Release Notes Silverback 21.0 Update 3

Android Enterprise

• Advanced QR-Code Provisioning
• End-user credentials pass-through

Windows 10/11

• Device & Network Information Update
• Remote Desktop Configuration
• Device Location
• Request Diagnostics

iOS, iPadOS, macOS

• New Factory Wipe Options (Preserve Data Plan, Skip Proximity Setup, Require Network Tethering)
• New Network Information (eSIM and Dual SIM)
• New Device Information
• Deploy Tags to Apple Silicon devices
• New Device Actions for macOS devices (Restart, Shutdown, Remote Desktop)
• Prevent Erase All Content and Settings
• Enforce major, minor, and non-software update delays
• Allow nonadministrative users to approve Kernel Extensions option

Exchange Protection

• Modern Authentication for Exchange Protection

Advanced QR-Code Provisioning

Advanced QR-Code provisioning method allows to enroll corporate-owned devices into the Android Enterprise Device Owner Mode by scanning a QR-Code during the initial device setup. Administrators or users can tap the Welcome screen six times in the same spot to launch the QR code setup wizard. The QR-Code contains Wi-Fi credentials and allows either to automatic provisioning the device or let the user start at the Self-Service Portal. By selecting automatic provisioning, each value entered as usage count reserves the same number of licenses. Please refer to Advanced QR-Code Provisioning for additional information.

End-user credentials pass-through

With our new Companion version 21.0 Update 3, Administrators can use the End-user credential pass-through feature of Knox Mobile Enrollments for single or bulk enrollments for devices. A Knox Mobile Enrollment admin can associate both a username and password/secret with device(s) in the KME portal and our Matrix42 Companion is able to retrieve and handle the provided username and password from the cloud service to proceed with the enrollment, so your users won't get prompted for adding username and password manually during the enrollment. Please refer to Android Enterprise VI: Knox Mobile Enrollment and Bulk Enrollments with Samsung Knox Mobile Enrollment for additional information.

Device & Network Information Update

For Windows 10 and Windows 11 devices, we improved and extended the device and network information for your managed devices and now you can retrieve all information about network interfaces and cellular identities. Additionally, we removed non-applicable device information. 

Device Information

• Added Version 21H2 for all build versions 19044 and newer
• Last PIN Reset Values, Radio Software Version, WiFi MAC, Screen Resolution and Processor Type has been removed
• Merged and renamed Hardware Version and Software Version to BIOS Version.

• International Mobile Station Equipment Identity (IMEI) value is now shown properly
• Processor Architecture type displays now the friendly name of the architecture instead of digits
• Added RAM information in MB, which specifies the total available memory in MB on the device (may be less than total physical memory)

Network Information

• Network and device properties has been added with the following information:
  • MAC address of the wireless network card. A MAC address is present for each network card on the device.
  • IPv4 address of the network card associated with the MAC address.
  • IPv6 address of the network card associated with the MAC address.
  • Connected value that indicates whether the network card associated with the MAC address has an active network connection.
  • Type of Network connection (WLAN, LAN or unknown)
• Node for queries on the SIM cards has been added with the following information:
  • Subscriber Country build from the first three digits from International Mobile Subscriber Identity (IMSI)
  • The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
  • The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
  • Phone number associated with the specific IMEI number
  • Current Network as the mobile service provider or mobile operator associated with the specific IMEI number.
  • Roaming Status indicates whether the SIM card associated with the specific IMEI number is roaming.

Remote Desktop Configuration

With Silverback 21.0 Update 3, you have now the capability to configure Remote Desktop devices for Windows 10 and Windows 11 devices. These options include first to allow or prevent remote access to computer by using Remote Desktop Services and prevent or allow mapping of clients drives in a Remote Desktop Services session. With passwords options, you can define if the option to save credentials will be applied for Remote Desktop connections and if password prompts will be forced upon connections. As additional security options you can specify whether a Remote Desktop Session Host server requires a secure RPC communication with all clients or if it allows unsecured communication. If you are using native RDP encryption as secure communication between client computers and RD Session Hosts, you can specify encryption levels for these connections. Please refer to Tags Guide Part IV: Windows 10/11 and Windows 10/11 Working with Firewall Rules and Remote Desktop for additional information.

