<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/charlie-rasch/rss" /><link>https://www.ivanti.com/blog/authors/charlie-rasch</link><item><guid isPermaLink="false">4169d8e8-b026-4cc7-ac1c-6ab1cb8ee359</guid><link>https://www.ivanti.com/blog/mdm-vs-mdm-what-s-the-difference-between-mobile-device-management-and-modern-device-management</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>MDM vs. MDM: What’s the Difference Between Mobile Device Management and Modern Device Management?</title><description>&lt;p&gt;When it comes to mobile device management versus modern device management, they may sound similar, but there’s a significant degree of difference between them. The &lt;a href="https://straitsresearch.com/report/enterprise-mobile-device-market" rel="noopener" target="_blank"&gt;explosive growth&lt;/a&gt; in these devices within enterprises makes it crucial for organizations to choose the right platform for overseeing them.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In this blog post, let’s examine:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="#one"&gt;What “mobile device management” and “modern device management” each mean.&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#two"&gt;The differences and similarities between the two platforms.&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#three"&gt;Why so many people confuse the two – it’s more than just the shared “MDM” acronym!&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id="one"&gt;What's mobile device management?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/autonomous-endpoint-management/mobile-device-management"&gt;Mobile device management&lt;/a&gt; — we’ll call it “mobile MDM” in this post — can be defined this way:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Mobile device management is a technology that helps an organization’s IT and security teams to manage and secure their enterprise’s mobile devices, such as smartphones, laptops and tablets, across different locations, formats and operating systems (OS).&amp;nbsp;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Mobile MDM solutions help sysadmins efficiently configure, monitor and update the hardware and software settings on multiple mobile devices from one dashboard.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In this way, mobile MDMs ensure that an end user’s device usage — whether directly managed or permitted to access organizational apps through bring-your-own-device (BYOD) policies — complies with company policies and protects any confidential data stored or accessed through the endpoint.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Mobile MDM solutions typically include features such as:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Policy enforcement.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Software installation/update management.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Remote wipe capabilities.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Device tracking/monitoring.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;User authentication/authorization controls.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Asset inventory management.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By allowing administrators to remotely manage these settings on all their organization’s mobile devices from a single console or dashboard — regardless of the device type or operating system — mobile MDM solutions make it much easier for organizations to maintain consistent security policies across all of their connected assets. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Plus, most mobile MDM solutions provide robust support for enterprise mobility management (EMM). EMM provides additional layers of security for mobile endpoints by allowing administrators to enforce granular access controls over which applications can be installed or accessed by specific end users.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This granularity ensures that specific employee user profiles only have access to approved applications through an organization-approved app store, while also providing detailed visibility into each user’s application usage and data sharing activities.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition to these security features, many mobile device management solutions also provide advanced analytics capabilities that allow organizations to gain valuable insights into endpoint device and data usage trends across their connected device base.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;These endpoint analytics help organizations:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Identify potential problem areas so they can proactively address issues before they become serious threats.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Optimize IT and technology resources while improving user experience.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Overall, mobile MDM solutions represent a powerful tool for organizations looking to streamline the process of managing multiple mobile devices while maintaining a high level of security for their confidential data assets.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;What's modern device management?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/glossary/modern-device-management"&gt;Modern device management&lt;/a&gt; — which for this post, we’ll call “modern MDM” —&amp;nbsp;solutions represent an innovative evolution in managing the devices of an organization, and can be defined this way:&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Modern device management is a form of endpoint management technology that focuses on standardizing, tracking and controlling all the devices used by employees within an organization’s network environment.&amp;nbsp;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;More specifically, a modern MDM solution helps organizations protect their data, applications and networks from malicious attacks and unauthorized access. It also enables them to centrally manage all their devices within one unified system.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Modern MDM solutions are designed to help companies establish control over the various types of devices they use in their businesses — ranging from smartphones and tablets to laptops, desktop computers and servers.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Modern MDM solutions help sysadmins:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Configure settings on each device remotely.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Monitor usage activity.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Apply restrictions on certain features or applications.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Enforce security policies.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Deploy application updates and patches.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Protect organizational data stored on or accessed through an employee’s phone and other devices.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Modern MDMs also offer advanced features such as:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Remote wiping of sensitive data if a device is lost or stolen.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Geofencing capabilities for locating misplaced hardware.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Location tracking for better asset management.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Software distribution for installing new applications quickly and easily across multiple endpoints.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;(Of course, all these features must be used responsibly to legally support every employee’s privacy rights.) &amp;nbsp;&lt;/p&gt;

