Release Notes Silverback 21.0 Update 2
About This Release
Matrix42 Silverback 21.0 Update 2 provides new and improved features that have been implemented. During the development of this version, we have been focusing on valued feedback from our customers and partners to provide an ideal feature selection.
Important Announcements
Exchange Protection Service Account
With the claim to continuously improve ourselves and the product, we have dealt with our Exchange Protection in this release cycle, which generally allows you to only allow devices managed in Silverback to communicate with ActiveSync. For this integration, a service account is used that pushes the devices out of quarantine if it is a managed device. If you have enabled this feature in Silverback, we recommend to review the Exchange Protection Integration as you can significantly reduce the rights of the service account.
Zero Day Support
This autumn we can welcome some new versions of well-known operating systems. Depending on the manufacturer, various changes are brought to bear by the updates and some of them require installing a new Silverback or Companion version. In the following, we would like to give you an overview of the new operating system versions and whether they have an impact on your current device management.
| Operating System | Requirement | Additional Notes |
|---|---|---|
| Android 12 | Update to Companion 21.0 Update 2 | Android 12 contains changes about the provisioning method, which will be addressed in Silverback Companion 21.0 Update 2. If you are providing enrollment tutorials to your users, ensure to address the changes in Android 12. Please refer to Android 12 Enrollment Changes for Android Enterprise for additional information. |
| iOS 15 |
Update to Silverback 21.0 Update 1 with the Build Version 21.0.1.57 or to Silverback 21.0 Update 2 |
A change with iOS 15, iPadOS 15 and macOS 12 requires that each payload within a configuration profile must use an own unique identifier. These changes are addressed in Silverback 21.0.1.57 and in the 21.0 Update 2. Installed profiles will remain on devices, but several new profile installations will fail until an update is made to the above-mentioned Silverback versions. |
| iPadOS 15 | ||
| macOS 12 | ||
| tvOS 15 | No update needed | No relevant changes are made that might affect the tvOS 15 management with your current Silverback version. |
| Windows 11 | No update needed, but recommended |
We decided to handle Windows 11 in the same way as iOS 14 and 15+. This means that we changed in this Silverback version several Windows 10 UI elements to Windows, which aren't dependent from the Management itself. So, Windows 11 management does not require a Silverback update. Consider updating to a newer version if you are using the Unified User Experience. Silverback 21.0 Update 2 contains changes in the Service Bus to send all OS Version with 22.XXX and newer as Windows 11 devices. |
Overview
New Features
Unified User Experience
Apple Device Management Updates
Exchange Protection
New Improvements
New Changes
New Features
Unified User Experience
Please find all new Service Bus Listener related functionalities in Silverback 21.0 Update 2 below.
Enrollment Invitation
With the introduction of the Service Bus Listener, Silverback is capable to receive actions from the Unified User Experience. One new action in this Silverback 20.0 Update 2 release is to create pending enrollments with the usage of the Service Bus. By using the new +Add Mobile Device button in the Unified User Experience, Administrators are capable to select present users and define the Ownership. After pressing Send Invitation, Silverback will check based on the E-Mail Address value and in the following priority, if the selected user(s) are present as Local Users in Silverback (with the same Email address) or are part of the LDAP Filter and will take over either the Username (Local Users) or the Account Field (defined in Silverback LDAP Web Settings) and create a pending enrollment, if the validation is successful. Administrators which has enabled the Receive Email Alerts option, will receive an E-Mail Notification based on the Admin Provisioned a Device Notification Email Template. Users will receive an E-Mail Notification based on the Admin Provisioned a Device Notification for User Email Template. One Time Password settings will be taken over from the Silverback Management Console, as configured under Admin > Self Service Portal > One Time Passwords. All actions (Add Mobile Device) with execution steps and information can be reviewed in the Administration application in the Digital Workplace Platform under Integration > Service Bus > Remote Actions.
Please refer to the Secure Unified Endpoint Management Release Notes for additional information.
