Release notes for 2019 (10.72 - 10.76)

• S/MIME configuration in the iOS MDM policy: MaaS360 enhances the S/MIME configuration for the Exchange payload in the ActiveSync policy for iOS MDM. The Enable S/MIME setting lists all the S/MIME settings in one place. The following new S/MIME configurations are also available in this release:
  • Allow user to override enabling/disable encryption: The user can manage encryption on the device.
  • Allow user to override encryption certificate: The user can change the encryption certificate that is used on the device by overriding the default setting. Choose the encryption certificate on the device from Advanced Settings > S/MIME > Encrypt by Default.
  • Allow user to override S/MIME signing value: The user can manage signing on the device.
  • Allow user to override SMIME signing certificate: The user can change the signing certificate that is used on the device by overriding the default setting. You can choose the signing certificate on the device from Advanced Settings > S/MIME > Sign.

  In previous releases, the encryption certificate and the signing certificate that were pushed from the policy were the only certificates that were allowed on the device and the user could not override this value. For more information about the S/MIME settings, see the ActiveSync policy.

• OAuth (Open Authorization) authentication in the iOS MDM and macOS MDM policies: MaaS360 now provides the Enable OAuth authentication setting in the iOS MDM and the macOS MDM policies. This setting allows users to use OAuth 2.0 for authentication. When OAuth is enabled, the Authentication workflow uses the configured OAuth URL in the native mail app. This setting is supported on iOS 12.0+ and macOS 10.14+ devices.
  • For the iOS MDM policy, this setting is available from Device Settings > ActiveSync. For more information about the OAuth settings in the iOS MDM policy, see the ActiveSync policy.
  • For the macOS MDM policy, this setting is available from User Settings > Exchange. For more information about the OAuth settings in the macOS MDM policy, see the Exchange policy.
• New grouping mechanism for notifications in the iOS MDM policy: For the iOS 12.0+ release, Apple is providing a new mechanism to group notifications on a device. To support this feature, MaaS360 provides the Grouping Type setting in the iOS MDM policy under Supervised Settings > Notifications. This setting is supported on iOS supervised devices. For more information, see the Notifications policy.
• Skip the setup of items during Profile configuration in the Apple Device Enrollment Program (DEP): MaaS360 adds the following options to the Skip Items setting during Profile configuration for iOS, macOS, and all Device Enrollment Program (DEP) devices:
  • Screen time and software update options for iOS devices
  • Appearance option for macOS devices
  • SIM setup option for all Device Enrollment Program (DEP) devices

  If these options are enabled, the options are not displayed to users during iOS or macOS Device Enrollment Program (DEP) enrollment on the device. This function is supported on iOS 12.0+ and macOS 10.14+ devices. For more information, see Adding a profile to the Apple Device Enrollment Program (DEP).

• Time server configuration in the macOS MDM policy: MaaS360 supports a new Timer Server setting in the macOS MDM policy. This setting configures the timer server and the time zone on a device. When you publish this policy on a macOS device, the device time is synchronized with the configured server time and the time zone in the policy. The time zone cannot be changed by the user on the device. This setting is supported on macOS 12.4+ devices. For more information, see the Time Server policy.
• App store restrictions in the macOS MDM policy: MaaS360 introduces the following new App Compliance restriction settings in the macOS MDM policy:
  • Allow non admin users to install apps: Non-administrator users can install applications from the App Store. This setting is supported on macOS 10.9+ devices.
  • Allow software update notifications: The device can receive notifications about software updates. This setting is supported on macOS 10.10+ devices.

  For more information, see the App Compliance policy.

• Android Enterprise policies for Browser and Lock Screen on Samsung Knox devices: For Android MDM, the Browser and the Lock Screen policies use a new support tag PO with Knox and DO with Knox for the Android Enterprise settings. For more information about the Browser policy, see Browser. For more information about the Lock Screen policy, see Lock Screen.
• Migration from Google Cloud Messaging (GCM) to Firebase Cloud Messaging (FCM): Google announced the decommissioning of Google Cloud Messaging (GCM) on April 11, 2019. EMM vendors must move to Firebase Cloud Messaging (FCM) to provide real-time notifications to devices. Firebase Cloud Messaging (FCM) is a new push notification mechanism for communicating with any Android app from a web server such as EMM. MaaS360 will move to Firebase Cloud Messaging (FCM), which inherits the reliable and scalable Google Cloud Messaging (GCM) infrastructure.
  Customers should upgrade to Android agent 6.50+ as early as possible. Existing devices continue to work after April 11, 2019 until a device group must be re-enrolled. For re-enrollment, administrators should consider upgrading the device first to Android agent 6.50+ and then complete the enrollment.

  Note: Google Cloud Messaging (GCM) deprecation does not affect devices that are not supported by Play Services.

  Migration impact

  Devices that are enrolled before MaaS360 for Android app version 6.50 are already registered with Google Cloud Messaging (GCM) and continue to use Google Cloud Messaging (GCM). The Google Cloud Messaging (GCM) token continues to work indefinitely.

  The devices that are enrolled with MaaS360 for Android app version 6.50 and later are registered with Firebase Cloud Messaging (FCM). The Firebase Cloud Messaging (FCM) server generates both Google Cloud Messaging (GCM) and Firebase Cloud Messaging (FCM) tokens for Google Cloud Messaging (GCM) and Firebase Cloud Messaging (FCM) registered devices. Any new enrollments with the Agent version earlier than MaaS360 for Android app version 6.50 cannot create a new Google Cloud Messaging (GCM) token, when Google deprecates support for Google Cloud Messaging (GCM) in April. Devices must upgrade to MaaS360 for Android app version 6.50 and later to re-enroll.

• Beta release of the Samsung Knox License (SLK) and Knox License Management (KLM): MaaS360 adds support for Samsung Knox License (SLK) management that allows an administrator to deploy the Samsung Knox License (SLK) key to Samsung devices.