&lt;h2 id="two"&gt;Comparing MDM to MDM: what’s the difference between mobile and modern device management?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;There are two primary areas of difference between modern device management and mobile device management:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;The kinds of devices covered by each MDM.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Each MDM’s primary focus.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;MDM difference #1: Modern device management solutions cover more types of endpoints than mobile device management&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;When comparing mobile device management versus modern device management (MDM), the first and most obvious difference between the two lies in their scope of coverage.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Mobile&lt;/em&gt; device management covers traditional mobile devices such as smartphones, tablets and laptops.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Modern&lt;/em&gt; device management reaches a wider range of connected network devices, including but not limited to:&amp;nbsp;
	&lt;ul&gt;
		&lt;li&gt;IoT sensors.&amp;nbsp;&lt;/li&gt;
		&lt;li&gt;Wearables (e.g., smart watches).&amp;nbsp;&lt;/li&gt;
		&lt;li&gt;Medical equipment.&amp;nbsp;&lt;/li&gt;
		&lt;li&gt;Industrial machinery.&amp;nbsp;&lt;/li&gt;
		&lt;li&gt;Desktops.&amp;nbsp;&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;MDM difference #2: Mobile device management focuses on controlling configurations; modern device management primarily collects and gathers usage data&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Additionally, while both mobile device management and modern device management platforms are designed to manage corporate-owned mobile or connected devices within an organization’s environment, the scope of control that each type of management provides varies greatly.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Mobile&lt;/em&gt; device management provides IT administrators with comprehensive control over the configuration settings of each mobile device they manage, including access restrictions on applications or certain features.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;In contrast, &lt;em&gt;modern&lt;/em&gt; device management is focused on monitoring user activity and providing insights into usage trends across all managed devices. It also allows for remote wiping of any sensitive data stored on the device if required.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Comparing MDMs: what do both mobile and modern device management have in common?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Despite these fundamental differences in scope and focus, these two types of device management solutions share some commonalities. Both:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Offer enterprise-level security capabilities through encryption and authentication techniques.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Allow for quick application patching.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Provide device location tracking.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Support geofencing capabilities.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Enable software distribution.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Have inventory management capabilities.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Provide detailed reporting insights about each managed device.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Enable automated backups.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Ensure compliance with industry privacy standards, such as HIPAA or GDPR regulations.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Reduce costs associated with managing a large fleet of devices by automating manual tasks.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Increase productivity by streamlining processes related to device management operations, among other features.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id="three"&gt;Clearing up confusion over mobile device management versus modern device management&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The similarities between the two MDM platforms offer quite a bit of room for confusion — even if &lt;em&gt;modern&lt;/em&gt; device management solutions clearly cover a wider range of possible endpoint devices.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For example, both systems offer encryption technology for data security. However:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Mobile&lt;/em&gt; MDM focuses more on authentication techniques.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Modern &lt;/em&gt;MDM offers more detailed monitoring of user activity.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Similarly, both systems provide location tracking capabilities, but:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Mobile&lt;/em&gt; MDM is better suited for managing fleets of devices or assets in remote locations.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Modern&lt;/em&gt; MDM is better suited for tracking individual user device behavior.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Another area where confusion arises is software distribution. Both systems can deploy application updates and patches to devices remotely. However:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Mobile&lt;/em&gt; MDM focuses only on over-the-air deployments.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Modern&lt;/em&gt; MDM provides more comprehensive control over configuration settings.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;table border="1" cellpadding="1" cellspacing="1"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Encryption and security&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Location tracking&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Software distribution&lt;/strong&gt;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Mobile device management&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Focuses more on authentication techniques.&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Better suited for managing fleets of devices&amp;nbsp;or assets in remote locations.&amp;nbsp;&lt;/p&gt;

			&lt;/td&gt;
			&lt;td&gt;Focuses only on over-the-air deployments.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Modern device management&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Offers more detailed monitoring of user activity.&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Better suited for tracking individual user device behavior.&amp;nbsp;&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Provides more comprehensive control over configuration settings.&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;Finally, there are also differences in terms of reporting insights and automated backups. While both systems provide these features to varying degrees, depending on device type and usage requirements, it’s important for customers to understand which system best meets their needs before making any decisions.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;table border="1" cellpadding="1" cellspacing="1"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Mobile device management&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Modern device management&lt;/strong&gt;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Primary devices focus&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Phones, tablets, PDAs, COSU, etc.&lt;/td&gt;
			&lt;td&gt;Same as mobile, but with additional device types including servers, desktops, laptops, IoT, etc.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Management scope&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Mobile device focus&lt;/td&gt;
			&lt;td&gt;User focus&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Application deployment&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Yes – via MAM&lt;/td&gt;
			&lt;td&gt;Yes – via in-house apps store&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Endpoint configuration and policies&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Mobile only&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;Yes&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Device tracking&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Mobile only&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;Yes&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Reporting and trends&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Limited&lt;/td&gt;
			&lt;td&gt;Yes&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;OS and application updates&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Over-the-air&lt;/td&gt;
			&lt;td&gt;Comprehensive patching and management&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;

&lt;h2&gt;Which MDM is right for you?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;There are clear differences when contrasting mobile device management versus modern device management. And both offer extensive benefits to organizations looking for ways to optimize their IT infrastructure while ensuring their assets remain secure at all times.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The best practice in picking between the two? An organization should select an MDM system based on its individual requirements. For example, while both mobile and modern device management systems offer similar features like encryption technology or authentication techniques, they vary significantly in terms of scope and focus.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Make sure you select the solution that matches best with your current security protocols and desired feature set — because while they may share an acronym, their differences may make all the difference for your enterprise.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Mon, 06 Nov 2023 19:40:47 Z</pubDate></item><item><guid isPermaLink="false">7ac23234-735c-4717-8f8a-9ce13319bb52</guid><link>https://www.ivanti.com/blog/what-s-new-in-ivanti-neurons-for-mobile-device-management</link><atom:author><atom:name>Kate Kim</atom:name><atom:uri>https://www.ivanti.com/blog/authors/kate-kim</atom:uri></atom:author><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/blog/authors/yosune-baltra</atom:uri></atom:author><title>What's New in Ivanti Neurons for Mobile Device Management?</title><description>&lt;p&gt;The latest release of &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for MDM&lt;/a&gt;&amp;nbsp;includes enhancements for managing COSU devices and transitioning to cloud-based device management.&lt;/p&gt;

&lt;h2&gt;Provide&amp;nbsp;extra security and support for your Android COSU devices&lt;/h2&gt;