Enterprise Application Upload
Next to the Enrollment Invitation, the Service Bus Listener is now also capable to receive actions for Enterprise Applications, which has been uploaded in the Unified User Experience for Unified Endpoint Management and Secure Unified Endpoint Management. Each uploaded application will be added into the App Portal and automatically generate a new Tag that is assignable through the Unified User Experience and via Silverback. All newly created applications will have by default the App Management options "Visible in App Portal" and "Automatically push to managed devices" enabled. To simplify the process of adding applications in the Unified User Experience, *.apk files will be automatically added into both sections in the Silverback App Portal and in the created Tags. For *.ipa files, Administrators can decide if this bundle applies to iOS or iPadOS devices. Depending on the settings, the application will be either created in the iPhone and iPod (for iOS) section and/or in iPad (iPadOS) section. Existing applications records in Silverback will be updated only if no changes in the App Identifier / Bundle ID, Operating System, Version, Application Type are detected.
Please avoid uploading already existing Enterprise Applications again via the Unified User Experience. If you intend to do it for e.g., testing purpose, better remove the application first from Silverback.
Please refer to the Secure Unified Endpoint Management Release Notes for additional information.
Device Actions for all platforms
One important part of device management is to handle the day-by-day support for administrators. In this release we extended the Service Bus Listener to receive and handle for modern and co-managed devices several new day-by-day actions. Each action listed below can now be performed as a single method or in bulk inside the Unified User Experience for Unified Endpoint Management and Secure Unified Endpoint Management.
Please refer to the Secure Unified Endpoint Management Release Notes for additional information.
| Device Actions | Android | iOS / iPadOS | Windows | tvOS |
|---|---|---|---|---|
| Clear Passcode | Yes | Yes | ||
| Restart | Yes | Yes | Yes | Yes |
| Rename | Yes | Yes | Yes | |
| Message | Yes | |||
| Shutdown | Yes | |||
| Location | Yes | |||
| Play Sound | Yes | |||
| Lost Mode | Yes | |||
| Defender Signature Update | Yes | |||
| Defender Offline Scan | Yes | |||
| Clean | Yes |
Apple Device Management Updates
Please find all new Apple related features in Silverback 21.0 Update 2 below.
New Restrictions for iOS and iPadOS 14.5+ and macOS 12
The new OS versions brings a couple of new built-in mobile device management business capabilities, which we added into this Release and happy to share with you. In general restrictions are easy on/off settings that enhances the configuration options of your managed devices and increases security options. Silverback 21.0 Update 2 contains the following new restrictions:
| Availability | Options | Requirements | Description | |
|---|---|---|---|---|
| General | ||||
| Allow Auto Unlock |
|
|
|
Prevents the usage of the auto unlock capability. |
| Force On-Device Dictation |
|
|
|
You can use dictation instead of your keyboard to enter text with many apps and features that use the keyboard on your iPhone, iPad, or iPod touch running iOS 14.5 or iPadOS 14.5. This setting prevents dictated content from being sent to Siri servers for processing. |
| Force Managed Pasteboard |
|
|
|
With Managed Pasteboard settings, Apple provides the ability to apply the same restrictions to the copy and paste functionality, meaning that information copied from corporate apps cannot be pasted in unmanaged apps and/or the reverse. |
| Supervised | ||||
| Allow NFC |
|
|
|
Users can’t use built-in NFC hardware in compatible devices running iOS 14.2 or later. |
| Allow Recovery Mode From an Unpaired Host |
|
|
|
iPhone, iPod touch, and iPad previously allowed any external host computer to start a device in Recovery Mode, which meant that the host computer could completely erase the device and restore the operating system. iOS 14.5 and iPadOS 14.5 now prevent this behaviour by default. |
| Allow private iCloud Relay |
|
|
|
iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users connect to and browse the web more privately and securely |
Classroom Configuration
Classroom is a powerful app for iPad and Mac that helps you guide learning, share work, and manage student devices. You can launch a specific app, website, or textbook page on any iPad in the class, share documents between teacher and students, or share student work on a TV, monitor, or projector using Apple TV. With this Release, we introduce the Classroom Configuration with Silverback for iPads. This is the payload for configuring users, groups, and departments within an educational scenario. Apple Classroom can be configured in two main ways: Shared iPad or 1-to-1 iPad. The current classroom profile in Silverback supports the 1-to-1 scenario and the manual configuration of the classroom profile. In this scenario you don't need accounts on Apple School Manager or Managed Apple IDs and your users will always be keeping the same device with them. Please refer to Classroom Configuration in our Knowledgebase for additional information.