Device Location

Another new action in Silverback 21.0 Update 3 for corporate-owned Windows 10 and 11 devices is the Location action. By executing the remote find action, Silverback will request the device location and reports the current location in the device information of the devices in the location section. The captured and displayed information are the last known location, which will provide you a hyperlink to review the location on Google Maps. Besides that, the last captured at information is shown with the specific accuracy of the location. Please note that users get informed about the location tracking as shown in the screenshot below. If Administrators are executing this action, an Audit entry will be created in the Logs section.  Additionally, you can now remotely configure if the Location Services on managed devices should be turned on or off, without letting users to overwrite this setting. This new Allow Location Service option is present in the Restrictions profile in the System category. When you remotely request the Location for one of your managed devices and either the Allow Location Service is forced off by the restriction profile or by the user itself, Silverback will turn for this specific action the location services on, request the location and turn the location off afterwards. This will ensure at any time when the device is reachable to gain the device location. 

Request Diagnostics

Request Diagnostics is a new action that helps to remotely collect and download Windows devices logs without interrupting the user. The request diagnostics action is used to trigger devices to gather troubleshooting data into a zip archive and uploads that archive to an Azure Blob storage. With Silverback 21.0 Update 3, now you can add your Azure Blob shared access signature in the Azure Active Directory section under the Admin Tab. By enabling the Azure Blob, the Request Diagnostic action gets active and by executing, a diagnostic archive will be triggered and uploaded to your Azure Blob. To download generated archives, navigate to the Logs section in the Admin Tab and press View Logs in the Vendor specific Logs section for Windows Diagnostics. Please refer to Windows 10/11 Diagnostics and Logs for additional information.

New Factory Wipe Options

With Silverback 21.0 Update 3, the following new Factory Wipe options are present and can be executed within the Management Console. 

New Network Information (eSIM and Dual SIM)

We extended the Device Overview for iOS and iPadOS devices with additional (e)SIM card information and now you can retrieve all information about all sim cards or data plans. These information are present of the Service Subscription device response from managed iOS and iPadOS devices and are available with iOS 12 and later. IMEIs, EID and MEID Identifiers are displayed under Network Information and SIM Card / Data Plan specific information are displayed as separated SIM Card / Data Plan for each available slot. In case older devices are still under management, the information is not present, and the network information is shown as prior to this Silverback version. Please take into account that iPads with two SIM cards (physical + esim) might only report the active used card to the management system and additionally, it might be that phone numbers for esim cards will not be reported. This might change for future iOS and iPadOS versions or newer devices. 

Identifiers

• IMEI - International Mobile Equipment Identity
• EID - Embedded Identity Document
• MEID - Mobile Equipment Identifier 
• ICCID - Integrated Circuit Card Identification Number

Voice and Data

• Roaming
• Data Preferred
• Voice Preferred

Additional Information

• Label
• Phone Number
• Slot 

New Device Information

We added several new dictionaries to display more device information for iOS, iPadOS, macOS and tvOS devices. This information will be queried from every device and if devices does not return the information to the management server, the information will not be shown at all in the Device Information of the corresponding device. Please take this into account, if you might miss some of these information for a specific device within the device overview. 

Deploy Tags to Apple Silicon devices

To create more flexibility and granularity and to be ready for the future, you can now split Tag assignments between Apple Silicon and Non-Apple Silicon devices. As an example, it will ensure to distribute applications to your macOS devices, that have different binaries for Apple Silicon and Non-Apple Silicon devices. By enabling the Auto Population, select the Device Variable Key Apple Silicon and select as value either Yes or No. By selecting Yes, all Apple Silicon devices will automatically be assigned to this Tag. 

New Device Actions for macOS

With Silverback 21.0 Update 3, the following four new Device Actions are present for macOS devices and can be executed within the Management Console. 

Prevent Erase All Content and Settings 

With the release of macOS Monterey this year, Apple made it easier to restore macOS. In the System Preferences application, there is a new erase all contents and settings option, which is like the restore mechanism on iOS and iPadOS devices that makes it easier to return any macOS device to factory settings. To prevent users from executing this new erase all contents and settings options, you can disable the Allow Erase Content and Settings option in the Restriction Profile. By default, this option is allowed to users and the restriction is in the System Settings group.