  Samsung Knox License (SLK) is a consolidated license that is designed by Samsung to replace Enterprise License Management (ELM) and Knox License Management (KLM) licenses. This feature requires MaaS360 for Android 6.50+ and Knox 3.0+.

  Note: This feature is not available by default. Contact IBM Support to enable this feature for your account. The Samsung Knox License (SLK) key expiration is not handled by MaaS360 yet. If you provide a key that is about to expire, you will lock users out of the Profile Owner mode and encounter issues in Device Owner mode. When this feature is enabled, all Android Enterprise enrollments on Knox 3.0+ devices require a Samsung Knox License (SLK). If the Samsung Knox License (SLK) key is not functioning properly, enrollments can fail.

  Configuring the Samsung Knox License (SLK) from the Settings menu option in the MaaS360 Portal

  To configure the Samsung Knox License (SLK) key from the Settings menu option in the MaaS360 Portal:

  1. Go to Setup > Settings.
  2. In the Device Enrollment Settings section, click Advanced.
  3. Expand the Advanced Management for Android Devices section and then enter the Samsung Knox License (SLK) key.

  Configuring the Samsung Knox License (SLK) from policies in the MaaS360 Portal

  To configure the Samsung Knox License (SLK) key from policies in the MaaS360 Portal:

  1. Go to Security > Policies.
  2. Open an Android MDM policy, expand the OEM Settings section in the sidebar, and then click Samsung License Management.
  3. Enter the Samsung Knox License (SLK) key and the Knox License Management (KLM) key.
• Track-only mode for IBM Trusteer® Threat Management: MaaS360 adds a new remediation action that allows administrators to track malware apps only. The Track only action allows administrators to keep a track of all devices that are running malware apps, but does not immediately take action on devices to remediate the issue. The user is not notified about the malware and the device is not placed out of compliance. In previous releases, the app was uninstalled from the device or the device was placed out of compliance based on the policy setting. This setting is available from Device Settings > Trusteer Threat Management > Configure Settings > Malware App Remediation Action.
• Track the Kiosk mode status on devices: MaaS360 allows administrators to easily track the stages of the Kiosk mode from the Kiosk Mode field in the Devices view. Administrators can also create advanced search criteria to filter devices in Kiosk mode by status.
  To view the Kiosk mode status:

  • Go to Devices > Inventory and then open the device. In the Device Summary view, the Kiosk mode status is tracked in the Kiosk Mode field. The following stages are tracked in the Kiosk Mode field:
    • Enabled: Kiosk mode is enabled on the device through policies.
    • Pending Enablement: The Kiosk mode policy is published, but Kiosk mode is not enabled on the device.
    • Exited: The Kiosk mode is enabled through policies, but the user exited the Kiosk mode.
    • Not Applicable: The default value before enabling the Kiosk mode on the device is enrolled with MaaS360 for Android version 6.50 and later.
    • Not Available: The default value before enabling the Kiosk mode on the device is enrolled with MaaS360 for Android version earlier than 6.50.
• App wrapping support for apps compiled with the AAPT2 (Android Asset Packaging Tool): MaaS360 now allows users to wrap apps that are compiled with AAPT2 (Android Asset Packaging Tool), a build tool that Android Studio and Android Gradle Plugin use to compile and package resources for the app.

• General availability of app inheritance: MaaS360 adds support for app inheritance that allows hierarchical management of public apps (iOS, Android, Windows, and macOS) and inheritance of these apps from channel partners to customers while controlling the apps that the customer receives. Any changes to apps at the partner level are applied to all customers and partners under the channel partner without any additional work required at each customer level. Channel partners can distribute apps or make them available to customers or partners.
  Note: The apps that are distributed by channel partners cannot be deleted by customer administrators.
  For more information, see Inheriting apps from channel partners to customers.
• Deploy web apps to macOS devices: MaaS360 now allows administrators to deploy web apps to macOS devices. The deployed web apps are available from the Web Apps section in the App Catalog agent.
  Note: By default, the web apps are opened in the Safari browser. This feature requires macOS App Catalog agent version 1.50.000.
• Post-enrollment installation of an app bundle: Administrators can deploy enterprise apps that are automatically installed on macOS devices after enrollment. This feature also allows administrators to arrange bundles in the order that they are installed on the device.
  Note: This feature is not available by default. Contact IBM Support to enable this feature for your account. When the Startup Bundle is enabled, the app bundle is marked for instant install. This feature is supported on macOS enterprise apps only and requires macOS App Catalog agent version 1.50.000.

  Adding a post-enrollment installation bundle from the MaaS360 Portal

  To add a post-enrollment installation bundle from the MaaS360 Portal:

  1. Go to Apps > Bundles.
  2. Click Add App Bundle. The App Bundle window is displayed.
  3. Complete the fields, and then select the Startup Bundle check box.

  Arranging the order of post-enrollment installation bundles in the MaaS360 Portal

  To arrange the order of post-enrollment installation bundles in the MaaS360 Portal:

  1. Go to Apps > Bundles.
  2. Click Order Startup Bundles.
  3. Drag and drop the startup bundles to arrange the order.
  4. Click Save Order.