Apple School Manager is still in an unsupported state. The Classroom configuration can be used without any Apple School Manager Integration.
Unique Identifiers for Payloads for iOS, iPadOS 15 and macOS
With iOS15, iPadOS15 and macOS12, Apple has introduced a new requirement for configuration profiles in which every payload in a configuration profile must contain a unique payload identifier. For this, we addressed this requirement with Silverback 20.0 Update 2, so that a transition to the new operating system versions can be seamless and service interruptions can be avoided. Please note that this change only affects the installation of new profiles, for example on newly enrolled devices. All profiles already installed on devices will continue to work after the OS update. If profiles cannot be installed, then the error message “The payloads in this profile do not have unique identifiers” will be displayed in the pending commands under Install Profile.
New Device Information for macOS devices
macOS Big Sur 11.3 and Monterey 12 offer two new device information, which are now part of any macOS device in Silverback:
| Attribute | Description |
|---|---|
| Apple Silicon Processor |
Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later. |
|
Can install iOS apps |
Query whether the device is capable to Install iPhone and iPad apps on Apple Silicon via the Volume Purchase Program. Available in macOS 11.3 and later. |
Assigning iOS applications to macOS devices is part of our roadmap.
System Variable support for Custom Profiles
Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can utilize the Apple Configurator 2 to create custom profiles in a *.mobileconfig format. You can easily open and edit these files by adjusting the file type to *.txt (e.g., on Windows 10) or opening these files directly with the Text Editor (e.g., on macOS devices). With this new Silverback version we are supporting that System Variables can be entered either in the new Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly and convert the System Variables to the individual values and install this payload with the desired content on your devices.
Deploy iOS family applications to iPadOS devices
Based on valued customer feedback, we added in the Volume Purchase Program Import settings an option to overrule the VPP application metadata. When Silverback imports Volume Purchase Program Assets (applications), the product relies on and trusts the given metadata by each application. This metadata contains a device family's part that divides the family to iPhone, iPad and iPod like in the following example:
"deviceFamilies": ["iphone","ipad","ipod"]
This separation is usually working great, but applications are missing sometimes one device family, even when the device is capable to install the application (e.g., Instagram or Salesforce Authenticator). In these cases, the applications containing only iPhone and iPod as family and will be imported only in this way into Silverback. To overrule this most common scenario, we added in Silverback 20.0 Update 2 the new import option "Ignore Metadata for Device Families" in the Volume Purchase Program section. By enabling this option, given Metadata for Volume Purchase Program applications will be ignored by Silverback and flagged iPhone applications will be automatically added as iPad applications in the App Portal.
With enabling this option, you acknowledge that some available iPadOS application might not be installable on iPadOS devices even if they are listed in the App Portal. These scenarios will be out of support.
Exchange Protection
Please find the new Exchange Protection feature in Silverback 21.0 Update 2 below.
