Silverback 20.0 Update 2 TP2

Silverback 20.0. Update 2 Technical Preview 2

Silverback-Technical-Preview-2-20.0.2.png

Operating System Review

With this technical preview we reviewed all current beta version of upcoming releases for the following operating systems. At the current state all platforms are supported out of the box, so that a Silverback update for supporting the new versions isn't required.

iOS 14
iPadOS 14
macOS 11.0
Android 11

New Features

UUX for SUEM

We've added valuable information to the Secure Unified Endpoint Management. Please find all new information listed below.

Windows 10 Defender Information

With the last Technical Preview, we added already the Defender Health status for Windows 10 devices into the Silverback Management Console. With this technical preview and the updated Service Adapter Version 3.1.0 Administrators will be able to view the information in the Secure Unified Endpoint Management Console as well.

Windows 10 Security & Privacy

With the last release we brought already some new security and privacy features for macOS devices into the product. Currently we are focused on bringing the feature landscape to the Windows 10 device management. This includes for this Technical Preview the configuration of the Windows Defender Firewall.

Windows Defender Firewall

The Firewall configuration allows to control the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Administrators can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration is supported beginning with Windows 10, version 1709.

Settings	Options	Description
Defender Firewall Settings	Enabled or Disabled	Enables the Defender Firewall Profile
Global Settings
Security Association Idle Time Before Deletion (in secs)	e.g. 400	Security associations are deleted after network traffic is not seen for this number of seconds. Supported Values from 300 to 3600
Pre-shared Key Encoding	None UTF-8 (default)	Specifies the preshared key encoding that is used
IPsec Exemptions	No IPsec exemptions (default) Exempt neighbor discover IPv6 type-codes from IP-Sec Exempt ICMP from IPsec Exempt router discover IPv6 ICMP type-codes from IPsec Exempt both IPv4 and IPv6 DHCP traffice from IPsec	Configure specific traffic to be exempt from performing IPsec.
Certificate Revocation List Verification	Disables CRL checking (default) CRL checking is attempted CRL checking is required	Defines how certificate revocation list verification is enforced. The following options are available: Disables CRL checking CRL Checking is attempted specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. CRL checking is required means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Packet Queuing	All queuing is to be disabled (default) Inbound encrypted packets are to be queued Packets are to be queued after decryption	Specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved.
File Transfer Protocol	Enabled or Disabled
Opportunistically Match Authentication Set Per Keying Module	Enabled or Disabled	If enabled, keying modules will ignore unsupported authentication suites.
Network Settings (applies to Domain, Private, or Public Network)
Microsoft Defender Firewall	Enabled or Disabled	If this setting is not enabled, no network traffic will be blocked regardless of other policy settings
Stealth Mode	Enabled or Disabled	When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific
IPsec Secured Packet Exemption With Stealth Mode	Enabled or Disabled	If stealth mode is enabled, this option will be ignored. Otherwise the stealth mode rules must not prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec
Shielded	Enabled or Disabled	If this value is true and Defender Firewall is on, the server must block all incoming traffic regardless of other policy settings
Unicast Responses to Multicast Broadcasts	Enabled or Disabled	If true, unicast responses to multicast broadcast traffic is blocked.
Inbound Notifications	Enabled or Disabled	If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If this setting is enabled, the Firewall must not display such notifications.
Default Action For Outbound Connections	Allow (default) Block	This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections.
Default Action for Inbound Connections	Allow Block (default)	This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections.
Auth App Firewall Rules From the Local Store	Enabled or Disabled	If this value is false, authorized application firewall rules in the local store are ignored and not enforced
Global Port Firewall Rules From the Local Store	Enabled or Disabled	If this value is false, global port firewall rules in the local store are ignored and not enforced
Firewall Rules From the Local Store	Enabled or Disabled	If this value is false, firewall rules from the local store are ignored and not enforced
IPsec Rules From the Local Store	Enabled or Disabled	If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version

Security Feedback on Android

With this technical preview we are happy to announce a feature that will improve the security management capabilities for any Administrator.

Android SafetyNet Attestation

The SafetyNet Attestation provides a cryptographically-signed attestation, assessing the device's integrity, which will help you to identity if devices in your device fleet has been tampered or modified. SafetyNet is an API provided by Google which validates software and hardware information on the device and creates a profile of that device, which then will be compared with certified devices. Based on the SafetyNet Attestation you will gain as an example the ability to detect devices with non-rooted custom ROMs or device emulators. The SafetyNet attestation provides different levels of integrity checks and thus intercepts different levels of security.

Information	Example	Description
Basic Integrity	Yes	Basic Integrity is a more lenient verdict of device integrity. If the value is yes , the device likely wasn't tampered but hasn't necessarily passed Android compatibility testing.
Extended Integrity	No	A stricter verdict of device integrity. If the value is yes, then the profile of the device matches the profile of a device that has passed Android compatibility testing.
Advisory Response	LOCK_BOOTLOADER	Provides a suggestion for how to get a device back into a good state. This Advisory Response can be empty and isn't influenced by the Management system.

Please review the examples of what the different integrity levels covers.

Device Status	Basic Integrity	Extended Integrity
Certified, genuine device that passes CTS	Yes	Yes
Certified device with unlocked bootloader	Yes	No
Genuine but uncertified device, such as when the manufacturer doesn't apply for certification	Yes	No
Device with custom ROM (not rooted)	Yes	No
Emulator	No	No
No device (such as a protocol emulating script)	No	No
Signs of system integrity compromise, one of which may be rooting	No	No
Signs of other active attacks, such as API hooking	No	No

macOS App Configuration

With this Technical Preview and the upcoming release of Silverback 20.0 Update 2 we enhanced the capabilities for Administrators to configure specific app controls through the Management Console. From now on it is possible to provide to Enterprise applications a specific XML formatted configuration file like on iOS and iPadOS applications.

Remote Application Configuration

We are offering two ways on configuring the application. If you add the configuration in the App Portal section (1), this will be used every time as default when you add the application into a Tag. However you can at every time adjust and overrule the configuration inside the Tag with the edit button (2). The documentation about the App Configuration XML should be part of the applications developer, so please get in touch to receive information about the configuration options for you desired application. With the following example the Incognito Mode for Google Chrome will be deactivated.

After configuration you can review your configuration on the device under Settings > Profiles > Silverback Managed Preferences

By default the target folder for configurations is Library > Managed Preferences


Global configuration for Chrome with allowed Incognito Mode	Tag based configuration with disallowed Incognito Mode

Improvements

Added new device actions to Windows 10 devices
- Defender Signature Update
- Defender Offline Scan
Improved User Experience for Application Feedback
Added additional values to Software Update Policy
Merged Bitlocker controls from Restrictions and Profiles
Updated to Service Bus Adapter version 3.1.0