Matrix42 Self-Service Help Center

Silverback 20.0 Update 2 TP2

Silverback 20.0 Update 2 Technical Preview 2


Download: Matrix42 Marketplace

Operating System Review

With this Technical Preview we reviewed the current beta versions of the upcoming releases of the following operating systems. At the current state all of them are supported out of the box, so no Silverback update is required to support the new versions.

  • iOS 14
  • iPadOS 14
  • macOS 11.0
  • Android 11

New Features

UUX for SUEM

We've added valuable information to the Secure Unified Endpoint Management console. All new information is listed below.

Windows 10 Defender Information

With the last Technical Preview we already added the Defender Health status for Windows 10 devices to the Silverback Management Console. With this Technical Preview and the updated Service Adapter version 3.1.0, administrators can view this information in the Secure Unified Endpoint Management console as well.


Windows 10 Security & Privacy 

With the last release we already brought some new security and privacy features for macOS devices into the product. We are now focused on bringing the same feature landscape to Windows 10 device management. For this Technical Preview this includes the configuration of the Windows Defender Firewall.

Windows Defender Firewall

The Firewall configuration allows administrators to control the Windows Defender Firewall global settings, the per-profile settings (Domain, Private, Public), and the set of custom rules to be enforced on the device. Administrators can now manage non-domain devices as well, reducing the risk of network threats across all systems connecting to the corporate network. The Firewall configuration is supported beginning with Windows 10, version 1709.

Setting | Options | Description
Defender Firewall Settings | Enabled or Disabled | Enables the Defender Firewall profile.

Global Settings

Setting | Options | Description
Security Association Idle Time Before Deletion (in secs) | e.g. 400 | Security associations are deleted after no network traffic has been seen for this number of seconds. Supported values: 300 to 3600.
Pre-shared Key Encoding | None; UTF-8 (default) | Specifies the encoding used for pre-shared keys.
IPsec Exemptions | No IPsec exemptions (default); Exempt neighbor discovery IPv6 ICMP type-codes from IPsec; Exempt ICMP from IPsec; Exempt router discovery IPv6 ICMP type-codes from IPsec; Exempt both IPv4 and IPv6 DHCP traffic from IPsec | Configures specific traffic to be exempt from IPsec.
Certificate Revocation List Verification | Disables CRL checking (default); CRL checking is attempted; CRL checking is required | Defines how certificate revocation list verification is enforced. "Disables CRL checking" performs no revocation check. "CRL checking is attempted" means certificate validation fails only if the certificate is revoked; other failures encountered during CRL checking (such as the revocation URL being unreachable) do not cause validation to fail. "CRL checking is required" means certificate validation fails if any error is encountered during CRL processing.
Packet Queuing | All queuing is to be disabled (default); Inbound encrypted packets are to be queued; Packets are to be queued after decryption | Specifies how receive-side scaling is enabled for both the encrypted receive path and the clear-text forward path in the IPsec tunnel gateway scenario. Using this option also ensures that packet order is preserved.
File Transfer Protocol | Enabled or Disabled | Controls stateful FTP inspection, i.e. whether the firewall tracks an allowed FTP control connection and admits the matching data connection.
Opportunistically Match Authentication Set Per Keying Module | Enabled or Disabled | If enabled, keying modules ignore only the authentication suites they do not support instead of rejecting the whole authentication set.

Network Settings (applied per profile: Domain, Private or Public network)

Setting | Options | Description
Microsoft Defender Firewall | Enabled or Disabled | If this setting is not enabled, no network traffic is blocked, regardless of the other policy settings.
Stealth Mode | Enabled or Disabled | When this option is false, the device operates in stealth mode, i.e. it does not answer probing traffic on ports it is not listening on. The firewall rules used to enforce stealth mode are implementation-specific.
IPsec Secured Packet Exemption With Stealth Mode | Enabled or Disabled | Only relevant while stealth mode is active; otherwise this option is ignored. If enabled, the stealth mode rules must not prevent the host from responding to unsolicited network traffic that is secured by IPsec.
Shielded | Enabled or Disabled | If this value is true and the Defender Firewall is on, the device blocks all incoming traffic regardless of other policy settings.
Unicast Responses to Multicast Broadcasts | Enabled or Disabled | If true, unicast responses to multicast and broadcast traffic are blocked.
Inbound Notifications | Enabled or Disabled | If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If true, the Firewall must not display such notifications.
Default Action for Outbound Connections | Allow (default); Block | The action the firewall applies by default (evaluated last) to outbound connections.
Default Action for Inbound Connections | Allow; Block (default) | The action the firewall applies by default (evaluated last) to inbound connections.
Auth App Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, authorized application firewall rules in the local store are ignored and not enforced.
Global Port Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, global port firewall rules in the local store are ignored and not enforced.
Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, firewall rules from the local store are ignored and not enforced.
IPsec Rules From the Local Store | Enabled or Disabled | If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version.

Note on polarity: several of the descriptions above are taken from the Windows Firewall CSP, where the corresponding nodes are named DisableStealthMode, DisableUnicastResponsesToMulticastBroadcast, DisableInboundNotifications and DisableStatefulFtp and therefore carry the opposite boolean to the label shown in the console. Before relying on a label, push the configuration to a test device and confirm the resulting state with Get-NetFirewallProfile.
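As an added example (this is not Silverback code and not from the original page), the following Python translates console-level settings named as in the table into the OMA-DM Firewall CSP nodes that an MDM server has to write on a Windows 10 device, and emits the SyncML Replace items. The node paths under ./Vendor/MSFT/Firewall/MdmStore, their value types and the Disable*/Enable* polarity are those of the Windows Firewall CSP; the function names, the settings dictionary layout, the sample values and the assumption that the console's labels map onto exactly these nodes are the author's.

```python
"""Map Defender Firewall console settings to Firewall CSP nodes and SyncML.

Added example, not Silverback code. Node paths and value semantics follow the
Windows Firewall CSP; how the console labels map onto them is an assumption.
"""
from xml.sax.saxutils import escape

CSP_ROOT = "./Vendor/MSFT/Firewall/MdmStore"

# Console option labels (as in the table) -> CSP integer values.
PSK_ENCODING = {"None": 0, "UTF-8": 1}
CRL_CHECK = {"Disables CRL checking": 0,
             "CRL checking is attempted": 1,
             "CRL checking is required": 2}
PACKET_QUEUE = {"All queuing is to be disabled": 0,
                "Inbound encrypted packets are to be queued": 1,
                "Packets are to be queued after decryption": 2}
IPSEC_EXEMPT_BITS = {"neighbor discovery": 0x1, "ICMP": 0x2,
                     "router discovery": 0x4, "DHCP": 0x8}   # bitmask, OR-ed together
DEFAULT_ACTION = {"Allow": 0, "Block": 1}

# Per-profile settings whose CSP node has the same polarity as the console label ...
DIRECT = {
    "firewall": "EnableFirewall",
    "shielded": "Shielded",
    "auth_app_rules_from_local_store": "AuthAppsAllowUserPrefMerge",
    "global_port_rules_from_local_store": "GlobalPortsAllowUserPrefMerge",
    "rules_from_local_store": "AllowLocalPolicyMerge",
    "ipsec_rules_from_local_store": "AllowLocalIpsecPolicyMerge",
}
# ... and those exposed as Disable* nodes, where "Enabled" must be written as false.
INVERTED = {
    "stealth_mode": "DisableStealthMode",
    "ipsec_secured_packet_exemption": "DisableStealthModeIpsecSecuredPacketExemption",
    "unicast_responses_to_multicast": "DisableUnicastResponsesToMulticastBroadcast",
    "inbound_notifications": "DisableInboundNotifications",
}


def global_nodes(g):
    """Global settings -> {node URI: (format, value)}; enforces the SaIdleTime range."""
    sa = int(g["sa_idle_time"])
    if not 300 <= sa <= 3600:
        raise ValueError(f"SaIdleTime {sa} outside the supported range 300-3600")
    exempt = 0
    for name in g.get("ipsec_exemptions", []):
        exempt |= IPSEC_EXEMPT_BITS[name]
    return {
        f"{CSP_ROOT}/Global/SaIdleTime": ("int", sa),
        f"{CSP_ROOT}/Global/PresharedKeyEncoding": ("int", PSK_ENCODING[g["psk_encoding"]]),
        f"{CSP_ROOT}/Global/IPsecExempt": ("int", exempt),
        f"{CSP_ROOT}/Global/CRLcheck": ("int", CRL_CHECK[g["crl_check"]]),
        f"{CSP_ROOT}/Global/EnablePacketQueue": ("int", PACKET_QUEUE[g["packet_queuing"]]),
        f"{CSP_ROOT}/Global/DisableStatefulFtp": ("bool", not g["ftp"]),   # inverted node
        f"{CSP_ROOT}/Global/OpportunisticallyMatchAuthSetPerKM": ("bool", bool(g["opportunistic_auth_match"])),
    }


def profile_nodes(profile, p):
    """Network settings for one profile ("Domain", "Private" or "Public")."""
    base = f"{CSP_ROOT}/{profile}Profile"
    nodes = {f"{base}/{node}": ("bool", bool(p[key])) for key, node in DIRECT.items()}
    nodes.update({f"{base}/{node}": ("bool", not p[key]) for key, node in INVERTED.items()})
    nodes[f"{base}/DefaultOutboundAction"] = ("int", DEFAULT_ACTION[p["default_outbound"]])
    nodes[f"{base}/DefaultInboundAction"] = ("int", DEFAULT_ACTION[p["default_inbound"]])
    return nodes


def to_syncml(nodes, first_cmd_id=1):
    """Render the nodes as OMA-DM SyncML <Replace> items (one per node)."""
    items = []
    for cmd_id, (uri, (fmt, value)) in enumerate(nodes.items(), start=first_cmd_id):
        data = str(value).lower() if fmt == "bool" else str(value)
        items.append(
            f"<Replace><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{escape(uri)}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta><Data>{data}</Data></Item></Replace>'
        )
    return "\n".join(items)


# Constructed sample input: table defaults plus stealth mode on for the Public profile.
SAMPLE_GLOBAL = {"sa_idle_time": 400, "psk_encoding": "UTF-8", "ipsec_exemptions": ["ICMP", "DHCP"],
                 "crl_check": "CRL checking is attempted", "packet_queuing": "All queuing is to be disabled",
                 "ftp": True, "opportunistic_auth_match": False}
SAMPLE_PUBLIC = {"firewall": True, "stealth_mode": True, "ipsec_secured_packet_exemption": False,
                 "shielded": False, "unicast_responses_to_multicast": False, "inbound_notifications": True,
                 "default_outbound": "Allow", "default_inbound": "Block",
                 "auth_app_rules_from_local_store": False, "global_port_rules_from_local_store": False,
                 "rules_from_local_store": False, "ipsec_rules_from_local_store": False}

if __name__ == "__main__":
    print(to_syncml({**global_nodes(SAMPLE_GLOBAL), **profile_nodes("Public", SAMPLE_PUBLIC)}))
```

The point to take from the output is that "Stealth Mode: Enabled" becomes DisableStealthMode=false on the wire; compare the emitted LocURI values against what the device reports to confirm how the console's labels were mapped.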

Security Feedback on Android

With this Technical Preview we are happy to announce a feature that improves the security management capabilities for every administrator.

Android SafetyNet Attestation

SafetyNet Attestation provides a cryptographically signed statement about the device's integrity, which helps you identify whether devices in your fleet have been tampered with or modified. SafetyNet is a Google API that validates software and hardware information on the device, builds a profile of that device and compares it with the profiles of certified devices. Based on the attestation you gain, for example, the ability to detect devices running non-rooted custom ROMs or device emulators. The attestation provides different levels of integrity checks and therefore catches different classes of compromise.

Information | Example | Description
Basic Integrity | Yes | A more lenient verdict of device integrity (the basicIntegrity field of the attestation). If the value is Yes, the device likely wasn't tampered with but hasn't necessarily passed Android compatibility testing.
Extended Integrity | No | A stricter verdict of device integrity (the ctsProfileMatch field). If the value is Yes, the profile of the device matches the profile of a device that has passed Android compatibility testing.
Advisory Response | LOCK_BOOTLOADER | Provides a suggestion for how to get a device back into a good state (the advice field). This response can be empty and is not influenced by the management system.

Please review the following examples of what the different integrity levels cover.

Device Status | Basic Integrity | Extended Integrity
Certified, genuine device that passes CTS | Yes | Yes
Certified device with unlocked bootloader | Yes | No
Genuine but uncertified device, such as when the manufacturer doesn't apply for certification | Yes | No
Device with custom ROM (not rooted) | Yes | No
Emulator | No | No
No device (such as a protocol-emulating script) | No | No
Signs of system integrity compromise, one of which may be rooting | No | No
Signs of other active attacks, such as API hooking | No | No
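As an added example (not Silverback code and not from the original page), the following Python decodes a SafetyNet attestation JWS, binds it to the request that asked for it, and maps the basicIntegrity / ctsProfileMatch verdict onto the device classes of the table above. The token is constructed for the example: header and payload have the real shape, the signature is a placeholder. Verifying the RS256 signature against the x5c certificate chain in the header, checking that the leaf certificate was issued to attest.android.com and that the chain validates to a trusted root is mandatory in production and is deliberately left out here (it needs a crypto library), so this code must never be used as the sole integrity check. The payload field names are the API's; the function names, the package name and the ten-minute freshness window are the author's choices.

```python
"""Decode and evaluate a SafetyNet attestation verdict (added example, not Silverback code).

Signature / certificate-chain verification is NOT performed here; see the lead-in.
"""
import base64
import hmac
import json


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_jws(token: str):
    """Split a compact JWS into (header, payload) and sanity-check the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    # A Google attestation is RS256 with an x5c chain; reject anything else up front
    # (this is also where a 'none'-algorithm downgrade would otherwise slip through).
    if header.get("alg") != "RS256" or not header.get("x5c"):
        raise ValueError("unexpected JWS header: attestation must be RS256 with an x5c chain")
    return header, json.loads(_b64url_decode(parts[1]))


def check_binding(payload, expected_nonce_b64, expected_package, now_ms, max_age_ms=10 * 60 * 1000):
    """Return the list of reasons the attestation does not belong to our request (empty = bound)."""
    problems = []
    # The nonce we generated server-side, base64-encoded as it appears in the payload.
    if not hmac.compare_digest(str(payload.get("nonce", "")).encode(), expected_nonce_b64.encode()):
        problems.append("nonce mismatch: replayed or foreign attestation")
    age_ms = now_ms - int(payload.get("timestampMs", 0))
    if age_ms < 0 or age_ms > max_age_ms:
        problems.append("attestation is stale or future-dated")
    if payload.get("apkPackageName") != expected_package:
        problems.append("attestation was issued to a different app")
    return problems


def classify(payload):
    """Map the two verdict booleans onto the device classes in the table above."""
    basic = payload.get("basicIntegrity") is True       # absent or non-boolean counts as failed
    extended = payload.get("ctsProfileMatch") is True
    if basic and extended:
        status = "certified"          # genuine, certified device that passes CTS
    elif basic:
        status = "basic-only"         # unlocked bootloader, uncertified device or custom ROM
    else:
        status = "compromised"        # emulator, no real device, rooting or active hooking
    return {"status": status, "basic_integrity": basic,
            "extended_integrity": extended, "advice": payload.get("advice", "")}


# ---- constructed sample token (placeholder chain and signature, not a real attestation) ----
SAMPLE_NONCE = base64.b64encode(b"silverback-request-0001").decode()
SAMPLE_TIMESTAMP_MS = 1598518800000
_HEADER = {"alg": "RS256", "x5c": ["MIIB...placeholder-leaf-cert..."]}
_PAYLOAD = {"nonce": SAMPLE_NONCE, "timestampMs": SAMPLE_TIMESTAMP_MS,
            "apkPackageName": "com.example.agent", "ctsProfileMatch": False,
            "basicIntegrity": True, "advice": "LOCK_BOOTLOADER"}
SAMPLE_TOKEN = ".".join([_b64url_encode(json.dumps(_HEADER).encode()),
                         _b64url_encode(json.dumps(_PAYLOAD).encode()),
                         _b64url_encode(b"\x00" * 32)])

if __name__ == "__main__":
    _, body = parse_jws(SAMPLE_TOKEN)
    print(check_binding(body, SAMPLE_NONCE, "com.example.agent", SAMPLE_TIMESTAMP_MS + 5000))
    print(classify(body))
```

The sample payload reproduces the page's example (Basic Integrity Yes, Extended Integrity No, advice LOCK_BOOTLOADER) and therefore classifies as "basic-only", the row for a certified device with an unlocked bootloader or a non-rooted custom ROM; a verdict is only meaningful once the signature has been verified and check_binding returns no problems.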

macOS App Configuration

With this Technical Preview and the upcoming release of Silverback 20.0 Update 2 we enhanced the capabilities for administrators to configure specific app controls through the Management Console. It is now possible to provide Enterprise applications with an XML-formatted configuration file, as is already possible for iOS and iPadOS applications.

Remote Application Configuration

We offer two ways of configuring an application. If you add the configuration in the App Portal section (1), it is used as the default every time you add the application to a Tag. However, you can at any time adjust and overrule the configuration inside the Tag with the edit button (2). The documentation of the App Configuration XML is the responsibility of the application's developer, so please contact the developer to receive information about the configuration options for your desired application. In the following example, Incognito Mode for Google Chrome is deactivated.

After configuration you can review it on the device under Settings > Profiles > Silverback Managed Preferences.

By default the target folder for configurations on the device is Library > Managed Preferences.

[Screenshots: Global configuration for Chrome with allowed Incognito Mode; Tag-based configuration with disallowed Incognito Mode]
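As an added example (not Silverback code and not from the original page), the following Python builds the managed-preferences plist body for the Chrome case described above, applies the App Portal default versus Tag override rule, and reads back what landed on a Mac. The preference domain com.google.Chrome and the IncognitoModeAvailability policy (0 = available, 1 = disabled, 2 = forced) are Chrome's documented policy names; the function names and the assumption that the console's XML configuration is exactly such a plist body are the author's.

```python
"""Chrome Incognito Mode via macOS managed preferences (added example, not Silverback code)."""
import plistlib
from typing import Optional

CHROME_DOMAIN = "com.google.Chrome"          # preference domain under /Library/Managed Preferences
INCOGNITO_KEY = "IncognitoModeAvailability"  # Chrome policy: 0 available, 1 disabled, 2 forced


def build_app_config(incognito_allowed: bool) -> bytes:
    """Return the XML plist an administrator provides as the app's configuration."""
    return plistlib.dumps({INCOGNITO_KEY: 0 if incognito_allowed else 1}, fmt=plistlib.FMT_XML)


def effective_config(global_xml: bytes, tag_xml: Optional[bytes]) -> dict:
    """The Tag configuration, when present, overrules the App Portal default (page's rule)."""
    return plistlib.loads(tag_xml if tag_xml is not None else global_xml)


def incognito_allowed(config: dict) -> bool:
    """Chrome treats a missing key as 'available', so only an explicit 0/absent value allows it."""
    return config.get(INCOGNITO_KEY, 0) == 0


def read_device_config(path: str = f"/Library/Managed Preferences/{CHROME_DOMAIN}.plist") -> dict:
    """Run on the managed Mac: read the preferences the profile actually delivered."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


if __name__ == "__main__":
    # Global default allows Incognito; the Tag override disables it.
    print(build_app_config(False).decode())
    print(incognito_allowed(effective_config(build_app_config(True), build_app_config(False))))
```

Running the block prints the exact XML that the Tag configuration in the second screenshot contains (an IncognitoModeAvailability key with integer value 1); read_device_config is what you would call on the Mac to confirm the override, rather than the App Portal default, arrived in Library > Managed Preferences.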

Improvements

  • Added new device actions to Windows 10 devices
    • Defender Signature Update
    • Defender Offline Scan
  • Improved User Experience for Application Feedback
  • Added additional values to Software Update Policy
  • Merged BitLocker controls from Restrictions and Profiles
  • Updated to Service Bus Adapter version 3.1.0