• Force a device to connect to wifi networks in range: MaaS360 forces devices to automatically connect to a wifi network that is in range and prevents the device from connecting to an alternative network. The Force connect connection mode is available in the Wifi settings policy for Windows MDM. The connection mode is supported on Windows 10 MDM devices and Agent: MDM Extender 2.10.x. For more information, see the Wifi settings policy.
• Silent installation/uninstallation of Office 365 Suite on Windows 10 devices: MaaS360 supports the silent installation and uninstallation of Office 365 Suite on Windows 10 MDM devices through a simple device group action. With this action, you can use the Office Deployment Tool (ODT) to install or uninstall the Microsoft Office client on devices. This action is supported on Windows 10 devices 1703+. The deploy Office 365 Suite and uninstall Office 365 suite actions allow administrators to attach an Office XML configuration file to automatically download and automatically install or remove various Office 365 editions. The Office XML configuration file is sent to the Office Deployment Tool (ODT) through MDM commands that trigger the installation or uninstallation as needed. For more information, see Installing Office 365 Suite on Windows 10+ devices.
• Bulk Provisioning Tool - associating user names with bulk-enrolled devices: The Associate Users setting allows administrators to assign a device that is enrolled with the Windows 10 Bulk Provisioning Tool to a specific user. For more information, see Associating users with bulk enrolled Windows 10+ devices.
• Passcode and User accounts - Profile Management policies for HoloLens devices: MaaS360 provides added support to handle security for HoloLens devices, including enhanced support for the following policies in Windows MDM:
  • Passcode: The Passcode settings enforce the use of a secure passcode to unlock a HoloLens device. This policy enforces passcode restrictions such as passcode length, passcode value, quality of the passcode, and the minimum amount of characters. For more information, see the Passcode policy.
  • User accounts - Profile Management: Administrators can delete user profiles on devices with multiple inactive users to manage storage space on devices. For more information, see the User accounts settings policy. The following settings are now available for this policy:
    • Deletion Policy
    • Storage capacity percentage threshold to start profile deletion (%)
    • Storage capacity percentage threshold to stop profile deletion (%)
    Note: The User accounts - Profile Management policy is supported on HoloLens Business Edition only.

  To enable either of these policy settings, go to Security > Policies > Windows MDM policy > Device Settings.

• Geo-fencing rules to manage wifi locations for Windows devices: MaaS360 introduces geo-fencing support for Windows 10 desktops, laptops, and tablets. The geo-fencing rule included with the compliance ruleset places a device out of compliance if a device is removed from a designated location, including managed wifi locations. The administrator can issue actions or dynamic policies on the device to restrict the use of the device if the device is removed from a designated wifi location. For more information, see Managing secure locations for a device.
  Note: Geo-fencing is currently enabled for managed wifi-based locations for Windows 10 desktops, laptops, and tablets for Pro, Education, and Enterprise editions. This setting requires MES 2.0+ and MaaS360 Core App for Windows 4.0+.
• Define custom attributes from the status of a service on a Windows device: Maas360 introduces a feature to define and handle custom attributes based on the installed or running status of a service on a Windows 10 device. This setting requires Windows MES agent 2.10+. Contact IBM Support to enable this feature.
• Notification - DigiCert End Of Sale notice for Symantec Enterprise Mobile Code Signing Certificate impacts Windows Phone 8.1 and Windows Phone 10 Management: DigiCert has announced that DigiCert and Microsoft will discontinue issuing the Symantec Enterprise Mobile Code-Signing Certificate after February 28, 2019. Organizations that use this certificate with MaaS360 for Windows Phone 8.1 or Windows Phone 10 management are impacted if they do not renew the certificates prior to February 28, 2019. For more information, see https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do.

  Organizations that continue to use Windows Phone 8.1 or Windows Phone 10 management with MaaS360 should consider renewing their existing Mobile Code Signing Certificate before February 28, 2019. To continue to manage existing Windows Phone devices, upload the renewed Symantec Mobile Code Signing Certificate to the MaaS360 Portal at Setup > Services before the current certificate expires. After February 28, 2019, Symantec will no longer issue certificates. Microsoft has not announced a replacement vendor for these certificates. Self-signed certificates or other vendor certificates are not valid.

  Impact from not renewing the Symantec Mobile Code Signing Certificate

  Windows Phone devices that are already enrolled with MaaS360 continue to work as long as the existing Symantec Enterprise Mobile Code Signing Certificate that is uploaded to MaaS360 remains valid.

  If you fail to renew the Symantec Enterprise Mobile Code Signing Certificate by February 28, 2019 and upload a certificate to the MaaS360 Portal before the current certificate expires, the following services will not work on Windows Phones that already enrolled with MaaS360 or new Windows Phones that enroll after the certificate expiration date:

  • MaaS360 App for Windows Phone including messages and the App Catalog
  • MaaS360 User Identity Certificate distribution for email access, VPN access, or wifi access based on the configured MDM policy
  • Distribution and installation of Enterprise Silverlight apps (.xap) that are compiled from the Windows Phone 8.1 SDK in the MaaS360 App Catalog
  • MaaS360 Email for Windows Phone (Store app)
  • MaaS360 Browser for Windows Phone (Store app)
  • MaaS360 Docs for Windows Phone (Store app)

  Services that remain unaffected

  • Limited MDM capabilities that do not require the Symantec Mobile Code Signing Certificate are still available.
  • No impact on the management of Windows desktops, laptops, or tablets.

• EULA policy management: MaaS360 adds support in the WorkPlace Persona policy that allows administrators to upload an end user license agreement (EULA) usage policy as an HTML file. This policy also supports new settings such as usage policy expiration grace period (in days) and actions that are taken on devices if they do not accept the usage policy. You can also configure how often email reminders and prompts messages are displayed on the device about the usage policy when the user launches the app on their device. For more information, see Services settings (WorkPlace Persona policy).
• Delete administrator roles from the MaaS360 Portal: You can now delete a custom role from the MaaS360 Portal that is associated with an administrator account. In previous releases, you could not delete a role that was associated with an administrator account. You had to unassign the role from the administrator account to successfully delete the role.

  If an administrator account is associated with only one role and that role is deleted, the administrator account becomes inactive. You must contact IBM Support to reactivate the administrator account with the Read-only role. For more information, see Managing admin roles for portal administrators.

• Filter Patch Management reports based on an updated value for the Source release date setting: MaaS360 expands the custom value range for the Source release date setting from 30 days to 90 days. You can now filter patch management reports up to 90 days from the source release date. For more information, see Viewing the patch management grid in the MaaS360 Portal.
• Cognitive recommendations for creating policies: MaaS360 suggests a cognitive policy based on your industry, deployment size, and area. You can enhance your existing policies with the community-derived policies. The policy recommendations indicate if your peers are following better approaches. If you are new to policies, you can easily start from a policy that is based on community-based recommendations to make sure that you are inline with industry standards. For more information, see Creating a community-based policy in the MaaS360 Portal.
• Accessibility matrix for editing branding elements: The accessibility matrix allows IBM Administrators and Partners to edit properties of the branding elements. The following levels of hierarchy are available for editing branding elements:
  • IBM Administrator (edit)
  • Partner (edit)
  • Customer (view)

  For more information, see Accessing the MaaS360 Branding workflow.

