IBM Support

MaaS360 Product Suite TLS v1.2 Weak Cipher Suite Deprecation Notice

News


Abstract

MaaS360 TLS v1.2 Weak Cipher Deprecation - (Platform Deprecation set for 10.84 release on 11 December 2021)

Content

MaaS360 uses TLS (Transport Layer Security) to provide privacy and data integrity between devices and MaaS360 components. To keep devices secure, MaaS360 is deprecating the weak ciphers in TLS 1.2, which has a direct impact on the devices below.

  • Android – Below version 5.0 (Lollipop)
  • iOS – Below version 9.0
  • macOS – Below version 10.11 (El Capitan)

As part of this deprecation, the devices on lower OS versions than those listed above will no longer be able to communicate with the MaaS360 platform.  Therefore, these devices cannot be managed going forward by MaaS360.

Required action

MaaS360 recommends upgrading the OS of devices that will be impacted to continue communication with the platform. If the devices are unable to upgrade to one of the supported versions, please remove MaaS360 control before the deprecation to avoid complications. MaaS360 always recommends using the latest available OS versions, as they often feature patches and enhancements that improve device security.

What is TLS?

The primary purpose of the TLS protocol is to provide privacy and data integrity between two communicating applications. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At the lowest level, layered on top of a reliable transport protocol (for example, TCP), is the TLS Record Protocol. TLS is the most widely deployed security protocol in use today. It is used by web browsers and other applications that require data to be exchanged securely over a network or the internet. TLS ensures that a connection to a remote endpoint is to the intended endpoint through encryption and endpoint identity verification. The versions of TLS available today are TLS 1.0, 1.1, 1.2 and 1.3. The MaaS360 platform supports only TLS 1.2.

How this relates to the MaaS360 Product Suite

IBM MaaS360 will start deprecating support for the weak TLS 1.2 ciphers and will disable them across services.

Cipher Details

TLS 1.2 ciphers currently supported by MaaS360:

  • TLS_RSA_WITH_AES_256_CBC_SHA256*
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA*
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*

*Weak ciphers to be deprecated in Oct.


MaaS360 continues to align with the PCI security standards and to ensure the highest security and safety of your data. The deprecation will have an impact on all MaaS360 customers currently using TLS 1.2, and you are advised to check whether you will be affected. The MaaS360 solution comprises the platform, on-premises agents and mobile apps; each component has a different upgrade path, and the information below outlines the areas that this deprecation will affect. After the deprecation occurs on the MaaS360 platform, any agent that has not been upgraded will no longer be able to connect to or be managed by the platform.

The MaaS360 TLS platform deprecation will occur along with the 10.84 release on 11 December 2021. Please review the sections below for details.

Described below are the compatibilities across MaaS360 Apps, Agents, Web Services, and Web Browsers:

  • Android Apps, SDK and App Wrapping
  • iOS Apps, SDK and App Wrapping
  • macOS Agents
  • Cloud Extender and MEG Agents
  • Windows/WinPhone Apps and Agents
  • Web Services

Device and App Management

MaaS360 will discontinue support for the devices running Android OS versions below 5.0 (Android L). 

  • MaaS360 Offering: Device and App Management
  • OS Version: Android (below 5.0), iOS (below 9.0), macOS (below 10.11)
  • Impact: All iOS, Android and macOS devices on the listed OS versions will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated.
  • Required Action: These devices need to be upgraded to the latest OS version or one of the supported OS versions. If a device cannot be upgraded, MaaS360 will no longer be able to manage or communicate with it after the portal has deprecated the TLS 1.2 weak ciphers. These devices should be removed from MaaS360 control before the deprecation to avoid complications.

Android Apps, SDK and App Wrapping

MaaS360 discontinues support for the devices running Android OS versions below 5.0 (Android L). 

  • MaaS360 Offering: Android SDK, Android Wrapping, MaaS360 for Android Apps
  • OS Version: Below 5.0
  • Impact: Android devices below OS 5.0 (L) will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal.
  • Required Action: Android devices below OS 5.0 will need to be upgraded to OS 5.0 or greater. If a device cannot be upgraded, it will not be manageable by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers. These devices should be replaced with a device that can be upgraded.

iOS Apps, SDK and App Wrapping

MaaS360 discontinues support for the devices running iOS versions below 9.0.

  • MaaS360 Offering: iOS SDK, iOS Wrapping, MaaS360 for iOS Apps
  • OS Version: Below 9.0
  • Impact: iOS devices below OS 9.0 will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal.
  • Required Action: iOS devices below OS 9.0 will need to be upgraded to OS 9.0 or greater. If a device cannot be upgraded, it will not be manageable by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers. These devices should be replaced with a device that can be upgraded.

macOS Agents

MaaS360 discontinues support for the devices running macOS versions below 10.11. 

  • MaaS360 Offering: macOS
  • OS Version: Below 10.11
  • Impact: macOS devices below OS 10.11 will not be able to communicate with the MaaS360 portal after the TLS 1.2 weak ciphers are deprecated on the Portal.
  • Required Action: macOS devices below OS 10.11 will need to be upgraded to OS 10.11 or greater. If a device cannot be upgraded, it will not be manageable by the MaaS360 Portal after the portal has deprecated the TLS 1.2 weak ciphers. These devices should be replaced with a device that can be upgraded.

Cloud Extender and MEG Agents

No action required. The Cloud Extender (CE) and Mobile Enterprise Gateway (MEG) services are composed of two components: the core agent and modules. Neither the core agent nor the modules are impacted.

Windows/DTM Apps and Agents

No action required. The Windows and DTM agents all work with no impact.

Web Services and 3rd Party Portal Integrations

For customers who use Web Services/APIs or have enabled 3rd Party Integrations using APIs on the MaaS360 Platform, the API client used on the customer side may require adjustments or upgrades. Please check your client's documentation on how to upgrade to TLS 1.2 support.

Steps to check for API compatibility

  1. Set up an API client in a test environment. This could be any software or library that you use to integrate with MaaS360, or any custom integration code that you have written. The example cited in this write-up uses Python as the client language; it could equally be Java or any other language in your environment.
  2. A web service client usually makes GET and POST requests to servers.
  3. Using your client test environment, make a GET request to the following URL: https://tlstest.maas360.com/.
  4. Your version of the client library should be able to make a successful GET request to the URL above and receive a result of "0". This response means that the underlying TLS v1.2 connection, with the weak ciphers deprecated, was successful.
  5. If you get anything other than "0" in the result, your client could not make a successful connection to our servers, which run TLS v1.2 with the weak ciphers deprecated. Upgrade to a client library that supports the remaining TLS v1.2 ciphers and run the same test to confirm that you get a result of "0".

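An example of doing this in a Python script is as follows:
  import requests

  url = "https://tlstest.maas360.com/"
  # A failed TLS handshake raises requests.exceptions.SSLError here
  response = requests.get(url, timeout=10)
  # Compare decoded text: the raw body is bytes and never equals the str "0"
  assert response.text.strip() == "0"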

If you use Python to consume MaaS360 web services, run this code to see whether your client can connect to a URL that has TLS v1.2 with the weak ciphers deprecated.

Note: If a different programming language is in use, write similar code in that environment's language and use the test URL to verify that the client works with a URL that has TLS v1.2 with the weak ciphers deprecated.
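The check above, extended as an added example (not IBM's code): it classifies a client's offered cipher suites against the table in "Cipher Details" without any network access, and separately performs a TLS 1.2-only handshake with the test host to report the negotiated suite. The function names are hypothetical; the OpenSSL-style names are the standard equivalents of the IANA names on this page.

```python
import socket
import ssl

# Suites the page lists without "*", keyed by the OpenSSL name that
# Python's ssl module reports, mapped to the IANA name used on the page.
RETAINED = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Suites the page marks "*" (being removed), same mapping.
DEPRECATED = {
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

def assess_offer(openssl_names):
    """Classify a client's offered suites against the page's cipher table."""
    offered = set(openssl_names)
    retained = sorted(RETAINED[n] for n in offered & RETAINED.keys())
    weak = sorted(DEPRECATED[n] for n in offered & DEPRECATED.keys())
    return {"shares_retained_suite": bool(retained), "retained": retained, "deprecated": weak}

def local_offer():
    """OpenSSL names of the suites this Python build offers, pinned to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return [c["name"] for c in ctx.get_ciphers()]

def probe(host="tlstest.maas360.com", port=443, timeout=10):
    """Network step: TLS 1.2 handshake with the page's test host.
    Returns (protocol, OpenSSL cipher name); raises ssl.SSLError on rejection."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    print(assess_offer(local_offer()))
    try:
        print(probe())
    except (ssl.SSLError, OSError) as exc:
        print("handshake failed:", exc)
```

Sharing a retained suite is necessary for the handshake but not sufficient; certificate validation and protocol-version support are checked only by the network step.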

Change History

Oct 25, 2021
  • Date changed from October to align with the 10.84 release scheduled for Dec 11, 2021.
  • Added 3rd Party Portal Integrations, noted along with the Web Services section.

Document Information

Modified date: 22 December 2021

UID: ibm16439547