Matrix42 Self-Service Help Center

Release Notes Silverback 24.0 Update 1

About this Release

Matrix42 Silverback 24.0 Update 1 provides new and improved features. During the development of this version, we focused on valued feedback from our customers and partners to provide an ideal feature selection.

Visit the following playlists on the Matrix42 YouTube channel to get a short overview presentation of the major new features: Link to English Video-Playlist | Link to German Video-Playlist.

Build Information

Important Announcements 

Support for User Profiles on DEP enrolled macOS devices 

In this release, we have focused significantly on improving and extending macOS device management. In addition to new and valuable features, this includes a change which affects the management of already integrated DEP devices and DEP devices which are newly enrolled after the update to the new Silverback version 24.0 Update 1. In previous versions of Silverback, we were not able to activate the so-called user channel during DEP enrollments, and the system installed all profiles for this purpose in the device scope by default. This was noticeable, for example, when it was planned to distribute WebClips for these devices. An error became visible in the pending commands, stating that this profile can only be installed in the user scope.

With an improvement in the DEP enrollment process in this Silverback release, both the user and the device channel will now be active for new DEP enrollments, and the profiles are installed in the respective scope, aligned with non-DEP devices. Based on the new version, the update date, and the installation date of the MDM profile on the device in the database, the management system decides which scope to use for installing profiles on the devices. Devices already integrated via DEP before the update date will continue to receive all profiles in the device scope, while all newly integrated DEP devices will have profiles installed in the corresponding target scope.

This information is useful for reviewing the availability of the newly introduced software kiosk feature and for defining the scope of custom profiles. Since the App Portal is also a WebClip, it will not be possible to distribute the Software Kiosk for already integrated DEP devices. Custom profiles will still be installed by default in the device scope for previously enrolled DEP devices. For new devices, you can decide which scope to use. Unfortunately, there is no way to enable the User Scope for devices that have already been integrated, except by resetting to factory defaults.

Additionally, please note that the new feature also affects migration or initiation of a new enrollment process using the sudo profiles renew -type enrollment command. As the user profiles will now be installed on the device for the user who initiated the enrollment, the terminal command must be executed in the context of the enrollment user, who needs (temporary) administrative rights on the device in this case. If the command is executed from the admin account, only the admin account receives the user profiles.

New Features

macOS

Please find all new iOS, iPadOS, macOS related features in Silverback 24.0 Update 1 below:

Deploy a Software Kiosk to your users 

With Silverback, we already offer a software kiosk or app portal for smartphones and tablets where users can install, uninstall and update applications that are managed and approved by administrators. The App Portal consists of a web clip that is installed on the devices and when opened displays a web page that presents the App Portal. With this new release, we have made this functionality available for macOS laptops to enable you to provide a software kiosk-like option for your end users. This gives end users an App Store experience to install, uninstall and update applications, even if they are not allowed to download applications from the public App Store. At the same time, it gives you more flexibility in how you deliver and deploy applications to install software that users need on demand.


Use new Application Deployment Options

In this new release, our focus was on bringing macOS application management up to date and fully utilizing all the possibilities that Apple has made available in the recent past, so that there are hardly any differences in application management on iOS, iPadOS and macOS. The result is some new options that are already familiar to administrators of iOS and iPad devices. In addition to the settings for visibility in the App Portal, some new security-specific options can now be set in relation to the removal of applications and data backup, as well as forcing the takeover of applications already installed on the device. 

Visible in App Portal
  • Options: Enabled or Disabled
  • Application Scope: Volume Purchase Program + Enterprise
  • Description: Makes the App visible to users in the App Portal.

Take management if the app is already installed
  • Options: Enabled or Disabled
  • Application Scope: Volume Purchase Program
  • Description: If your organization uses an application that you want to manage, but the user has already installed it before enrolling the device, you can convert it to a managed application. For a supervised device, this process is completely silent and if the application is set to push automatically, it will happen as soon as Silverback detects the application. For non-supervised devices, the user will be asked if they want the server to take over management. They can confirm or decline. To take over management manually, open the Device Info page and where possible the action button will be Manage.

Remove App when MDM Profile is removed
  • Options: Enabled or Disabled
  • Application Scope: Volume Purchase Program
  • Description: Removes the App from the device when MDM Profile is removed from Silverback. (Same as deleting from Silverback Console)

Prevent Backup of App Data
  • Options: Enabled or Disabled
  • Application Scope: Volume Purchase Program
  • Description: Prevents iTunes from backing up any information from this client to a computer when tethered.

Install as Managed
  • Options: Enabled or Disabled
  • Application Scope: Enterprise Applications
  • Description: If this option is activated, the application is installed as managed and can be uninstalled remotely. Please note that the operating system only considers applications installed in /Applications as managed when this option is enabled. In macOS 11 to 13, the operating system requires that the package contains only one signed application. Programs that do not meet these requirements will most likely not be installed if this option is enabled, although the installation command will be accepted. Check whether the application can be successfully installed on some devices with this setting before you start rolling out the application. Available in macOS 11 and later.

Configure Volume Purchase Program applications 

Another new feature regarding application management on macOS devices is the direct configuration of Volume Purchase Program applications via the XML schema. Once again, Apple has added the ability to configure applications purchased through the Volume Purchase Program. Both the App Portal and Tags now provide the ability to provide applications with an XML configuration to customize the application to your needs. However, in our experience, configuring macOS Volume Purchase Program applications via XML is currently very limited by the application vendors, and generally configuration has been and still is available via Managed Preferences, which is still the preferred method for Microsoft Outlook in particular. In any case, this new feature makes it possible to simplify application configuration if the application vendor offers the app configuration option(s) for you.


Allow Standard Users to configure Privacy Settings for Remote Assistance applications

By default, if you need to initiate a remote session with the user for support purposes, users on macOS devices will need to set appropriate sharing permissions for the application before they can share their screen or initiate remote control. This is not a problem in cases where the user is set up as an administrator on the device. However, if the user is a standard user and wants to grant the permission, an administrative account must be specified, leaving you with the challenge of enabling a good balance between security and support activities. Starting with macOS 11, Apple offers an additional option in the Privacy Preference profile that allows you to specify for certain applications that users without administrative rights can set the required sensitive permissions for Screen Recording (Capture) and Listen Event. In particular, the new Screen Capture option will finally allow any remote assistance application to allow non-administrative users to share the screen in a remote session. Combined with the long available setting for the Accessibility permission, the Screen Recording permission now provides the last missing piece of peace of mind for a good experience on managed macOS devices. Within the Privacy Preference profile, you now have the ability to set the Screen Capture and Listen to Events permission to allow standard users to set the system service. This ensures that a standard (non-admin) user can configure the permissions for the specified application in the privacy settings for services that would otherwise require administrative permissions.
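An added example (not Silverback's or Matrix42's code): a Python check over an exported Privacy Preferences profile that lists every entry letting standard users set a permission and flags entries for unapproved applications or without a code requirement. The sample profile, bundle IDs, and approved list are constructed; key names follow Apple's Privacy Preferences Policy Control payload, and a profile generated by Silverback may be laid out differently.

```python
import plistlib

# Constructed sample profile. Key names follow Apple's Privacy Preferences Policy
# Control payload; the bundle IDs and code requirement are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
    <key>Services</key><dict>
      <key>ScreenCapture</key><array><dict>
        <key>Identifier</key><string>com.example.remoteassist</string>
        <key>IdentifierType</key><string>bundleID</string>
        <key>CodeRequirement</key><string>identifier "com.example.remoteassist" and anchor apple generic</string>
        <key>Authorization</key><string>AllowStandardUserToSetSystemService</string>
      </dict></array>
      <key>ListenEvent</key><array><dict>
        <key>Identifier</key><string>com.example.unexpected</string>
        <key>IdentifierType</key><string>bundleID</string>
        <key>CodeRequirement</key><string></string>
        <key>Authorization</key><string>AllowStandardUserToSetSystemService</string>
      </dict></array>
    </dict>
  </dict></array>
</dict></plist>"""

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
STANDARD_USER = "AllowStandardUserToSetSystemService"
# Services the release notes name as settable by standard users.
DELEGABLE = {"ScreenCapture", "ListenEvent"}


def audit_pppc(profile_bytes, approved_ids):
    """Return (service, identifier, issue) tuples for standard-user grants."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if entry.get("Authorization") != STANDARD_USER:
                    continue
                ident = entry.get("Identifier", "")
                if service not in DELEGABLE:
                    findings.append((service, ident, "service not delegable"))
                if ident not in approved_ids:
                    findings.append((service, ident, "application not approved"))
                if not entry.get("CodeRequirement", "").strip():
                    findings.append((service, ident, "no code requirement"))
    return findings


if __name__ == "__main__":
    for finding in audit_pppc(SAMPLE_PROFILE, {"com.example.remoteassist"}):
        print(finding)
```

Run it against a profile exported from the management system, passing the set of remote assistance bundle IDs your organization has approved.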


Unlock user accounts and reset administrators passwords

It can happen that users' accounts are locked due to too many failed login attempts on their device, especially after we added the option for you to configure the maximum number of failed attempts in the last release. In this case, manual intervention on the device is required to unlock the user's account with administrative credentials. To provide a better approach, in this release we have added a new action for macOS devices to unlock locked accounts. When the action is started from the Device Overview > Actions > Unlock User Account, it displays a selection of users that the device has submitted to the system after requesting the UserList command. In addition, it shows reported Auto Setup Admin Accounts (see below). After selecting the target user name, the action is confirmed with OK. If a user is not found in the list, it is possible to enter the account short name manually. The action is available to system users with the Administrator, Super Helpdesk, and Helpdesk roles.


Another newly added action is resetting the admin account password if devices were enrolled through the Device Enrollment Program and an admin account was created during the out-of-the-box experience. The device reports the created Auto Setup Admin Account with the device information, and this account is listed by default under Device Overview > Actions > Reset Admin Password when the action is initiated. This action is available to system users with the Administrator role and is active if the device information reports the presence of an Auto Setup Admin account.


You can review the execution of both actions as usual from the Pending Commands overview by locating the request types UnlockUserAccount and SetAutoAdminPassword.

Define the Scope for Custom Profiles

In macOS, Apple generally offers the option to install configuration profiles and applications in the device or user scope. Profiles installed in the device scope are valid for all users on the device, while user profiles are only active for the user or the account with which the device was logged in to the system. Custom profiles, on the other hand, provide the ability to deploy configurations that are not natively available within the management system and/or are sometimes provided by software vendors. In previous releases, the scope of profile installations was handled by the system, and profiles were installed in the user scope for all non-DEP enrolled devices. For DEP devices, the scope was set to device. However, according to the MDM protocol, some profiles can be installed in both scopes, some require the user scope, and some require the device scope. To address this situation, we have now added a drop-down field in the custom profile configuration to define the required scope for the profile. 


Please note that macOS devices that have been integrated with Silverback 24.0 and older via the Device Enrollment program do not have an active user channel and therefore no profiles can be installed in the user channel, as mentioned above in the Important Announcements. For devices that were integrated via the DEP after the update to Silverback 24.0 Update 1, both channels are active.

iOS, iPadOS

Please find all new iOS and iPadOS related features in Silverback 24.0 Update 1 below:

Allow or Disallow Mail Privacy Protection

Within this release, we added a new restriction for iOS and iPadOS. In general, restrictions are easy on/off settings that enhance the configuration options of your managed devices and increase security options. This means that with this new Silverback release, you can now configure the following new security & privacy setting for supervised devices:

Allow Mail Privacy Protection
  • Availability: iPhone, iPad
  • Options: Enabled or Disabled
  • Requirements: iOS 15.2, iPadOS 15.2
  • Description: If disabled, the system disables Mail Privacy Protection on the device. Requires a supervised device.

Android Enterprise

Please find all new Android Enterprise related features in Silverback 24.0 Update 1 below:

Share and Save Logs Locally

Another new feature of Silverback 24.0 Update 1 can be found in the Companion application for Android Enterprise devices. Based on feedback from our partners, support agents, and of course from our own experience, we know that sending logs via the email account on the device in troubleshooting scenarios is sometimes not the easiest way. For this purpose, we have implemented two new options in the Companion that allow you to save the log files on the device and then copy them to a PC or laptop with a connected USB cable that supports data transfer. On the other hand, you can also use the sharing feature of the operating system and save the archived log file with the corresponding information about the device in another application, such as Google Drive or Microsoft OneDrive. 

If you choose to store the logs locally on the device, a logs.zip file is created in the internal storage directory for the Companion application. After saving the file, connect your device with a computer via USB cable that supports data transfer. Navigate to Internal storage\Android\data\com.silverbackmdm.epic.companion.ss\files and locate the logs.zip. Be sure to select Use USB for Transferring files / Android Auto on the device and accept any access permissions that may be requested. Also note that the folder may not be accessible from a file explorer application on the device.


New Improvements

Please find all new improvements in Silverback 24.0 below.

Management Console

  • Improved and aligned several Policy Violations displayed in the device overview
    • Several applications are now displayed in a row for blacklist and whitelist violations
    • Fixed an issue where a blacklist or whitelist violation was inadvertently displayed with an empty list of applications
  • Slightly adjusted some text in Policy Violation emails
  • Optimized the subject for the Silverback passcode clearance email
  • Optimized the subject for the Silverback Admin Provision email
  • Optimized the content and layout of the Manual Unenrollment Alert and Admin Provisioned a Device Notification Email Templates
    • We recommend resetting both templates for the German and French languages
  • Optimized the content of the Admin Provisioned a Device Notification for User and Local User Created Alert Email Templates
    • We recommend resetting both templates for the English language
  • For checked out devices, it is now possible to review the status history and pending commands
  • Fixed an issue with incorrect labels in the Certificate profile in Resultant Tags on Windows devices
  • Removed unnecessary mandatory flag for Custom Profile descriptions
  • Fixed, added, and improved several translations
  • Fixed a layout issue in Edit View when using a large icon for Android and Windows applications

Android Enterprise

  • Improved the installation and handling process for Enterprise applications
  • Fixed an issue with automatically granting sensitive permissions for Enterprise applications
  • Application permissions for Enterprise apps are now granted immediately after the installation process
  • When sending or sharing logs, the Device ID and UDID information has been updated
  • Removed inadvertently displayed app identity input field while adding App Store apps for Android and Samsung Knox
  • Fixed an issue with displaying the certificate profile in Companion under certain conditions
  • Fixed an issue with managed configurations when adding the same application for Android and Samsung Knox in a Tag

Apple Management

  • Extended the Device Enrollment Programs table column sizes in the database to prevent issues with importing long information
  • Fixed an issue with uploading new *.plist files for macOS Enterprise Apps
  • The App Identity field is now also available in the App Portal for macOS Enterprise Apps
  • The managed application list now displays the managed status for macOS applications
  • The managed application list now shows the available server and installed client versions more clearly
  • Fixed an issue with the disown action for devices added to the Device Enrollment Program
  • Removed inadvertently displayed Volume Purchase Program section in device overview for Apple TV devices
  • Stopped sending Invite to Program command to Apple TV devices

App Portal

  • The available server version is now displayed for all applications

Security

  • Added Anti Forgery Token for the Enterprise App Manager Controller
  • Added allowed source for Apple Document Type Definition
  • Increased cryptographic hash algorithms for digest authentication, SyncML, and system warning hashes
  • Updated Google APIs Client Library for .NET 
  • Updated Azure SDK for .NET
  • Updated Microsoft ASP.NET Web API Client 
  • Updated .NET Compiler Platform 
  • Updated .NET Microsoft authentication libraries
  • Updated .NET library for reading and writing Office formats
  • Updated Identity Model extensions for .NET 
  • Updated Dependency injector for .NET and refreshed UAF Assembly bindings to all latest versions
  • Updated APIs for cryptography and cryptographic protocols
  • Removed code-base for legacy NitroDesk TouchDown email configuration
  • Removed configuration for legacy Knox container password
  • Moved cryptographic license validation to solution

API

  • Fixed an issue with duplicate emails sent to users during pending enrollment creation
  • Fixed an issue with executing block action