&lt;p&gt;Corporate-owned single-use (COSU) devices are dedicated for a single use, and Android Enterprise's capabilities can help configure those devices to best serve that purpose. Use cases for COSU devices include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Point-of-sale (POS) systems in retail.&lt;/li&gt;
	&lt;li&gt;Handheld barcode scanners in supply chain.&lt;/li&gt;
	&lt;li&gt;Smart panels (such as information kiosks, timecard entry panels, physical access entry panels, etc.) across a number of industries, including healthcare, retail and manufacturing.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These locked-down devices can be dedicated to a single user, multiple users&amp;nbsp;or external users. The Android Enterprise COSU configuration provides more control over how your staff and customers use the device&amp;nbsp;by compartmentalizing the operating system to deploy in a locked-down environment, running a single application or a specific set of apps. Usually, one application is intended to run on the device and that’s all. COSU improves security, efficiency, processes, compliance and user experience by locking devices down to execute a small range of specific tasks.&lt;/p&gt;

&lt;p&gt;With the latest release of Ivanti Neurons for MDM, several new features have been added to better secure and support your COSU devices.&lt;/p&gt;

&lt;h3&gt;5G slicing support&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;With more COSU devices deployed in remote locations, 5G support becomes more essential for securing those devices. Neurons for MDM provides 5G information to let you know if your device is part of your private 5G network slice. 5G network slicing allows your provider to take a shared physical network and portion it out into logical segments. Each segment is provisioned for a different set of users, devices&amp;nbsp;and applications,&amp;nbsp;and the logical separations mean the traffic from one slice does not interfere with another.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In a retail environment, different slices can be configured to provide for your mobile POS&amp;nbsp;devices and for your customer kiosks. Your remote retail environments might employ these slicing schemes to provide better employee and customer experience, while behind the scenes keeping track of inventory. These slices would separate each other’s traffic and resources, improving security. 5G slicing can be enabled in the lockdown Android Enterprise configuration within Ivanti Neurons for MDM.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Configuring higher app priority distribution and updates on your COSU devices&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;With Ivanti Neurons for MDM, IT can set higher-priority apps for enrollment and update on COSU devices. This allows admins to set which applications are critical for deployment and updating. This is especially important if the update would resolve or prevent a production-related issue. Getting these updates out as fast as possible can reduce downtime or even prevent a production-affecting event from surfacing.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Providing additional USB security to your COSU devices&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;With Ivanti Neurons for MDM, you can configure the USB port to be used for charging only. This prevents the USB port from being used as a physical vector for malicious attacks, keeping unauthorized users from accessing confidential data. This&amp;nbsp;is particularly important for&amp;nbsp;COSU devices in an open area, such as kiosks and POS devices in retail stores.&lt;/p&gt;

&lt;h3&gt;Unattended remote session support&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Remote session support becomes even more of a necessity for remote COSU devices,&amp;nbsp;particularly in a retail environment where there may be no one available&amp;nbsp;after the store closes&amp;nbsp;to troubleshoot and resolve technical issues.&lt;/p&gt;

&lt;p&gt;With Neurons for MDM, you can initiate a remote session from within the console without requiring input from any user at that location, making it easy&amp;nbsp;to manage COSU devices when there is no physical access to those devices.&lt;/p&gt;

&lt;h2&gt;Easily transition Windows devices to cloud-based modern management&lt;/h2&gt;

&lt;p&gt;We are excited to announce an Ivanti Neurons for MDM deployment package with the Q2 release to support customers with an easy transition for their Windows devices from traditional management to modern management.&lt;/p&gt;

&lt;h3&gt;Ivanti Neurons for MDM deployment package&lt;/h3&gt;

&lt;p&gt;IT can enroll devices managed by Microsoft Configuration Manager (formerly SCCM) or Ivanti Endpoint Manager into Ivanti Neurons for MDM. The Deployment Package tool allows organizations to streamline the transition of Windows devices to cloud-based modern management, without downtime or end-user interruption. Seamless transition is achieved by downloading a unique deployment package from the Neurons for MDM console, then deploying it through the existing management tool or domain. Once the package is deployed, it will silently enroll endpoints into Neurons for MDM for ongoing management. This approach allows administrators to first migrate devices easily, then have the flexibility to configure devices later over the air. When a device has been silently enrolled into Neurons for MDM, it is joined with MDM and co-managed by two management authorities. Once an administrator configures the desired Windows experience within Neurons for MDM, the legacy management platform can be decommissioned, leaving Neurons for MDM as the&amp;nbsp;single management authority of the device.&lt;/p&gt;

&lt;p&gt;This package can be deployed in environments that do not leverage Azure Active Directory (AAD). The main elements of Neurons for MDM modern Windows management suite do not require AAD. Co-management or co-existence may require certain workloads or configurations to be deployed upon silent enrollment, to avoid any impact during transition.&lt;/p&gt;

&lt;h3&gt;Why move to cloud-based modern management?&lt;/h3&gt;

&lt;p&gt;As UEM solutions have evolved and added more capabilities over the years, it has become&amp;nbsp;critical to provide a consistent user experience and management capabilities between mobile (iOS and Android) and Windows devices. Cloud-based modern device management on Windows devices is fundamentally different from&amp;nbsp;traditional device management, but similar to mobile device management on iOS and Android.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;One of the key differences is profile-based management. Breaking from image-based management relieves IT of the significant workload of manual device imaging and maintenance. A profile is a collection of configuration settings that are applied to a device based on group membership, which allows profiles to be created as modules, with multiple profiles assigned to a single user depending on their job function and required apps.&amp;nbsp;With profile-based management, IT can remotely make changes to any configuration and push patch updates over the air.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Those differences mean that cloud-based modern management significantly reduces IT overhead and the complexity of managing Windows devices.&lt;/p&gt;