MaaS360 provides additional support for Azure Authentication and AD/LDAP Authentication mixed-mode setup. For more information, see Supporting mixed-mode and Azure Active Directory (AAD) and On-Premises Active Directory (OPAD) scenarios.

• MaaS360 now uses Apple's new method for manually installing a downloaded profile on iOS 12.2+ devices. From the Device Settings page, you can inspect each of the downloaded profiles and install the required MaaS360 MDM enrollment profile on the device. For devices earlier than iOS 12.2 and on macOS, the enrollment method remains the same.
  Note: During device enrollment for all versions of iOS or macOS devices, the user receives an alert to finish the MDM profile installation before they can install apps on the device. For more information, see Enrolling your iOS device (MDM) and Enrolling your macOS device (MDM).
• MaaS360 now supports using the Apple Configurator Tool to manually download and install the MDM profile while deploying MDM to corporate devices. The Apple Configurator Tool now includes an additional step to download and install the MDM profile manually on iOS 12.2+ devices before the administrator can assign the device to a user. This added step supports Apple's new method of enrolling iOS 12.2+ devices (MDM). For more information, see Enrolling your iOS device (MDM).
• The macOS MDM policy now supports kernel extensions on macOS devices. This setting allows users to allow kernel extensions by using team IDs and to approve third-party kernel extensions that are included in the policy. This setting prevents the operating system from blocking kernel extensions on macOS 10.13.2+ devices. For more information, see the Advanced settings policy.
• MaaS360 now supports the Intercede certificate authority for Derived Personal Identity Verification (PIV) Credential authentication. For more information, see Settings in the MaaS360 Portal and Configuring app settings in the MaaS360 Portal.
• MaaS360 now allows iOS SDK apps to authenticate with a server by using an Identity Certificate that you configure on the Basic App Settings page. You can enable the certificate-based authentication in the WorkPlace Persona Security policy, and then choose a configured Derived Personal Identity Verification (PIV) Credential certificate to authenticate the iOS SDK apps. For more information, see Configuring WorkPlace Persona policy settings for WorkPlace apps.
• The WorkPlace Persona Security policy now supports Bluetooth-based authentication for workstations. This setting is supported on iOS 10.0+ devices and applies only if Entrust is selected as the Derived Personal Identity Verification (PIV) Credential vendor. For more information, see Security settings (WorkPlace Persona policy).
• The iOS MDM policies now support server logging for Siri and personal hotspot settings for iOS 12.2+ devices. For more information, see the Restrictions policy and the Restrictions and Network policy.

MaaS360 offers new business dashboards for Unified Endpoint Management (UEM). The UEM Overview dashboard includes mobile device reports (UEM Overview reports) for all device platforms. To enable UEM Overview reports for a customer account, contact IBM Support. When this setting is enabled, the MDM Overview report is replaced with the new UEM Overview reports. For more information, see Unified Endpoint Management (UEM) Overview reports for MaaS360.

The subscription settings for the UEM Overview reports are listed on the Administrator Settings page in the Analytics section. Once the administrator configures the subscription settings, you can access the UEM Overview reports from the Reports tab in the MaaS360 Portal. For more information, see Configuring administrator settings in the MaaS360 Portal.

• MaaS360 now allows administrators to change the device name for enrolled Android devices through a new device-level action. Administrators can assign a custom device name that easily identifies the device.
  Note: This feature is supported on Android devices enrolled in both MDM and Android Enterprise.
• MaaS360 enhances the QR code and Zero-touch enrollment workflows with different options to set the default locale and time zones on enrolled devices. However, users can still change the locale and time zones on a device after device enrollment. For more information, see Generating a QR code and Creating enrollment configurations in the MaaS360 Portal.
• MaaS360 adds a device-wide restriction to block app installations through sources other than Google Play. This policy is applied at the device level. App installations from unknown sources are blocked in both the personal profile and the work profile. For more information, see Blocking app installations from unknown sources (Android Enterprise PO mode).
  Note: This policy applies to Android devices 9.0 and later enrolled in PO mode only. System settings remain active on the device, but the system blocks app installation. This policy only affects future installations, so apps that are already installed through unknown sources remain on the device.
• Google has imposed a limitation to the number of devices enrolled for an Android Enterprise user account. Google now supports a maximum of 10 enrolled devices for an Android Enterprise user account. MaaS360 now displays a warning message to users if the user tries to enroll beyond 10 devices for the user account.

  If users ignore this warning message and continue with device enrollment, administrators can contact IBM Support to set the configuration to Do not allow enrollment. This setting prevents users from enrolling more than 10 devices to the same Android Enterprise user account.

• MaaS360 adds certificate-based authentication support for enrolling devices into Android Enterprise for G Suite and managed Google accounts. G Suite customers that use IBM Cloud® Identity can authenticate with the MaaS360 app during the Android Enterprise enrollment process. In previous releases, if IBM Cloud Identity was used as the identity provider for G Suite, users had to authenticate with the MaaS360 app using their Cloud Directory credentials.
  Note: The user certificate is removed from the device after enrollment. This feature requires the MaaS360 for Android 6.60 agent.
• MaaS360 now uses Google EMM notification APIs to receive real-time notifications in the MaaS360 Portal about application updates for approved apps from a managed Google Play Store. In previous releases, MaaS360 ran a batch job once a week to process application updates for approved and unapproved Google Play apps.
  Note: Apps that are not updated through the Google EMM notification APIs are still updated from the batch job.
• MaaS360 can now discover DO mode enrollments without relying on the self-enrollment options in the Deployment settings. In previous releases, the QR code and the Zero-touch Device Owner enrollments failed if corresponding device ownership options were not selected in the self-enrollment options for the Deployment settings.

