Release Notes Silverback 24.0 Update 2
About this Release
Matrix42 Silverback 24.0 Update 2 provides new and improved features that have been implemented. During the development of this version, we have been focusing on valued feedback from our customers and partners to provide an ideal feature selection.
Visit the following playlists on the Matrix42 YouTube channel to get a short overview presentation of the major new features: Link to English Video-Playlist | Link to German Video-Playlist.
Build Information
- Current State: Controlled Rollout
- Download: Marketplace
- Initial Build Version: 24.0.2.60
Important Announcements
Profile Location on macOS Sequoia
With the new macOS release, Apple has changed the location of the Mobile Device Management profile. After updating to macOS Sequioa, profiles installed via a Mobile Device Management solution are now located in System Settings under General and Device Management. Until macOS 15, you will the profile located under Privacy & Security, Others, and Profiles.
Overview
The following content is included in this new Silverback release:
New Features
New Improvements and Changes
New Features
Force and block application updates for user installed applications
This feature block is made up of two of the most voted features from our ideas portal. As an administrator, you want the system to automatically update applications and block updates if they are faulty or incompatible, so that users always have the latest stable version without experiencing issues from problematic updates, in order to ensure smooth application performance, reduce downtime, and enhance user satisfaction. Although the functionality for automatic application updates and blocking users from updating applications were already available in a way, we have incorporated further granularity options in this release based on the feedback we received in order to meet the respective requirements. In our new release, Auto Update Mode is a new application management option for Volume Purchase Program applications that you can configure to suit your needs. The 3 new options fulfill the following scenarios:
- Enabled: When the automatic update mode is enabled, Silverback compares the available application versions from the application portal with the list of installed applications received from devices and updates the application by sending an install application command.
- Disabled: Silverback will not initiate application updates. Users will still be given the option to update in the app portal on their device. Administrators can update the application remotely for individual devices via the managed application list.
- Disabled and blocked in App Portal: Silverback will not initiate application updates. In this case, users will see an Update Blocked message in the App Portal. However, administrators can still update the application remotely for individual devices via the managed application list.
The update logic behind the Enabled option is the equal as in previous releases when the Automatic push to managed device option was enabled, so this option will be enabled after the update for all applications inside Tags and the App Portal that are set to Automatically push to managed devices. Under to Admin > Volume Purchase Program > Import and you will see that Auto Update Mode will be set to enabled, ensuring that all new applications purchased through the Volume Purchase Program will have this option enabled. In order not to interfere with your current configurations, Automatic update mode will be set to disabled after the update for existing applications in the App Portal that don't have automatic push to managed devices enabled. Also remember that changing the App Management settings in the App Portal has no effect on the options set in a Tag. The App Portal settings are only used as a predefined configuration when importing the app into the tag. In addition, we recommend to enable also the Take Management option when having Auto Update Mode enabled.
Streamline User Authentication with Extensible Single Sign-On
Extensible Single Sign-On streamlines and secures user authentication across apps and services by allowing customized, centralized login experiences. With Silverback 24.0 Update 2 you can now use the Extensible Single Sign-On profile to define extensions for multifactor user authentication on your enrolled iPhone, iPad, or Mac devices. This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured, the user authenticates once then gains access to subsequent native apps and websites automatically. This should result in an enhanced user experience and reduced login friction, while improving security and reducing support costs while having consistent authentication policies. Please refer to Streamline User Authentication with Extensible Single Sign-On for additional information.
Allow Proxy Fallback and Captive Logins for your Global HTTP Proxy
The Global HTTP Proxy feature allows you to configure a proxy server that applies system-wide across all network connections. This means all HTTP and HTTPS traffic on the device is routed through a specified proxy server, ensuring consistent network monitoring, filtering, and security protocols. Within this release, we extended the Global HTTP Proxy with two additional settings, as highlighted below:
Settings | Availability | Options | Description |
---|---|---|---|
Allow Proxy PAC Fallback |
|
|
If enabled, allows connecting directly to the destination if the proxy auto configuration (PAC) file is unreachable. Requires supervision on iPhone, iPad, and AppleTV. |
Allow Proxy Captive Login |
|
|
If enabled, allows the device to bypass the proxy server to display the login page for captive networks. Requires supervision on iPhone, iPad, and AppleTV. |
Deploy a Global HTTP Proxy to macOS devices
The Global HTTP Proxy feature allows you to configure a proxy server that applies system-wide across all network connections. This means all HTTP and HTTPS traffic on the device is routed through a specified proxy server, ensuring consistent network monitoring, filtering, and security protocols. By enforcing proxy settings across all apps and services, you can ensure that employees' web traffic is routed through company-approved channels, maintaining consistent security and compliance standards. Routing internet traffic through a secure proxy helps protect against threats, malware, and unauthorized access, as well as ensuring that confidential data remains encrypted and protected. You can block access to non-work-related or malicious websites, improving productivity and safeguarding against harmful content. With a Global HTTP Proxy, you can optimize bandwidth usage, manage data traffic more effectively, and apply custom rules to improve overall network performance. With Silverback 24.0 Update 2, you can now remotely configure and enforce proxy settings on all your managed macOS devices, reducing manual setup and ensuring compliance across the workforce.