&lt;p&gt;There are a number of drivers for considering a&amp;nbsp;transition from client-based to cloud-based modern device management:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Higher scalability and lower cost impact.&lt;/strong&gt;&amp;nbsp;We can view scalability in two different ways – faster deployment and ease&amp;nbsp;of scaling.&amp;nbsp;First, a cloud-based solution&amp;nbsp;is&amp;nbsp;faster to deploy compared to an on-prem solution.&amp;nbsp;Second, if you want to deploy more devices with a cloud-based solution, you don’t need to build a new server, which would be required for&amp;nbsp;an on-prem solution to scale.&amp;nbsp;Also, cloud-based solutions are&amp;nbsp;managed by the vendor, so customers can save the cost of&amp;nbsp;managing&amp;nbsp;infrastructure and servers on their own.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Better security posture.&lt;/strong&gt;&amp;nbsp;Some might argue that on-prem has a better reputation when it comes to security posture. And it is true that some customers in heavily regulated industries still prefer to continue using on-prem solutions. The caveat is that security posture really depends on a customer’s infrastructure, and it often&amp;nbsp;requires a heavy investment for customers to build their own security infrastructure and hire experts to manage it.&amp;nbsp;Cloud service providers, including Ivanti, meet a high security standard with various certifications&amp;nbsp;— for example, Ivanti Neurons for MDM is FedRAMP&amp;nbsp;and SOC2 certified.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Improved productivity and user experience.&lt;/strong&gt;&amp;nbsp;Remember&amp;nbsp;the significant efforts that went into the Windows 10 migration of a few years ago — and the loss of productivity due to downtime during the update?&amp;nbsp;Modern device management minimizes impacts on productivity between Windows OS updates, as devices are being managed like smartphones.&amp;nbsp;Modern device management also allows you to leverage a zero-touch provisioning solution that integrates systems like Windows Autopilot, Apple Business Manager, Android Enterprise&amp;nbsp;and Samsung Knox Mobile Enrollment.&amp;nbsp;IT can ship a Windows device directly to a user, and it automatically gets enrolled into the cloud-based UEM solution.&amp;nbsp;You can cut onboarding time from weeks to two days, which results not only in a faster onboarding but also&amp;nbsp;higher user satisfaction.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Learn more&lt;/h2&gt;

&lt;p&gt;For more information about Ivanti Neurons for MDM, visit the &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;product page&lt;/a&gt;&amp;nbsp;or view the &lt;a href="https://help.ivanti.com/mi/help/en_us/cld/8x/rn/default.htm" target="_blank"&gt;release notes&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Mon, 02 May 2022 18:25:13 Z</pubDate></item><item><guid isPermaLink="false">987dd57a-703c-467b-bb05-9a72b08de367</guid><link>https://www.ivanti.com/blog/what-s-new-in-epm-2022</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><title>What's New in EPM 2022?</title><description>&lt;p&gt;The latest release of Ivanti Endpoint Manager includes several new features.&lt;/p&gt;

&lt;h2&gt;Enhanced Windows Autopilot support&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti Endpoint Manager 2022 will allow customers to easily deploy provisioned devices to end users, regardless of where they are located, without infrastructure changes. Additionally, Ivanti Endpoint Manager will continue to be the trusted solution to manage modern devices anywhere within the device lifecycle. These enhancements include adding new Autopilot functionality:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Updated search UI.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Updated APIs.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;PowerShell requirements and detection rules.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Web console 2.0 – software distribution enhancements&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;This enhancement now allows the helpdesk analyst role to deliver software to end users via the new web console. This includes the following feature set for this role:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Quickly find a user and/or device.&lt;/li&gt;
	&lt;li&gt;Install and uninstall software packages.&lt;/li&gt;
	&lt;li&gt;Find and filter between different types of software packages.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Get deployment status via task notifications.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Console - improved query import capabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Admins often require reporting on a large list of devices. Originally, EPM limited queries to 50 devices when importing. This limitation has been removed within the EPM console.&lt;/p&gt;

&lt;h2&gt;Improved inventory scanner for macOS&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti rewrote and optimized the agent inventory scanner to improve interoperability with macOS endpoints, making it more efficient and reducing scan time from 7-12 minutes down to 1-2 minutes.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;More resources&lt;/h2&gt;

&lt;p&gt;Visit the &lt;a href="https://forums.ivanti.com/s/endpoint-manager-and-endpoint-security?language=en_US" target="_blank"&gt;Ivanti Community&amp;nbsp;Endpoint Manager page&lt;/a&gt; for additional resources, including &lt;a href="https://forums.ivanti.com/s/article/Ivanti-Endpoint-Manager-2022-Release-Information-and-Useful-Links?language=en_US" target="_blank"&gt;release notes&lt;/a&gt;, and to &lt;a href="https://forums.ivanti.com/s/article/Download-the-Latest-Service-Pack-for-Ivanti-LANDESK-Software-Products" target="_blank"&gt;download the latest service pack for Ivanti EPM products&lt;/a&gt;.&lt;/p&gt;</description><pubDate>Tue, 26 Apr 2022 18:29:11 Z</pubDate></item><item><guid isPermaLink="false">a827ed42-4386-4f75-939a-7ac3fca7a5d9</guid><link>https://www.ivanti.com/blog/how-to-mitigate-cve-2022-0847-the-dirty-pipe-vulnerability</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><category>Security</category><title>How to Mitigate CVE-2022-0847 (The Dirty Pipe Vulnerability)</title><description>&lt;h2&gt;What is the “Dirty Pipe Vulnerability”?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Dirty Pipe is a Linux kernel vulnerability that allows non-privileged users to overwrite read-only files. The vulnerability is due to an uninitialized “pipe_buffer.flags” variable, which makes it possible to overwrite any file contents in the page cache even if the file is not permitted to be written, is immutable, or is on a read-only mount, including CD-ROM mounts. The page cache is always writable by the kernel, and writing to a pipe never checks any permissions.&amp;nbsp;An extensive write-up on the Dirty Pipe vulnerability can be found in the reference links at the end of this blog.&lt;/p&gt;