• Migrating App Compliance settings for blocklist and allowlist entries to the new Advanced App Compliance settings in the Windows MDM policy: Advanced App Compliance is a new policy setting to create blocklists and allowlists of universal apps, desktops apps, and binaries for Windows 10 desktop, laptop, and tablet devices. The new Advanced App Compliance tab deprecates the App Compliance tab. Administrators should move existing desktop and laptop-based blocklist and allowlist entries from the App Compliance tab to the Advanced App Compliance tab. For more information, see Advanced App Compliance settings.
• MaaS360 adds support for address-based geo-fencing for Windows 10 (Enterprise and Pro) desktop, laptop, and tablets. The geo-fencing rule, included with the compliance rule set, places a device out of compliance if a device is removed from a designated secure location. Administrators can take actions against the device and also apply policies to the device when the device checks back from a designated secure location. This setting requires MES 2.16+ and MaaS360 Core App for Windows 4.0+. For more information, see Managing secure locations for a device.

• MaaS360 now supports deleting inactive devices from the Device Inventory view. Bulk delete support is expected in a future release.
• MaaS360 introduces the Account Actions Control access right for Partner Administrators. Partner Administrators can now restrict administrators from creating, converting, and expiring trial accounts, but still allow Partner role functions such as Reporting and Manage As. For more information, see Access roles and rights for portal administrators.
• MaaS360 uses Exchange Web Services (EWS) to subscribe to notifications for user's mailboxes. When you enable push notifications, notifications are delivered to the device when the Secure Mail app is active or terminated by the operating system. You do not have to set up Cloud Extender® to subscribe to push notifications. This feature requires the MaaS360 iOS app 3.86 and later.
• MaaS360 now supports the Modify Users web services API that allows administrators to add or remove multiple users in a group.

The Certificate Integration module now provides an alternative to the SCEP method for requesting device certificates from a Microsoft Certificate Authority server. The Cloud Extender provides a feature that directly obtains certificates from Microsoft Certificate Authority servers that reside in the same forest, or trusted forests, as the Cloud Extender server. For more information, see Configuring direct certificate authority access to a Microsoft CA server.

The Functionality macOS MDM policy now supports the Allow Screenshot option that restricts screen captures and screen recordings on macOS 14.4+ devices. For more information, see the Functionality policy.

• Android Enterprise Migration Program: General Availability of DA to Work Profile migration: MaaS360 announces the general availability of the Device Admin (DA) to Work Profile (Android Enterprise Profile Owner) migration. For this release, MaaS360 adds support to migrate multiple devices at once (group action), enforces the Work Profile migration (forced migration after 90 days), activates Samsung Knox License (SKL) / Enterprise License Management (ELM), and tracks migration status in the Action history.
  Note: This feature requires the MaaS360 for Android agent version 6.70 and later.
  For more information, see Migrating from Device Admin (DA) to the Work Profile.
• Android Enterprise as the default enrollment mode: MaaS360 now allows administrators to make Android Enterprise the default enrollment mode for organizations that want to move off the Device Admin deployment mode and adopt Android Enterprise. MaaS360 also displays an alert message on the MaaS360 Portal Home page if Android Enterprise is not set up for the organization.

  For new customers, Android Enterprise must be set up in the MaaS360 Portal to complete Android Enterprise enrollments on the device. Existing customers can contact their MaaS360 Account Representative to enable this feature for their account.

• Configuring the minimum OS restriction for Android Enterprise self-enrollments: MaaS360 adds support to allow administrators to enroll Android Enterprise devices based on the minimum OS version of the device. This feature allows organizations to implement a phased adoption to Android Enterprise. The administrator can push the OS version to Android Enterprise and older OS versions can fall back on Device Admin deployment. Administrators can use the self-enrollment options in the Device Enrollment settings to configure the OS versions that are used for Android Enterprise. When users start enrolling their devices, the devices that meet the minimum OS requirement are enrolled into Android Enterprise (Work Profile) and the devices that do not meet the minimum OS requirement fall back to Device Admin deployment. For more information, see Configuring directory and enrollment settings in the MaaS360 Portal.
• Blocking automatic system updates on Android devices: MaaS360 adds support to block automatic system updates during a scheduled time to allow administrators to evaluate the new update for compatibility before rolling the update out to employee devices. Administrators can suspend system updates for up to 90 days. When a device is in the freeze period, the device does not receive notifications about pending system updates, install system updates to the OS, and users cannot manually check for system updates. For more information, see System Update Settings.
• MaaS360 for Android includes various behavior changes for Android OS version 10. For more information, see https://www.ibm.com/support/docview.wss?uid=ibm10957305.
• New TeamViewer unattended access retry logic: When an administrator sends an unattended access request for TeamViewer Remote Support, MaaS360 tries to re-initiate remote support on the device, up to one minute. In previous releases, when the TeamViewer host app was inactive, the initial request failed to execute and MaaS360 displayed an error message without waiting for the host app to become active again.

  With the new retry logic, MaaS360 sends four unattended access requests at 15 intervals each over the span of one minute to establish unattended access connection to the device.

• New closed track testing for Android Enterprise apps: Google no longer supports the current method for managing tracks. If an administrator hovers over an existing distribution of an alpha/beta app version in the App Catalog, track information is no longer displayed for those apps. By default Google tracks all existing apps at the production versions, not the alpha/beta versions.

  For the new method, administrators must allow their enterprise apps (alpha/beta, custom) for the track that they want to test. The MaaS360 App Catalog displays the track in the App Summary during the next app refresh. The update can take up to seven days. The administrator can also manually refresh the app, which can take up to four hours to refresh.

  When the track is available in the MaaS360 App Catalog, the administrator can distribute the track by using the Distribute app workflow. MaaS360 displays an associated track ID against each track in the app distribution workflow to allow administrators to uniquely identify the app track. Administrators can also view and distribute apps to the custom closed app tracks that are created by app developers in the Managed Google Play Console. For more information, see Distributing Android Enterprise apps for closed testing.