Set Custom Expiration Dates for API Tokens
To be able to utilize the Silverback API, a token must first be created. An API token is a secure and unique string of characters used to authenticate and authorize access to an API. It's essentially like a digital key that allows a user or system to interact with an API's resources while ensuring that only authorized entities can access certain data or services. To increase the security of access to the API, the new release now allows you to configure the validity period of the API token. From the Edit User Details screen in Admin > User Management, there is also a new overview that shows existing API tokens with their expiry date and the quick actions Copy to Clipboard, View and Delete. An orange expiration date indicates that the token will expire within the next 30 days. Red indicates expired tokens.
Pressing Create brings up a new window where you can configure your token and the expiry date. Enter a description, enable at least one scope and select either 30, 60, 90, 180, 360 days from the drop down list or select Custom to select or enter your custom expiration date within a timeframe of up to 2 years.
In addition, token generation is now much faster with this new version than before.
New Improvements
Please find all new improvements in Silverback 24.0 Update 2 below.
Management Console
- Fixed an issue with manually updating custom variables from the device overview when the device has been enrolled multiple times
- Added several missing french translations in Resultant Tags
- Added missing content for OTP Strength option Alphanumeric Uppercase
- Aligned checkbox inputs for Global HTTP Proxy Profiles on Apple platforms
- Added Device ID to logs in case of Windows Push Notification Service Exception
- Added an option to display logs starting on a specific date
- Improved usability of Services Log section
- Renamed the Azure Active Directory Admin tab to Microsoft Entra ID and consolidated the settings tabs into one page
Android Enterprise
Companion
- Updated Target SDK to version 34 and set minimum SDK version to 21
- Updated DPC library to version 20240216
- Updated Knox library to version 3.10
- Updated Gradle to version 8.1.4
- Updated several additional third party libraries
- Changed the timeout for installing Managed Accounts to 30 seconds
- Added an error chain when having issues with installing Managed Accounts
- Ensure Working Environment will now be called every time before loading commands
- Fixed an issue with the installation of managed accounts when a passcode is present on the device
Server
- Fixed an issue with the json serialization/deserialization used for Managed Configurations on Android Management API
- Improved the process of deleting managed play applications from App Portal and Policies on Android Management API
Apple Management
- Fixed an issue that cause reassigning the Default Profile to all devices after pressing save in General Settings
- Fixed an validation issue for the usage of variables in the Email Address field on Google Accounts Profile
- Removed Custom Profiles from Tag cloning action as profiles must have a unique payload identifier
- Adjusted the MIME type for Apple configuration profiles to avoid Safari on iOS 18 and iPadOS from not directly recognizing the profile downloaded via the SSP as an MDM profile if the X-Content-Type-Option nosniff ist activated on the server.
Security
- Added security setting CookieSameSite = Lax for Self Service and API cookies that helps control how cookies are sent in cross-site requests, thereby mitigating certain types of potential cross-site request forgery (CSRF) attacks.
- Added X-Content-Type-Options=nosniff as an HTTP response header used to enhance security by preventing web browsers from "sniffing" the content type of a resource. This header instructs the browser to strictly adhere to the Content-Type declared by the server and not attempt to guess or infer the type if it is incorrect or missing.
- Added URL Rewrite Rule to abort legacy HTTP/1.0 requests to prevent potential address disclosure.
- Added URL Rewrite Rule to abort any request that contains the ~ character in the URL to stop the potential disclosure of filename or directory information on the server.
- Removed the Company Hub legacy components in the installer and inside the code, which mitigates a disclosure of the used ASP.Net MVC version. After on-premises updates, you can optional delete the remaining Company Hub under your Silverback installation folder, e.g. under C:\inetpub\Silverback\CompanyHub. Perform afterwards a refresh in your IIS Manager and the companyhub application/folder should disappear forever.
- Removed a legacy action and related code that was used for updating an incorrect value for the Audience Settings on STS. Very old Silverback version contained the incorrect value and fix is nowadays not needed anymore.
- Removed an redundant and already commented code that contain an external source for the latest jQuery library.
- Passwords for a downloaded copy of the Apple Push Notification Service or Companion Push Notification Service certificate are no longer visible in the URL. This also includes a fix for issues with generated passwords that contained special symbols. In addition, there is now a copy to clipboard action available while exporting certificates.
- The default length of an manually created API Token is now by default one year and can be set to a maximum time span of 2 years.