&lt;h2&gt;Why is this important?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;This enables attackers to perform privilege escalation by overwriting data in arbitrary read-only files and injecting code from unprivileged processes to privileged processes. This can make Linux and Android systems vulnerable to a multitude of malware and other exploits, including ransomware.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Who is affected?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;This vulnerability affects endpoints running Linux with a kernel version 5.8 or higher. This includes a multitude of devices running Android 12 and Linux.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How to find out if I am affected?&amp;nbsp;&lt;/h2&gt;

&lt;h3&gt;Linux:&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;From the Linux command line, run the following command:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;uname -srm&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Your output should look similar to this:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Linux 5.13.19-3-generic x86_64&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;Android:&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;To find the kernel version on Android:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;With most generic Android devices, go to Settings and search for or select “About Phone” -&amp;gt; “Android Version” and you should see the “Kernel version.”&lt;/p&gt;

&lt;p&gt;&lt;img alt="Android device showing &amp;quot;About phone&amp;quot; screen" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/03/android-about-phone.png"&gt;&lt;img alt="Android device showing &amp;quot;Android version&amp;quot; screen" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/03/android-android-version.png"&gt;&lt;img alt="Android device showing the kernel version on the &amp;quot;Android version&amp;quot; screen" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/03/android-kernel-version.png"&gt;&lt;/p&gt;

&lt;p&gt;With Samsung, go to settings and search or select “About Phone” -&amp;gt; “Software Information” and your “Kernel version” should be displayed.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Samsung device showing &amp;quot;About Phone&amp;quot; screen" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/03/samsung-about-phone.png"&gt;&lt;img alt="Samsung device showing &amp;quot;Software Information&amp;quot; screen" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/03/samsung-software-information.png"&gt;&lt;/p&gt;

&lt;p&gt;Currently, the most common Android devices affected by this vulnerability are Samsung S22 and Google Pixel 6 series.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How to mitigate Dirty Pipe&amp;nbsp;&lt;/h2&gt;

&lt;h3&gt;Linux&lt;/h3&gt;

&lt;p&gt;If your endpoint is running a Linux kernel version 5.8 or higher, you should patch your kernel to 5.16.11, 5.15.25 or 5.10.102, or greater. Most distributions have already released a kernel patch. You can run an update with your distro’s package manager to update to the latest kernel.&lt;/p&gt;

&lt;p&gt;Ivanti Patch for Endpoint Manager can find which Linux endpoints are affected and automatically apply the vulnerability fix.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Android&lt;/h3&gt;

&lt;p&gt;On Android, manufacturers are working on applying a critical system update. It is highly recommended to contact your device manufacturer to confirm they are addressing this vulnerability.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;You can create reports in Neurons for Discovery to find which Android endpoints are affected.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;With Ivanti Neurons for MDM, applying a “System Update” configuration and setting the “Android System Update” to “Automatic” will push the latest manufacturer-approved system updates to your devices.&lt;/p&gt;

&lt;h2&gt;Reference Links&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://dirtypipe.cm4all.com/" rel="noopener" target="_blank"&gt;Max Kellermann: The Dirty Pipe Vulnerability&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-0847" rel="noopener" target="_blank"&gt;Red Hat Bugzilla – Bug 2060795&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://android-review.googlesource.com/c/kernel/common/+/1998671" rel="noopener" target="_blank"&gt;Google’s Android Kernel Upstream Bug Fix addressing CVE-2022-0847&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://vimeo.com/685677595" rel="noopener" target="_blank"&gt;Ivanti Endpoint Manager - Patch Management and Automation - Video&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=-6V69aDYWhs" rel="noopener" target="_blank"&gt;Ivanti Neurons Patch Intelligence&amp;nbsp;&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Wed, 16 Mar 2022 13:09:48 Z</pubDate></item><item><guid isPermaLink="false">99fdc24a-f686-4814-b465-347895a3b2d6</guid><link>https://www.ivanti.com/blog/best-practices-to-secure-your-corporate-owned-personally-enabled-cope-android-devices</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><category>Security</category><title>Best Practices to Secure Your Corporate-Owned Personally Enabled (COPE) Android Devices</title><description>&lt;h2&gt;What is COPE?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;COPE stands for Corporate Owned Personally Enabled Device. &amp;nbsp;These are devices that are owned and provided by the company for work but are also expected to be used for personal reasons. &amp;nbsp;It’s a term that’s especially relevant today, with the adoption of Everywhere Workplace, as companies are giving employees more freedom with corporate-owned and controlled devices.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Why COPE is important to your IT&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Over the years, IT professionals have voiced their frustration over carrying multiple devices—one for work and another for personal use. &amp;nbsp;As a result, many organizations have provided Android mobile devices to their employees, expecting that a single device will serve a dual personal/professional purpose. However, this has created multiple challenges for IT, as they need to keep corporate data protected from personal use. Unlike BYO devices, COPE devices are owned by the company, which means you’ll need to track and monitor these assets while minimizing the chance of them being used to exploit the security of your infrastructure.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Best practices to secure COPE devices &amp;nbsp;&lt;/h2&gt;