• Editing the Download URL for enterprise apps for Android: The Download URL specifies the location where the actual .apk file is hosted. Administrators can provide a download URL when uploading an enterprise app for Android so that the app is downloaded from a specific location instead of from the MaaS360 tenant CDN. For organizations that use the local organization specific CDN location to host enterprise apps for Android, MaaS360 now adds support to edit the Download URL after the app is added to the MaaS360 Portal. This feature allows new installations to pick up the app from the updated location. For more information, see Adding an enterprise app for Android.
• Disabling the removal of macOS apps: MaaS360 adds support to allow administrators to prevent users from removing the macOS iTunes App Store apps on the device. All apps that are eligible for uninstallation are displayed in the Uninstallers tab in the end-user App Catalog. For this release, MaaS360 adds a new flag Allow Uninstaller for Users for macOS App Catalog workflows at the app level. If this setting is disabled, the macOS app is not displayed in the Uninstallers tab in the end-user macOS App Catalog. For more information, see Adding a public app for macOS.
• MaaS360 renames the existing app distribution status and provides an in depth view of the app installation lifecycle. The app distribution status allows administrators to track installation progress and to troubleshoot issues during app deployments. This feature is supported on iOS and Windows app deployments only. Windows devices support the Failed status only. For more information, see Tracking the status of an app.

• MaaS360 adds support to install and uninstall more than one version of Office on the same Windows machine. For more information, see Installing Office 365 Suite on Windows 10+ devices.
• MaaS360 adds support for co-managing devices with the Microsoft System Center Configuration Manager (SCCM) and MDM. For this feature, administrators can take the following actions:
  • Deploy the Bulk Provisioning Tool to endpoints through SCCM
  • Migrate the Group policy
  • Override the Group policy with the MDM policy if there are policy conflicts

  For more information, see Enrolling SCCM registered Windows 10+ devices to co-exist with MDM.

• Office 365 endpoint URL setting in the Email WorkPlace Persona Policy: The Enable SSO advanced setting for Secure Mail configurations now allows administrators to enter an Office 365 endpoint URL. The default endpoint URL for Office 365 is https://outlook.office365.com. If you change the Office 365 endpoint URL, the MaaS360 Email app accesses the Office 365 endpoint URL that you configured, instead of the default Office 365 endpoint URL. This setting is supported on iOS 3.95+ and Android App 6.70+ devices only. For more information, see Advanced settings for Secure Mail (WorkPlace Persona policy).
• Updates to the DEP Profile configuration user interface: For the Add Profile configuration, detailed information was added to the DEP Add Profile user interface to specify the configurations that are supported on iOS devices.
  • The Require MDM Enrollment setting is supported on iOS 11.3 and later.
  • The Supervise Device setting is supported on iOS 13 and later, but not supported on macOS.
  • The Allow Pairing setting is not supported from iOS 13. Alternatively, you can use the Allow Host Pairing setting at iOS MDM policy > Supervised Settings > Restrictions & Network to configure device pairing settings for iOS 13 devices.
  For more information, see Adding a profile to the Apple Device Enrollment Program (DEP).
• iOS 13 restrictions for zero-day support: Some of the iOS device restrictions in the iOS MDM policy for iOS 13.0+ managed devices were moved to Supervised Settings > Restrictions & Network. These restrictions apply to iOS devices earlier than iOS 13. The new location of these settings allows an administrator to configure restrictions that are specific to an iOS device version. For more information, see the Restrictions and Network policy.

• Device Administrator (DA) to Work Profile migration: Users can now enable the Android Enterprise Work Profile migration (also called Profile Owner) for bring your own devices (BYOD) that are enrolled as a Device Administrator. To enable this feature in the MaaS360 Portal, go to Settings > Enrollment Settings. Follow the setup instructions in Migrating from Device Admin (DA) to the Work Profile before you migrate devices.
• MaaS360 adds advanced policies on restrictions and Kiosk mode/corporate owned single use (COSU) settings for Android Enterprise devices. For more information, see https://www.ibm.com/support/pages/node/1073746.
• Administrators can now issue commands such as device wipe, reset passcode, and profile wipe when a device is in direct boot mode. For more information, see https://www.ibm.com/support/pages/node/1073840.
• MaaS360 replaces the version-specific agent download URL for Samsung Knox Mobile Enrollment (KME) and Android Enterprise Zero-touch enrollment setup with a generic URL that points customers to the latest version of the MaaS360 app. Customers who create profiles for KME or zero-touch enrollment receive the most current version of the MaaS360 app automatically, and no longer need to manually update their enrollment profiles.
• The Android 6.80+ release includes the following features and improvements for the MaaS360 Android agent app and for Android devices that are enrolled in the MaaS360 Portal:
  • The MaaS360 core app is exempt from battery optimization by default. The app will not enter battery saving mode on the device even if the user has not accessed the app for a long period of time.
  • MaaS360 uses a new API from Samsung that resets the password on Samsung Knox 3.2.1+ devices that are enrolled in Device Admin mode.
  • For WorkPlace authentication on Samsung devices, MaaS360 now supports Samsung's iris and facial recognition technology, in addition to supporting fingerprint scans.
  • For apps in Kiosk mode, MaaS360 displays notification badges that inform users about missed calls or unread email messages. The Kiosk launcher Settings (gear) icon was redesigned to appear more prominently on any device background. For more information, see https://www.ibm.com/support/pages/node/1073822.
  • When the MaaS360 for Android app enters background mode during device enrollment, enrollment screens that contain confidential information are not displayed until the user accesses the device. Users are also prevented from taking screenshots of enrollment screens.

