or Android 5.0+. For more information, see IBM Security Verify integration with MaaS360.

• MaaS360 allows administrators to access the web services API documentation from the MaaS360 Portal user interface. The user interface includes a reference about the web services API, and an option to try out the APIs depending on the type of access rights assigned to the administrator account. For more information, see Web services.
• MaaS360 enhances the Business Templates based policy by providing two new business use case templates: Center of Internet Security (CIS) and Security Technical Implementation Guide (STIG). The new business use case templates are listed for the Business Templates based policy as part of the Add Policy workflow. With this feature, you can create a policy based on the CIS and STIG security compliance templates-based policy.
• MaaS360 adds support for a new search attribute in the Advanced Search feature that is based on operating system: OS Version (numeric). The OS Version (numeric) attribute supports the following conditions:
  • Equal To
  • Greater Than
  • Greater Than or Equal To
  • Less Than
  • Less Than or Equal To
  • Not Equal To
  The OS Version (numeric) attribute applies to iOS, Android, Windows, macOS, and the Windows Phone operating system. For more information, see Configuring search criteria.
• Administrators can now check the origin of a policy in the MaaS360 Portal. The MaaS360 policy recommendation engine can suggest policies based on peer best practices. These community-based policies are derived using an organization profile that consists of variables from industry, device count, and region. MaaS360 also provides pre-defined policies based on business use cases. For more information, see Configuring administrator settings in the MaaS360 Portal.
• MaaS360 now displays password prompts for important actions in the MaaS360 Portal. The password prompt ensures that only authorized personnel can take actions in theMaaS360 Portal. MaaS360 suggests that prompts are always displayed to all administrators.
  This setting is available in the MaaS360 Portal at Setup > Administrators > More > Administrator Settings. This setting includes the following options that are available for administrator roles:

  • Prompt Always: Administrators are always prompted for a password if necessary.
  • Let Administrator Choose: An administrator can disable the password prompt for 5 minutes, 10 minutes, 20 minutes, or for the rest of the portal session. If the administrator logs out, they are prompted for a password the next time they log into the MaaS360 Portal.
  • Never Prompt: Administrators are not prompted for a password for any actions on the MaaS360 Portal.
  Note: If no option is set for the role, the default setting is Prompt Always. These settings are applied for the next login by an administrator into the MaaS360 Portal. All actions on the MaaS360 Portal might not require password confirmation. Only global administrators with a Service Admin role can modify password prompt settings. For more information, see Configuring administrator settings in the MaaS360 Portal.
• MaaS360 now allows administrators to import specific user groups for an Azure AD tenant into the MaaS360 Portal and synchronize data for these groups with existing groups in the MaaS360 Portal. This feature is available in the IBM Admin Portal as the Enable Azure Group Based Data Sync custom property. For more information, see Importing specific user groups for an Azure AD tenant into the MaaS360 Portal.