&lt;h3&gt;Work Profile to protect company apps and data &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Use a work profile to protect your company apps and data. &amp;nbsp;With a work profile, you can securely and privately use the same device for work and personal purposes. The work profile keeps your company’s apps and data and the employee’s apps and data in a separate encrypted security domain.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Whitelist or blacklist apps outside the work profile &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Decide which apps can be used on the personal side of the device, outside the work profile domain. Protect your users from downloading apps that can compromise the device by limiting which apps they can install.&lt;/p&gt;

&lt;h3&gt;Lockdown Configuration &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Use a lockdown configuration to protect the device from unauthorized access. There are many options you can use to protect your users from malicious activities and your devices from unauthorized access.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Disable USB file transfer &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Protect your users and company data by preventing files from transferring over USB. This locks the USB port to only be used for charging.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Disallow debugging features &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Debugging output provides verbose data about not only the applications and Android, but can also include data used by those apps and the OS. Only enable debugging when your software or hardware vendors require it for troubleshooting.&lt;/p&gt;

&lt;h3&gt;Ensure verify apps &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Protect your users from potentially malicious apps that are sideloaded. Ensure that only apps that have been scanned and verified by Google Play Protect can be installed via the Google Play store.&lt;/p&gt;

&lt;h3&gt;Disable data roaming &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Keep data on your trusted cellular networks. This can be vital if you are implementing 5G slicing for your Android devices.&lt;/p&gt;

&lt;h3&gt;Disallow Bluetooth sharing &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Prevent users’ personal data from being transferred off the device using Bluetooth protocols.&lt;/p&gt;

&lt;h3&gt;Disallow Bluetooth settings &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Preconfigure and pair only authorized Bluetooth devices. Once you are done pairing those authorized devices, disable access to the Bluetooth settings.&lt;/p&gt;

&lt;h3&gt;Disable Wi-Fi settings &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;If you want the COPE device to connect only to authorized company Wi-Fi networks, preconfigure those Wi-Fi networks with a Wi-Fi policy and disable the Wi-Fi settings to prevent users from adding and accessing unauthorized Wi-Fi networks.&lt;/p&gt;

&lt;h3&gt;Disallow tethering &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Tethering may allow personal devices to access your mobile endpoint and your corporate network. Disabling tethering prevents unauthorized access to the Android device and prevents the Android device from being used to exploit access to your company network.&lt;/p&gt;

&lt;h3&gt;Disallow adding or modifying accounts &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Personal accounts in the Work Profile allow users to download public apps into the corporate container, which is a risk. Basic AE security always starts with preventing users from adding or modifying accounts within the Work Profile.&lt;/p&gt;

&lt;h3&gt;Secure your device with Mobile Threat Protection &amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Add that next level of protection with Mobile Threat Defense. MTD not only provides protection from exploits but also protects your users from phishing attacks by using hybrid on-device and cloud detection capabilities. MTD is also fully integrated into the MobileIron Go app, which means that when you deploy your devices, MTD is already deployed to them.&lt;/p&gt;

&lt;h2&gt;Why Ivanti Neurons for MDM?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;With Ivanti Neurons for MDM&lt;/a&gt;, you can secure your employee- and executive-assigned devices while giving employees the freedom to use those Android devices for personal reasons. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Ivanti Neurons for MDM integrates your Android COPE devices using cloud-based device management and security, which brings together mobile application management (MAM), app distribution and configuration, easy zero-touch onboarding of Android devices, and the ability to scale as you grow, while securing your employees’ productivity and connectivity. In addition, Neurons for MDM integrates not just with Android, but with other operating systems and devices: iOS, Mac, Windows, and Linux.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Learn more about Ivanti Neurons for MDM.&amp;nbsp;&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Fri, 11 Feb 2022 18:20:44 Z</pubDate></item><item><guid isPermaLink="false">be951c27-36f8-4571-b743-4d4ee1a0335e</guid><link>https://www.ivanti.com/blog/how-to-secure-byo-android-devices</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>How to Secure BYO Android Devices</title><description>&lt;p&gt;Two-thirds of US white-collar employees are working from home some or all of the time, according to a &lt;a href="https://news.gallup.com/poll/355907/remote-work-persisting-trending-permanent.aspx" rel="noopener" target="_blank"&gt;September 2021 Gallup survey&lt;/a&gt; – and of those, 91 percent hope to continue to do so even after the pandemic.&lt;/p&gt;

&lt;p&gt;In this Everywhere Workplace environment, a “bring your own device” (BYOD) policy is an appealing proposition for employees and IT departments alike, &lt;a href="https://www.sciencedirect.com/science/article/pii/S0268401220306940" rel="noopener" target="_blank"&gt;leading to&lt;/a&gt; an average annual savings of $350 per employee and a 34 percent increase in productivity.&lt;/p&gt;

&lt;p&gt;But with BYOD policies come new requirements for securing those employee-owned devices, keeping corporate information safe while respecting employees’ privacy. Enter: &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for Mobile Device Management (MDM)&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Zero Trust for Android BYOD&lt;/h2&gt;

&lt;p&gt;Android holds &lt;a href="https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/" rel="noopener" target="_blank"&gt;over 72 percent&lt;/a&gt; of the mobile operating system market, so Ivanti Neurons for MDM, which integrates with Android Enterprise, is an ideal zero-trust foundation for implementing a BYOD directive with relative ease.&lt;/p&gt;

&lt;p&gt;Android Enterprise is the set of features and services built into Android that allows companies to secure and manage corporate data and apps on Android devices. With Android Enterprise’s work profiles, employees’ personal data and information on the device are unavailable to their IT department, while the company knows their corporate apps and data are secure. Android enforces separation between personal and work data at the kernel level across process, memory and storage. All applications from Google Play work out of the box with separate data storage.&lt;/p&gt;