• Group Policy Migration Tool enhancements: The Group Policy Migration Tool now displays a View Migration Summary button that allows you to generate an HTML report that summarizes the GPO policies that were migrated to an MDM policy. The report also summarizes the GPO policies that were not migrated because MaaS360 or the MDM does not support those policies. For more information, see Migrating existing group policies and creating equivalent MDM policies in MaaS360 using the SCCM Migration Tool.
• New CMT Migration Status column in the MaaS360 Portal Device Inventory view shows the status of co-managed devices: The Device Inventory view in the MaaS360 Portal now provides a new customizable column called CMT Migration Status. The CMT Migration Status column displays the following values for migrated devices:
  • Co-existing with SCCM: Devices that are managed by both SCCM (Microsoft System Center Configuration Manager) and MDM.
  • Migrated from SCCM: Devices that were fully migrated from SCCM and are now managed by MDM only.
  • Not Applicable: Devices are not co-managed because the SCCM client was never installed on the device.
  For more information, see Viewing the co-existence status of CMT migrated devices in the MaaS360 Portal.
• Advanced search using the new CMT Migration Status device keyword attribute: From the Advanced Search view in the MaaS360 Portal, you can now use the CMT Migration Status keyword attribute to search for devices that are co-managed by SCCM and MDM or fully migrated from SCCM to MDM. For more information, see Viewing the co-existence status of CMT migrated devices in the MaaS360 Portal.
• Updated list of Group policies that can be migrated as MaaS360 Windows MDM policies using the Group Policy Management Tool: This release provides an updated version of the MaaS360 Group Policy Management Tool and additional support for Group policies that can be migrated to Windows MDM policies using the tool. For more information, see List of Group policies migrated to MaaS360 Windows MDM policies using the SCCM Migration Tool.

• iOS 13 restrictions support: The following restrictions were added to supervised settings in the Restrictions and Network policy (Security > Policy > Supervised Settings > Restrictions & Network) for iOS 13+ supervised devices:
  • Allow Network Drives Access Files App
  • Allow USB Drive Access Files App
  • Allow Find My iPhone
  • Allow Find My Friends
  • Force Wifi On
  • Allow Quick Path Keyboard

  For more information, see Restrictions and Network.

• New iOS policy parameters in the ActiveSync payload: MaaS360 now supports flexibility in the ActiveSync payload to manage individual services (Email, Calendar, Contacts, Tasks, and Reminders) in the native mail app. This feature is added to the ActiveSync iOS MDM policy.

  To set up the ActiveSync payload, the administrator must enable one of these services (Email, Calendar, Contacts, Tasks, and Reminders). The administrator can also provide an override option that allows users to enable these services. For more information, see ActiveSync.

• Skip the setup of items in the DEP profile configuration: MaaS360 adds the following options to Skip Items during the configuration of the Device Enrollment Program (DEP) profile for iOS devices:
  • Welcome: If this setting is enabled, MaaS360 skips the Welcome screen configuration during the DEP profile setup.
  • Device to Device Migration: If this setting is enabled, MaaS360 skips the quick start configuration during DEP profile setup.

  For more information, see Adding a profile to the Apple Device Enrollment Program (DEP).

• Automatically upload B2B apps using a VPP token: MaaS360 now supports Apple's Custom B2B app workflow from the Apple Connect portal by allowing users to automatically upload private (B2B apps) to the MaaS360 App Catalog using a VPP token.

  This workflow allows users to add private apps through a VPP token for B2B app distribution rather than using a traditional method to upload apps. For more information, see Uploading the Apple VPP token to MaaS360.

• Enterprise app management with Managed Google Play iframe (newer version): MaaS360 enhances the administrative experience for customers who want to publish applications to Android Enterprise devices using the latest version of Google's Managed Play Store iframe. Administrators can now browse and publish apps by uploading apps directly to the Managed Google Play Store.

  With this feature, MaaS360 uses Managed Google Play as the single source of applications for Android Enterprise deployments for all use cases: Device Owner (DO), Profile Owner (PO), and Corporate-Owned Single-Use (COSU). The option to add public apps from the regular Google Play Store (retail), which was redundant, was also removed for Android Enterprise customers. This change does not impact apps that were added using the regular Google Play Store option.

  In previous releases, MaaS360 displayed options to publish public apps from the Managed Google Play Store or from the regular Google Play Store. For this release, Android Enterprise customers publish apps from the Managed Google Play Store and non-Android Enterprise customers continue to publish apps from the regular Google Play Store.

  Note: This change impacts Android Enterprise customers only. Some features in iframe 1.0 were deprecated by Google such as the ability to auto-accept new permissions for future app versions and to receive email notifications when there are permission changes. As a result, administrators must accept new permissions from the App Catalog manually.

  For more information, see Adding a public app for Android Enterprise.
• Publish private and web apps directly from the Managed Google Play Store: MaaS360 extends support for publishing private apps and web apps using Managed Google Play iframe. Web apps are now distributed to devices as regular native Android apps.

  With this support, administrators can publish private LOB (line-of-business) apps directly from MaaS360 without having to switch to the Google Play Developer console. When a private app is published, Google creates a Play Console account on behalf of the enterprise and waives the registration fee. The app is automatically approved for an organization and the app is then ready for distribution. For more information, see Adding a private app for Android Enterprise and Adding a web app for Android Enterprise.

• Enhancements to the Kiosk notification badge count for apps: In previous releases, MaaS360 added notification badge support for third-party apps that were deployed in traditional kiosk mode or in Android Enterprise COSU mode. This feature allowed users in kiosk mode to subscribe to badge notifications such as missed calls or new email alerts for critical applications, especially if the notification bar was disabled on the device.

  For this release, MaaS360 extends notification badge support to all first party apps including MaaS360 Email and Messages. To support unmanned use cases, where devices might not have a user to turn on notifications, MaaS360 also adds a new Kiosk/COSU policy named Show App Badges to allow administrators to restrict the display of the Show/Hide app badges option in the kiosk settings on the device. This policy is enabled by default. If this policy is disabled, the Show App Badges option in the Kiosk/COSU settings is not available to users. For more information, see COSU (Corporate Owned Single Use) Kiosk Mode.