Enforce major, minor, and non-software update delays

Beginning with macOS BigSur 11.3., Apple extended and separated the OS updates control in context of postponing operating systems up to 90 days. In previous macOS versions, the Defer Operating System Updates and Defer Non-Operating System Updates options were able to be defined for a value up to 90 days. With Silverback 21.0 Update 3 and for devices starting from macOS BigSur 11.3, we extended and added additional options that are targeting these OS versions. As a benefit, you have now different controls for major, minor and Non-Operating System Updates and you can enforce the deferral period for each option separately. Please refer to Tags Guide Part V: macOS for additional information. For migrations scenarios to the new options we recommend to create a new Tag with set Auto Population variable key to greater than OS Version >11.2.3, to let these options apply to applicable devices only. If two Tags will be applied to devices, the newer Tag will win as this is in addition useful if you want to decrease the deferral period for specific devices.

Allow nonadministrative users to approve Kernel Extensions option

With the Kernel Extensions you can configure or allow third-party kernel extensions that are defined inside the profile. We granted the options to configure Kernel Extensions in Silverback 20.0 Update 1 and with this release, we extend the options with the Allow nonadministrative users to approve Kernel Extensions option. If enabled, nonadministrative users can approve additional kernel extensions in the Security & Privacy preferences. This option is supported on macOS 11 and later and the default value is set to disabled. 

Modern Authentication Method to Exchange Protection

With this release we added the option to use the Modern Authentication for the Exchange protection. In general, you will need to Register a new application in Azure AD and assign the Exchange Online API Permissions and Azure AD Roles to the application. After that you will need to generate a self signed certificate and attach the public key to the Azure AD application and attach the certificate (private Key) to your Silverback Server. To ensure that Silverback can connect to Exchange Online, you will need to install the PowerShell EXO V2 module to finalize the integration. Please refer to Exchange Protection Integration I: Exchange Online with Modern Authentication for additional information.

Management Console

• Added a View OTP option for Pending Enrollments and QR-codes are now downloadable
• Device ID, Device Name, Username and Operating System are now shown in Confirmation pop-ups for several actions
• Pending Commands in Device Overview shows now which Profile will be installed with the InstallProfile command
• Improved several screens, translations and behaviours in the Management Console including improving several validations
• Added several Quick Links under Admin > Logs and added a grouping for available Log options
• Fixed the duplicated time information under Bulk Provision Users
• Added over 500 new device models
• Fixed missing Titles for Dashboard Exports

Enterprise Service Bus

• Added heartbeat answers to provide health status to the Unified User Experience
• Added customizable Instance Display Name which is by default the Silverback URL build from the STS URL

Android Enterprise

• Added field paths for Knox Service Plugin Application Feedback
• Aligned naming for Samsung Knox and Android restriction Allow Remove Work Profile

iOS, iPadOS, macOS

• Increased cryptography for client certificates to SHA-256 with RSA algorithm and key length 2048 bits
• Volume Purchase Program Logs will now be cleared after selected Retention Period under Logs
• Added a queue check for Install Enterprise Application commands when tag settings changed
• Adjusted visibility for Shared Devices & Classroom restrictions from iPhone and iPod Tags due to non-support
• Renamed Authentication for Device Enrollment Program from Active Directory Authentication to Authentication
• Added drop down list for Device Enrollment Program Authentication with Username + Password or Username + OTP option. 

Windows 10/11

• Switched from Azure Active Directory Graph API to Microsoft Graph API for Azure AD and Autopilot devices
• Fixed an issue with the SSL Client Cert Search Criteria value in registry for Azure AD and Autopilot devices
• Fixed an issue with Managed Application List for Azure Active Directory Joined devices (including Autopilot)
• Allow MSI Always Install With Elevated Privileges restriction will now be installed in user and device scope
• Fixed an UI issue for scheduled Antivirus scan as 11 am was shown as 1 am. 
• Fixed an UI alignment in Device Information for Current state of the product (German)
• Fixed an validation issue with Specify Search URL for Microsoft Edge
• Adjusted several naming and tool tips for Defender Firewall Rules
• Fixed an issue with adding and removing Defender Firewall Rules
• Removed Storage value from Managed Devices Overview

Knowledge Base

Several new Knowledge Base articles has been added:

• Windows 10/11 Bulk Enrollments with Empirum and Provisioning Packages
• Bulk Enrollments with Samsung Knox Mobile Enrollment
• Windows 10/11 Create custom profiles
• Advanced QR-Code Provisioning
• Windows 10/11 Diagnostics and Logs
• Uninstall UEM Agent on macOS devices
• Device Enrollment Program: Token Alerts
• Windows 10/11 Working with Firewall Rules and Remote Desktop