&lt;h2&gt;Ivanti Neurons for MDM&lt;/h2&gt;

&lt;p&gt;With Ivanti Neurons for MDM, you can manage work apps and data within the work profile while personal apps, data and usage remain private – all with minimal interaction from the employee.&lt;/p&gt;

&lt;p&gt;Simply email employees a Google Play Store link to &lt;a href="https://vimeo.com/ivanti/download/647120704/6eac83404d" rel="noopener" target="_blank"&gt;download and run Ivanti’s app&lt;/a&gt;. All that is required to complete the setup process is their employee email and credentials.&lt;/p&gt;

&lt;p&gt;Your IT department can configure Neurons for MDM to automatically configure the work profile to download and install the apps and their settings so the employee can hit the ground running.&lt;/p&gt;

&lt;h2&gt;Key Features of Ivanti Neurons for MDM&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://vimeo.com/ivanti/download/647120649/135ac27c5c" target="_blank" rel="noopener"&gt;&lt;strong&gt;App catalog&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt; Add, configure, distribute, promote and whitelist managed Google Play Store apps, company private apps, and private or third-party web applications within the work profile.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Always-on encryption policy.&lt;/strong&gt; Create a protection/encryption disable policy to monitor and automatically audit actions if encryption on the device is disabled or compromised.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Passcode configuration.&lt;/strong&gt; Define the passcode requirements for the device and work profile, which protects corporate applications and data from unauthorized access. You can also opt to allow the use of biometrics to unlock the device and work profile.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Ivanti tunnel.&lt;/strong&gt; Secure per-app VPN for business apps and data from anywhere. Mobile apps can access protected corporate data and content behind a firewall.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Client out of contact policy.&lt;/strong&gt; Set up a set of actions to take if the Ivanti MobileIron Go client has not checked in for a specified number of hours or days. This can be set to deny, quarantine or even delete the work profile in order to protect corporate apps and data when out of compliance.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Default app permissions configuration.&lt;/strong&gt; Set default runtime permissions for work profile apps.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://vimeo.com/ivanti/download/647120648/f090c1b791" target="_blank" rel="noopener"&gt;&lt;strong&gt;Lockdown configuration&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt; Decide what Android Enterprise features are used to restrict the work profile.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Certificate distribution.&lt;/strong&gt; Configure automatic creation of app and identity certificates for your devices to establish trust with your corporate assets using your choice of certificate authorities.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Auto update.&lt;/strong&gt; Set update options and requirements for when to update private and Google Play Store apps within the work profile.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Notifications and reporting.&lt;/strong&gt; Set up automated reports for you and your upper management while adding notifications when a device fails compliance.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Zero sign-on (ZSO).&lt;/strong&gt; With ZSO, eliminate the need for passwords by making mobile devices the primary factor for user authentication.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Mobile threat defense (MTD).&lt;/strong&gt; Easily deploy threat protection with machine-learning algorithms that provide on-device phishing and threat protection. MTD also supplies reputation scores for apps in the apps catalog.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti Neurons for MDM is Android Enterprise Recommended (AER)&lt;/h2&gt;

&lt;p&gt;Ivanti is certified by Google’s Android Enterprise Recommended (AER) program, the continual seal of approval that Ivanti&amp;nbsp;Neurons for MDM meets Google’s strict Android Enterprise requirements. Ivanti Neurons for MDM is Android Enterprise Recommended for the work profile, which is the primary management set used for BYO devices, proving you can trust Ivanti Neurons for MDM to manage current and future versions of Android.&lt;/p&gt;

&lt;h2&gt;A Secure Foundation for BYOD Policies&lt;/h2&gt;

&lt;p&gt;Over 59 percent of organizations already have a BYOD policy, and 13 percent are in the process of implementing BYOD. With Ivanti Neurons for MDM, you can be confident not only that your enterprise apps and data are secure on your employees’ personal devices thanks to Ivanti’s zero-trust foundation, but also that your employees’ personal data is kept private.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Learn more.&lt;/strong&gt; Hear how Android 12’s new features improve productivity and security and how you can use Ivanti UEM to implement these new capabilities and mature your zero-trust journey. &lt;a href="https://www.ivanti.com/webinars/2021/everything-you-need-to-know-about-android-enterprise"&gt;Watch the on-demand webinar&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Mon, 06 Dec 2021 17:55:51 Z</pubDate></item><item><guid isPermaLink="false">f1bb7b3c-93ba-48ba-9f47-0640e27de035</guid><link>https://www.ivanti.com/blog/ivanti-delivers-day-zero-compatibility-and-key-feature-support-for-android-12</link><atom:author><atom:name>Charlie Rasch</atom:name><atom:uri>https://www.ivanti.com/blog/authors/charlie-rasch</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Ivanti Delivers Day-Zero Compatibility and Key Feature Support for Android 12</title><description>&lt;p&gt;Here at Ivanti, we are excited about Android 12. I’m pleased to share that we offer day-zero compatibility and key feature support across the Ivanti product portfolio for the new features built into Google’s updated OSs.&lt;/p&gt;

&lt;p&gt;Android 12 brings plenty of new things to see and experience with a combination of security and privacy. Some of the coolest new features and improvements include performance class classifications, enrollment-specific ID, streamlining of the work profile security challenge, changes in the user privacy permissions, disabling the USB port, and limiting input methods.&lt;/p&gt;

&lt;h2&gt;Performance Class Classifications&lt;/h2&gt;