• Support for Lock screen management policies for devices enrolled in Profile Owner (PO) mode: MaaS360 extends the Keyguard management policies to Profile Owner (Work Profile) devices.

  In previous releases, these policies applied to Device Owner (DO) devices only. This feature is supported on Android 9 and later devices. For more information, see Security.

• New policy that manages Airplane Mode on Bluebird devices: MaaS360 extends the Allow Airplane Mode policy to Bluebird devices that are enrolled in Device Administrator mode. This policy allows administrators to remotely manage the use of Airplane Mode on devices. This feature is located at Android MDM policy > Device Settings > Restrictions > Network Settings > Allow Airplane Mode.
  Note: This feature requires the MaaS360 for Bluebird app version 6.90.
• Enhancements to app configuration settings: MaaS360 has redesigned the app configuration settings workflow for Android Enterprise and added support to track app configuration status at the device level.

  The app configuration settings now support four-level nesting and hierarchical display as opposed to a flat model that was displayed in previous releases. MaaS360 adds a new device-level action Enable App Config Status that allows administrators to track the status of managed configurations at the device level. After administrators push configurations to the app, MaaS360 attempts to apply the configurations and retrieves the keyed app configuration state indicating its status (for example, a confirmation message or error notification). Administrators can use the device-level action Disable App Config Status to stop tracking app configuration status on a device.

  Note: MaaS360 supports tracking app configuration status for apps that support app feedback only such as for OEM Config apps. To enable app configuration status tracking, contact your IBM Account Manager for MaaS360 or IBM Support.

• Updates to Windows-based patch management: For customers who signed up for MaaS360 after July 2019 or did not renew their BigFix patch management (Advanced Desktop/Laptop management) account, MaaS360 now provides a way to natively find, distribute, and install missing patches for managed Windows 7 and Windows 10 devices.

  The patch management feature is available at no additional charge to customers who have a valid MaaS360 entitlement for Windows. For more information, see Distributing OS patches to Windows devices.

• Updates to the Intune MAM integration policies in the MaaS360 Portal: The Intune policy workflow in the MaaS360 Portal was updated to synchronize with Intune policy additions and changes in the Microsoft Azure Portal. For more information, see Microsoft Intune App Protection policies.
• Migrating apps from a Microsoft SCCM server to MaaS360: MaaS360 provides a new workflow to migrate applications from an SCCM server directly into MaaS360 using the MaaS360 Migration Tool.

  In addition to Group Policy Objects (GPO) migration, the tool includes a new option named Applications Migration, where the tool connects to an SCCM server, fetches the metadata of MSI apps from the SCCM server, and then populates the tool with the fetched app name. Administrators can choose which apps to migrate into MaaS360. When migration is initiated, MaaS360 fetches the binaries from the apps that are selected and uploads the corresponding apps to the MaaS360 server.

  For this release, only the migration of MSI apps is supported. Support for additional app types is expected in future releases. For more information, see Migrating apps from an SCCM server to MaaS360 using the SCCM Migration Tool.

General availability (GA) of the Basic Apps Inventory reports: The Basic Apps Inventory reports provide Overview and Trends statistics for managed and unmanaged apps on devices that are enrolled in the MaaS360 customer account. You can access this report from the MaaS360 Portal at Reports > Mobile Apps > Apps Inventory.

To subscribe to the new reports, go to the MaaS360 Portal Home page and select Setup > Settings > Administrator Settings > Analytics. For more information, see Basic Apps Inventory reports for MaaS360.

This feature is not supported for departmentalized and SPS customers. This feature is available to new customers by default, but existing customers will continue to see the old settings. For more information, see Configuring app settings in the MaaS360 Portal.

• Enhancements to the MaaS360 Portal user interface: MaaS360 continues to enhance user experience by updating the application portal with new color themes and fonts. Additional changes to the MaaS360 Portal user interface are expected in upcoming months.

  For this release, the user interface enhancements did not affect or change workflows in the Portal. For more information, see https://www.ibm.com/support/pages/node/1103397.

• Enhancements to managing user passwords: The following enhancements were applied to the user passwords on the User Directory page in the MaaS360 Portal:
  • Ability to reset local user password by using URL: This workflow allows user to reset their password without administrator intervention.
  • Scenario if a user account is locked: The user account is locked for security reasons if the user enters the wrong login password more than 5 times consecutively. The user receives a message that the account is locked and that they must contact the administrator to unlock the account.
  • Password expiry management: The User Directory page added a new column named Password Expiry Date. This column displays the date that a user's password is set to expire. You can filter this column based on password expiration values such as expired, expiring in 1 week, and expiring in 2 weeks.

  For more information, see Using the User Directory.

• Auto provisioning web services: MaaS360 introduces a new option in the MaaS360 Portal named Manage Access Keys under Setup > Web Services API. This option allows customers and partners to generate an access key without customer support intervention.

  Customer and partners can also generate an OAuth token to use web services. The Manage Access Keys option is available to customers and partners with the Web Service-Access Keys access right only. Administrators can enable permissions to manage access keys at Setup > Roles. Administrators can use this workflow to generate platform-specific access keys only, but not app SDK access keys. For more information, see Auto-provisioning web services.

• Azure multi-factor authentication (MFA) support to enroll users into MaaS360: MaaS360 now supports Azure multi-factor authentication to enroll users of all devices (iOS, Android, Windows) into MaaS360.

  In previous releases, MaaS360 only supported a single type of enrollment workflow where MaaS360 automatically authenticated a user by using the user's username and password credentials to enroll users into the MaaS360 Portal without user intervention.

  For this release, MaaS360 also supports Azure multi-factor authentication for the enrollment workflow, where the user is directed to an external Microsoft Login page to enter their username/password credentials, authentication is validated by Azure, and the user is redirected back to MaaS360 to continue enrolling into MaaS360. This feature requires that a new customer property is enabled in the MaaS360 Portal. To enable this feature, contact IBM Support. For more information, see Supporting Azure multi-factor authentication (MFA) to enroll users into MaaS360.