Custom Matching Criteria for Mailboxes
As mentioned already in the beginning of this article, we have dealt with our Exchange Protection in this release cycle, which generally allows you to only allow devices managed in Silverback to communicate with ActiveSync. Based on valued feedback, we extended the capability of the Exchange Protection with a new Matching Criteria option, which you will find under the Exchange Protection configuration in the Admin section. In previous versions, Silverback was trying by default to search on your Exchange server the users' mailbox or the identity by the username attribute. In some scenarios the Username in Silverback, e.g., when using non personalized account names like B23115, the mailbox or the identity could not be found on the Exchange Server, with the following exception
Exception: System.ApplicationException Message: No result return from Get-CASMailbox b23115
With Silverback 21.0 Update 2, the Matching Criteria can easily be changed from the default {UserName} to any other System Variable, e.g. {UserEmail} or to a mixed input like {firstname}.{lastname}@imagoverum.com.
| System Variables for Maria Miller | Exchange Protection Configuration Example |
|---|---|
 |
 |
Improvements
Please find all new Improvements in Silverback 21.0 Update 2 below.
General
- Removed all dependencies from old SMIME Certification Authority Web Setting
- Added Clear cache functionality for all web applications after saving system settings as Settings Administrator to prevent the need of restart IIS.
When a Cloud Connector in use, restart after changes related to LDAP, Certificates or Cloud Connector, the Cloud Connector services.
- Fixes for multiple Queuing Service Exceptions
- Changed Cloud Connector Exchange Task Interval (mins) default value from 2147483647 to 30
- Fix for not applying correct Auth. Mechanism when Exchange Protection is used in combination with Cloud Connector
- Fixed an issue when trying to generate Pending Enrollments and phone numbers contains a + symbol
- Forced Mobile Portal to use TLS 1.2 for Android Enterprise activations
Management Console
- Added Exchange Active Sync ID to Hardware Summary report
- Removed Samsung UMC Enrollment from Hardware Summary report
- Device Enrollment Program shows now on all Tabs the Enabled checkbox
- Removed vertical pop-up scroll bar when assigning Apps into Tags
- Added macOS privacy settings to translations resources
- Added untranslated labels in M42 Mobile to translation resources
- Added hard coded masks for certificate password when uploading an Enterprise Certificate for Exchange Active Sync
- Fixed an issue in Resultant Tags for Content Providers
- Fixed, added, and changed several translations
Enterprise Service Bus
- Added a Connection Check for Azure Service Bus
- Added method to delete applications in Unified User Experience during Volume Purchase Program Sync. E.g., when switching from one Volume Purchase Program token to another, all previously synchronized applications remained in UUX, even when they are not part of the new Token. This is now solved.
iOS, iPadOS and macOS
- Updated Companion Push Notification Service for iOS & iPadOS
- Added Magnifier as System App
- Added application name information in Pending Commands for macOS devices
- Removed Clear Passcode action for macOS devices due to non-support
- Added new dependency for Printing restrictions
- Moved Allow Bookstore Erotica restriction from supervised section to general section
- Fixed Resultant Tag information for Allow Activation Lock and App Store & iTunes restrictions
- Added Tooltip for Allow Apple Personalized Advertising and Allow App Clips to show proper availability
- Changed DEP Profile option Software Update Completed to Update Completed
Android Enterprise
- Prevent loop for certificate deletion and creation in Certificate Profile (Preview)
Windows 10
- Changed applied value for Windows 10 Allow Bluetooth restriction from 1 to 2. Anyway, the restriction was working, but it's now aligned with the Microsoft documentation
- Fix for Defender Antivirus option "Send File Samples When Further Analysis Is Required" is send to devices when "Not configured" is set
- Renamed Product to Product name in device information to align with Registry information
- Added several operating system product types from GetProductInfo which reflects the Edition in the device information
Knowledgebase
Several new Knowledge Base articles has been added:
- Classroom Configuration
- Apple Device Migration and Backup Principles
- Missing Device Models
- Create a Custom Profile for Apple devices
- iOS & iPadOS: Open Web Clips with Chrome or Edge
- Exchange Protection and Windows Remote Management
- Exchange Protection Allow managed devices
- Volume Purchase Program Token Renewal
- Device Enrollment Program Token Renewal
- Cisco Security Connector Umbrella Setup
- Uninstall or Reinstall Silverback
Changes
- Updated Service Bus Message Model to 6.7.2
- Updated Service Bus Adapter to 6.5.3
- Updated Service Bus Contracts to 1.3.0