&lt;p&gt;Google is also working with ecosystem partners and has introduced a new standard called &lt;a href="https://developer.android.com/topic/performance/performance-class" rel="noopener" target="_blank"&gt;“Performance Class”&lt;/a&gt;. Performance class sets classification levels for sets of Android devices that include the minimum technical requirements for Google’s &lt;a href="https://source.android.com/docs/compatibility/cdd" rel="noopener" target="_blank"&gt;Compatibility Definition Document (CDD)&lt;/a&gt; and the verification of the classification using the &lt;a href="https://source.android.com/docs/compatibility/cts" rel="noopener" target="_blank"&gt;Android Compatibility Test Suite (CTS)&lt;/a&gt;. This allows developers to check whether the device meets not only Android’s requirements but also the developers’ performance requirements, or to automatically change features within their application to best run on that performance class. Ivanti is certified by Google to meet the three types of management solutions for your Android devices.&lt;/p&gt;

&lt;h2&gt;Security and Privacy Changes&lt;/h2&gt;

&lt;p&gt;As for this new version of Android, the enterprise component has made several changes to improve security and privacy features that will be implemented within Ivanti UEM, formerly MobileIron.&lt;/p&gt;

&lt;h2&gt;Enrollment-specific ID&lt;/h2&gt;

&lt;p&gt;For Work Profiles on BYOD devices, Ivanti UEM will no longer have access to several hardware identifiers in Android 12. This means that BYOD devices can no longer be identified via IMEI, MEID and the serial number of the devices. Google has implemented enrollment-specific IDs for enrolling BYOD devices. When enrolling into UEM, the work profile on the device will be provided a unique ID that will remain with the device, even after a device has been factory reset.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Because of this, we highly recommend that you remove any dependencies on hardware identifiers for Android devices in Ivanti UEM at your earliest convenience.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;Simplified password complexity settings&lt;/h2&gt;

&lt;p&gt;Google has simplified the default password requirements. With Ivanti UEM, you can choose between predefined complexity sets (High, Medium, Low and None) for accessing the work profile on a device.&lt;/p&gt;

&lt;h2&gt;The streamlining of the work profile security challenge&lt;/h2&gt;

&lt;p&gt;UEM enrollment setup now takes into account if the device passcode meets company security requirements and makes it easy for the administrator to choose whether to increase the strength of the device passcode or to use the work profile security challenge.&lt;/p&gt;

&lt;h2&gt;User privacy permissions&lt;/h2&gt;

&lt;p&gt;Users now have more privacy controls within the work profile apps. The following permissions can be granted by the user in the work profile unless limited by UEM profile configuration settings.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Location&lt;/li&gt;
	&lt;li&gt;Camera&lt;/li&gt;
	&lt;li&gt;Microphone&lt;/li&gt;
	&lt;li&gt;Body Sensor&lt;/li&gt;
	&lt;li&gt;Physical activity&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In addition, IT administrators can manage permissions or choose to opt out of managing sensor-related permission grants during provisioning for fully managed company-owned devices. If the administrator chooses to manage permissions, users see an explicit message during the setup wizard. If the administrator chooses to opt out, users are prompted to accept or deny permissions in-app when the app is first used.&lt;/p&gt;

&lt;h2&gt;Disabling the USB port&lt;/h2&gt;

&lt;p&gt;On a fully managed company-owned device, you can now configure the device to use the USB port only for charging. IT admins can mitigate the risk of users unknowingly downloading malware through the USB port at public charging locations such as airport lounges, or of the USB port being maliciously used to access the data on the device itself.&lt;/p&gt;

&lt;h2&gt;Limiting input methods used in the personal profile&lt;/h2&gt;

&lt;p&gt;IT admins can now approve which input methods can be used within the work profile on a fully managed device. IT admins can set a configuration profile within UEM to prevent the use of third-party keyboard/swiping input apps that replace the default Android or device manufacturer’s on-screen keyboard.&lt;/p&gt;

&lt;h2&gt;Keeping up to date on compatibility&lt;/h2&gt;

&lt;p&gt;To check on your device compatibility with Android 12, we recommend contacting your device manufacturer.&lt;/p&gt;

&lt;p&gt;Ivanti is keeping an updated live KB (Knowledge Base) on current issues of using Android 12 with UEM: &lt;a href="https://forums.ivanti.com/s/article/MobileIron-Guidance-on-Android-12-Compatibility?language=en_US" target="_blank"&gt;https://forums.ivanti.com/s/article/MobileIron-Guidance-on-Android-12-Compatibility?language=en_US&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Please note that Ivanti cloud services are already configured to support Android 12 and its new features. Once Android 12 is released, Ivanti software releases will already be available and updated applications will be supported on Android 12. Our on-prem customers can choose to update their UEM software when Android 12 is released for some features, but backward compatibility on MobileIron Core ensures devices are also supported with some versions of UEM software.&lt;/p&gt;

&lt;p&gt;At Ivanti, we are committed to providing excellent customer service and support. This is why Ivanti UEM is Android Recommended. With this stamp of approval, have confidence that Ivanti is supporting Android 12 and future versions of Android Enterprise and their features.&lt;/p&gt;

&lt;p&gt;To learn more about Android 12 requirements, changes and features, please visit Google’s “&lt;a href="https://developer.android.com/about/versions/12" rel="noopener" target="_blank"&gt;About Android 12&lt;/a&gt;” page.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Statements in the blog concerning future product availability and plans are forward looking statements, and they are subject to change. They do not represent a commitment, promise or legal obligation to deliver any material, code or functionality, and should not be relied upon in making purchasing decisions.&lt;/em&gt;&lt;/p&gt;

</description><pubDate>Mon, 04 Oct 2021 17:55:24 Z</pubDate></item></channel></rss>